Resolved HJT Threads: resolved spyware and popup issues.

11-17-2008, 03:17 PM   #1
Registered User
Join Date: Mar 2006
Posts: 14
OS: win xp & xp pro

antivirus 2009

Thank you for your help. I'm sure you are sick of this bug by now. I've been following the other threads on this hoping I could figure it out without bothering you. I've followed the first steps the best my machine will let me. It won't let me run GMER, HJT, Spybot S&D, or ComboFix. DDS did run.


DDS (Version 1.0) - NTFSx86
Run by wade shafer at 15:04:06.74 on 11/17/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.130 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Documents and Settings\wade shafer\Application Data\gadcom\gadcom.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\wade shafer\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dellnet.com/
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
BHO: {4EE29C2B-A862-47E7-A5B7-AB7E64287D11} - c:\windows\system32\urqNDSLD.dll
BHO: {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\qoMcaawu.dll
uRun: [gadcom] "c:\documents and settings\wade shafer\application data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [987f933b] rundll32.exe "c:\windows\system32\ogpmttvh.dll",b
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim95\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim95\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: qoMcaawu - qoMcaawu.dll
AppInit_DLLs: karna.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\qoMcaawu.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\urqNDSLD

============= SERVICES / DRIVERS ===============

R0 OzCrd2k;OzCrd2k;c:\windows\system32\drivers\OzCrd2k.sys
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys

=============== Created Last 30 ================

2008-11-17 13:07 1,483,321 ---sh--- c:\windows\system32\hvttmpgo.ini
2008-11-17 13:06 68,096 a------- c:\windows\system32\ogpmttvh.dll
2008-11-12 17:10 124,928 a------- c:\windows\system32\byaiiz.dll
2008-11-12 17:10 124,928 a------- c:\windows\system32\iqxhjkhw.dll
2008-11-12 16:32 <DIR> --d----- c:\program files\InetGet2
2008-11-11 15:11 <DIR> --d----- c:\program files\AVG
2008-11-11 15:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-11-11 14:53 <DIR> --d----- c:\program files\ewido anti-malware
2008-11-10 12:27 60,928 a------- c:\windows\system32\iemahs.dll
2008-11-10 12:26 <DIR> --d----- c:\program files\OINAnalytics
2008-11-10 12:26 <DIR> --d----- c:\windows\system32\?icrosoft
2008-11-10 12:21 <DIR> --dsh--- c:\windows\d2FkZSBzaGFmZXI
2008-11-10 12:16 <DIR> --d----- c:\windows\muzq
2008-11-10 12:16 <DIR> --d----- c:\program files\common files\muzq
2008-11-10 12:11 <DIR> --d----- c:\program files\iCheck
2008-11-10 12:11 <DIR> --d----- c:\program files\GetPack
2008-11-10 12:01 <DIR> --d----- c:\docume~1\wadesh~1\applic~1\Twain
2008-11-10 11:53 124,928 a------- c:\windows\system32\aqlhoc.dll
2008-11-10 11:53 124,928 a------- c:\windows\system32\kqnaidoq.dll
2008-11-10 11:51 1,578,121 ---sh--- c:\windows\system32\nqtqwbhp.ini
2008-11-10 11:51 68,096 a------- c:\windows\system32\phbwqtqn.dll
2008-11-10 11:51 <DIR> --d----- c:\program files\Mjcore
2008-11-08 16:45 16,713 a------- c:\windows\cujoroh.sys
2008-11-08 16:45 14,728 a------- c:\windows\qafyxa._sy
2008-11-08 16:45 18,706 a------- c:\windows\system32\gadysuxan.pif
2008-11-08 16:45 17,674 a------- c:\docume~1\wadesh~1\applic~1\ibak.vbs
2008-11-08 16:45 15,623 a------- c:\docume~1\alluse~1\applic~1\ipyn.bin
2008-11-08 16:45 15,271 a------- c:\program files\common files\icefidih.dll
2008-11-08 16:45 15,216 a------- c:\program files\common files\lebeda.sys
2008-11-08 16:45 14,114 a------- c:\docume~1\wadesh~1\applic~1\ulaluzyx.scr
2008-11-08 16:45 11,147 a------- c:\docume~1\wadesh~1\applic~1\apepidax.com
2008-11-08 16:45 224,075 a------- c:\windows\system32\_scui.cpl
2008-11-08 16:44 125,883 a------- c:\windows\system32\wini10254.exe
2008-11-08 16:31 9,728 a------- c:\windows\brastk.exe
2008-11-08 16:31 6,144 a------- c:\windows\system32\karna.dat
2008-11-08 16:31 6,144 a------- c:\windows\karna.dat
2008-11-08 16:28 27,648 a------- c:\windows\system32\dllcache\beep.sys
2008-11-08 16:28 9,728 a------- c:\windows\system32\brastk.exe
2008-11-08 16:13 124,928 a------- c:\windows\system32\ymmkbq.dll
2008-11-08 16:13 124,928 a------- c:\windows\system32\kpwfeeph.dll
2008-11-08 16:11 935,370 a--sh--- c:\windows\system32\DLSDNqru.ini2
2008-11-08 16:11 935,370 a--sh--- c:\windows\system32\DLSDNqru.ini
2008-11-08 16:11 313,856 a------- c:\windows\system32\urqNDSLD.dll
2008-11-08 16:06 <DIR> --d----- c:\docume~1\wadesh~1\applic~1\gadcom
2008-11-08 16:06 25,600 a------- c:\windows\system32\rqRKCtut.dll
2008-11-08 16:06 25,600 a------- c:\windows\system32\qoMcaawu.dll
2008-11-08 16:06 23,040 a------- c:\windows\system32\msansspc.dll
2008-10-29 14:44 244 a---h--- C:\sqmnoopt16.sqm
2008-10-29 14:44 232 a---h--- C:\sqmdata16.sqm
2008-10-24 09:22 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-22 11:53 120,320 ---sh--- c:\program files\common files\Yazzle3090OinAdmin.exe
2008-10-20 09:49 232 a---h--- C:\sqmdata15.sqm
2008-10-20 09:49 244 a---h--- C:\sqmnoopt15.sqm

==================== Find3M ====================

2008-11-17 13:55 <DIR> --d----- c:\program files\LimeWire
2008-11-17 13:55 <DIR> --d----- c:\program files\BitLord
2008-11-15 11:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-15 11:03 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-11 16:21 <DIR> --d----- c:\program files\Trend Micro
2008-10-03 11:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-09-19 09:30 <DIR> --d----- c:\program files\Motorola Phone Tools
2008-09-15 06:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-15 06:12 1,846,400 -------- c:\windows\system32\dllcache\win32k.sys
2008-09-08 04:41 333,824 -------- c:\windows\system32\dllcache\srv.sys
2008-09-03 09:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-08-27 02:24 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-08-25 02:38 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 02:37 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-08-22 23:56 635,848 -------- c:\windows\system32\dllcache\iexplore.exe
2008-08-22 23:54 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-04-08 11:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BVRP Software
2008-03-27 14:28 <DIR> --d----- c:\docume~1\wadesh~1\applic~1\Cool Record Edit Pro
2008-01-22 14:14 <DIR> --d----- c:\docume~1\wadesh~1\applic~1\Ulead Systems
2008-01-22 11:34 <DIR> --d----- c:\docume~1\wadesh~1\applic~1\Intuit
2008-01-22 11:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2008-01-22 11:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\COMMON FILES
2007-10-22 10:23 <DIR> --d----- c:\docume~1\wadesh~1\applic~1\ScamBlocker
2006-07-28 10:30 <DIR> --d----- c:\docume~1\wadesh~1\applic~1\iMesh
2006-03-14 13:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\4200Series
2006-03-13 20:40 <DIR> --d----- c:\docume~1\wadesh~1\applic~1\4200Series
2005-09-14 22:37 <DIR> --d----- c:\docume~1\wadesh~1\applic~1\MSN6
2005-09-13 08:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2005-09-07 05:36 <DIR> --d----- c:\docume~1\wadesh~1\applic~1\Musicmatch
2004-01-21 21:12 <DIR> --d----- c:\docume~1\wadesh~1\applic~1\Jasc
2003-12-20 22:03 <DIR> --d----- c:\docume~1\wadesh~1\applic~1\Earthlink
2003-03-21 22:15 <DIR> --d----- c:\docume~1\wadesh~1\applic~1\Symantec
2003-03-06 10:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MSN6
2003-02-25 05:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McAfee.com
2003-02-25 05:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Dell
2003-02-25 05:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI

============= FINISH: 1513.08 ===============
Attached file: Attach.txt (7.9 KB)
wadethetinter
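The entries a helper reads first in a DDS log are the load points in the "Psuedo HJT Report" block (BHO, Notify, SEH, AppInit_DLLs, SecurityProviders, LSA authentication packages, Run keys) and whether the files they name also show up under "Created Last 30". The script below is an added example, not part of this thread or of DDS itself: it splits a DDS log into its sections, cross-references the two, and flags the same entries in the log above. Its heuristics (the stock XP SecurityProviders list, treating any extra LSA package or any AppInit_DLLs value as worth a look, an eight-hex-digit Run name as machine-generated) are the editor's assumptions, and the sample is a constructed excerpt of the posted log.

```python
"""Triage the 'Psuedo HJT Report' section of a DDS log.  Editor's added example,
not part of the thread or of DDS; heuristics are assumptions, sample is the log above."""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "line file reason")  # file is None for type-based hits

# Constructed excerpt of the posted DDS log.  Section headers are kept verbatim
# (including DDS's own 'Psuedo' spelling) because the parser keys on them.
SAMPLE_LOG = r"""
============== Psuedo HJT Report ===============
BHO: {4EE29C2B-A862-47E7-A5B7-AB7E64287D11} - c:\windows\system32\urqNDSLD.dll
BHO: {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\qoMcaawu.dll
uRun: [gadcom] "c:\documents and settings\wade shafer\application data\gadcom\gadcom.exe" 61A847B5
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [987f933b] rundll32.exe "c:\windows\system32\ogpmttvh.dll",b
Notify: qoMcaawu - qoMcaawu.dll
AppInit_DLLs: karna.dat
SEH: {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\qoMcaawu.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\urqNDSLD
=============== Created Last 30 ================
2008-11-17 13:06 68,096 a------- c:\windows\system32\ogpmttvh.dll
2008-11-08 16:31 6,144 a------- c:\windows\system32\karna.dat
2008-11-08 16:11 313,856 a------- c:\windows\system32\urqNDSLD.dll
2008-11-08 16:06 25,600 a------- c:\windows\system32\qoMcaawu.dll
2008-11-08 16:06 23,040 a------- c:\windows\system32\msansspc.dll
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
CREATED_RE = re.compile(r"^\S+ \S+ \S+ \S+ (.+)$")  # date time size attrs path
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)")
FILE_RE = re.compile(r"[\w.~-]+\.(?:dll|exe|dat|sys)\b", re.I)
# Stock XP SecurityProviders value: editor's assumption, verify on a clean box.
STOCK_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

def split_sections(text):
    """Map each '=== Name ===' DDS section header to its non-blank lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(text):
    """Return Findings for the load-point lines and the files they name."""
    sections = split_sections(text)
    recent = set()  # files the 'Created Last 30' section says are new
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if m:
            recent.add(basename(m.group(1)))
    findings, refs = [], Counter()  # refs: file name -> load points naming it
    for line in sections.get("Psuedo HJT Report", []):
        kind, _, rest = (s.strip() for s in line.partition(":"))
        files = {f.lower() for f in FILE_RE.findall(rest)} - {"rundll32.exe"}
        if kind == "AppInit_DLLs" and rest:
            findings.append(Finding(line, None, "AppInit_DLLs set: loaded into every process that maps user32.dll"))
        elif kind == "LSA" and rest.startswith("Authentication Packages"):
            extra = [t for t in rest.split("=", 1)[1].split() if t.lower() != "msv1_0"]
            if extra:
                findings.append(Finding(line, None, "non-default LSA authentication package"))
                for p in extra:  # LSA lists packages without .dll; normalise so the
                    name = basename(p)  # BHO and LSA references are counted together
                    files.add(name if name.endswith(".dll") else name + ".dll")
        elif kind == "SecurityProviders":
            extra = {t.strip().lower() for t in rest.split(",")} - STOCK_SECURITY_PROVIDERS
            if extra:
                findings.append(Finding(line, None, "SecurityProviders beyond the stock list: " + ", ".join(sorted(extra))))
        elif kind == "Notify":
            findings.append(Finding(line, None, "Winlogon notification package (loads into winlogon.exe)"))
        elif kind.endswith("Run"):
            m = RUN_RE.match(rest)
            if m and m.group("cmd").lower().startswith("rundll32"):
                findings.append(Finding(line, None, "Run entry launches a DLL through rundll32"))
            if m and re.fullmatch(r"[0-9a-f]{8}", m.group("name")):
                findings.append(Finding(line, None, "Run entry name looks machine-generated"))
        for f in files:
            refs[f] += 1
            if f in recent:
                findings.append(Finding(line, f, "file was created in the last 30 days"))
    for f, n in refs.items():
        if n > 1:
            findings.append(Finding(f, f, f"referenced by {n} separate load points"))
    return findings

def flagged_files(text):
    """Sorted names of files that are new or wired into several load points."""
    return sorted({f.file for f in triage(text) if f.file})

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

On the sample, the Dell Support.exe entry produces no finding, while the two DLLs wired into several load points at once (one as BHO, Notify and SEH; the other as BHO and LSA package) are the ones the ComboFix run later removes.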
11-18-2008, 10:13 PM   #2
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,677
OS: 2000 Pro; XP Pro; XP Home


Re: antivirus 2009

Hello -

Even though you see these tools used often, they should not be run unless it's requested by a trained helper.

What happened to your AVG install? It doesn't seem to be active, though I see some signs of it in the logs.

Delete any version of ComboFix you might have.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Download ComboFix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    --------------------------------------------------------------------

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  3. Double click on combo-fix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob
11-19-2008, 01:33 PM   #3
Registered User
Join Date: Mar 2006
Posts: 14
OS: win xp & xp pro


Re: antivirus 2009

Thank you for your help.
AVG had an error and did not install. Also, MS Windows Recovery Console had an error and did not install either. The red ball with white X is gone now. So far.

ComboFix 08-11-18.A2 - wade shafer 2008-11-19 13:16:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.133 [GMT -6:00]
Running from: c:\documents and settings\wade shafer\Desktop\Combo-fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\NetMon
c:\documents and settings\LocalService\Application Data\NetMon\domains.txt
c:\documents and settings\LocalService\Application Data\NetMon\log.txt
c:\documents and settings\wade shafer\Application Data\gadcom
c:\documents and settings\wade shafer\Application Data\gadcom\gadcom.exe
c:\documents and settings\wade shafer\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\wade shafer\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\wade shafer\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\wade shafer\My Documents\ASEMBL~1
c:\documents and settings\wade shafer\My Documents\ASEMBL~1\n?tepad.exe
c:\program files\Common Files\Yazzle3090OinAdmin.exe
c:\program files\GetPack
c:\program files\GetPack\dictame.gz
c:\program files\GetPack\GetPack24.exe
c:\program files\GetPack\trgtame.gz
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\program files\iMeshBar
c:\program files\iMeshBar\bar\History\search
c:\program files\inetget2
c:\program files\INSTALL.LOG
c:\program files\Mjcore
c:\program files\Mjcore\Mjcore.dll
c:\windows\brastk.exe
c:\windows\karna.dat
c:\windows\Readme.txt
c:\windows\system32\_scui.cpl
c:\windows\system32\aqlhoc.dll
c:\windows\system32\brastk.exe
c:\windows\system32\byaiiz.dll
c:\windows\system32\cgpeauib.dll
c:\windows\system32\dllcache\beep.sys
c:\windows\SYSTEM32\DLSDNqru.ini
c:\windows\SYSTEM32\DLSDNqru.ini2
c:\windows\SYSTEM32\hvttmpgo.ini
c:\windows\system32\icroso~1
c:\windows\system32\icroso~1\?icrosoft\
c:\windows\system32\icroso~1\services.exe
c:\windows\system32\iemahs.dll
c:\windows\system32\iqxhjkhw.dll
c:\windows\system32\karna.dat
c:\windows\system32\kpwfeeph.dll
c:\windows\system32\kqnaidoq.dll
c:\windows\system32\kthypb.dll
c:\windows\system32\msansspc.dll
c:\windows\system32\nqtqwbhp.ini
c:\windows\system32\phbwqtqn.dll
c:\windows\system32\qgcfkevp.dll
c:\windows\system32\qoMcaawu.dll
c:\windows\system32\rqRKCtut.dll
c:\windows\system32\tocdmmrx.dll
c:\windows\system32\urqNDSLD.dll
c:\windows\system32\wini10254.exe
c:\windows\system32\wtompgyx.dll
c:\windows\system32\xrmmdcot.ini
c:\windows\SYSTEM32\xygpmotw.ini
c:\windows\system32\ymmkbq.dll
c:\windows\system32\zydntj.dll
c:\windows\wiaserviv.log


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))
.

2008-11-18 15:15 . 2008-11-18 15:15 5,500 --a------ c:\windows\SYSTEM32\qtvpoqox.dll
2008-11-11 15:11 . 2008-11-11 15:11 <DIR> d-------- c:\program files\AVG
2008-11-11 15:11 . 2008-11-11 15:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-11 14:53 . 2008-11-15 11:03 <DIR> d-------- c:\program files\ewido anti-malware
2008-11-10 12:26 . 2008-11-10 12:26 <DIR> d-------- c:\program files\OINAnalytics
2008-11-10 12:21 . 2008-11-10 16:53 <DIR> d--hs---- c:\windows\d2FkZSBzaGFmZXI
2008-11-10 12:16 . 2008-11-10 12:16 <DIR> d-------- c:\windows\muzq
2008-11-10 12:16 . 2008-11-10 16:51 <DIR> d-------- c:\program files\Common Files\muzq
2008-11-10 12:01 . 2008-11-15 11:03 <DIR> d-------- c:\documents and settings\wade shafer\Application Data\Twain
2008-11-08 16:45 . 2008-11-08 16:45 18,706 --a------ c:\windows\SYSTEM32\gadysuxan.pif
2008-11-08 16:45 . 2008-11-08 16:45 17,674 --a------ c:\documents and settings\wade shafer\Application Data\ibak.vbs
2008-11-08 16:45 . 2008-11-08 16:45 16,713 --a------ c:\windows\cujoroh.sys
2008-11-08 16:45 . 2008-11-08 16:45 15,623 --a------ c:\documents and settings\All Users\Application Data\ipyn.bin
2008-11-08 16:45 . 2008-11-08 16:45 15,271 --a------ c:\program files\Common Files\icefidih.dll
2008-11-08 16:45 . 2008-11-08 16:45 15,216 --a------ c:\program files\Common Files\lebeda.sys
2008-11-08 16:45 . 2008-11-08 16:45 14,728 --a------ c:\windows\qafyxa._sy
2008-11-08 16:45 . 2008-11-08 16:45 14,114 --a------ c:\documents and settings\wade shafer\Application Data\ulaluzyx.scr
2008-11-08 16:45 . 2008-11-08 16:45 11,147 --a------ c:\documents and settings\wade shafer\Application Data\apepidax.com
2008-10-29 14:44 . 2008-10-29 14:44 244 --ah----- C:\sqmnoopt16.sqm
2008-10-29 14:44 . 2008-10-29 14:44 232 --ah----- C:\sqmdata16.sqm
2008-10-24 09:22 . 2008-10-15 10:34 337,408 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-20 09:49 . 2008-10-20 09:49 244 --ah----- C:\sqmnoopt15.sqm
2008-10-20 09:49 . 2008-10-20 09:49 232 --ah----- C:\sqmdata15.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 20:13 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-17 19:55 --------- d-----w c:\program files\LimeWire
2008-11-17 19:55 --------- d-----w c:\program files\BitLord
2008-11-15 17:05 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-15 17:03 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-11 22:21 --------- d-----w c:\program files\Trend Micro
2008-11-10 18:14 --------- d-----w c:\documents and settings\wade shafer\Application Data\AdobeUM
2008-11-08 22:45 12,702 ----a-w c:\program files\Common Files\fozode.ban
2008-09-19 15:30 --------- d-----w c:\program files\Motorola Phone Tools
2008-09-19 15:27 --------- d--h--w c:\program files\InstallShield Installation Information
2008-04-08 21:43 92,064 ----a-w c:\documents and settings\wade shafer\mqdmmdm.sys
2008-04-08 21:43 9,232 ----a-w c:\documents and settings\wade shafer\mqdmmdfl.sys
2008-04-08 21:43 79,328 ----a-w c:\documents and settings\wade shafer\mqdmserd.sys
2008-04-08 21:43 66,656 ----a-w c:\documents and settings\wade shafer\mqdmbus.sys
2008-04-08 21:43 6,208 ----a-w c:\documents and settings\wade shafer\mqdmcmnt.sys
2008-04-08 21:43 5,936 ----a-w c:\documents and settings\wade shafer\mqdmwhnt.sys
2008-04-08 21:43 4,048 ----a-w c:\documents and settings\wade shafer\mqdmcr.sys
2008-04-08 21:43 25,600 ----a-w c:\documents and settings\wade shafer\usbsermptxp.sys
2008-04-08 21:43 22,768 ----a-w c:\documents and settings\wade shafer\usbsermpt.sys
2006-10-02 20:35 86,336 -c--a-w c:\documents and settings\wade shafer\Application Data\GDIPFONTCACHEV1.DAT
2003-04-02 21:20 1,044,168 ----a-w c:\program files\vbrun60sp5.exe
2002-12-20 16:51 48,631 -c--a-w c:\windows\INF\ftserui2.dll
2002-12-20 16:09 22,592 -c--a-w c:\windows\INF\ftserui.dll
2002-12-20 16:08 64,048 -c--a-w c:\windows\INF\ftserial.sys
2002-12-20 16:08 25,316 -c--a-w c:\windows\INF\ftsenum.sys
2002-12-20 15:59 50,396 -c--a-w c:\windows\INF\ftser2k.sys
2002-12-20 15:58 19,313 -c--a-w c:\windows\INF\ftdibus.sys
2001-08-29 00:41 414,208 -c--a-w c:\windows\INF\ftdiunin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 323584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"vidc.XVID"= xvid.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
"vidc.jpeg"= m3jpeg32.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.SP54"= SP5X_32.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Picture Transfer Software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Picture Transfer Software.lnk
backup=c:\windows\pss\KODAK Picture Transfer Software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=c:\windows\pss\TabUserW.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^wade shafer^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\wade shafer\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jsbykcf]
c:\documents and settings\wade shafer\My Documents\a?sembly\n?tepad.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-04-10 02:44 679936 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
--a------ 2002-11-01 02:47 208560 c:\program files\Dell\AccessDirect\DadApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer4_in_1]
--a------ 2004-01-22 10:59 151552 c:\program files\Lexmark 4200 Series\Fax\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 4200 Series]
--a------ 2004-01-16 04:04 57344 c:\program files\Lexmark 4200 Series\lxbmbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2006-01-19 10:06 11776 c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mm_server]
--a------ 2006-01-19 10:06 102400 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-06-24 17:32 4800512 c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhilipsDM]
--a------ 2005-09-15 00:49 520192 c:\program files\Philips\Philips Device Manager\bin\DeviceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 02:48 36975 c:\program files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Twain]
--a------ 2008-11-11 14:51 61440 c:\documents and settings\wade shafer\Application Data\Twain\Twain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2005-08-18 09:49 307200 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-06-24 17:32 323584 c:\windows\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\O2USB]
--a------ 2002-07-25 17:21 24576 c:\windows\SYSTEM32\O2USB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 OzCrd2k;OzCrd2k;c:\windows\system32\drivers\OzCrd2k.sys [2003-01-22 3104]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc.sys [2003-03-14 15576]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1441156E-A2A1-4B0E-AF14-B7A3B0727CDA} - c:\windows\system32\urqNDSLD.dll
BHO-{73cf7adf-0bbb-4ac1-8e68-f5115488f03b} - c:\windows\system32\zydntj.dll
MSConfigStartUp-987f933b - c:\windows\system32\phbwqtqn.dll
MSConfigStartUp-Aida - c:\windows\system32\ICROSO~1\services.exe
MSConfigStartUp-Antivirus Pro 2009 - c:\program files\AntivirusPro2009\AntivirusPro2009.exe
MSConfigStartUp-Bart Station - c:\program files\PeoplePC\ISP6500\BIN\PPCOLink.exe
MSConfigStartUp-brastk - c:\windows\system32\brastk.exe
MSConfigStartUp-E6TaskPanel - c:\program files\EARTHLINK TOTALACCESS\TASKPANL.EXE
MSConfigStartUp-GetPack24 - c:\program files\GetPack\GetPack24.exe
MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe
MSConfigStartUp-SfKg6wIP - c:\documents and settings\wade shafer\Application Data\Microsoft\Windows\xlbtep.exe
MSConfigStartUp-SpeedRunner - c:\documents and settings\wade shafer\Application Data\SpeedRunner\SpeedRunner.exe
MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
MSConfigStartUp-SynTPEnh - c:\program files\Synaptics\SynTP\SynTPEnh.exe
MSConfigStartUp-SynTPLpr - c:\program files\Synaptics\SynTP\SynTPLpr.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\wade shafer\Application Data\Mozilla\Firefox\Profiles\2xszvdmf.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 13:41:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\windows\SYSTEM32\DRIVERS\dcfssvc.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\Tablet.exe
c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\windows\SYSTEM32\WBEM\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2008-11-19 13:56:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-19 19:56:19

Pre-Run: 8,904,830,976 bytes free
Post-Run: 8,794,198,016 bytes free

292 --- E O F --- 2008-10-30 14:33:16
Old 11-19-2008, 02:54 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,677
OS: 2000 Pro; XP Pro; XP Home


Re: antivirus 2009

Quote:
Also ms windows recovery console had an error and did not install either
What was the error message?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 11-19-2008, 04:59 PM   #5 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 14
OS: win xp & xp pro


Re: antivirus 2009

It just said "error: unable to install windows recovery console, would you like to continue scan y or n". I hit yes. It didn't have any error # or say why. So far no sign of the bug. There is a yellow Windows Update shield in the tray. Should I leave that alone for now? Thank you very much for your help.
Old 11-19-2008, 05:50 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,677
OS: 2000 Pro; XP Pro; XP Home


Re: antivirus 2009

Leave the Windows Updates for now. Let's try again to install the Recovery Console, as we have more malware removal to do still.


Download the file from this Microsoft page:

For XP Home >> http://www.microsoft.com/downloads/d...displaylang=en

Save it as it is originally named to your Desktop.

Now close all open windows and programs, and disable all antivirus and antispyware programs. This is usually done via a right click on the applications' system tray icon. Get help here for how to disable them, if required.



Then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement (EULA) to install the Recovery Console.

As part of installing the Recovery Console, ComboFix will begin to run. Your desktop may disappear. This is normal. It will return.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:



Please continue as follows:
  • Ensure all antivirus and antispyware programs are still disabled, so they do not interfere with the running of ComboFix.
  • Please click Yes to continue scanning for malware.
When the tool is finished, it will produce a log for you.

Please post that log, ComboFix.txt
Old 11-20-2008, 10:53 AM   #7 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 14
OS: win xp & xp pro


Re: antivirus 2009

The update ran anyway overnight. Hope that didn't mess anything up. Thanks again for your help.

ComboFix 08-11-18.A2 - wade shafer 2008-11-20 11:23:39.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.192 [GMT -6:00]
Running from: c:\documents and settings\wade shafer\Desktop\Combo-fix.exe
Command switches used :: c:\documents and settings\wade shafer\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-19 13:57 . 2008-09-04 11:15 1,106,944 --------- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
2008-11-19 13:57 . 2008-10-24 05:21 455,296 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-11-18 15:15 . 2008-11-18 15:15 5,500 --a------ c:\windows\SYSTEM32\qtvpoqox.dll
2008-11-11 15:11 . 2008-11-11 15:11 <DIR> d-------- c:\program files\AVG
2008-11-11 15:11 . 2008-11-11 15:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-11 14:53 . 2008-11-15 11:03 <DIR> d-------- c:\program files\ewido anti-malware
2008-11-10 12:26 . 2008-11-10 12:26 <DIR> d-------- c:\program files\OINAnalytics
2008-11-10 12:21 . 2008-11-10 16:53 <DIR> d--hs---- c:\windows\d2FkZSBzaGFmZXI
2008-11-10 12:16 . 2008-11-10 12:16 <DIR> d-------- c:\windows\muzq
2008-11-10 12:16 . 2008-11-10 16:51 <DIR> d-------- c:\program files\Common Files\muzq
2008-11-10 12:01 . 2008-11-15 11:03 <DIR> d-------- c:\documents and settings\wade shafer\Application Data\Twain
2008-11-08 16:45 . 2008-11-08 16:45 18,706 --a------ c:\windows\SYSTEM32\gadysuxan.pif
2008-11-08 16:45 . 2008-11-08 16:45 17,674 --a------ c:\documents and settings\wade shafer\Application Data\ibak.vbs
2008-11-08 16:45 . 2008-11-08 16:45 16,713 --a------ c:\windows\cujoroh.sys
2008-11-08 16:45 . 2008-11-08 16:45 15,623 --a------ c:\documents and settings\All Users\Application Data\ipyn.bin
2008-11-08 16:45 . 2008-11-08 16:45 15,271 --a------ c:\program files\Common Files\icefidih.dll
2008-11-08 16:45 . 2008-11-08 16:45 15,216 --a------ c:\program files\Common Files\lebeda.sys
2008-11-08 16:45 . 2008-11-08 16:45 14,728 --a------ c:\windows\qafyxa._sy
2008-11-08 16:45 . 2008-11-08 16:45 14,114 --a------ c:\documents and settings\wade shafer\Application Data\ulaluzyx.scr
2008-11-08 16:45 . 2008-11-08 16:45 11,147 --a------ c:\documents and settings\wade shafer\Application Data\apepidax.com
2008-10-29 14:44 . 2008-10-29 14:44 244 --ah----- C:\sqmnoopt16.sqm
2008-10-29 14:44 . 2008-10-29 14:44 232 --ah----- C:\sqmdata16.sqm
2008-10-24 09:22 . 2008-10-15 10:34 337,408 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-20 09:49 . 2008-10-20 09:49 244 --ah----- C:\sqmnoopt15.sqm
2008-10-20 09:49 . 2008-10-20 09:49 232 --ah----- C:\sqmdata15.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-19 21:14 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-17 19:55 --------- d-----w c:\program files\LimeWire
2008-11-17 19:55 --------- d-----w c:\program files\BitLord
2008-11-15 17:05 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-15 17:03 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-11 22:21 --------- d-----w c:\program files\Trend Micro
2008-11-10 18:14 --------- d-----w c:\documents and settings\wade shafer\Application Data\AdobeUM
2008-11-08 22:45 12,702 ----a-w c:\program files\Common Files\fozode.ban
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-03 17:41 6,066,176 ------w c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\SYSTEM32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\SYSTEM32\DLLCACHE\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\SYSTEM32\msxml3.dll
2008-08-27 08:24 3,593,216 ------w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-08-25 08:38 13,824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2008-08-23 05:54 161,792 ------w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2008-04-08 21:43 92,064 ----a-w c:\documents and settings\wade shafer\mqdmmdm.sys
2008-04-08 21:43 9,232 ----a-w c:\documents and settings\wade shafer\mqdmmdfl.sys
2008-04-08 21:43 79,328 ----a-w c:\documents and settings\wade shafer\mqdmserd.sys
2008-04-08 21:43 66,656 ----a-w c:\documents and settings\wade shafer\mqdmbus.sys
2008-04-08 21:43 6,208 ----a-w c:\documents and settings\wade shafer\mqdmcmnt.sys
2008-04-08 21:43 5,936 ----a-w c:\documents and settings\wade shafer\mqdmwhnt.sys
2008-04-08 21:43 4,048 ----a-w c:\documents and settings\wade shafer\mqdmcr.sys
2008-04-08 21:43 25,600 ----a-w c:\documents and settings\wade shafer\usbsermptxp.sys
2008-04-08 21:43 22,768 ----a-w c:\documents and settings\wade shafer\usbsermpt.sys
2006-10-02 20:35 86,336 -c--a-w c:\documents and settings\wade shafer\Application Data\GDIPFONTCACHEV1.DAT
2003-04-02 21:20 1,044,168 ----a-w c:\program files\vbrun60sp5.exe
2002-12-20 16:51 48,631 -c--a-w c:\windows\INF\ftserui2.dll
2002-12-20 16:09 22,592 -c--a-w c:\windows\INF\ftserui.dll
2002-12-20 16:08 64,048 -c--a-w c:\windows\INF\ftserial.sys
2002-12-20 16:08 25,316 -c--a-w c:\windows\INF\ftsenum.sys
2002-12-20 15:59 50,396 -c--a-w c:\windows\INF\ftser2k.sys
2002-12-20 15:58 19,313 -c--a-w c:\windows\INF\ftdibus.sys
2001-08-29 00:41 414,208 -c--a-w c:\windows\INF\ftdiunin.exe
.

((((((((((((((((((((((((((((( snapshot@2008-11-19_13.53.43.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-10 01:10:56 1,379,840 ----a-w c:\windows\$hf_mig$\KB954459\SP3QFE\msxml6.dll
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB954459\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB954459\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB954459\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB954459\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB954459\update\updspapi.dll
+ 2008-10-24 11:21:09 455,296 ------w c:\windows\Driver Cache\I386\mrxsmb.sys
+ 2008-11-20 15:01:33 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
- 2008-10-07 19:19:40 16,721,856 ----a-w c:\windows\SYSTEM32\MRT.exe
+ 2008-11-04 00:10:25 17,318,336 ----a-w c:\windows\SYSTEM32\MRT.exe
- 2007-11-30 11:18:51 17,272 ----a-w c:\windows\SYSTEM32\spmsg.dll
+ 2008-07-08 13:02:01 17,272 ------w c:\windows\SYSTEM32\spmsg.dll
+ 2008-09-30 22:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-09-30 22:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 323584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"vidc.XVID"= xvid.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
"vidc.jpeg"= m3jpeg32.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.SP54"= SP5X_32.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Picture Transfer Software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Picture Transfer Software.lnk
backup=c:\windows\pss\KODAK Picture Transfer Software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=c:\windows\pss\TabUserW.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^wade shafer^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\wade shafer\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jsbykcf]
c:\documents and settings\wade shafer\My Documents\a?sembly\n?tepad.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-04-10 02:44 679936 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
--a------ 2002-11-01 02:47 208560 c:\program files\Dell\AccessDirect\DadApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer4_in_1]
--a------ 2004-01-22 10:59 151552 c:\program files\Lexmark 4200 Series\Fax\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 4200 Series]
--a------ 2004-01-16 04:04 57344 c:\program files\Lexmark 4200 Series\lxbmbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2006-01-19 10:06 11776 c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mm_server]
--a------ 2006-01-19 10:06 102400 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-06-24 17:32 4800512 c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhilipsDM]
--a------ 2005-09-15 00:49 520192 c:\program files\Philips\Philips Device Manager\bin\DeviceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 02:48 36975 c:\program files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Twain]
--a------ 2008-11-11 14:51 61440 c:\documents and settings\wade shafer\Application Data\Twain\Twain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2005-08-18 09:49 307200 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-06-24 17:32 323584 c:\windows\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\O2USB]
--a------ 2002-07-25 17:21 24576 c:\windows\SYSTEM32\O2USB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 OzCrd2k;OzCrd2k;c:\windows\system32\drivers\OzCrd2k.sys [2003-01-22 3104]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc.sys [2003-03-14 15576]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\wade shafer\Application Data\Mozilla\Firefox\Profiles\2xszvdmf.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-20 11:25:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-20 11:28:59
ComboFix-quarantined-files.txt 2008-11-20 17:28:49
ComboFix2.txt 2008-11-19 19:56:37

Pre-Run: 8,682,786,816 bytes free
Post-Run: 8,666,853,376 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

235 --- E O F --- 2008-11-20 15:05:08
Old 11-20-2008, 11:06 AM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,677
OS: 2000 Pro; XP Pro; XP Home


Re: antivirus 2009

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add or Remove Programs) if they exist:

    OIN Analytics

    Do not reboot if requested.

    ---------------------------------------------------------------------------------------------
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    File::
    c:\windows\SYSTEM32\qtvpoqox.dll
    c:\windows\SYSTEM32\gadysuxan.pif
    c:\documents and settings\wade shafer\Application Data\ibak.vbs
    c:\windows\cujoroh.sys
    c:\documents and settings\All Users\Application Data\ipyn.bin
    c:\Program Files\Common Files\icefidih.dll
    c:\Program Files\Common Files\lebeda.sys
    c:\windows\qafyxa._sy
    c:\documents and settings\wade shafer\Application Data\ulaluzyx.scr
    c:\documents and settings\wade shafer\Application Data\apepidax.com
    c:\Program Files\Common Files\fozode.ban

    Folder::
    c:\Program Files\OINAnalytics
    c:\windows\d2FkZSBzaGFmZXI
    c:\windows\muzq
    c:\Program Files\Common Files\muzq
    c:\documents and settings\wade shafer\Application Data\Twain

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Twain]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jsbykcf]
    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------


    See if the AVG install will complete now. If it errors, make note of the exact error message.
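As an added example (not ComboFix's code and not tetonbob's), the Python script below cross-checks a CFScript like the one in post #8 against the ComboFix log from post #7: it parses the File::/Folder::/Registry:: sections, flags any removal target the log never listed, and reports the security-posture indicators visible in the log's registry dump (Security Center warnings silenced, firewall off, an autostart running from Application Data, and the hidden c:\windows\d2FkZSBzaGFmZXI folder, whose name is base64 for "wade shafer"). The ghost.dll path is an invented entry so the cross-check has something to catch; everything else is taken from the thread.

```python
"""Sanity-check a ComboFix CFScript against the log it was derived from.
Added example (not ComboFix's code nor the helper's): parse the CFScript sections and a
log excerpt, report script targets the log never listed, and list posture indicators."""
import base64
import binascii
import re

# Constructed log excerpt: a handful of lines taken from the ComboFix log in post #7.
LOG = r"""
2008-11-18 15:15 . 2008-11-18 15:15 5,500 --a------ c:\windows\SYSTEM32\qtvpoqox.dll
2008-11-10 12:21 . 2008-11-10 16:53 <DIR> d--hs---- c:\windows\d2FkZSBzaGFmZXI
2008-11-08 16:45 . 2008-11-08 16:45 18,706 --a------ c:\windows\SYSTEM32\gadysuxan.pif
2008-11-08 22:45 12,702 ----a-w c:\program files\Common Files\fozode.ban
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Twain]
--a------ 2008-11-11 14:51 61440 c:\documents and settings\wade shafer\Application Data\Twain\Twain.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Constructed CFScript: entries from post #8 plus one path (ghost.dll, invented for this
# example) that the log never mentioned, so the cross-check has something to flag.
CFSCRIPT = r"""
File::
c:\windows\SYSTEM32\qtvpoqox.dll
c:\windows\SYSTEM32\gadysuxan.pif
c:\Program Files\Common Files\fozode.ban
c:\windows\SYSTEM32\ghost.dll

Folder::
c:\windows\d2FkZSBzaGFmZXI

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Twain]
"""

PATH_RE = re.compile(r"[a-z]:\\.*$", re.I | re.M)   # a drive-letter path up to end of line
KEY_RE = re.compile(r"^\[([^\]]+)\]$", re.M)        # a [registry key] line in the log


def parse_cfscript(text):
    """Map each 'Name::' section to its entries (lower-cased: NTFS paths are case-insensitive)."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.lower())
    return sections


def unverified_targets(script, log):
    """Script entries the log never listed. CFScript deletions are not undoable, so every
    target should be traceable to a log line before the script is run."""
    paths = {m.group(0).rstrip().lower() for m in PATH_RE.finditer(log)}
    keys = {k.lower() for k in KEY_RE.findall(log)}
    missing = [p for p in script.get("File", []) + script.get("Folder", []) if p not in paths]
    for entry in script.get("Registry", []):
        key = entry.strip("[]").lstrip("-")   # "[-KEY]" in a CFScript means delete KEY
        if key not in keys:
            missing.append(entry)
    return missing


def decode_if_base64(name):
    """Return the decoded text if `name` is base64 for printable ASCII, else None.
    Malware-generated paths sometimes hide a username or machine name this way."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{8,}", name):
        return None
    try:
        raw = base64.b64decode(name + "=" * (-len(name) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def posture_findings(log):
    """Security-posture indicators in a ComboFix 'Reg Loading Points' dump, as (tag, detail)."""
    findings = []
    lines = [raw.strip() for raw in log.splitlines()]
    for i, line in enumerate(lines):
        low = line.lower()
        m = PATH_RE.search(line)
        path = m.group(0).rstrip() if m else ""
        if low == '"antivirusdisablenotify"=dword:00000001':
            findings.append(("av_notify_off", "Security Center antivirus warnings silenced"))
        elif low == '"updatesdisablenotify"=dword:00000001':
            findings.append(("updates_notify_off", "Security Center update warnings silenced"))
        elif low.startswith('"enablefirewall"= 0'):
            findings.append(("firewall_off", "Windows Firewall disabled in the standard profile"))
        elif "\\application data\\" in low and i and "startupreg" in lines[i - 1].lower():
            findings.append(("profile_autostart", path))   # autostart binary in a user profile
        elif "<dir>" in low and path:
            decoded = decode_if_base64(path.rsplit("\\", 1)[-1])
            if decoded:
                findings.append(("base64_dirname", f"{path} decodes to {decoded!r}"))
    return findings
```

Run `unverified_targets(parse_cfscript(CFSCRIPT), LOG)` and `posture_findings(LOG)` against a full log and script to see the flagged ghost.dll entry and the five indicators.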
Old 11-20-2008, 01:42 PM   #9 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 14
OS: win xp & xp pro


Re: antivirus 2009

AVG installed and updated perfectly; I did not run it yet.
Thanks for all your help.

ComboFix 08-11-18.A2 - wade shafer 2008-11-20 13:34:41.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.155 [GMT -6:00]
Running from: c:\documents and settings\wade shafer\Desktop\Combo-fix.exe
Command switches used :: c:\documents and settings\wade shafer\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Application Data\ipyn.bin
c:\documents and settings\wade shafer\Application Data\apepidax.com
c:\documents and settings\wade shafer\Application Data\ibak.vbs
c:\documents and settings\wade shafer\Application Data\ulaluzyx.scr
c:\program files\Common Files\fozode.ban
c:\program files\Common Files\icefidih.dll
c:\program files\Common Files\lebeda.sys
c:\windows\cujoroh.sys
c:\windows\qafyxa._sy
c:\windows\SYSTEM32\gadysuxan.pif
c:\windows\SYSTEM32\qtvpoqox.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ipyn.bin
c:\documents and settings\wade shafer\Application Data\apepidax.com
c:\documents and settings\wade shafer\Application Data\ibak.vbs
c:\documents and settings\wade shafer\Application Data\Twain
c:\documents and settings\wade shafer\Application Data\Twain\Twain.exe
c:\documents and settings\wade shafer\Application Data\ulaluzyx.scr
c:\program files\Common Files\fozode.ban
c:\program files\Common Files\icefidih.dll
c:\program files\Common Files\lebeda.sys
c:\program files\Common Files\muzq
c:\program files\Common Files\muzq\muzqa.lck
c:\program files\Common Files\muzq\muzqd\class-barrel
c:\program files\Common Files\muzq\muzqd\vocabulary
c:\program files\Common Files\muzq\muzqh
c:\program files\Common Files\muzq\muzql.lck
c:\program files\Common Files\muzq\muzqm.lck
c:\windows\cujoroh.sys
c:\windows\d2FkZSBzaGFmZXI
c:\windows\muzq
c:\windows\muzq\muzq.dat
c:\windows\muzq\wu
c:\windows\qafyxa._sy
c:\windows\SYSTEM32\gadysuxan.pif
c:\windows\SYSTEM32\qtvpoqox.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-19 13:57 . 2008-09-04 11:15 1,106,944 --------- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
2008-11-19 13:57 . 2008-10-24 05:21 455,296 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-11-11 15:11 . 2008-11-11 15:11 <DIR> d-------- c:\program files\AVG
2008-11-11 15:11 . 2008-11-11 15:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-11 14:53 . 2008-11-15 11:03 <DIR> d-------- c:\program files\ewido anti-malware
2008-10-29 14:44 . 2008-10-29 14:44 244 --ah----- C:\sqmnoopt16.sqm
2008-10-29 14:44 . 2008-10-29 14:44 232 --ah----- C:\sqmdata16.sqm
2008-10-24 09:22 . 2008-10-15 10:34 337,408 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-20 09:49 . 2008-10-20 09:49 244 --ah----- C:\sqmnoopt15.sqm
2008-10-20 09:49 . 2008-10-20 09:49 232 --ah----- C:\sqmdata15.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-19 21:14 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-17 19:55 --------- d-----w c:\program files\LimeWire
2008-11-17 19:55 --------- d-----w c:\program files\BitLord
2008-11-15 17:05 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-15 17:03 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-11 22:21 --------- d-----w c:\program files\Trend Micro
2008-11-10 18:14 --------- d-----w c:\documents and settings\wade shafer\Application Data\AdobeUM
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-03 17:41 6,066,176 ------w c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\SYSTEM32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\SYSTEM32\DLLCACHE\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\SYSTEM32\msxml3.dll
2008-08-27 08:24 3,593,216 ------w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-08-25 08:38 13,824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2008-08-23 05:54 161,792 ------w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2008-04-08 21:43 92,064 ----a-w c:\documents and settings\wade shafer\mqdmmdm.sys
2008-04-08 21:43 9,232 ----a-w c:\documents and settings\wade shafer\mqdmmdfl.sys
2008-04-08 21:43 79,328 ----a-w c:\documents and settings\wade shafer\mqdmserd.sys
2008-04-08 21:43 66,656 ----a-w c:\documents and settings\wade shafer\mqdmbus.sys
2008-04-08 21:43 6,208 ----a-w c:\documents and settings\wade shafer\mqdmcmnt.sys
2008-04-08 21:43 5,936 ----a-w c:\documents and settings\wade shafer\mqdmwhnt.sys
2008-04-08 21:43 4,048 ----a-w c:\documents and settings\wade shafer\mqdmcr.sys
2008-04-08 21:43 25,600 ----a-w c:\documents and settings\wade shafer\usbsermptxp.sys
2008-04-08 21:43 22,768 ----a-w c:\documents and settings\wade shafer\usbsermpt.sys
2006-10-02 20:35 86,336 -c--a-w c:\documents and settings\wade shafer\Application Data\GDIPFONTCACHEV1.DAT
2003-04-02 21:20 1,044,168 ----a-w c:\program files\vbrun60sp5.exe
2002-12-20 16:51 48,631 -c--a-w c:\windows\INF\ftserui2.dll
2002-12-20 16:09 22,592 -c--a-w c:\windows\INF\ftserui.dll
2002-12-20 16:08 64,048 -c--a-w c:\windows\INF\ftserial.sys
2002-12-20 16:08 25,316 -c--a-w c:\windows\INF\ftsenum.sys
2002-12-20 15:59 50,396 -c--a-w c:\windows\INF\ftser2k.sys
2002-12-20 15:58 19,313 -c--a-w c:\windows\INF\ftdibus.sys
2001-08-29 00:41 414,208 -c--a-w c:\windows\INF\ftdiunin.exe
.

((((((((((((((((((((((((((((( snapshot@2008-11-19_13.53.43.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-10 01:10:56 1,379,840 ----a-w c:\windows\$hf_mig$\KB954459\SP3QFE\msxml6.dll
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB954459\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB954459\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB954459\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB954459\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB954459\update\updspapi.dll
+ 2008-10-24 11:21:09 455,296 ------w c:\windows\Driver Cache\I386\mrxsmb.sys
+ 2008-11-20 15:01:33 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
- 2008-10-07 19:19:40 16,721,856 ----a-w c:\windows\SYSTEM32\MRT.exe
+ 2008-11-04 00:10:25 17,318,336 ----a-w c:\windows\SYSTEM32\MRT.exe
- 2007-11-30 11:18:51 17,272 ----a-w c:\windows\SYSTEM32\spmsg.dll
+ 2008-07-08 13:02:01 17,272 ------w c:\windows\SYSTEM32\spmsg.dll
+ 2008-09-30 22:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-09-30 22:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 323584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"vidc.XVID"= xvid.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
"vidc.jpeg"= m3jpeg32.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.SP54"= SP5X_32.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Picture Transfer Software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Picture Transfer Software.lnk
backup=c:\windows\pss\KODAK Picture Transfer Software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=c:\windows\pss\TabUserW.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^wade shafer^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\wade shafer\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-04-10 02:44 679936 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
--a------ 2002-11-01 02:47 208560 c:\program files\Dell\AccessDirect\DadApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer4_in_1]
--a------ 2004-01-22 10:59 151552 c:\program files\Lexmark 4200 Series\Fax\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 4200 Series]
--a------ 2004-01-16 04:04 57344 c:\program files\Lexmark 4200 Series\lxbmbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2006-01-19 10:06 11776 c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mm_server]
--a------ 2006-01-19 10:06 102400 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-06-24 17:32 4800512 c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhilipsDM]
--a------ 2005-09-15 00:49 520192 c:\program files\Philips\Philips Device Manager\bin\DeviceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 02:48 36975 c:\program files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2005-08-18 09:49 307200 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-06-24 17:32 323584 c:\windows\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\O2USB]
--a------ 2002-07-25 17:21 24576 c:\windows\SYSTEM32\O2USB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 OzCrd2k;OzCrd2k;c:\windows\system32\drivers\OzCrd2k.sys [2003-01-22 3104]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc.sys [2003-03-14 15576]

*Newly Created Service* - CATCHME
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-20 13:37:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-20 13:40:30
ComboFix-quarantined-files.txt 2008-11-20 19:40:21
ComboFix2.txt 2008-11-20 17:29:02
ComboFix3.txt 2008-11-19 19:56:37

Pre-Run: 8,666,218,496 bytes free
Post-Run: 8,650,088,448 bytes free

243 --- E O F --- 2008-11-20 15:05:08
wadethetinter is offline  
Old 11-20-2008, 02:33 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,677
OS: 2000 Pro; XP Pro; XP Home


Re: antivirus 2009

Ok, that's good to know. Before we continue, I'd like a bit more information, please.

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 11-20-2008, 03:14 PM   #11 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 14
OS: win xp & xp pro


Re: antivirus 2009

4 Warn Alert
ABBYY FineReader 5.0 Sprint Plus
Absolute USB Loader Drivers
Absolute USB Loader Utilities and Drivers v1.33
AccessDirect
Actiontec MD56ORD V92 MDC Modem
Ad-Aware
Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop 7.0
Adobe Photoshop Elements
Adobe Reader 7.0.5
Adobe SVG Viewer
AOL Instant Messenger
Apple Software Update
AutoUpdate
Avanquest update
Backup Dell-Installed Programs
Britannica Ready Reference
BufferChm
CleanUp!
Dell Digital Jukebox Driver
Dell Modem-On-Hold
Dell Picture Studio - Dell Image Expert
Dell ResourceCD
Dell Solution Center
Dell Support
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
Digital Camera
Digital Line Detect
DivX Player
DVD Decrypter (Remove Only)
EarthLink LiteScanner
EarthLink MDAC
Easy CD Creator 5 Basic
eSupportQFolder
Free Sound Recorder v6.4
Google Earth
Google Toolbar for Firefox
Google Updater
Help and Support Customization
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Deskjet 3900 series
HP Image Zone Express
HP Imaging Device Functions 5.0
HP Software Update
HP Solution Center & Imaging Support Tools 5.0
HPDeskjet3900Series
HPProductAssistant
InterActual Player
Internet Explorer Q903235
InterVideo WinDVD
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.1
Java Web Start
K-Lite Codec Pack
KODAK Camera Connection Software
KODAK Camera Connection Software Help
KODAK Memory Albums
KODAK One Touch to Better Pictures
KODAK Picture Software
KODAK Picture Transfer Software
KODAK Software Updater
Lexmark 4200 Series
Lexmark 4200 Series Fax Solutions
Lexmark Fax Solutions
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2003
Microsoft Office XP Media Content
Microsoft Office XP Small Business
Microsoft Picture It! Express 2000
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft XML Parser
mIRC
mobile PhoneTools
Modem Helper
Motorola Driver Installation 3.4.0
Motorola Phone Tools
Mozilla Firefox (2.0.0.18)
MSN Music Assistant
MSSoap
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Musicmatch® Jukebox
NVIDIA Windows 2000/XP Display Drivers
O2UsbCrd
PC-Linq
Pen Tablet
penPalette 1.0
Philips Device Manager
PowerCrypt 2000
procreate(TM) Painter Classic(TM)
QuickBooks Premier Edition 2007
QuickBooks Product Listing Service
Quicken 2002 New User Edition
QuickTime
Reader Rabbit Personalized Preschool
SBMirc
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Shockwave
SLD CODEC PACK 1.5.3
SmartFTP Client
SolutionCenter
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Status
SupportSoft Assisted Service
Synaptics TouchPad
TrayApp
Ulead COOL 3D 3.5
Ulead Photo Explorer 8.0 SE Basic
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Viewpoint Media Player (Remove Only)
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WinUndelete
WordPerfect Office 2002
Yahoo! Messenger
wadethetinter is offline  
Old 11-20-2008, 04:38 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,677
OS: 2000 Pro; XP Pro; XP Home


Re: antivirus 2009

Thanks.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 10. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

How is the machine behaving?
tetonbob is offline  
Old 11-23-2008, 04:16 PM   #13 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 14
OS: win xp & xp pro


Re: antivirus 2009

Sorry that took so long. The machine is running very slow. It could be I just need to do some house cleaning. Thanks again for everything.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, November 23, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 21, 2008 16:12:31
Records in database: 1399616
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 101969
Threat name: 28
Infected objects: 42
Suspicious objects: 0
Duration of the scan: 26:45:22


File name / Threat name / Threats count
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.PurityScan.q 1
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Agent.ec 1
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.EZula 1
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Apropo.v 1
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: Trojan.Win32.Qhost.ap 1
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.PurityScan.q 1
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Agent.ec 1
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.EZula 1
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Apropo.v 1
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: Trojan.Win32.Qhost.ap 1
C:\Documents and Settings\wade shafer\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-6e1cedff Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\wade shafer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-6be6a249.zip Infected: Exploit.Java.Gimsh.a 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 1
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Qoobox\Quarantine\C\Documents and Settings\wade shafer\Application Data\gadcom\gadcom.exe.vir Infected: Trojan.Win32.Agent.amus 1
C:\Qoobox\Quarantine\C\Documents and Settings\wade shafer\Application Data\Twain\Twain.exe.vir Infected: Trojan.Win32.Agent.amwr 1
C:\Qoobox\Quarantine\C\Documents and Settings\wade shafer\My Documents\ASEMBL~1\nоtepad.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.jw 1
C:\Qoobox\Quarantine\C\Program Files\Common Files\Yazzle3090OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.gb 1
C:\Qoobox\Quarantine\C\Program Files\GetPack\GetPack24.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.hbm 1
C:\Qoobox\Quarantine\C\WINDOWS\brastk.exe.vir Infected: Hoax.Win32.Renos.fgo 1
C:\Qoobox\Quarantine\C\WINDOWS\karna.dat.vir Infected: Backdoor.Win32.Small.gjm 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\aqlhoc.dll.vir Infected: Trojan.Win32.Monder.yio 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\brastk.exe.vir Infected: Hoax.Win32.Renos.fgo 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\byaiiz.dll.vir Infected: Trojan.Win32.Monder.ywb 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cgpeauib.dll.vir Infected: Trojan.Win32.Monder.zab 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DLLCACHE\beep.sys.vir Infected: Backdoor.Win32.UltimateDefender.a 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\BEEP.SYS.vir Infected: Backdoor.Win32.UltimateDefender.a 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ICROSO~1\services.exe.vir Infected: Trojan-Downloader.Win32.Agent.kwg 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\iemahs.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.jv 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\iqxhjkhw.dll.vir Infected: Trojan.Win32.Monder.ywb 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\karna.dat.vir Infected: Backdoor.Win32.Small.gjm 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kpwfeeph.dll.vir Infected: Trojan.Win32.Monder.ywd 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kqnaidoq.dll.vir Infected: Trojan.Win32.Monder.yio 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kthypb.dll.vir Infected: Trojan.Win32.Monder.zab 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\msansspc.dll.vir Infected: Trojan.Win32.Agent.ancx 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\phbwqtqn.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.tscg 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\qoMcaawu.dll.vir Infected: Trojan.Win32.Monderb.wvi 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\rqRKCtut.dll.vir Infected: Trojan.Win32.Monderb.wvi 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tocdmmrx.dll.vir Infected: Trojan.Win32.Monder.zac 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\urqNDSLD.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.amom 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ymmkbq.dll.vir Infected: Trojan.Win32.Monder.ywd 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_scui.cpl.vir Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.bp 1

The selected area was scanned.
wadethetinter is offline  
Old 11-23-2008, 06:05 PM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,677
OS: 2000 Pro; XP Pro; XP Home


Re: antivirus 2009

Hi -

Many of those items are in ComboFix quarantine, which will be removed when we're done.

For now...

Open NOTEPAD.exe and copy/paste the text in the codebox below into it:
Code:
@echo off
rem Start from a clean log so only this run's failures are reported
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Each quoted path below is a live find from the Kaspersky report
for %%g in (

"C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe"
"C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe"
"C:\Documents and Settings\wade shafer\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-6e1cedff"
"C:\Documents and Settings\wade shafer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-6be6a249.zip"


) do (
rem /a matches hidden and system files too, /f forces deletion of read-only files
del /a/f %%g >nul 2>&1
rem Anything that survived the delete is written to the log for review
if exist %%g echo.%%g>>"%temp%\log.txt"
)

rem Show the log if something could not be deleted, otherwise report success
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
rem The batch file removes itself when done
del %0
Save this as fix.bat. Choose "Save type as - All Files".
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says

Also....

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------



For a slow machine:

Please see if any of the info in this sticky topic helps.

http://www.techsupportforum.com/secu...ning-slow.html

I see that you have limited physical memory, 383MB RAM, less than 512MB, which is the bare minimum for Windows XP and modern applications. That might be a good place to start to improve system performance.

You can visit Crucial where you can either input your model number or download a small application that will tell you exactly the type of RAM you need. The folks in the Hardware section can help you with that if need be.


Please post back with the results from the fix.bat file, and I'll have what should be final instructions for you.
tetonbob is offline  
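The triage tetonbob applies to the Kaspersky report above (finds already sitting in ComboFix quarantine versus live files that go into fix.bat), as an added Python example that is not part of the thread: it groups the report by file path, so a file carrying a mix of not-a-virus and Trojan detections is still treated as live, and emits the quoted paths in the form the fix.bat loop uses. The quarantine prefix, the three bucket names and the classification rules are this example's assumptions; the sample lines are copied from the posted report.

```python
import re
from collections import defaultdict

# ComboFix moves what it removes under this folder; Kaspersky still flags the
# .vir copies there, which is why those finds count as already handled.
# (Prefix and rules below are this example's assumptions, not Kaspersky's.)
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"

# One report line: <path> Infected: <threat name> <count>
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Constructed sample: a few lines copied from the report posted in the thread,
# in Kaspersky's "File name / Threat name / Threats count" format.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.PurityScan.q 1
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Agent.ec 1
C:\Documents and Settings\wade shafer\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-6e1cedff Infected: Exploit.Java.Gimsh.a 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 1
C:\Qoobox\Quarantine\C\WINDOWS\brastk.exe.vir Infected: Hoax.Win32.Renos.fgo 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_scui.cpl.vir Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.bp 1
The selected area was scanned.
"""


def parse_report(text):
    """Group every 'Infected:' line by file path -> list of threat names.

    A single file can carry several detections (all_files4.exe has five in
    the real report), so the report is grouped before any decision is made.
    """
    finds = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            finds[m.group("path")].append(m.group("threat"))
    return dict(finds)


def classify(path, threats):
    """Return 'quarantined', 'review' or 'remove' for one file.

    Rules (this example's reading of the helper's triage):
      - anything under ComboFix's quarantine is already dealt with;
      - a file whose detections are *all* 'not-a-virus:' (adware, riskware,
        legitimate tools such as mIRC) is left for the user to decide;
      - everything else is a live find that still needs removal.
    """
    if path.lower().startswith(QUARANTINE_PREFIX):
        return "quarantined"
    if all(t.startswith("not-a-virus:") for t in threats):
        return "review"
    return "remove"


def triage(text):
    """Sort a whole report into the three buckets, preserving report order."""
    buckets = {"quarantined": [], "review": [], "remove": []}
    for path, threats in parse_report(text).items():
        buckets[classify(path, threats)].append(path)
    return buckets


def fix_bat_targets(text):
    """Quoted paths in the form used inside the for-loop of the thread's fix.bat."""
    return ['"%s"' % path for path in triage(text)["remove"]]


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_REPORT).items():
        print("%s (%d):" % (bucket, len(paths)))
        for p in paths:
            print("   ", p)
    print("\nfor %%g in (")
    for target in fix_bat_targets(SAMPLE_REPORT):
        print(target)
    print(") do ( ... )")
```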
Old 11-24-2008, 11:18 AM   #15 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 14
OS: win xp & xp pro


Re: antivirus 2009

Fix.bat said "Deleted Successfully, press any key to continue". I hit the space bar and it went away.
Thanks again for all your help.
wadethetinter is offline  
Old 11-24-2008, 11:49 AM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,677
OS: 2000 Pro; XP Pro; XP Home


Re: antivirus 2009

Great. From a malware removal perspective, we should be done here. Any progress with the slow machine issue?

Some final housekeeping and protection instructions for you:

Your logs appear clean. You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out-of-date and vulnerable common applications on your computer.

Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting, and this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back against the malware writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
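A defender-side check to go with the HOSTS file step above, added here as an example and not part of the original post: it parses a hosts file in the format described (one address followed by one or more names, with "#" comments) and flags any entry that sends a name somewhere other than loopback, which is what a tampered hosts file looks like, as opposed to one used for blocking. The sample file content and the 203.0.113.5 address are constructed; 0.0.0.0 is accepted alongside 127.0.0.1 as a blocking address, which the post itself does not mention.

```python
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, str, int]  # (address, hostname, line number in the file)

# Constructed sample in the style of the MVPS file; not the real MVPS HOSTS file.
SAMPLE_HOSTS = """\
# MVPS-style block list (constructed sample)
127.0.0.1 localhost
::1 localhost
127.0.0.1 ads.example.com
127.0.0.1 tracker.example.net metrics.example.net
# Constructed hijack: a legitimate-looking name sent to a non-loopback address
203.0.113.5 www.windowsupdate.com   # 203.0.113.0/24 is a documentation range
"""

def parse_hosts(text: str) -> List[Entry]:
    """Parse HOSTS text into (address, hostname, line) tuples.
    '#' starts a comment, one address may be followed by several hostnames,
    and lines whose first token is not a valid IP address are skipped."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            ipaddress.ip_address(tokens[0])
        except ValueError:
            continue  # malformed line, not a hosts entry
        for host in tokens[1:]:
            entries.append((tokens[0], host.lower(), lineno))
    return entries

def suspicious_entries(entries: List[Entry]) -> List[Entry]:
    """Return entries whose address is neither loopback (127.0.0.0/8, ::1) nor
    0.0.0.0. A blocking hosts file only ever points names at loopback, so any
    other address means a name is being redirected somewhere else."""
    flagged = []
    for addr, host, lineno in entries:
        ip = ipaddress.ip_address(addr)
        if not (ip.is_loopback or ip.is_unspecified):
            flagged.append((addr, host, lineno))
    return flagged

if __name__ == "__main__":
    for addr, host, lineno in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {lineno}: {host} -> {addr}")
```

To run it against the live file, read C:\WINDOWS\system32\drivers\etc\hosts and pass its contents to parse_hosts in place of SAMPLE_HOSTS.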
Old 11-24-2008, 12:36 PM   #17 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 14
OS: win xp & xp pro


Re: antivirus 2009

The machine seems to be running about normal now. I will follow your instructions to ensure this doesn't happen again.
Thank you for everything. You all provide a great service to us. I do appreciate it.
Old 11-24-2008, 01:23 PM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,677
OS: 2000 Pro; XP Pro; XP Home


Re: antivirus 2009

Glad to have helped.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.
Copyright 2001 - 2009, Tech Support Forum