Help!

hijack this log- can run online scans

 
  

greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Mon Apr 27, 2009 10:00 pm    Post subject:

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Quote:
File::
C:\40.tmp
c:\windows\DUMP60dc.tmp
c:\windows\DUMP5b00.tmp
C:\1A.tmp
C:\19.tmp
C:\18.tmp
C:\17.tmp
C:\16.tmp
C:\15.tmp
C:\14.tmp
C:\13.tmp
C:\8.tmp
C:\12.tmp
C:\F.tmp
C:\E.tmp
C:\11.tmp
C:\10.tmp
C:\7.tmp
C:\3.tmp
C:\D.tmp
C:\C.tmp
C:\4.tmp
C:\6.tmp
C:\5.tmp
FCopy::
c:\windows\ServicePackFiles\i386\userinit.exe | c:\windows\system32\userinit.exe

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.
dito1



Joined: Nov 15, 2008
Posts: 30



PostPosted: Tue Apr 28, 2009 8:39 pm    Post subject:

Not sure if this makes a difference, but I ran this once and was waiting for the log, and my son closed out of ComboFix, so I had to run it again. Here is the log.

ComboFix 09-04-28.02 - Joe 04/28/2009 20:33.4 - NTFSx86
Running from: c:\documents and settings\Joe\Desktop\Cfforo.exe
Command switches used :: c:\documents and settings\Joe\Desktop\CFScript.txt
AV: Trend Micro AntiVirus *On-access scanning enabled* (Updated)

FILE ::
C:\10.tmp
C:\11.tmp
C:\12.tmp
C:\13.tmp
C:\14.tmp
C:\15.tmp
C:\16.tmp
C:\17.tmp
C:\18.tmp
C:\19.tmp
C:\1A.tmp
C:\3.tmp
C:\4.tmp
C:\40.tmp
C:\5.tmp
C:\6.tmp
C:\7.tmp
C:\8.tmp
C:\C.tmp
C:\D.tmp
C:\E.tmp
C:\F.tmp
c:\windows\DUMP5b00.tmp
c:\windows\DUMP60dc.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\14.tmp
C:\15.tmp
C:\16.tmp
C:\17.tmp
C:\18.tmp
C:\19.tmp
C:\1A.tmp
c:\windows\system32\ntos.exe
c:\windows\system32\ntos.exe . . . . failed to delete
.
---- Previous Run -------
.
C:\10.tmp
C:\11.tmp
C:\12.tmp
C:\13.tmp
C:\14.tmp
C:\15.tmp
C:\16.tmp
C:\17.tmp
C:\18.tmp
C:\19.tmp
C:\1A.tmp
C:\3.tmp
C:\4.tmp
C:\40.tmp
C:\5.tmp
C:\6.tmp
C:\7.tmp
C:\8.tmp
C:\C.tmp
C:\D.tmp
C:\E.tmp
C:\F.tmp
c:\windows\DUMP5b00.tmp
c:\windows\DUMP60dc.tmp

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\userinit.exe . . . is infected!!

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\userinit.exe --> c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_restore
-------\Service_restore


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-29 00:38 . 2009-04-29 00:38 15000 ----a-w c:\windows\system32\kjsdiowq8oikf.dll
2009-04-29 00:38 . 2009-04-29 00:38 -------- d-sh--w c:\windows\system32\wsnpoem
2009-04-28 01:57 . 2009-04-28 01:57 -------- d-----w c:\documents and settings\Joe\Local Settings\Application Data\Identities
2009-04-26 22:36 . 2009-04-26 22:36 -------- d-----w C:\temp
2009-04-26 22:36 . 2009-04-26 22:36 -------- d-----w c:\temp\HP All-in-One Series Web Release
2009-04-26 16:25 . 2009-04-26 16:25 1033 ---ha-w c:\documents and settings\Joey\hpothb07.dat
2009-04-26 16:19 . 2009-04-26 16:19 -------- d-----w c:\documents and settings\Joe\Application Data\Hewlett-Packard
2009-04-26 02:56 . 2009-04-26 02:56 -------- d-----w C:\cfbleep
2009-04-25 22:23 . 2009-04-25 22:23 -------- d-----w c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Skinux
2009-04-25 22:23 . 2009-04-25 22:23 -------- d-----w c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\ArcSoft
2009-04-25 22:22 . 2009-04-25 22:23 -------- d-----w c:\documents and settings\LocalService.NT AUTHORITY\Application Data\ArcSoft
2009-04-25 22:22 . 2009-04-25 22:22 -------- d-----w c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Malwarebytes
2009-04-25 01:28 . 2009-04-26 03:17 -------- d-----w c:\documents and settings\Joe\Application Data\Move Networks
2009-04-24 14:10 . 2008-06-19 20:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-24 14:10 . 2009-04-24 14:10 -------- d-----w c:\program files\Panda Security
2009-04-24 13:53 . 2009-04-24 13:53 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-04-24 13:53 . 2009-04-24 13:53 -------- d-----w c:\documents and settings\Joe\Application Data\SUPERAntiSpyware.com
2009-04-24 12:47 . 2009-04-24 12:47 -------- d-----w c:\documents and settings\Joe\Application Data\Malwarebytes
2009-04-24 12:47 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-24 12:47 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 12:47 . 2009-04-24 12:47 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-04-24 01:31 . 2009-04-24 01:31 -------- d-----w c:\documents and settings\Joe\Application Data\AVG8
2009-04-23 11:33 . 2009-04-23 11:33 -------- d-----w c:\documents and settings\Joe\Application Data\U3
2009-04-23 01:47 . 2009-04-23 01:47 -------- d-----w C:\_OTMoveIt
2009-04-23 01:21 . 2009-04-23 01:21 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Skinux
2009-04-23 01:20 . 2009-04-23 01:20 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\ArcSoft
2009-04-23 00:02 . 2009-04-23 00:02 -------- d-----w c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Apple
2009-04-22 20:52 . 2009-04-22 20:52 -------- d-s---w c:\windows\system32\config\systemprofile\UserData
2009-04-22 20:51 . 2009-04-22 20:51 213120 -c----w c:\windows\system32\dllcache\ndis.sys
2009-04-22 17:42 . 2009-04-22 17:42 -------- d-----w c:\documents and settings\Joe\Local Settings\Application Data\KodakGallery
2009-04-22 17:42 . 2009-04-22 17:42 -------- d-----w c:\documents and settings\Joe\Application Data\KodakCredentialStore
2009-04-22 17:41 . 2009-04-22 17:41 -------- d-----w c:\documents and settings\Joe\Application Data\Skinux
2009-04-22 12:09 . 2009-03-19 20:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-04-22 12:09 . 2008-04-17 16:12 107368 ----a-w c:\windows\system32\GEARAspi.dll
2009-04-22 12:09 . 2009-04-22 12:09 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-22 12:04 . 2009-04-22 12:04 -------- d-----w c:\documents and settings\Joe\Local Settings\Application Data\ArcSoft
2009-04-22 12:04 . 2009-04-23 20:48 -------- d-----w c:\documents and settings\Joe\Application Data\ArcSoft
2009-04-22 12:04 . 2009-04-22 12:04 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\ArcSoft
2009-04-22 12:03 . 2009-04-22 12:03 -------- d-----w c:\program files\ArcSoft
2009-04-22 12:03 . 2009-04-22 12:04 -------- d-----w c:\program files\Common Files\ArcSoft
2009-04-22 12:03 . 2001-08-18 02:36 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-04-22 12:03 . 2008-04-13 18:45 15104 -c--a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-22 12:03 . 2008-04-13 18:45 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-22 12:03 . 2008-04-14 00:12 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-04-22 11:58 . 2008-05-02 10:49 62976 -c----w c:\windows\system32\dllcache\cdrom.sys
2009-04-22 11:58 . 2008-05-02 13:25 465920 -c----w c:\windows\system32\dllcache\imapi2fs.dll
2009-04-22 11:58 . 2008-05-02 13:25 465920 ------w c:\windows\system32\imapi2fs.dll
2009-04-22 11:58 . 2008-05-02 13:25 317952 -c----w c:\windows\system32\dllcache\imapi2.dll
2009-04-22 11:58 . 2008-05-02 13:25 317952 ------w c:\windows\system32\imapi2.dll
2009-04-22 11:52 . 2009-04-22 12:04 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Kodak
2009-04-22 00:01 . 2008-06-13 11:05 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-21 23:59 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-21 23:59 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-21 23:59 . 2009-02-06 11:11 131072 -c----w c:\windows\system32\dllcache\services.exe
2009-04-21 23:59 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-21 23:59 . 2009-02-06 10:10 248320 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-21 23:59 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-21 23:59 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-21 23:59 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-21 23:59 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-21 23:59 . 2009-02-06 11:06 2145280 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-21 23:59 . 2009-02-06 11:08 2189056 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-21 23:59 . 2009-02-06 10:32 2023936 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-21 23:58 . 2008-05-08 14:02 203136 -c----w c:\windows\system32\dllcache\rmcast.sys
2009-04-21 23:58 . 2008-10-24 11:21 455296 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-21 23:57 . 2008-12-11 10:57 333952 -c----w c:\windows\system32\dllcache\srv.sys
2009-04-21 23:57 . 2008-05-01 14:33 331776 -c----w c:\windows\system32\dllcache\msadce.dll
2009-04-21 23:57 . 2008-04-11 19:04 691712 -c----w c:\windows\system32\dllcache\inetcomm.dll
2009-04-21 23:53 . 2008-10-15 16:34 337408 -c----w c:\windows\system32\dllcache\netapi32.dll
2009-04-21 23:53 . 2008-09-04 17:15 1106944 -c----w c:\windows\system32\dllcache\msxml3.dll
2009-04-21 23:52 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-21 23:52 . 2008-04-21 12:08 236032 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-21 23:48 . 2009-04-21 23:48 15890 ----a-w c:\windows\system32\drivers\mdc8021x.sys
2009-04-21 23:47 . 2008-04-13 18:45 6272 ----a-w c:\windows\system32\drivers\splitter.sys
2009-04-21 23:47 . 2008-04-13 19:17 83072 ----a-w c:\windows\system32\drivers\wdmaud.sys
2009-04-21 23:47 . 2008-04-13 18:45 52864 ----a-w c:\windows\system32\drivers\DMusic.sys
2009-04-21 23:47 . 2008-04-13 18:45 56576 ----a-w c:\windows\system32\drivers\swmidi.sys
2009-04-21 23:47 . 2008-04-13 16:39 142592 ----a-w c:\windows\system32\drivers\aec.sys
2009-04-21 23:47 . 2008-04-13 18:45 172416 ----a-w c:\windows\system32\drivers\kmixer.sys
2009-04-21 23:47 . 2008-04-13 18:45 2944 ----a-w c:\windows\system32\drivers\drmkaud.sys
2009-04-21 23:47 . 2008-04-13 19:15 60800 ----a-w c:\windows\system32\drivers\sysaudio.sys
2009-04-21 23:47 . 2006-03-21 00:54 1052672 ----a-w c:\windows\system32\stlang.dll
2009-04-21 23:47 . 2006-03-20 20:00 303104 ----a-w c:\windows\stsystra.exe
2009-04-21 23:47 . 2008-04-13 18:45 60160 ----a-w c:\windows\system32\drivers\drmk.sys
2009-04-21 23:47 . 2006-03-20 20:04 112128 ----a-w c:\windows\system32\staco.dll
2009-04-21 23:38 . 2009-04-21 23:39 -------- dc-h--w c:\documents and settings\All Users.WINDOWS\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-04-21 23:14 . 2004-08-04 02:29 25471 ------w c:\windows\system32\drivers\watv10nt.sys
2009-04-21 23:14 . 2004-08-04 02:29 22271 ------w c:\windows\system32\drivers\watv06nt.sys
2009-04-21 23:14 . 2004-08-04 02:29 11871 ------w c:\windows\system32\drivers\wadv09nt.sys
2009-04-21 23:14 . 2004-08-04 02:29 11935 ------w c:\windows\system32\drivers\wadv11nt.sys
2009-04-21 23:14 . 2004-08-04 02:29 11807 ------w c:\windows\system32\drivers\wadv07nt.sys
2009-04-21 23:14 . 2004-08-04 02:29 11295 ------w c:\windows\system32\drivers\wadv08nt.sys
2009-04-21 23:11 . 2004-08-04 02:29 63488 ------w c:\windows\system32\drivers\atinxsxx.sys
2009-04-21 22:57 . 2008-07-09 07:38 26488 ----a-w c:\windows\system32\spupdsvc.exe
2009-04-21 22:56 . 2009-04-21 22:56 -------- d-s---w c:\documents and settings\Joe\UserData
2009-04-21 22:24 . 2009-04-21 22:24 -------- d-----w c:\program files\Dell
2009-04-21 22:09 . 2008-04-13 18:39 7552 ----a-w c:\windows\system32\drivers\mskssrv.sys
2009-04-21 22:09 . 2008-04-13 18:39 4992 ----a-w c:\windows\system32\drivers\mspqm.sys
2009-04-21 22:09 . 2008-04-13 18:39 5376 ----a-w c:\windows\system32\drivers\mspclock.sys
2009-04-21 22:09 . 2001-08-17 17:57 16128 -c--a-w c:\windows\system32\dllcache\modemcsa.sys
2009-04-21 22:09 . 2001-08-17 17:57 16128 ----a-w c:\windows\system32\drivers\MODEMCSA.sys
2009-04-21 22:09 . 2008-04-14 00:11 4096 ----a-w c:\windows\system32\ksuser.dll
2009-04-21 22:09 . 2009-04-21 22:09 -------- d-----w c:\program files\CONEXANT
2009-04-21 22:03 . 2009-04-21 22:03 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\DIGStream
2009-04-21 22:03 . 2009-04-21 22:03 126 ----a-w c:\documents and settings\Joe\Local Settings\Application Data\fusioncache.dat
2009-04-21 22:03 . 2009-04-21 22:55 -------- d-----w c:\documents and settings\Joe\Local Settings\Application Data\ApplicationHistory
2009-04-21 22:03 . 2009-04-21 22:03 -------- d-----w c:\program files\GemMaster
2009-04-21 22:03 . 2007-09-17 12:07 376832 ----a-w c:\windows\system32\nvudisp.exe
2009-04-21 22:03 . 2009-04-21 22:03 -------- d-----w c:\program files\EnglishOtto
2009-04-21 21:57 . 2009-04-26 02:54 -------- d-----w c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft
2009-04-21 21:57 . 2009-04-25 22:22 -------- d-sh--w c:\documents and settings\LocalService.NT AUTHORITY
2009-04-21 21:55 . 2009-04-28 20:55 13880 ----a-w c:\documents and settings\Joe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-21 21:45 . 2009-04-24 22:25 -------- d-----w c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft
2009-04-21 21:45 . 2009-04-24 22:26 -------- d-sh--w c:\documents and settings\NetworkService.NT AUTHORITY
2009-04-21 21:42 . 2004-08-10 11:00 36864 -c--a-w c:\windows\system32\dllcache\quser.exe
2009-04-21 21:41 . 2004-08-10 11:00 514587 -c--a-w c:\windows\system32\dllcache\edb500.dll
2009-04-21 21:40 . 2009-04-21 21:40 -------- d-----w c:\documents and settings\Default User.WINDOWS\Local Settings\Application Data\Microsoft
2009-04-21 21:39 . 2009-04-21 22:06 -------- d-sh--w c:\documents and settings\All Users.WINDOWS\DRM
2009-04-21 21:37 . 2009-04-21 21:37 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-04-21 21:35 . 2008-04-14 00:13 40840 ----a-w c:\windows\system32\drivers\termdd.sys
2009-04-21 21:35 . 2008-04-13 18:32 196224 ----a-w c:\windows\system32\drivers\rdpdr.sys
2009-04-21 21:32 . 2009-04-21 21:32 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Trend Micro
2009-04-21 21:18 . 2009-04-22 01:37 13484 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-21 21:18 . 2009-04-24 22:27 1324 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-21 21:18 . 2009-04-22 12:09 -------- d-----w c:\documents and settings\Joe\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 00:38 . 2004-08-10 11:00 462336 ------w c:\windows\system32\ntos.exe
2009-04-29 00:38 . 2009-04-29 00:38 0 ----a-w C:\10.tmp
2009-04-29 00:38 . 2009-04-29 00:38 0 ----a-w C:\F.tmp
2009-04-29 00:38 . 2009-04-29 00:38 0 ----a-w C:\E.tmp
2009-04-29 00:38 . 2009-04-29 00:38 38 ----a-w C:\C.tmp
2009-04-29 00:38 . 2009-04-29 00:38 0 ----a-w C:\D.tmp
2009-04-29 00:38 . 2009-04-29 00:38 0 ----a-w C:\B.tmp
2009-04-29 00:38 . 2009-04-29 00:38 0 ----a-w C:\A.tmp
2009-04-29 00:38 . 2009-04-29 00:38 0 ----a-w C:\9.tmp
2009-04-29 00:38 . 2009-04-29 00:38 0 ----a-w C:\8.tmp
2009-04-29 00:38 . 2009-04-29 00:38 34663 ----a-w C:\7.tmp
2009-04-29 00:38 . 2009-04-29 00:38 54784 ----a-w C:\6.tmp
2009-04-28 21:02 . 2009-04-28 21:02 0 ----a-w C:\24.tmp
2009-04-28 21:02 . 2009-04-28 21:02 0 ----a-w C:\23.tmp
2009-04-28 21:02 . 2009-04-28 21:02 0 ----a-w C:\22.tmp
2009-04-28 21:02 . 2009-04-28 21:02 0 ----a-w C:\21.tmp
2009-04-28 21:02 . 2009-04-28 21:02 0 ----a-w C:\20.tmp
2009-04-28 21:02 . 2009-04-28 21:02 0 ----a-w C:\1F.tmp
2009-04-28 21:02 . 2009-04-28 21:02 0 ----a-w C:\1E.tmp
2009-04-28 21:02 . 2009-04-28 21:02 0 ----a-w C:\1D.tmp
2009-04-28 21:02 . 2009-04-28 21:02 0 ----a-w C:\1C.tmp
2009-04-28 21:02 . 2009-04-28 21:02 0 ----a-w C:\1B.tmp
2009-04-28 11:29 . 2008-04-23 12:12 -------- d-----w c:\program files\Trend Micro
2009-04-25 17:40 . 2005-03-30 01:21 2145280 ---ha-w c:\windows\system32\ntoskrnl.exe
2009-04-24 13:53 . 2008-11-15 17:20 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-24 13:53 . 2008-11-15 17:20 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-24 12:47 . 2008-11-18 03:08 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 20:51 . 2004-08-10 11:00 213120 ------w c:\windows\system32\drivers\ndis.sys
2009-04-22 12:09 . 2009-03-25 22:43 -------- d-----w c:\program files\iTunes
2009-04-22 12:04 . 2008-04-22 12:14 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-22 12:02 . 2008-04-27 21:57 -------- d-----w c:\program files\Common Files\Kodak
2009-04-21 23:43 . 2009-04-21 21:39 87747 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-21 22:06 . 2008-04-22 09:51 -------- d-----w c:\program files\RGB
2009-04-21 22:03 . 2008-04-22 09:50 -------- d-----w c:\program files\ESPNMotion
2009-04-21 22:03 . 2008-04-22 09:50 -------- d-----w c:\program files\DIGStream
2009-04-21 21:40 . 2004-08-10 11:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-04-21 21:17 . 2008-07-15 05:01 -------- d-----w c:\program files\Safari
2009-04-21 12:17 . 2008-04-24 14:33 -------- d-----w c:\program files\Ahead
2009-04-21 00:38 . 2008-07-17 05:07 -------- d-----w c:\program files\SPSSGP
2009-04-21 00:30 . 2008-06-09 05:14 -------- d-----w c:\program files\Microsoft Works
2009-04-21 00:16 . 2008-08-02 15:15 -------- d-----w c:\program files\Boardmaker with SD Pro
2009-04-13 23:35 . 2008-06-09 05:41 19442 ----a-w c:\documents and settings\Joey\Application Data\wklnhst.dat
2009-04-03 12:52 . 2004-08-10 11:00 -------- d-----w c:\program files\Common Files\Mozilla Shared
2009-04-02 23:08 . 2009-04-21 21:43 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-02 23:08 . 2009-04-21 21:43 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-02 23:08 . 2009-04-21 21:43 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-03-29 19:31 . 2008-09-06 20:41 65248 ----a-w c:\documents and settings\Joey\Application Data\GDIPFONTCACHEV1.DAT
2009-03-25 22:43 . 2009-03-25 22:43 -------- d-----w c:\program files\iPod
2009-03-25 22:43 . 2008-04-22 14:26 -------- d-----w c:\program files\Common Files\Apple
2009-03-25 22:41 . 2009-03-25 22:41 -------- d-----w c:\program files\Bonjour
2009-03-25 09:10 . 2009-02-17 14:13 1324 ----a-w c:\documents and settings\Joey\Local Settings\Application Data\d3d9caps.tmp
2009-03-19 02:13 . 2009-03-19 02:13 -------- d-----w c:\program files\Zone Labs
2009-03-19 02:11 . 2009-03-19 02:11 -------- d-----w c:\program files\Alwil Software
2009-03-07 01:56 . 2009-03-07 01:56 65248 ----a-w c:\documents and settings\Beata\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:22 . 2004-08-10 11:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 02:17 . 2009-04-21 21:38 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-03-06 02:17 . 2009-04-21 21:38 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-03-06 02:17 . 2009-04-21 21:38 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-03-06 00:50 . 2009-03-06 00:50 -------- d-----w c:\program files\JumpStart
2009-03-06 00:50 . 2009-03-06 00:50 -------- d-----w c:\program files\Common Files\Knowledge Adventure
2009-03-06 00:50 . 2008-04-22 12:13 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-03 23:12 . 2009-04-21 21:38 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-03-02 00:20 . 2008-05-03 18:49 -------- d-----w c:\program files\Google
2009-02-26 12:35 . 2008-04-22 14:19 65248 ----a-w c:\documents and settings\Joey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 08:10 . 2006-03-04 03:33 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-10 11:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-10 11:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 11:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 11:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-10 11:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-10 11:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-10 11:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 10:39 . 2004-08-10 11:00 55808 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2005-03-30 01:01 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-10 11:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-07-21 03:18 . 2008-07-21 03:18 251 ----a-w c:\program files\wt3d.ini
.

------- Sigcheck -------

[-] 2004-08-10 11:00 34816 73638095376F85943A492B672726F0C3 c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2008-04-14 00:12 34816 6E459BE75587AABFC6ED5BC5D1131840 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 00:12 34816 1A5CD2861195499FBEE224DEE47C3BD6 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe
[-] 2008-04-14 00:12 34816 CE13AE101B4A21E74BFD5C2022E85F2C c:\windows\system32\svchost.exe

[-] 2004-08-10 11:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys
[-] 2009-04-22 20:51 213120 D9C9981C9E83DB13FFC803AEDF5CB57E c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-22 20:51 213120 1CD9BDD460658BB768618AF445B4A1C4 c:\windows\system32\drivers\ndis.sys

[-] 2008-04-14 00:12 1054208 36C280DF671D9F6BECD46AAD13B30711 c:\windows\explorer.exe
[-] 2004-08-10 11:00 1052672 F49FBC4489EEDAAC9E2CAAE906C839E2 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2008-04-14 00:12 1054208 E3BFC5975119C52E1290E4B0DEDB76A0 c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 00:12 1054208 7997C3EF507C0D88476947868BCD5686 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe

[-] 2004-08-10 11:00 35840 868C3D7E7108B77C1A248954E2AB7955 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2008-04-14 00:12 35840 39EE0BB8028B752B26B1C540EE0705E4 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 00:12 35840 BFE7C42A6D99085FD0F70C25B317EA39 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ctfmon.exe
[-] 2008-04-14 00:12 35840 9CE5A9751DFE8810DD30CF2F86F52DDE c:\windows\system32\ctfmon.exe

[-] 2004-08-10 11:00 78336 D3D66695112A61659D5D90397AD1DC73 c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2008-04-14 00:12 78336 01001F6328235BBDBC07D08CCFD4A43C c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 00:12 78336 A33777D011510FE8BBA01D2F1CBFC15B c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\spoolsv.exe
[-] 2008-04-14 00:12 78336 C2FC8046C59CF1C26EE283E15F6DF0A6 c:\windows\system32\spoolsv.exe

[-] 2004-08-10 11:00 45056 2E666D08CBF4B47D836E86A2D762D47B c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2008-04-14 00:12 46592 19962F68665826C76AE5825F9C01227D c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 00:12 46592 598E3AEB4F0E476189382BF06F350265 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
[-] 2008-04-14 00:12 46592 19962F68665826C76AE5825F9C01227D c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot.DeleteThis@2009-04-26_03.07.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-29 00:38 . 2009-04-29 00:38 15001 c:\windows\temp\u44icsr.exe
+ 2009-04-29 00:38 . 2009-04-29 00:38 15000 c:\windows\temp\jhsgi4josjkfg.exe
+ 2009-04-29 00:38 . 2009-04-29 00:38 34817 c:\windows\temp\3601661250.exe
- 2009-04-21 21:30 . 2009-04-21 21:38 57856 c:\windows\Installer\mfcm80u.dll
+ 2009-04-21 21:30 . 2008-02-16 07:07 57856 c:\windows\Installer\mfcm80u.dll
+ 2009-04-21 21:30 . 2008-02-16 07:07 69632 c:\windows\Installer\mfcm80.dll
- 2009-04-21 21:30 . 2009-04-21 21:38 69632 c:\windows\Installer\mfcm80.dll
- 2009-04-21 21:30 . 2009-04-21 21:38 96256 c:\windows\Installer\atl80.dll
+ 2009-04-21 21:30 . 2008-02-16 07:07 96256 c:\windows\Installer\atl80.dll
+ 2009-04-21 21:30 . 2008-02-16 07:07 124168 c:\windows\Installer\TmDbg32.dll
+ 2009-04-21 21:30 . 2008-02-16 07:07 626688 c:\windows\Installer\msvcr80.dll
- 2009-04-21 21:30 . 2009-04-21 21:38 626688 c:\windows\Installer\msvcr80.dll
+ 2009-04-21 21:30 . 2008-02-16 07:07 548864 c:\windows\Installer\msvcp80.dll
- 2009-04-21 21:30 . 2009-04-21 21:38 548864 c:\windows\Installer\msvcp80.dll
- 2009-04-21 21:30 . 2009-04-21 21:38 479232 c:\windows\Installer\msvcm80.dll
+ 2009-04-21 21:30 . 2008-02-16 07:07 479232 c:\windows\Installer\msvcm80.dll
+ 2009-04-21 21:30 . 2008-02-16 07:07 156936 c:\windows\Installer\libexpat.dll
- 2009-04-21 21:30 . 2009-04-21 21:38 1093120 c:\windows\Installer\mfc80u.dll
+ 2009-04-21 21:30 . 2008-02-16 07:07 1093120 c:\windows\Installer\mfc80u.dll
+ 2009-04-21 21:30 . 2008-02-16 07:07 1101824 c:\windows\Installer\mfc80.dll
- 2009-04-21 21:30 . 2009-04-21 21:38 1101824 c:\windows\Installer\mfc80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1850608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 79872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-11-20 178688]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 434176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-03-09 208896]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-20 303104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Resurections"="c:\windows\TEMP\u44icsr.exe" [2009-04-29 15001]
"Diagnostic Manager"="c:\windows\TEMP\3601661250.exe" [2009-04-29 34817]

c:\documents and settings\Joey\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 404480]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 49152]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 303104]
NETGEAR WPN311 Wireless Assistant.lnk - c:\program files\NETGEAR\WPN311\wlancfg5.exe [2005-2-22 4538368]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{B2BA40A2-74F0-42BD-F434-12345A2C8953}"= "c:\windows\system32\kjsdiowq8oikf.dll" [2009-04-29 15000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,c:\windows\system32\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-03-19 09:45 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.DLL

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-08-20 55024]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-03-06 36368]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-08-20 7408]


--- Other Services/Drivers In Memory ---

*Deregistered* - ACDaemon
*Deregistered* - ACS
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - Apple Mobile Device
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ehRecvr
*Deregistered* - ehSched
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HTTP
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MDC8021X
*Deregistered* - mdmxsdk
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - pavboot
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SASDIFSV
*Deregistered* - SASENUM
*Deregistered* - SASKUTIL
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - tmactmon
*Deregistered* - tmcomm
*Deregistered* - tmevtmgr
*Deregistered* - tmpreflt
*Deregistered* - tmtdi
*Deregistered* - tmxpflt
*Deregistered* - TrkWks
*Deregistered* - Udfs
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - vsapint
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\h757j2am.default\
FF - plugin: c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\h757j2am.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 20:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3072)
c:\windows\system32\kjsdiowq8oikf.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\nvsvc32.exe
c:\windows\temp\BN3.tmp
c:\windows\system32\wscntfy.exe
c:\docume~1\Joe\LOCALS~1\temp\1111693954.exe
.
**************************************************************************
.
Completion time: 2009-04-29 20:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 00:41
ComboFix2.txt 2009-04-28 01:52
ComboFix3.txt 2009-04-26 03:11
ComboFix4.txt 2008-11-20 23:40

Pre-Run: 31,112,253,440 bytes free
Post-Run: 31,105,077,248 bytes free

555 --- E O F --- 2009-04-28 07:00
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Tue Apr 28, 2009 9:33 pm    Post subject:

Do you have your Windows XP CD with SP3? We need to extract a clean userinit.exe file back to the system32 folder. Go to Start->Run and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD. Otherwise, it will auto-close after it's done. If you don't have the CD with SP3, extract the files manually by downloading SP3 here. Save it to your c: drive. Go to Start > Run and copy/paste in C:\WindowsXP-KB936929-SP3-x86-ENU.exe /x and hit OK. Extract the files to a folder. Then look for userinit.ex_ and copy it directly to your C: drive.

Next restart your computer and keep a close eye on the screen when it starts booting up. You should see a window where it shows Windows XP Media Center Edition and Microsoft Windows Recovery Console. You want to hit your arrow key to select Microsoft Windows Recovery Console. Make sure you do this quickly (hit the arrow or any other arrow keys) as you will only have 2 seconds to do so before Windows starts up...which will then require you to restart and do this all over again. Once you select the recovery console, follow the on screen instructions. You may select 1 and hit ENTER when prompted which partition to work on. If prompted for a password enter the administrator password you created originally on this computer or just hit ENTER key for no password. Now at the prompt, type in each of the following hitting the ENTER key after each new line:

cd\Windows\system32
ren userinit.exe userinit.exe.old
expand C:\userinit.ex_ c:\Windows\system32\userinit.exe
exit


Hit F3 to exit or Ctrl+Alt+Del to restart it. Run ComboFix manually by double clicking on it and post the new log here.
dito1



Joined: Nov 15, 2008
Posts: 30



PostPosted: Thu Apr 30, 2009 7:20 am    Post subject:

I keep getting a blue screen every time I run the Recovery Console.
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Thu Apr 30, 2009 12:03 pm    Post subject:

You will need to boot from the XP CD in that case. See the instructions here. Follow option #2.
dito1



Joined: Nov 15, 2008
Posts: 30



PostPosted: Thu Apr 30, 2009 5:20 pm    Post subject:

It couldn't find the files or did not recognize the commands.
dito1



Joined: Nov 15, 2008
Posts: 30



PostPosted: Thu Apr 30, 2009 8:10 pm    Post subject: malware and hjt logs

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/30/2009 4:49:04 PM
mbam-log-2009-04-30 (16-49-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 221106
Time elapsed: 1 hour(s), 7 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protect (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Joe\reader_s.exe (Trojan.Agent) -> No action taken.
C:\31.tmp (Heuristics.Malware) -> No action taken.
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\Joe\Local Settings\temp\564023318.exe (Trojan.Downloader) -> No action taken.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:57 PM, on 4/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\medctrro.exe
C:\WINDOWS\TEMP\VRT16.tmp
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\reader_s.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BN1F.tmp
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Joe\reader_s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Joe\reader_s.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: NETGEAR WPN311 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (file missing)
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - C:\Program Files\Trend Micro\BM\TMBMSRV.exe (file missing)

--
End of file - 4816 bytes
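The Malwarebytes log above shows the classic Userinit hijack: the Winlogon\Userinit value, which should name only userinit.exe, has had ntos.exe appended so the bot starts at every logon. As an added example (not from this thread or from any of the tools it uses), here is a small offline Python check that splits a Userinit value into its entries, flags anything that is not the genuine userinit.exe, and pulls the Bad/Data values out of Malwarebytes log lines; the system32 path default and the two sample log lines are constructed from the log above.

```python
import ntpath
import re

# Default location of the genuine userinit.exe on the XP system in this thread
# (an assumption for the example; pass system32_dir for another install).
DEFAULT_SYSTEM32 = r"C:\WINDOWS\system32"
EXPECTED_NAME = "userinit.exe"


def parse_userinit(value):
    """Split a Winlogon\\Userinit value into its program entries.

    The value is a comma-separated list and normally ends with a comma,
    so the empty item that the trailing comma produces is dropped.
    """
    return [item.strip() for item in value.split(",") if item.strip()]


def check_userinit(value, system32_dir=DEFAULT_SYSTEM32):
    """Return the entries of a Userinit value that should not be there.

    An entry is acceptable only if it is userinit.exe, either as the bare
    name (resolved in system32 by winlogon) or with the system32 path.
    Anything else, such as the ntos.exe appended in the log above, or a
    userinit.exe living in a temp folder, is reported.
    """
    suspicious = []
    for entry in parse_userinit(value):
        directory, name = ntpath.split(entry.strip('"'))
        if name.lower() != EXPECTED_NAME:
            suspicious.append(entry)
        elif directory and directory.lower() != system32_dir.lower():
            suspicious.append(entry)
    return suspicious


# Malwarebytes reports a hijacked Userinit value in two shapes; both appear
# in the log above: "Bad: (...) Good: (...)" and "Data: <path>".
_BAD_GOOD_RE = re.compile(
    r"Winlogon\\Userinit \((?P<sig>[^)]+)\) -> Bad: \((?P<bad>[^)]*)\) Good: \("
)
_DATA_RE = re.compile(
    r"Winlogon\\Userinit \((?P<sig>[^)]+)\) -> Data: (?P<data>.*?) -> "
)


def findings_from_mbam(log_text, system32_dir=DEFAULT_SYSTEM32):
    """Scan Malwarebytes log text for Userinit lines and return a list of
    (signature name, suspicious entries) for each one found."""
    findings = []
    for line in log_text.splitlines():
        match = _BAD_GOOD_RE.search(line) or _DATA_RE.search(line)
        if not match:
            continue
        groups = match.groupdict()
        value = groups["bad"] if "bad" in groups else groups["data"]
        findings.append((groups["sig"], check_userinit(value, system32_dir)))
    return findings


# Constructed sample: the two Userinit lines from the log above, in the
# shape Malwarebytes prints them.
SAMPLE_MBAM_LINES = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> No action taken.
"""

if __name__ == "__main__":
    for signature, bad_entries in findings_from_mbam(SAMPLE_MBAM_LINES):
        print(signature, "->", bad_entries or "nothing unexpected")
```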
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Fri May 01, 2009 12:44 pm    Post subject:

Go to My Computer->Tools (or View)->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders (it's Show all files for Windows 98).
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.
** You may change the above options back after your log is clean. If we ask you to fix something that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Open c:\boot.ini and remove the following line:

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

Save the file and close it. Follow the instructions here and use the SP2 recovery console download. Drag it and drop it into ComboFix. Post the log here. Also see if you can get into the Recovery Console now after a restart. Just hold down the down arrow key until you see it scrolling through the two options to select which boot you want.
dito1



Joined: Nov 15, 2008
Posts: 30



PostPosted: Fri May 01, 2009 4:39 pm    Post subject:

Can't run ComboFix right now. Was able to do Malwarebytes, SUPERAntiSpyware in safe mode, and Panda ActiveScan and HJT. Here are the logs.

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

5/1/2009 11:29:27 PM
mbam-log-2009-05-01 (23-29-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 229513
Time elapsed: 40 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP36\A0021330.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joe\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\BN2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\BN9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sopidkc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tpszxyd.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dpcxool64.sys (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\BN1D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\31.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> Delete on reboot.


;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-05-02 09:10:20
PROTECTIONS: 1
MALWARE: 17
SUSPECTS: 323
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Trend Micro AntiVirus 17.1.1250 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[2].txt
00582267 W32/Sality.AO Virus No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP28\A0013198.EXE
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP35\A0019217.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP35\A0019216.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP35\A0019363.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\IABC4WF7\abb[1].txt
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP36\A0021334.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP35\A0020339.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP35\A0018278.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP35\A0019362.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP36\A0022360.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP35\A0018206.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP35\A0018205.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP35\A0018198.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP35\A0018197.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP32\A0017130.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP36\A0022344.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP36\A0022339.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP24\A0009944.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP24\A0009947.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP24\A0009948.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP24\A0009949.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP36\A0021409.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP25\A0011004.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP25\A0011005.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP32\A0017061.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP35\A0020298.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP35\A0020315.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP35\A0020338.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP36\A0020413.exe
00737291 Trj/Spammer.AME Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP35\A0020297.exe
00814651 Trj/Downloader.VUF Virus/Trojan No 0 Yes Yes C:\12.tmp
00814651 Trj/Downloader.VUF Virus/Trojan No 0 Yes Yes C:\17.tmp
00814651 Trj/Downloader.VUF Virus/Trojan No 0 Yes Yes C:\26.tmp
00814651 Trj/Downloader.VUF Virus/Trojan No 0 Yes Yes C:\57.tmp
00814651 Trj/Downloader.VUF Virus/Trojan No 0 Yes Yes C:\6.tmp
00814651 Trj/Downloader.VUF Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\27.tmp.vir
00814651 Trj/Downloader.VUF Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\26.tmp.vir
00814651 Trj/Downloader.VUF Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\25.tmp.vir
00814651 Trj/Downloader.VUF Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\14.tmp.vir
00815392 Trj/Spammer.AMI Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP25\A0011006.EXE
00815437 Trj/Clicker.AOB Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP25\A0012148.EXE
00815437 Trj/Clicker.AOB Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP35\A0020314.EXE
00815437 Trj/Clicker.AOB Virus/Trojan No 1 Yes Yes C:\_OTMoveIt\MovedFiles\04232009_212436\WINDOWS\system32\3361\SVCHOST.EXE
00815437 Trj/Clicker.AOB Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP35\A0020337.EXE
00815437 Trj/Clicker.AOB Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP21\A0006548.EXE
00816097 Trj/Agent.MAP Virus/Trojan No 1 Yes Yes C:\_OTMoveIt\MovedFiles\04232009_212436\program Files\ThunMail\testabd.dll
00816183 Trj/Spammer.AMJ Virus/Trojan No 1 Yes Yes C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\em[1].htm
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP28\A0013200.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP25\A0012494.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP29\A0013656.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP29\A0013803.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP25\A0012468.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP29\A0013835.sys
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\Joe\My Documents\LimeWire\Incomplete\T-5898284-trend micro antivirus incl crack by TSRh.zip[crack_by_TSRh/crack.exe]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\Joe\My Documents\LimeWire\Incomplete\T-5898284-trend micro antivirus incl crack by TSRh.zip[setup.exe]
03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\24.tmp.vir
05393060 Trj/RlsLoup.B Virus/Trojan No 1 Yes Yes C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\IABC4WF7\cs[1].htm
05422105 Trj/Downloader.MDW Virus/Trojan No 1 Yes Yes C:\WINDOWS\system32\dllcache\ndis.sys
05422105 Trj/Downloader.MDW Virus/Trojan Yes 2 Yes Yes C:\WINDOWS\system32\Drivers\NDIS.sys
05444680 Generic Trojan Virus/Trojan No 0 Yes Yes C:\WINDOWS\temp\BN1C.tmp
05471485 Trj/Downloader.MDW Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP35\A0020403.sys
05478089 Generic Trojan Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP24\A0007959.old
05483342 Generic Backdoor Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP25\A0010052.sys
05485860 Trj/Downloader.MDW Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{CB995963-F978-49AC-A819-005B7CF56730}\RP21\A0006711.sys
;===================================================================================================================================================================================
SUSPECTS
Sent Location I!
;===================================================================================================================================================================================
No C:\WINDOWS\System32\alg.exe I!
No C:\WINDOWS\system32\alg.exe I!
No C:\WINDOWS\system32\mnmsrvc.exe I!
No C:\WINDOWS\system32\msdtc.exe I!
No C:\WINDOWS\system32\scardsvr.exe I!
No C:\WINDOWS\system32\smlogsvc.exe I!
No C:\WINDOWS\system32\ups.exe I!
No C:\cfbleep\Attrib.cfexe I!
No C:\cfbleep\ComboFix.exe I!
No C:\cfbleep\hidec.exe I!
No C:\Documents and Settings\Joe\Desktop\folder\i386\aspnet_regiis.exe I!
No C:\Documents and Settings\Joe\Desktop\folder\i386\ilasm.exe I!
No C:\Documents and Settings\Joe\Desktop\folder\i386\installutil.exe I!
No C:\Documents and Settings\Joe\Desktop\folder\i386\spdwnwxp.exe I!
No C:\Documents and Settings\Joe\Desktop\folder\i386\spnpinst.exe I!
No C:\Documents and Settings\Joe\Desktop\folder\i386\telnet.exe I!
No C:\Documents and Settings\Joe\Desktop\folder\i386\update\fixccs.exe I!
No C:\Documents and Settings\Joe\Desktop\folder\i386\update\spnpinst.exe I!
No C:\Documents and Settings\Joe\Desktop\New Folder\GooredFix.exe I!
No C:\Documents and Settings\Joe\Local Settings\temp\1782068480.exe I!
No C:\Documents and Settings\Joe\Local Settings\temp\2546719652.exe I!
No C:\Documents and Settings\Joe\Local Settings\temp\825436948.exe I!
No C:\Documents and Settings\Joe\Local Settings\temp\cmd.execf I!
No C:\kgayofb.exe I!
No C:\Program Files\Internet Explorer\Connection Wizard\isignup.exe I!
No C:\Program Files\microsoft money 2006\MNYCoreFiles\mnycopymar.exe I!
No C:\Program Files\Microsoft Works\WkDStore.exe I!
No C:\Program Files\MSN Gaming Zone\Windows\bckgzm.exe I!
No C:\Program Files\MSN Gaming Zone\Windows\chkrzm.exe I!
No C:\Program Files\MSN Gaming Zone\Windows\hrtzzm.exe I!
No C:\Program Files\MSN Gaming Zone\Windows\Rvsezm.exe I!
No C:\Program Files\MSN Gaming Zone\Windows\shvlzm.exe I!
No C:\Program Files\Outlook Express\wab.exe I!
No C:\Program Files\Safari\Safari.resources\WebAppLauncher.exe I!
No C:\Program Files\Windows Media Player\wmlaunch.exe I!
No C:\Program Files\Windows Media Player\wmpenc.exe I!
No C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\sc.exe I!
No C:\WINDOWS\$NtServicePackUninstall$\agentsvr.exe I!
Last edited by dito1 on Sat May 02, 2009 9:34 am; edited 1 time in total
greyknight17
PostPosted: Sat May 02, 2009 9:33 am    Post subject:

What's the problem running it? How about if you rename it first? Delete ComboFix and download it again. But before you even save it, rename it to dito1.exe instead. Then save it to your desktop and run it.
dito1
PostPosted: Sat May 02, 2009 3:59 pm    Post subject:

I've tried all the renaming and downloading it from other computers already. I got the same error I got before about there being a virus (Virut) and it could not run.
greyknight17
PostPosted: Sun May 03, 2009 9:27 am    Post subject:

Turn off System Restore by right-clicking on My Computer and going to Properties->System Restore, then check the box for Turn off System Restore. Click Apply and then OK. Go back to the System Restore tab and uncheck the same box to enable System Restore.

Download the FixVirut tool and save it to your desktop. Double click on that file to see if it can remove the virut infection.

Try running ComboFix again. If it still gives you problems, rename it from ComboFix.exe to ComboFix.com instead and then run it.
dito1
PostPosted: Sun May 03, 2009 6:45 pm    Post subject:

I was able to do the FixVirut tool but no luck with ComboFix. And I tried a bunch of things: renaming, getting it from another comp, etc. Any ideas? Or will I have to do a reinstall?
greyknight17
PostPosted: Tue May 05, 2009 11:33 am    Post subject:

Did FixVirut find anything?

Turn off System Restore by right-clicking on My Computer and going to Properties->System Restore, then check the box for Turn off System Restore. Click Apply and then OK. Go back to the System Restore tab and uncheck the same box to enable System Restore.

For ComboFix, is it not working at all or only when you try to drag that recovery console utility into it? Try downloading it again, and before saving, rename it to dito1.com and save it to the desktop. Double click on it and see if that runs.
dito1
PostPosted: Tue May 05, 2009 6:44 pm    Post subject:

It said it fixed 2 things. ComboFix did not work at all. I tried several things (downloading from different sites, renaming, using a different computer, and a combination of all of these) and nothing worked. Many .exe files still were not working: iTunes, Trend antivirus, Kodak, Nero, etc. I just deleted the partitions and did a complete reinstall (I think). Things seem to be working OK right now. Should I go through the steps and do a HJT log and post it?
greyknight17
PostPosted: Thu May 07, 2009 11:55 am    Post subject:

If you did a clean Windows install, it should be clean now. Otherwise, you may post the HijackThis log here for a quick review.
All times are: Eastern Time (US & Canada)