Hidden Rootkit problem...How to delete files?

Discussion in 'Malware and Virus Removal Archive' started by Whoababy, 2007/12/28.

  1. 2007/12/30
    Whoababy

    Whoababy Inactive Thread Starter

    Joined:
    2007/12/28
    Messages:
    22
    Likes Received:
    0
    GMER results Part 3

    ---- Threads - GMER 1.0.13 ----

    Thread 4:2608 A807FAB0
    Thread 4:2476 A843CAB0

    ---- Files - GMER 1.0.13 ----

    ADS C:\Documents and Settings\LocalService\Favorites\McAfee :favicon
    ADS C:\Documents and Settings\Mom\Favorites\Perret:favicon
    ADS C:\Documents and Settings\Mom\Favorites\SecondSpin.com :favicon
    ADS C:\Documents and Settings\Mom\Favorites\We Buy Houses, Cash Home Buyers, Fast Home Offers:favicon
    File C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh\Joe Walsh's Greatest Hits- Little Did He Know..\Joe Walsh - Funk #49(1).mp3
    File C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh\Joe Walsh's Greatest Hits- Little Did He Know..\Joe Walsh - Funk #49.mp3.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren
    File C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh\Joe Walsh's Greatest Hits- Little Did He Know..\Joe Walsh - Life's Been Good(1).mp3.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren
    File C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh\Joe Walsh's Greatest Hits- Little Did He Know..\Joe Walsh - Life's Been Good.mp3.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren

    ---- EOF - GMER 1.0.13 ----
     
  2. 2007/12/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Run gmer again and when it completes, right click each of the following and select 'Delete File'.

    C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh\Joe Walsh's Greatest Hits- Little Did He Know..\Joe Walsh - Funk #49(1).mp3
    C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh\Joe Walsh's Greatest Hits- Little Did He Know..\Joe Walsh - Funk #49.mp3.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren
    C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh\Joe Walsh's Greatest Hits- Little Did He Know..\Joe Walsh - Life's Been Good(1).mp3.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren
    C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh\Joe Walsh's Greatest Hits- Little Did He Know..\Joe Walsh - Life's Been Good.mp3.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren

    Right click each of the following and you should have an option to 'Delete Service'. Do so.

    System32\Drivers\1dd6a6de.sys
    System32\Drivers\0c11b6d8.sys

    Close gmer when complete and let me know the results.
     

  4. 2007/12/30
    Whoababy

    Results

    System32\Drivers\1dd6a6de.sys
    System32\Drivers\0c11b6d8.sys

    They both are gone, but it's not from being able to do what you said in your post with the "Delete Service". Because the "Delete Service" was not available, I don't know why they are both gone, to be honest.

    The MP3 files (and folder) are still there, even after I did the delete with the gmer.

    Sorry I didn't get back to you sooner. My son was on the computer this afternoon, and then all of a sudden my Bitdefender stopped working, while trying to figure out why it wasn't working I looked in the quarantine and there was a trojan in there (trojan.js.zlob.a). So I was busy trying to get that fixed.

    In the midst of all of that, I had downloaded Spy hunter, and it detected 2 trojans, the one I knew about via Bitdefender, plus another one, but it didn't tell me where it was located. Trojan.Vundo. (plus a lot of tracking cookies).

    I then downloaded Spybot Search and Destroy and it didn't detect the Trojan.Vundo, mainly wild tangent and tracking cookies as well as Spy hunter. After I did the fix all with Spybot, I was finally able to get Bitdefender up and running again and could then delete the trojan.js.zlob.a.

    So busy day here.:eek:

    So, we still can't seem to get rid of those files/folder. Any ideas on what to do next? I really do appreciate all of your help! As I'm so baffled and ready to pull my hair out over all of this! But hopefully we'll get all of this figured out and my computer "normal" again.

    Thanks,
    Whoababy
     
  5. 2007/12/30
    noahdfear

    Delete the current version of ComboFix you have and grab a fresh copy from here, saving the file to your desktop.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Rootkit::
    C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh\Joe Walsh's Greatest Hits- Little Did He Know..\Joe Walsh - Funk #49(1).mp3 
    C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh\Joe Walsh's Greatest Hits- Little Did He Know..\Joe Walsh - Funk #49.mp3.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren 
    C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh\Joe Walsh's Greatest Hits- Little Did He Know..\Joe Walsh - Life's Been Good(1).mp3.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren 
    C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh\Joe Walsh's Greatest Hits- Little Did He Know..\Joe Walsh - Life's Been Good.mp3.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren 
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  6. 2007/12/31
    Whoababy

    Combofix log

    ComboFix 07-12-31.4 - Mom 2007-12-31 8:40:30.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.163 [GMT -5:00]
    Running from: C:\Documents and Settings\Mom\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Mom\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh\Joe Walsh's Greatest Hits- Little Did He Know..\Joe Walsh - Funk #49(1).mp3
    C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh\Joe Walsh's Greatest Hits- Little Did He Know..\Joe Walsh - Funk #49.mp3.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren
    C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh\Joe Walsh's Greatest Hits- Little Did He Know..\Joe Walsh - Life's Been Good(1).mp3.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren
    C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh\Joe Walsh's Greatest Hits- Little Did He Know..\Joe Walsh - Life's Been Good.mp3.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren.bd.ren

    .
    ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
    .

    2007-12-31 08:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-12-30 17:36 . 2007-12-30 18:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-30 17:13 . 2007-12-30 18:16 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-12-30 07:56 . 2007-12-30 19:58 250 --a------ C:\WINDOWS\gmer.ini
    2007-12-28 09:58 . 2007-12-28 09:58 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-28 09:58 . 2007-12-28 09:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-12-28 09:37 . 2007-12-28 09:37 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-28 08:17 . 2007-12-28 08:17 <DIR> d-------- C:\Deckard
    2007-12-22 16:10 . 2007-12-22 16:10 1,158 --a------ C:\WINDOWS\mozver.dat
    2007-12-22 07:01 . 2007-12-22 07:01 <DIR> d--hs---- C:\found.001
    2007-12-17 12:36 . 2007-12-31 08:54 121 --a------ C:\WINDOWS\bdagent.INI
    2007-12-17 12:35 . 2007-12-17 12:35 <DIR> d-------- C:\Program Files\BitDefender
    2007-12-17 12:35 . 2007-12-17 12:35 <DIR> d-------- C:\Documents and Settings\Mom\Application Data\Bitdefender
    2007-12-17 12:35 . 2007-12-17 12:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
    2007-12-17 12:31 . 2007-12-17 12:35 <DIR> d-------- C:\Program Files\Common Files\BitDefender
    2007-11-22 09:08 . 2007-11-22 09:08 <DIR> d-------- C:\Program Files\iTunes
    2007-11-22 09:08 . 2007-12-31 08:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-11-22 09:08 . 2007-11-22 09:08 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-11-21 21:23 . 2007-11-21 21:23 <DIR> d--hs---- C:\found.000
    2007-11-19 19:50 . 2007-11-19 19:50 <DIR> d-------- C:\Program Files\Microsoft Expedia Streets & Trips
    2007-11-17 11:36 . 2007-11-22 17:07 <DIR> d-------- C:\Documents and Settings\Mom\Application Data\FMA
    2007-11-17 11:09 . 2007-11-17 11:09 <DIR> d-------- C:\Program Files\Susteen
    2007-11-14 23:43 . 2007-11-14 23:43 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
    2007-11-14 23:43 . 2007-11-14 23:43 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
    2007-11-13 12:26 . 2007-11-13 12:26 <DIR> d-------- C:\Program Files\Common Files\DirectX
    2007-11-13 12:26 . 2007-11-13 12:26 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
    2007-11-13 12:23 . 2007-11-13 12:23 <DIR> d-------- C:\Program Files\Codemasters
    2007-11-09 14:10 . 2007-11-09 14:10 <DIR> d-------- C:\Program Files\IZArc
    2007-11-09 09:32 . 2007-11-09 09:32 <DIR> d-------- C:\Program Files\MRConverter
    2007-11-09 09:32 . 2005-07-02 16:33 520,192 --a------ C:\WINDOWS\system32\AVmmfecd.exe
    2007-11-09 09:32 . 2004-06-02 14:18 438,272 --a------ C:\WINDOWS\system32\AVawbecd.exe
    2007-11-09 09:32 . 2004-06-02 14:23 380,928 --a------ C:\WINDOWS\system32\AVawbdcd.exe
    2007-11-09 09:32 . 2002-01-09 11:52 266,240 --a------ C:\WINDOWS\system32\AVamrecd.exe
    2007-11-09 09:32 . 2004-01-08 11:38 208,896 --a------ C:\WINDOWS\system32\lame_enc.dll
    2007-11-09 09:32 . 2006-06-24 22:53 90,112 --a------ C:\WINDOWS\system32\AVMiniWeb.exe
    2007-11-09 09:25 . 2007-11-09 09:32 <DIR> d-------- C:\Program Files\DjToneXpress
    2007-11-06 11:19 . 2007-11-06 11:19 <DIR> d--hs---- C:\WINDOWS\ftpcache
    2007-11-06 11:18 . 2007-11-06 11:18 <DIR> d-------- C:\Program Files\AOL Games

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-31 13:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\WholeSecurity
    2007-12-25 02:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2007-12-22 01:30 --------- d-----w C:\Program Files\LimeWire
    2007-12-17 22:16 --------- d-----w C:\Program Files\RegCure
    2007-12-17 22:16 --------- d-----w C:\Program Files\Motorola Phone Tools
    2007-12-17 22:16 --------- d-----w C:\Program Files\bfgclient
    2007-12-17 22:16 --------- d-----w C:\Program Files\Avanquest update
    2007-12-17 17:54 87,952 ------w C:\WINDOWS\system32\drivers\bdfndisf.sys
    2007-12-17 17:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
    2007-12-17 17:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2007-11-22 14:08 --------- d-----w C:\Program Files\iPod
    2007-11-22 14:06 --------- d-----w C:\Program Files\QuickTime
    2007-11-21 13:23 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-11-20 21:51 --------- d-----w C:\Program Files\PayPal
    2007-11-20 12:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-20 12:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
    2007-11-20 12:29 --------- d-----w C:\Program Files\MSN Games
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-10-30 12:53 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
    2007-10-30 12:53 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
    2007-10-29 15:26 --------- d-----w C:\Program Files\Apple Software Update
    2007-10-27 22:48 92,064 ----a-w C:\Documents and Settings\Mom\mqdmmdm.sys
    2007-10-27 22:48 9,232 ----a-w C:\Documents and Settings\Mom\mqdmmdfl.sys
    2007-10-27 22:48 79,328 ----a-w C:\Documents and Settings\Mom\mqdmserd.sys
    2007-10-27 22:48 66,656 ----a-w C:\Documents and Settings\Mom\mqdmbus.sys
    2007-10-27 22:48 6,208 ----a-w C:\Documents and Settings\Mom\mqdmcmnt.sys
    2007-10-27 22:48 5,936 ----a-w C:\Documents and Settings\Mom\mqdmwhnt.sys
    2007-10-27 22:48 4,048 ----a-w C:\Documents and Settings\Mom\mqdmcr.sys
    2007-10-27 22:48 25,600 ----a-w C:\Documents and Settings\Mom\usbsermptxp.sys
    2007-10-27 22:48 22,768 ----a-w C:\Documents and Settings\Mom\usbsermpt.sys
    2007-09-08 12:18 315,392 ----a-w C:\WINDOWS\HideWin.exe
    2006-10-22 13:31 251 -c--a-w C:\Program Files\wt3d.ini
    2007-08-03 00:13 152 -csh--r C:\WINDOWS\system32\6FEB862DEE.sys
    2007-08-03 00:13 6,686 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {0BF43445-2F28-4351-9252-17FE6E806AA0}
    {DC0F2F93-27FA-4F84-ACAA-9416F90B9511}
    {381FFDE8-2394-4F90-B10D-FC6124A40F8C}

    [HKEY_CLASSES_ROOT\clsid\{381ffde8-2394-4f90-b10d-fc6124a40f8c}]
    [HKEY_CLASSES_ROOT\BitDefender Toolbar]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray "= "C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
    "DVDLauncher "= "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
    "RealTray "= "C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-03-03 09:08 26112]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
    "AcctMgr "= "C:\Program Files\Norton Password Manager\AcctMgr.exe" [2004-08-18 14:41 586896]
    "OBD2_TekLink_Start "= "C:\Program Files\OBD2 TekLink\2100D.exe" [2005-04-18 09:28 40960]
    "Motive SmartBridge "= "C:\PROGRA~1\HUGHES~1\SMARTB~1\MotiveSB.exe" [2006-04-21 15:41 438359]
    "MimBoot "= "C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-09-18 12:46 8192]
    "mm_server "= "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_server.exe" [2006-09-18 12:46 102400]
    "PhilipsRemote "= "C:\Program Files\Musicmatch\Musicmatch Jukebox\PhilipsRemote.exe" [2006-09-18 12:46 745472]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
    "igfxtray "= "C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49 94208]
    "igfxhkcmd "= "C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46 77824]
    "igfxpers "= "C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50 114688]
    "Logitech Utility "= "Logi_MwX.Exe" [2003-12-17 08:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
    "ATICCC "= "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 08:12 90112]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
    "BitDefender Antiphishing Helper "= "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
    "BDAgent "= "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2007-12-17 12:54 319488]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-03-03 09:04:59]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-04 17:23:00]
    Microsoft Works Calendar Reminders.lnk - C:\WINDOWS\Installer\{9944aa9e-362d-11d3-81ab-00c04fb932ba}\1960F8A9.exe [2006-03-10 09:42:34]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "= C:\WINDOWS\Resources\Themes\Royale.theme
    "HideShutdownScripts "= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFavoritesMenu "= 1 (0x1)
    "NoRecentDocsMenu "= 1 (0x1)
    "MaxRecentDocs "= 99 (0x63)

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HughesNet Tools.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-02-16 23:11 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Aim6 "=

    R1 bdftdif;bdftdif;C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys [2007-12-17 12:46]
    R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2007-12-17 12:54]
    R3 bdfsfltr;bdfsfltr;C:\WINDOWS\system32\DRIVERS\bdfsfltr.sys [2007-08-02 16:03]
    R3 BDSelfPr;BDSelfPr;C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys [2007-08-08 13:12]
    R3 scan;BitDefender Threat Scanner;C:\WINDOWS\System32\svchost.exe [2004-08-10 06:00]
    S3 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;C:\DOCUME~1\Mom\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys []
    S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-02-27 13:31]
    S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 18:03]
    S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 09:27]
    S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
    S3 QWNXDUMCP;QWNXDUMCP;C:\DOCUME~1\Mom\LOCALS~1\Temp\QWNXDUMCP.exe [2007-12-30 08:12]
    S3 SUSCOM;Susteen Serial port driver;C:\WINDOWS\system32\DRIVERS\SUSCOM.SYS [2002-10-22 13:58]
    S3 w600bus;Sony Ericsson W600 driver (WDM);C:\WINDOWS\system32\DRIVERS\w600bus.sys [2005-08-15 15:04]
    S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys [2005-08-15 15:04]
    S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w600mdm.sys [2005-08-15 15:04]
    S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w600mgmt.sys [2005-08-15 15:04]
    S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w600obex.sys [2005-08-15 15:04]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-29 03:40:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-12-31 06:00:01 C:\WINDOWS\Tasks\dfrg.job "
    - C:\WINDOWS\system32\dfrg.msc
    "2007-12-31 04:00:00 C:\WINDOWS\Tasks\Disk Cleanup.job "
    - C:\WINDOWS\system32\cleanmgr.exe
    "2007-12-31 13:58:29 C:\WINDOWS\Tasks\RegCure Program Check.job "
    - C:\Program Files\RegCure\RegCure.exe
    "2007-12-31 13:00:01 C:\WINDOWS\Tasks\RegCure.job "
    - C:\Program Files\RegCure\RegCure.exe
    "2007-12-31 13:19:11 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job "
    - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-31 08:58:06
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bdfsfltr]
    "ImagePath "=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
    .
    Completion time: 2007-12-31 9:05:58 - machine was rebooted
    C:\qoobox\ComboFix-quarantined-files.txt 2007-12-31 14:05:53
    C:\qoobox\ComboFix2.txt 2007-12-29 15:34:20
    C:\qoobox\ComboFix3.txt 2007-12-29 14:08:21
    C:\qoobox\ComboFix4.txt 2007-12-29 13:56:47
    .
    2007-12-13 12:20:41 --- E O F ---
     
  7. 2007/12/31
    Whoababy

    Folder still there

    Just wanted to let you know, that even after doing all of that, the folder is still there. :confused:

    Beats the heck out of me!
     
  8. 2007/12/31
    noahdfear

    Yes, the folder is still there but the 'Other Deletions' section of the log shows that the files have been deleted. Can you access the folder now? Scan the folder with BitDefender and see if it still reports infections.

    Please create and post a fresh HijackThis log.
     
  9. 2007/12/31
    Whoababy

    HijackThis log

    Nope, can't access the folder, Bitdefender scan came back clean.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:12:30 AM, on 12/31/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Norton Password Manager\AcctMgr.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\OBD2 TekLink\2100D.exe
    C:\PROGRA~1\HUGHES~1\SMARTB~1\MotiveSB.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
    C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\mace.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/home/home.do?sls=3
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
    O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [OBD2_TekLink_Start] C:\Program Files\OBD2 TekLink\2100D.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\HUGHES~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    O4 - HKLM\..\Run: [mm_server] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_server.exe "
    O4 - HKLM\..\Run: [PhilipsRemote] "C:\Program Files\Musicmatch\Musicmatch Jukebox\PhilipsRemote.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe "
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe "
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Intel Corporation - (no file)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: QWNXDUMCP - Unknown owner - C:\DOCUME~1\Mom\LOCALS~1\Temp\QWNXDUMCP.exe (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 10080 bytes
     
  10. 2007/12/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    TeaTimer will need to be disabled for HijackThis to work.
    • Open Spybot Search & Destroy.
    • In the Mode menu click "Advanced mode" if not already selected.
    • Choose "Yes" at the Warning prompt.
    • Expand the "Tools" menu.
    • Click "Resident".
    • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
    • In the File menu click "Exit" to exit Spybot Search & Destroy.

    Reboot.

    Scan again with HijackThis and place a check next to the following entries. Close all other windows, then click Fix Checked.

    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)


    Now let's see if ComboFix can nuke that folder. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Folder::
    C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh\Joe Walsh's Greatest Hits- Little Did He Know..
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    You can re-enable TeaTimer now too.
     
  11. 2007/12/31
    Whoababy

    Whoababy Inactive Thread Starter

    Joined:
    2007/12/28
    Messages:
    22
    Likes Received:
    0
    Combofix log

    ComboFix 07-12-31.4 - Mom 2007-12-31 11:54:28.5 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.108 [GMT -5:00]
    Running from: C:\Documents and Settings\Mom\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Mom\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
    .

    2007-12-31 10:33 . 2007-12-31 10:33 <DIR> d-------- C:\Program Files\SereneScreen
    2007-12-31 10:33 . 2005-01-12 16:33 2,797,568 --a------ C:\WINDOWS\system32\MA2_5.scr
    2007-12-31 08:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-12-30 17:36 . 2007-12-30 18:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-30 17:13 . 2007-12-30 18:16 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-12-30 07:56 . 2007-12-30 19:58 250 --a------ C:\WINDOWS\gmer.ini
    2007-12-28 09:58 . 2007-12-28 09:58 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-28 09:58 . 2007-12-28 09:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-12-28 09:37 . 2007-12-28 09:37 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-28 08:17 . 2007-12-28 08:17 <DIR> d-------- C:\Deckard
    2007-12-22 16:10 . 2007-12-22 16:10 1,158 --a------ C:\WINDOWS\mozver.dat
    2007-12-22 07:01 . 2007-12-22 07:01 <DIR> d--hs---- C:\found.001
    2007-12-17 12:36 . 2007-12-31 12:02 121 --a------ C:\WINDOWS\bdagent.INI
    2007-12-17 12:35 . 2007-12-17 12:35 <DIR> d-------- C:\Program Files\BitDefender
    2007-12-17 12:35 . 2007-12-17 12:35 <DIR> d-------- C:\Documents and Settings\Mom\Application Data\Bitdefender
    2007-12-17 12:35 . 2007-12-17 12:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
    2007-12-17 12:31 . 2007-12-17 12:35 <DIR> d-------- C:\Program Files\Common Files\BitDefender
    2007-11-22 09:08 . 2007-11-22 09:08 <DIR> d-------- C:\Program Files\iTunes
    2007-11-22 09:08 . 2007-12-31 11:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-11-22 09:08 . 2007-11-22 09:08 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-11-21 21:23 . 2007-11-21 21:23 <DIR> d--hs---- C:\found.000
    2007-11-19 19:50 . 2007-11-19 19:50 <DIR> d-------- C:\Program Files\Microsoft Expedia Streets & Trips
    2007-11-17 11:36 . 2007-11-22 17:07 <DIR> d-------- C:\Documents and Settings\Mom\Application Data\FMA
    2007-11-17 11:09 . 2007-11-17 11:09 <DIR> d-------- C:\Program Files\Susteen
    2007-11-14 23:43 . 2007-11-14 23:43 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
    2007-11-14 23:43 . 2007-11-14 23:43 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
    2007-11-13 12:26 . 2007-11-13 12:26 <DIR> d-------- C:\Program Files\Common Files\DirectX
    2007-11-13 12:26 . 2007-11-13 12:26 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
    2007-11-13 12:23 . 2007-11-13 12:23 <DIR> d-------- C:\Program Files\Codemasters
    2007-11-09 14:10 . 2007-11-09 14:10 <DIR> d-------- C:\Program Files\IZArc
    2007-11-09 09:32 . 2007-11-09 09:32 <DIR> d-------- C:\Program Files\MRConverter
    2007-11-09 09:32 . 2005-07-02 16:33 520,192 --a------ C:\WINDOWS\system32\AVmmfecd.exe
    2007-11-09 09:32 . 2004-06-02 14:18 438,272 --a------ C:\WINDOWS\system32\AVawbecd.exe
    2007-11-09 09:32 . 2004-06-02 14:23 380,928 --a------ C:\WINDOWS\system32\AVawbdcd.exe
    2007-11-09 09:32 . 2002-01-09 11:52 266,240 --a------ C:\WINDOWS\system32\AVamrecd.exe
    2007-11-09 09:32 . 2004-01-08 11:38 208,896 --a------ C:\WINDOWS\system32\lame_enc.dll
    2007-11-09 09:32 . 2006-06-24 22:53 90,112 --a------ C:\WINDOWS\system32\AVMiniWeb.exe
    2007-11-09 09:25 . 2007-11-09 09:32 <DIR> d-------- C:\Program Files\DjToneXpress
    2007-11-06 11:19 . 2007-11-06 11:19 <DIR> d--hs---- C:\WINDOWS\ftpcache
    2007-11-06 11:18 . 2007-11-06 11:18 <DIR> d-------- C:\Program Files\AOL Games

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-31 16:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\WholeSecurity
    2007-12-25 02:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2007-12-22 01:30 --------- d-----w C:\Program Files\LimeWire
    2007-12-17 22:16 --------- d-----w C:\Program Files\RegCure
    2007-12-17 22:16 --------- d-----w C:\Program Files\Motorola Phone Tools
    2007-12-17 22:16 --------- d-----w C:\Program Files\bfgclient
    2007-12-17 22:16 --------- d-----w C:\Program Files\Avanquest update
    2007-12-17 17:54 87,952 ------w C:\WINDOWS\system32\drivers\bdfndisf.sys
    2007-12-17 17:46 77,824 ----a-w C:\WINDOWS\system32\xcomm.dll
    2007-12-17 17:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
    2007-12-17 17:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2007-11-22 14:08 --------- d-----w C:\Program Files\iPod
    2007-11-22 14:06 --------- d-----w C:\Program Files\QuickTime
    2007-11-21 13:23 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-11-20 21:51 --------- d-----w C:\Program Files\PayPal
    2007-11-20 12:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-20 12:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
    2007-11-20 12:29 --------- d-----w C:\Program Files\MSN Games
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-11-09 22:34 89,088 ----a-w C:\WINDOWS\system32\atl71.dll
    2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-10-30 12:53 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
    2007-10-30 12:53 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
    2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
    2007-10-29 15:26 --------- d-----w C:\Program Files\Apple Software Update
    2007-10-27 22:48 92,064 ----a-w C:\Documents and Settings\Mom\mqdmmdm.sys
    2007-10-27 22:48 9,232 ----a-w C:\Documents and Settings\Mom\mqdmmdfl.sys
    2007-10-27 22:48 79,328 ----a-w C:\Documents and Settings\Mom\mqdmserd.sys
    2007-10-27 22:48 66,656 ----a-w C:\Documents and Settings\Mom\mqdmbus.sys
    2007-10-27 22:48 6,208 ----a-w C:\Documents and Settings\Mom\mqdmcmnt.sys
    2007-10-27 22:48 5,936 ----a-w C:\Documents and Settings\Mom\mqdmwhnt.sys
    2007-10-27 22:48 4,048 ----a-w C:\Documents and Settings\Mom\mqdmcr.sys
    2007-10-27 22:48 25,600 ----a-w C:\Documents and Settings\Mom\usbsermptxp.sys
    2007-10-27 22:48 22,768 ----a-w C:\Documents and Settings\Mom\usbsermpt.sys
    2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-10-27 22:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
    2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
    2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-10-10 23:56 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
    2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-10-10 23:55 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-10-10 23:55 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-10-10 23:55 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-10-10 23:55 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-10-10 23:55 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
    2007-10-10 23:55 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
    2007-10-10 23:55 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
    2007-10-10 10:59 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
    2007-09-08 12:18 315,392 ----a-w C:\WINDOWS\HideWin.exe
    2006-10-22 13:31 251 -c--a-w C:\Program Files\wt3d.ini
    2007-08-03 00:13 152 -csh--r C:\WINDOWS\system32\6FEB862DEE.sys
    2007-08-03 00:13 6,686 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {DC0F2F93-27FA-4F84-ACAA-9416F90B9511}
    {381FFDE8-2394-4F90-B10D-FC6124A40F8C}

    [HKEY_CLASSES_ROOT\clsid\{381ffde8-2394-4f90-b10d-fc6124a40f8c}]
    [HKEY_CLASSES_ROOT\BitDefender Toolbar]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-03-03 09:08 26112]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
    "AcctMgr"="C:\Program Files\Norton Password Manager\AcctMgr.exe" [2004-08-18 14:41 586896]
    "OBD2_TekLink_Start"="C:\Program Files\OBD2 TekLink\2100D.exe" [2005-04-18 09:28 40960]
    "Motive SmartBridge"="C:\PROGRA~1\HUGHES~1\SMARTB~1\MotiveSB.exe" [2006-04-21 15:41 438359]
    "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-09-18 12:46 8192]
    "mm_server"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_server.exe" [2006-09-18 12:46 102400]
    "PhilipsRemote"="C:\Program Files\Musicmatch\Musicmatch Jukebox\PhilipsRemote.exe" [2006-09-18 12:46 745472]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49 94208]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46 77824]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50 114688]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 08:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 08:12 90112]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
    "BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
    "BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2007-12-17 12:54 319488]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-03-03 09:04:59]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-04 17:23:00]
    Microsoft Works Calendar Reminders.lnk - C:\WINDOWS\Installer\{9944aa9e-362d-11d3-81ab-00c04fb932ba}\1960F8A9.exe [2006-03-10 09:42:34]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
    "HideShutdownScripts"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFavoritesMenu"= 1 (0x1)
    "NoRecentDocsMenu"= 1 (0x1)
    "MaxRecentDocs"= 99 (0x63)

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HughesNet Tools.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-02-16 23:11 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Aim6"=

    R1 bdftdif;bdftdif;C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys [2007-12-17 12:46]
    R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2007-12-17 12:54]
    R3 bdfsfltr;bdfsfltr;C:\WINDOWS\system32\DRIVERS\bdfsfltr.sys [2007-08-02 16:03]
    R3 BDSelfPr;BDSelfPr;C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys [2007-08-08 13:12]
    R3 scan;BitDefender Threat Scanner;C:\WINDOWS\System32\svchost.exe [2004-08-10 06:00]
    S3 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;C:\DOCUME~1\Mom\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys []
    S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-02-27 13:31]
    S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 18:03]
    S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 09:27]
    S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
    S3 QWNXDUMCP;QWNXDUMCP;C:\DOCUME~1\Mom\LOCALS~1\Temp\QWNXDUMCP.exe []
    S3 SUSCOM;Susteen Serial port driver;C:\WINDOWS\system32\DRIVERS\SUSCOM.SYS [2002-10-22 13:58]
    S3 w600bus;Sony Ericsson W600 driver (WDM);C:\WINDOWS\system32\DRIVERS\w600bus.sys [2005-08-15 15:04]
    S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys [2005-08-15 15:04]
    S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w600mdm.sys [2005-08-15 15:04]
    S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w600mgmt.sys [2005-08-15 15:04]
    S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w600obex.sys [2005-08-15 15:04]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-29 03:40:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-12-31 06:00:01 C:\WINDOWS\Tasks\dfrg.job"
    - C:\WINDOWS\system32\dfrg.msc
    "2007-12-31 04:00:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
    - C:\WINDOWS\system32\cleanmgr.exe
    "2007-12-31 16:47:48 C:\WINDOWS\Tasks\RegCure Program Check.job"
    - C:\Program Files\RegCure\RegCure.exe
    "2007-12-31 13:00:01 C:\WINDOWS\Tasks\RegCure.job"
    - C:\Program Files\RegCure\RegCure.exe
    "2007-12-31 13:19:11 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
    - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-31 12:03:00
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bdfsfltr]
    "ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
    .
    Completion time: 2007-12-31 12:06:53
    C:\qoobox\ComboFix-quarantined-files.txt 2007-12-31 17:06:48
    C:\qoobox\ComboFix2.txt 2007-12-31 14:05:58
    C:\qoobox\ComboFix3.txt 2007-12-29 15:34:20
    C:\qoobox\ComboFix4.txt 2007-12-29 14:08:21
    C:\qoobox\ComboFix5.txt 2007-12-29 13:56:47
    .
    2007-12-13 12:20:41 --- E O F ---

    Folder is still there though.
     
  12. 2007/12/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Let's try another application. Download MoveOnBoot and install it. Run it and select Delete Actions>Delete Folder(s). Another window will open. Click the button next to the window (three dots on it) and browse to then select the folder to remove. Click OK then OK again. The main window should show the action to perform as 'Delete on Reboot' and folder to remove. Close MoveOnBoot and restart your computer.
     
  13. 2007/12/31
    Whoababy

    Whoababy Inactive Thread Starter

    Joined:
    2007/12/28
    Messages:
    22
    Likes Received:
    0
    Still there

    Did all that and that stupid folder is still there! Ha ha Ok, it's either laugh or scream, and I'm choosing laugh! :eek:

    That folder is persistent, to say the least!
     
  14. 2007/12/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Wow. Please paste the following command into a command window then hit enter.

    dir "C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh" /x /s> "%userprofile%\desktop\dir.txt"

    Post the contents of dir.txt on your desktop.
     
  15. 2007/12/31
    Whoababy

    Whoababy Inactive Thread Starter

    Joined:
    2007/12/28
    Messages:
    22
    Likes Received:
    0
    Volume in drive C has no label.
    Volume Serial Number is BC69-C97F

    Directory of C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh

    2007-12-23 07:19 <DIR> .
    2007-12-23 07:19 <DIR> ..
    2007-12-30 21:12 <DIR> JOEWAL~3 Joe Walsh's Greatest Hits- Little Did He Know..
    2007-12-28 09:50 <DIR> THEBES~1 The Best of Joe Walsh
    0 File(s) 0 bytes

    Directory of C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh\The Best of Joe Walsh

    2007-12-28 09:50 <DIR> .
    2007-12-28 09:50 <DIR> ..
    2007-10-26 13:42 5,130,240 ROCKYM~1.MP3 Rocky Mountain Way.mp3
    1 File(s) 5,130,240 bytes

    Total Files Listed:
    1 File(s) 5,130,240 bytes
    6 Dir(s) 96,097,218,560 bytes free
     
  16. 2007/12/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You'll need to do this in safe mode, so save these instructions to text.

    Reboot to safe mode by tapping F8 when your computer restarts, then selecting Safe Mode from the Advanced Start Menu.
    Log on to the Mom account.
    Open a command window and paste the following command then hit enter.

    rmdir "C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh\JOEWAL~3"

    See if the folder has been removed.

    If the folder remains, right click on it and select Properties.
    Select the Security tab then click Advanced.
    Select the Owner tab.
    Select 'computername\Administrators' in the list, check the box to Replace owner on subcontainers and objects, then click Apply and OK.
    Back on the Properties dialog, select Administrators in the list then check Full Control in the Allow field below.
    If Administrators is not listed, click Add, type Administrators then click Check Names. Click OK and give Full control.
    Click OK to close the properties box and attempt to delete the folder manually.

    If denied, repeat the above steps to transfer ownership to 'computername\Mom', then give Mom full control and try deleting again.
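
Added example, not part of the thread or of any poster's instructions: a Python parser for the `dir /x /s` listing posted above that flags entries whose long name ends in a dot. Win32 path normalization strips trailing dots and spaces from the final path component, so such a name has to be addressed by its 8.3 alias (as the `rmdir` command above does) or by a `\\?\`-prefixed path. The function names, the date format taken from the posted listing, and the `\\?\` form are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# `dir /x /s` output copied from the thread (column padding already collapsed).
LISTING = r"""
Directory of C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh

2007-12-23 07:19 <DIR> .
2007-12-23 07:19 <DIR> ..
2007-12-30 21:12 <DIR> JOEWAL~3 Joe Walsh's Greatest Hits- Little Did He Know..
2007-12-28 09:50 <DIR> THEBES~1 The Best of Joe Walsh
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Mom\My Documents\My Music\Joe Walsh\The Best of Joe Walsh

2007-12-28 09:50 <DIR> .
2007-12-28 09:50 <DIR> ..
2007-10-26 13:42 5,130,240 ROCKYM~1.MP3 Rocky Mountain Way.mp3
1 File(s) 5,130,240 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# Assumes the YYYY-MM-DD HH:MM date format seen in the posted listing.
ENTRY_RE = re.compile(r"^\s*\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")
# Generated 8.3 aliases are upper case, 1-8 characters plus an optional 1-3 character extension.
SHORT_RE = re.compile(r"^[A-Z0-9_~!#$%&'()@^{}`-]{1,8}(\.[A-Z0-9_~!#$%&'()@^{}`-]{1,3})?$")


@dataclass
class Entry:
    directory: str
    is_dir: bool
    short: Optional[str]   # 8.3 alias, None when the column is empty
    long: str


def parse_dir_x(text: str) -> List[Entry]:
    """Parse `dir /x` output into entries, skipping '.' and '..'."""
    entries, cwd = [], ""
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            cwd = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m or m.group(2) in (".", ".."):
            continue
        first, _, rest = m.group(2).partition(" ")
        # With alias generation enabled, a name shown without an alias is itself
        # 8.3-compliant (no spaces), so "alias-shaped token + more text" means alias.
        if rest and SHORT_RE.match(first):
            short, long_name = first, rest.strip()
        else:
            short, long_name = None, m.group(2)
        entries.append(Entry(cwd, m.group(1) == "<DIR>", short, long_name))
    return entries


def win32_normalized(name: str) -> str:
    """Final path component as the Win32 layer sees it: trailing dots/spaces removed."""
    return name.rstrip(". ")


def mangled_entries(entries: List[Entry]) -> List[Entry]:
    """Entries whose long name does not survive normalization.
    Trailing spaces are lost in pasted listings, so in practice this catches trailing dots."""
    return [e for e in entries if win32_normalized(e.long) != e.long]


def usable_paths(e: Entry) -> Dict[str, str]:
    """Paths that still reach the entry: the \\\\?\\ form and, if present, the 8.3 alias."""
    paths = {"extended": "\\\\?\\" + e.directory + "\\" + e.long}
    if e.short:
        paths["short"] = e.directory + "\\" + e.short
    return paths


if __name__ == "__main__":
    for entry in mangled_entries(parse_dir_x(LISTING)):
        print(entry.long, "->", usable_paths(entry))
```
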
     
  17. 2008/01/04
    Whoababy

    Whoababy Inactive Thread Starter

    Joined:
    2007/12/28
    Messages:
    22
    Likes Received:
    0
    Hi Dave,
    I never got a chance to do your previous suggestion. Because I noticed a yellow triangle at the bottom by the clock, I placed my mouse over it and it said there was a corrupted windows file, but wouldn't let me see what it was. I then printed out what you suggested to do and then went to restart my computer and I got a bunch of error messages, saying this file was corrupted, that file was corrupted etc. I clicked ok on all of them and was waiting for it to boot up so I could start it in safe mode, as per your suggestion, and I got the blue screen of death. It wouldn't load Windows period, not in normal mode, not in safe mode, not at all. I tried everything I could think of to get it to boot up. So I had to end up formatting my hard drive and reinstalling everything.

    That was a nice New Year's Day thing! Ha ha (it's a laugh or scream thing again!) So that's where I'm at, reformatted, reinstalling and updating everything.

    I did want to let you know and not leave you hanging on what was going on and happening with this issue. I do greatly appreciate all the help you've given me!

    And no, I didn't reinstall that file! Ha ha

    Thanks again!
    Whoababy
     
  18. 2008/01/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'm sorry to hear things went south on you. :(

    Bright side ...... you have a fresh clean install to start the year off. ;)
     
