maybe rootkit virus

[Ried]

What tool or program is telling you they are a threat?

[robbb]

What should i do with these threat files in system32. Do you want to see them. I could put them in a folder and attach them. Please help me.

[Ried]

I have asked you numerous times already, and am only going to ask one more time...

What program is telling you these are a threat.

[robbb]

I said that no program said this and that the file themselves say threat. One of the files is called threat678y.klg and another is called threat685y.pk2. There are 40 of these files in system32 and they all appeared at the same time that I got a virus Nov 12 08. Are these okay even though one of them threat437y.klg was a threat and was deleted. Please bare with me as I don't have a lot of computer experience and don't want to infect other computers. thx

[Ried]

Ah, I'm understanding you now. My apologies.

Open Notepad and copy/paste the contents in the quote box below, into Notepad.

Quote:

if exist log.txt del /s/q log.txt
vfind -ltf "%windir%\threat*.*" >log.txt
notepad log.txt

Save this as look.bat Choose to "Save type as - All Files"
It should look like this:

Double click on look.bat & allow it to run. Then post the log which it produces

[robbb]

----a-w 5,331 2008-11-12 21:40:56 C:\Windows\System32\threat121y.d05
----a-w 5,244 2008-11-12 21:40:57 C:\Windows\System32\threat157y.9o
----a-w 16,589 2008-11-12 21:40:56 C:\Windows\System32\threat163y.pkg
----a-w 16,501 2008-11-12 21:40:57 C:\Windows\System32\threat199y.63
----a-w 17,603 2008-11-12 21:40:57 C:\Windows\System32\threat237y.d03
----a-w 17,515 2008-11-12 21:40:57 C:\Windows\System32\threat273y.tdt
----a-w 12,945 2008-11-12 21:40:57 C:\Windows\System32\threat279y.d05
----a-w 12,857 2008-11-12 21:40:58 C:\Windows\System32\threat315y.9o
----a-w 7,349 2008-11-12 21:40:57 C:\Windows\System32\threat322y.pkl
----a-w 7,261 2008-11-12 21:40:58 C:\Windows\System32\threat358y.zip
----a-w 2,691 2008-11-12 21:40:57 C:\Windows\System32\threat365y.d01
----a-w 9,901 2008-11-12 21:40:57 C:\Windows\System32\threat369y.tdt
----a-w 7,173 2008-11-12 21:40:58 C:\Windows\System32\threat394y.pkd
----a-w 2,603 2008-11-12 21:40:58 C:\Windows\System32\threat401y.ppp
----a-w 9,814 2008-11-12 21:40:58 C:\Windows\System32\threat405y.pkl
----a-w 9,726 2008-11-12 21:40:58 C:\Windows\System32\threat441y.ure
----a-w 5,156 2008-11-12 21:40:58 C:\Windows\System32\threat448y.bin
----a-w 5,068 2008-11-12 21:40:58 C:\Windows\System32\threat484y.d06
----a-w 16,413 2008-11-12 21:40:58 C:\Windows\System32\threat490y.pk
----a-w 16,325 2008-11-12 21:40:58 C:\Windows\System32\threat526y.pk1
----a-w 16,237 2008-11-12 21:40:59 C:\Windows\System32\threat562y.jar
----a-w 17,427 2008-11-12 21:40:58 C:\Windows\System32\threat564y.pkl
----a-w 17,339 2008-11-12 21:40:58 C:\Windows\System32\threat600y.ure
----a-w 12,769 2008-11-12 21:40:58 C:\Windows\System32\threat606y.dat
----a-w 17,251 2008-11-12 21:40:59 C:\Windows\System32\threat636y.cab
----a-w 12,681 2008-11-12 21:40:58 C:\Windows\System32\threat642y.pk0
----a-w 12,593 2008-11-12 21:40:59 C:\Windows\System32\threat678y.klg
----a-w 7,085 2008-11-12 21:40:58 C:\Windows\System32\threat685y.pk2
----a-w 6,998 2008-11-12 21:40:59 C:\Windows\System32\threat721y.arc
----a-w 18,343 2008-11-12 21:40:58 C:\Windows\System32\threat728y.pk3
----a-w 9,638 2008-11-12 21:40:59 C:\Windows\System32\threat732y.cab
----a-w 2,779 2008-11-12 21:40:56 C:\Windows\System32\threat74y.cab
----a-w 18,255 2008-11-12 21:40:59 C:\Windows\System32\threat764y.rar
----a-w 9,550 2008-11-12 21:40:59 C:\Windows\System32\threat768y.d01
----a-w 4,980 2008-11-12 21:40:59 C:\Windows\System32\threat775y.jad
----a-w 9,989 2008-11-12 21:40:56 C:\Windows\System32\threat78y.d03
----a-w 4,892 2008-11-12 21:41:00 C:\Windows\System32\threat811y.d02
----a-w 16,149 2008-11-12 21:41:00 C:\Windows\System32\threat853y.dtt
----a-w 17,163 2008-11-12 21:41:01 C:\Windows\System32\threat927y.d01

[Ried]

I don't believe them to be anything sinister. If you review the time and dates of their arrival, they appear to be part of WiniGuard's scanning database. (WiniGuard being the rogue malware scanner that entered your system)

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:

File::
C:\Windows\System32\threat121y.d05
C:\Windows\System32\threat157y.9o
C:\Windows\System32\threat163y.pkg
C:\Windows\System32\threat199y.63
C:\Windows\System32\threat237y.d03
C:\Windows\System32\threat273y.tdt
C:\Windows\System32\threat279y.d05
C:\Windows\System32\threat315y.9o
C:\Windows\System32\threat322y.pkl
C:\Windows\System32\threat358y.zip
C:\Windows\System32\threat365y.d01
C:\Windows\System32\threat369y.tdt
C:\Windows\System32\threat394y.pkd
C:\Windows\System32\threat401y.ppp
C:\Windows\System32\threat405y.pkl
C:\Windows\System32\threat441y.ure
C:\Windows\System32\threat448y.bin
C:\Windows\System32\threat484y.d06
C:\Windows\System32\threat490y.pk
C:\Windows\System32\threat526y.pk1
C:\Windows\System32\threat562y.jar
C:\Windows\System32\threat564y.pkl
C:\Windows\System32\threat600y.ure
C:\Windows\System32\threat606y.dat
C:\Windows\System32\threat636y.cab
C:\Windows\System32\threat642y.pk0
C:\Windows\System32\threat678y.klg
C:\Windows\System32\threat685y.pk2
C:\Windows\System32\threat721y.arc
C:\Windows\System32\threat728y.pk3
C:\Windows\System32\threat732y.cab
C:\Windows\System32\threat74y.cab
C:\Windows\System32\threat764y.rar
C:\Windows\System32\threat768y.d01
C:\Windows\System32\threat775y.jad
C:\Windows\System32\threat78y.d03
C:\Windows\System32\threat811y.d02
C:\Windows\System32\threat853y.dtt
C:\Windows\System32\threat927y.d01
c:\windows\System32\866_data.zip
c:\windows\System32\images875.zip
c:\windows\System32\uninstall2b4.bin
c:\windows\System32\701_data.bin
c:\windows\System32\709part.bin

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe





Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt


--------------------------------------------------------------------

Please post the ComboFix.txt so I may confirm the deletions.

[robbb]

ComboFix 08-11-28.02 - Harry 2008-11-30 11:10:11.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.160 [GMT -8:00]
Running from: c:\users\Harry\Desktop\ComboFix.exe
Command switches used :: c:\users\Harry\Desktop\cfscript.txt

FILE ::
c:\windows\System32\701_data.bin
c:\windows\System32\709part.bin
c:\windows\System32\866_data.zip
c:\windows\System32\images875.zip
c:\windows\System32\threat121y.d05
c:\windows\System32\threat157y.9o
c:\windows\System32\threat163y.pkg
c:\windows\System32\threat199y.63
c:\windows\System32\threat237y.d03
c:\windows\System32\threat273y.tdt
c:\windows\System32\threat279y.d05
c:\windows\System32\threat315y.9o
c:\windows\System32\threat322y.pkl
c:\windows\System32\threat358y.zip
c:\windows\System32\threat365y.d01
c:\windows\System32\threat369y.tdt
c:\windows\System32\threat394y.pkd
c:\windows\System32\threat401y.ppp
c:\windows\System32\threat405y.pkl
c:\windows\System32\threat441y.ure
c:\windows\System32\threat448y.bin
c:\windows\System32\threat484y.d06
c:\windows\System32\threat490y.pk
c:\windows\System32\threat526y.pk1
c:\windows\System32\threat562y.jar
c:\windows\System32\threat564y.pkl
c:\windows\System32\threat600y.ure
c:\windows\System32\threat606y.dat
c:\windows\System32\threat636y.cab
c:\windows\System32\threat642y.pk0
c:\windows\System32\threat678y.klg
c:\windows\System32\threat685y.pk2
c:\windows\System32\threat721y.arc
c:\windows\System32\threat728y.pk3
c:\windows\System32\threat732y.cab
c:\windows\System32\threat74y.cab
c:\windows\System32\threat764y.rar
c:\windows\System32\threat768y.d01
c:\windows\System32\threat775y.jad
c:\windows\System32\threat78y.d03
c:\windows\System32\threat811y.d02
c:\windows\System32\threat853y.dtt
c:\windows\System32\threat927y.d01
c:\windows\System32\uninstall2b4.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\701_data.bin
c:\windows\System32\709part.bin
c:\windows\System32\866_data.zip
c:\windows\System32\images875.zip
c:\windows\System32\threat121y.d05
c:\windows\System32\threat157y.9o
c:\windows\System32\threat163y.pkg
c:\windows\System32\threat199y.63
c:\windows\System32\threat237y.d03
c:\windows\System32\threat273y.tdt
c:\windows\System32\threat279y.d05
c:\windows\System32\threat315y.9o
c:\windows\System32\threat322y.pkl
c:\windows\System32\threat358y.zip
c:\windows\System32\threat365y.d01
c:\windows\System32\threat369y.tdt
c:\windows\System32\threat394y.pkd
c:\windows\System32\threat401y.ppp
c:\windows\System32\threat405y.pkl
c:\windows\System32\threat441y.ure
c:\windows\System32\threat448y.bin
c:\windows\System32\threat484y.d06
c:\windows\System32\threat490y.pk
c:\windows\System32\threat526y.pk1
c:\windows\System32\threat562y.jar
c:\windows\System32\threat564y.pkl
c:\windows\System32\threat600y.ure
c:\windows\System32\threat606y.dat
c:\windows\System32\threat636y.cab
c:\windows\System32\threat642y.pk0
c:\windows\System32\threat678y.klg
c:\windows\System32\threat685y.pk2
c:\windows\System32\threat721y.arc
c:\windows\System32\threat728y.pk3
c:\windows\System32\threat732y.cab
c:\windows\System32\threat74y.cab
c:\windows\System32\threat764y.rar
c:\windows\System32\threat768y.d01
c:\windows\System32\threat775y.jad
c:\windows\System32\threat78y.d03
c:\windows\System32\threat811y.d02
c:\windows\System32\threat853y.dtt
c:\windows\System32\threat927y.d01
c:\windows\System32\uninstall2b4.bin

.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-30 )))))))))))))))))))))))))))))))
.

2008-11-29 15:38 . 2008-11-29 15:39 <DIR> d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-29 15:38 . 2008-11-29 15:39 <DIR> d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-29 15:38 . 2008-11-29 15:39 <DIR> d-------- c:\program files\iTunes
2008-11-29 15:36 . 2008-11-29 15:36 <DIR> d-------- c:\program files\QuickTime
2008-11-28 20:42 . 2008-11-28 20:42 <DIR> d-------- c:\users\All Users\Avg8
2008-11-28 20:42 . 2008-11-28 20:42 <DIR> d-------- c:\programdata\Avg8
2008-11-28 15:56 . 2008-11-28 20:36 <DIR> d-------- C:\Qoobox fromcombofix
2008-11-21 09:00 . 2008-11-21 10:29 <DIR> d-------- C:\rsit
2008-11-20 16:04 . 2008-11-21 08:39 250 --a------ c:\windows\gmer.ini
2008-11-20 09:08 . 2008-11-20 09:08 <DIR> d-------- c:\users\All Users\Windows Genuine Advantage
2008-11-20 07:32 . 2008-09-17 20:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2008-11-20 07:32 . 2008-09-17 20:56 125,952 --a------ c:\windows\System32\wersvc.dll
2008-11-19 19:01 . 2008-09-09 19:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-11-19 19:01 . 2008-09-04 21:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-11-19 19:01 . 2008-08-26 17:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-19 14:03 . 2008-11-19 14:05 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-11-18 16:07 . 2008-11-18 16:07 99 --a------ c:\windows\WININIT.INI
2008-11-17 21:19 . 2008-11-17 21:19 148,296 --ah----- c:\windows\System32\mlfcache.dat
2008-11-13 15:19 . 2008-11-13 15:19 <DIR> d-------- c:\program files\Alwil Software
2008-11-13 15:19 . 2008-11-18 10:02 51,792 --a------ c:\windows\System32\drivers\aswMonFlt.sys
2008-11-12 13:40 . 2008-11-12 13:40 18,420 --a------ c:\windows\System32\resource491.6O7
2008-11-04 10:30 . 2008-11-04 10:30 90,112 --a------ c:\windows\System32\QuickTimeVR.qtx
2008-11-04 10:30 . 2008-11-04 10:30 57,344 --a------ c:\windows\System32\QuickTime.qts
2008-10-29 07:23 . 2008-08-11 19:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-10-15 17:12 . 2008-09-17 21:09 3,601,464 --a------ c:\windows\System32\ntkrnlpa.exe
2008-10-15 17:12 . 2008-09-17 21:09 3,549,240 --a------ c:\windows\System32\ntoskrnl.exe
2008-10-15 17:12 . 2008-09-17 18:16 2,032,640 --a------ c:\windows\System32\win32k.sys
2008-10-15 17:12 . 2008-10-01 17:32 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-10-15 17:12 . 2008-10-01 19:49 827,392 --a------ c:\windows\System32\wininet.dll
2008-10-15 17:12 . 2008-08-26 17:06 288,768 --a------ c:\windows\System32\drivers\srv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 05:16 --------- d-----w c:\users\Harry\AppData\Roaming\Skype
2008-11-30 02:17 --------- d-----w c:\users\Harry\AppData\Roaming\skypePM
2008-11-29 23:38 --------- d-----w c:\program files\iPod
2008-11-29 23:38 --------- d-----w c:\program files\Common Files\Apple
2008-11-29 23:30 --------- d-----w c:\program files\Safari
2008-11-14 23:44 --------- d-----w c:\users\Harry\AppData\Roaming\uTorrent
2008-10-22 15:27 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-01 00:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-28 17:25 --------- d--h--w c:\program files\InstallShield Installation Information
2008-09-28 17:23 --------- d-----w c:\programdata\PC Drivers HeadQuarters
2008-09-28 17:23 --------- d-----w c:\program files\PC Drivers HeadQuarters
2008-09-28 15:58 --------- d-----w c:\program files\TeVeo
2008-09-28 15:58 --------- d-----w c:\program files\HomeConnect
2008-09-28 15:58 --------- d-----w c:\program files\3Com PC Digital WebCam Lite
2008-09-28 15:56 --------- d-----w c:\program files\ArcSoft
2008-09-24 21:47 32 ----a-w c:\users\All Users\ezsid.dat
2008-09-24 21:47 32 ----a-w c:\programdata\ezsid.dat
2008-08-29 17:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-08-29 16:53 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-08-02 03:26 36,864 ----a-w c:\windows\System32\cdd.dll
2008-05-26 21:20 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-18 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-18 125952]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"PLFSet"="c:\windows\PLFSet.dll" [2007-04-25 45056]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-07-15 768520]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2007-05-24 206952]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-06-06 159744]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-18 81000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-05 c:\windows\RtHDVCpl.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-06-17 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eNetHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VQC2"= vqdecode.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2202586810-2236196959-55598472-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{55FA8D98-00EE-46D4-80F6-B2FE8E7C8C8D}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{EF222906-87A4-4828-9F6B-D7BB099B5C73}"= c:\program files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician
"{4C9D47C0-EEF7-4203-8B67-FB56A04C48B9}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia
"{1055584B-7CE5-4C0D-85DF-5830B30182F0}"= c:\program files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard
"{B865A331-0198-4E67-8AB0-0829040F707B}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FFF9EBCC-F1FB-45DC-A85F-F986FB6DFA59}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{EC433046-11D0-4C16-948F-AAA0FE160F72}"= c:\program files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
"{C9845F71-2301-405D-A405-D60128F455DB}"= c:\program files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie
"{F0640AF7-F4F7-4C1B-9DA5-EA1EBD3AB2E9}"= c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program
"TCP Query User{DB0664D2-A1A6-486E-8BBA-FD2DBCBF0AB2}c:\\program files\\shareaza\\shareaza.exe"= UDP:c:\program files\shareaza\shareaza.exe:Shareaza Ultimate File Sharing
"UDP Query User{2EF4F163-0111-4EC1-AB90-96EFF4C4DFC0}c:\\program files\\shareaza\\shareaza.exe"= TCP:c:\program files\shareaza\shareaza.exe:Shareaza Ultimate File Sharing
"{7BFC3039-AB90-4AEB-A59A-DE1B444497C4}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{BB4D9FCB-E215-4CC6-B3FB-D05D07E2FEDA}c:\\phxtitanium\\mirc.exe"= UDP:c:\phxtitanium\mirc.exe:mIRC
"UDP Query User{14678838-5BBC-4097-A30C-1E739A06C787}c:\\phxtitanium\\mirc.exe"= TCP:c:\phxtitanium\mirc.exe:mIRC
"TCP Query User{DC0F1FF8-FBDE-4F12-9B98-70DC911A8336}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{7B61C991-3D70-475B-9FE7-0F40A9A4AF14}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{32C6FF70-D9C1-428E-AEF0-C3BE9CF98489}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{411CF3C9-C0AC-433E-90BE-37AF673168F4}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{A64CEFBF-EDDA-4D10-A350-B6F0F232D294}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{03E89DC8-49E5-46D1-A07F-8ADEF55CC440}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2033C4F4-F2FD-4B43-A03F-5DA2EFDDAF65}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{ADDEDCE4-DA61-48FE-AE43-5E1723DA809D}"= Disabled:UDP:c:\program files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{21747B56-E846-4A14-80E0-E61321466985}"= Disabled:TCP:c:\program files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{F240B5A1-B302-4AB8-AA33-4D047B7BB7C0}"= Disabled:UDP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail
"{6714E47D-9404-4699-A103-1BEE5858A661}"= Disabled:TCP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail
"{4A1789C4-56D9-4ACB-BC23-40D77F80DAD7}"= Disabled:UDP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail
"{34992DA2-912F-4181-96D8-64F05B4DD3FE}"= Disabled:TCP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail
"TCP Query User{C4A21DFB-45CF-47CA-AA02-16F8474D5EFD}c:\\program files\\teveo\\teveolive\\teveolive.exe"= UDP:c:\program files\teveo\teveolive\teveolive.exe:TeVeoLive
"UDP Query User{0D709E88-B35D-4C78-861D-9DDB079D3C35}c:\\program files\\teveo\\teveolive\\teveolive.exe"= TCP:c:\program files\teveo\teveolive\teveolive.exe:TeVeoLive
"{DC67434A-7245-4416-8BD4-EE1E54E891DE}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{93BD91A6-1C4D-4BF8-B267-76D4BF443620}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-13 110160]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2008-01-27 11:59:37 13560]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-13 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2008-11-13 51792]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-07-25 179712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-01-29 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-30 11:13:52
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\windows\system32\eNetHook.dll

- - - - - - - > 'lsass.exe'(596)
c:\windows\system32\eNetHook.dll
.
Completion time: 2008-11-30 11:15:41
ComboFix-quarantined-files.txt 2008-11-30 19:15:38
ComboFix2.txt 2008-11-29 04:36:15

Pre-Run: 14,326,145,024 bytes free
Post-Run: 14,247,374,848 bytes free

274 --- E O F --- 2008-11-27 16:30:28
Thanks

[Ried]

Everything seems to have gone as planned. Are there any other concerns before I provide instructions for tidying up the system?

[robbb]

no thanks. please provide final instructions thx

[Ried]

Then we shall proceed.

First, I need you to rename C:\Qoobox fromcombofix

back to C:\Qoobox or ComboFix will not be able to tidy up after itself properly.

-----------------------------------------

The following procedure will clear out the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

• It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

Vista UAC does protect

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.

[robbb]

thanks for all your help. much appreciated Combofix/u does not run and there was already a c:// qoobox so i merged them. I hope that is okay as when i tried to change the name there was already one there.

[Ried]

Please try again. There is a space between ComboFix and /u.

Let me know if that worked for you.

[robbb]

didn't work with the space either i copied pasted it and tried typing it combofix /u

[Ried]

Let's do this..delete the existing ComboFix.exe from your desktop and download a fresh copy from here

Be sure to save it to your desktop.

Now try again to invoke the command ComboFix /u

[robbb]

it worked but why is it important to uninstall combofix and was it okay to merge the qooboxs together? Is it okay to have the programs you mentioned like spywareblaster and mcafee site advisor and iespyad installed and running with avast and adaware which i already have Do these new programs interfere with my school course sites or banking sites?

[Ried]

As long as you placed the renamed Qoobox folder inside of the original Qoobox folder, all will be fine.

It's important to uninstall ComboFix so it may clear out the backups and quarantines created by the fix, as well as remove the files it needed to place on your system in order to do what it does so efficiently.

No, those programs will not conflict with your currently installed protection. They do not fall under the category of 'Active Protection' as they do not 'watch' for any other malware. You install them, and that's it. The protection is in place to block malware that is listed in their databases.

If there is any interference reaching sites for your schoolwork, it would be because a particular site you are trying to reach is in their database of 'bad sites'.

[robbb]

Thanks again for all your help and time.See ya

[Ried]

You're welcome.

Take care.