
Solved AV Sites Blocked, No Task Mgr or Regedit

Discussion in 'Malware and Virus Removal Archive' started by gsievers, 2009/01/27.

  1. 2009/01/27
    gsievers (Thread Starter)
    [Resolved] AV Sites Blocked, No Task Mgr or Regedit

    Trying to regain full access on this PC. Anti-virus and Microsoft sites are blocked. Task Manager and Registry Editor are disabled. All of the above symptoms are non-existent in Safe Mode.

    Steps taken so far:

    Ran online scan from BitDefender.
    Installed XP SP3.
    Ran Malwarebyte's Anti-Malware.


    DDS (Ver_09-01-07.01) - NTFSx86
    Run by Cad at 21:04:21.43 on Tue 01/27/2009
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.263 [GMT -6:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Pwrchute\ups.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\SYSTMEM.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\system32\HPJETDSC.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Cad\Desktop\dds.com

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://www.dellnet.com
    mDefault_Page_URL = hxxp://www.dellnet.com
    mStart Page = hxxp://www.dellnet.com
    uInternet Connection Wizard,ShellNext = hxxp://www.mcafee.com/myaccount/default.asp?area=myaccount&oemid=1790-642
    mWinlogon: Shell=Explorer.exe %PROGRAMFILES%\SYSTMEM.EXE
    mWinlogon: SFCDisable=-99 (0xffffff9d)
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
    BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    EB: MoneySide: {d6a116e7-5906-42e4-87f6-e7e15936415e} - c:\program files\microsoft money\system\mnyside.dll
    uRun: [HP JetDiscovery] HPJETDSC.EXE
    mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    mRun: [BCMSMMSG] BCMSMMSG.exe
    mRun: [DVDSentry] c:\windows\system32\DSentry.exe
    mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe "
    mRun: [BuildBU] c:\dell\bldbubg.exe
    mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
    mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
    mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\photosmart\hp share-to-web\hpgs2wnd.exe
    mRun: [CXMon] "c:\program files\hewlett-packard\photosmart\photo imaging\Hpi_Monitor.exe "
    mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
    mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe "
    mRun: [<NO NAME>]
    mRun: [POINTER] point32.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [SYSTMEM.EXE] c:\program files\\SYSTMEM.EXE
    mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
    mRun: [vptray] c:\program files\navnt\vptray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    uPolicies-system: DisableRegistryTools = 1 (0x1)
    uPolicies-system: DisableTaskMgr = 1 (0x1)
    dPolicies-system: DisableTaskMgr = 1 (0x1)
    dPolicies-system: DisableRegistryTools = 1 (0x1)
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
    Trusted Zone: microsoft.com\www
    Trusted Zone: symantec.com\www
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

    ============= SERVICES / DRIVERS ===============

    R4 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2001-9-24 9232]
    R4 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2001-9-24 454656]
    R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    S3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2003-4-30 23296]
    S4 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2003-4-30 225375]
    S4 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe [2003-4-30 94208]
    S4 ptlpw;Monitor Network;c:\windows\system32\svchost.exe -k netsvcs [2002-8-29 14336]

    =============== Created Last 30 ================

    2009-01-27 20:19 <DIR> --d----- c:\docume~1\cad\applic~1\Malwarebytes
    2009-01-27 20:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-01-27 20:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-01-27 20:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-01-27 20:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-01-27 20:14 0 a------- c:\windows\VPC32.INI
    2009-01-27 20:13 120,379 a------- c:\windows\system32\SYMEVNT.386
    2009-01-27 20:13 57,696 a------- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-01-27 20:13 36,864 a------- c:\windows\system32\S32EVNT1.DLL
    2009-01-27 20:13 4,032 a------- c:\windows\system32\SYMEVNT1.DLL
    2009-01-27 20:13 <DIR> --d----- c:\windows\system32\CBA
    2009-01-27 20:13 <DIR> --d----- c:\program files\Symantec
    2009-01-27 20:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
    2009-01-27 20:13 <DIR> --d----- c:\program files\NavNT
    2009-01-27 20:13 <DIR> --d----- c:\program files\common files\Symantec Shared
    2009-01-27 20:03 31,768 a------- c:\windows\system32\wucltui.dll.mui
    2009-01-27 20:03 18,456 a------- c:\windows\system32\wuaueng.dll.mui
    2009-01-27 20:03 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
    2009-01-27 20:03 <DIR> --d----- c:\windows\system32\SoftwareDistribution
    2009-01-27 19:55 33,367 a------- C:\z8g5q3d3n2s9.exe
    2009-01-27 19:38 <DIR> --d----- c:\windows\system32\scripting
    2009-01-27 19:38 <DIR> --d----- c:\windows\l2schemas
    2009-01-27 19:38 <DIR> --d----- c:\windows\system32\en
    2009-01-27 19:38 <DIR> --d----- c:\windows\system32\bits
    2009-01-27 19:38 <DIR> --d----- c:\windows\peernet
    2009-01-27 19:28 19,569 a------- c:\windows\002509_.tmp
    2009-01-27 19:27 26,488 a------- c:\windows\system32\spupdsvc.exe
    2009-01-27 19:24 <DIR> --d----- c:\windows\EHome
    2009-01-03 05:03 659,968 ---shr-- c:\program files\SYSTMEM.EXE

    ==================== Find3M ====================

    2009-01-27 20:32 3,103 a------- c:\windows\system32\HPANT.DAT
    2009-01-27 19:43 83,307 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
    2009-01-14 10:29 91,792 ac------ c:\docume~1\cad\applic~1\GDIPFONTCACHEV1.DAT
    2008-12-22 09:38 117,364 a------- c:\windows\hpoins11.dat
    2002-08-29 04:00 94,784 -c-sh--- c:\windows\TWAIN.DLL
    2008-04-14 05:42 50,688 ---sh--- c:\windows\twain_32.dll
    2002-08-29 04:00 161,612 a--shr-- c:\windows\system32\esdezpb.dll
    2008-04-14 05:41 1,028,096 ---sh--- c:\windows\system32\mfc42.dll
    2008-04-14 05:42 57,344 ---sh--- c:\windows\system32\msvcirt.dll
    2008-04-14 05:42 413,696 a--sh--- c:\windows\system32\msvcp60.dll
    2008-04-14 05:42 343,040 a--sh--- c:\windows\system32\msvcrt.dll
    2008-04-14 05:42 551,936 ---sh--- c:\windows\system32\oleaut32.dll
    2008-04-14 05:42 84,992 ---sh--- c:\windows\system32\olepro32.dll
    2008-04-14 05:42 11,776 ---sh--- c:\windows\system32\regsvr32.exe

    ============= FINISH: 21:04:37.68 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-01-07.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 5/2/2003 2:38:52 PM
    System Uptime: 1/27/2009 8:33:08 PM (1 hours ago)

    Motherboard: Dell Computer Corp. | | 0J0592
    Processor: Intel(R) Pentium(R) 4 CPU 2.53GHz | Microprocessor | 2524/533mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 56 GiB total, 39.822 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
    Description:
    Device ID: ROOT\UNKNOWN\0001
    Manufacturer:
    Name:
    PNP Device ID: ROOT\UNKNOWN\0001
    Service:

    ==== System Restore Points ===================

    RP1: 1/3/2009 12:45:14 AM - System Checkpoint
    RP2: 1/4/2009 1:11:05 AM - System Checkpoint
    RP3: 1/5/2009 1:14:03 AM - System Checkpoint
    RP4: 1/6/2009 2:14:00 AM - System Checkpoint
    RP5: 1/7/2009 3:14:00 AM - System Checkpoint
    RP6: 1/8/2009 2:26:55 PM - System Checkpoint
    RP7: 1/9/2009 2:55:06 PM - System Checkpoint
    RP8: 1/10/2009 3:07:46 PM - System Checkpoint
    RP9: 1/11/2009 3:59:25 PM - System Checkpoint
    RP10: 1/12/2009 4:59:26 PM - System Checkpoint
    RP11: 1/13/2009 5:55:03 PM - System Checkpoint
    RP12: 1/14/2009 6:55:04 PM - System Checkpoint
    RP13: 1/15/2009 7:20:45 PM - System Checkpoint
    RP14: 1/16/2009 8:16:01 PM - System Checkpoint
    RP15: 1/17/2009 8:22:56 PM - System Checkpoint
    RP16: 1/18/2009 9:22:56 PM - System Checkpoint
    RP17: 1/19/2009 10:20:36 PM - System Checkpoint
    RP18: 1/20/2009 11:13:02 PM - System Checkpoint
    RP19: 1/22/2009 12:13:01 AM - System Checkpoint
    RP20: 1/23/2009 1:13:01 AM - System Checkpoint
    RP21: 1/24/2009 2:13:01 AM - System Checkpoint
    RP22: 1/26/2009 8:21:06 PM - Restore Operation
    RP23: 1/26/2009 8:40:03 PM - Restore Operation
    RP24: 1/27/2009 7:57:06 PM - Installed Windows Defender
    RP25: 1/27/2009 8:13:09 PM - Installed Norton AntiVirus Corporate Edition

    ==== Installed Programs ======================

    6300
    6300_Help
    6300Trb
    ACDSee
    Adobe Acrobat 5.0
    Adobe Acrobat 7.0 Professional
    Adobe Flash Player 10 ActiveX
    Adobe Photoshop 7.0.1
    AiO_Scan_CDA
    AiOSoftwareNPI
    America Online
    AnswerWorks Runtime
    AOL Coach Version 1.0(Build:20020823.1)
    Autodesk Architectural Desktop 3.3
    BCM V.92 56K Modem
    BufferChm
    CP_CalendarTemplates1
    cp_OnlineProjectsConfig
    CP_Package_Basic1
    CP_Panorama1Config
    cp_PosterPrintConfig
    CueTour
    CustomerResearchQFolder
    DAO
    Dell Picture Studio - Dell Image Expert
    Dell Solution Center
    Dell Support
    Destinations
    DeviceManagementQFolder
    DiMAGE Viewer
    DocProc
    DocProcQFolder
    DocumentViewer
    DocumentViewerQFolder
    DVDSentry
    EarthLink Free Trial
    Earthlink Installer - uninstall 'Earthlink 5.0' entry first if present
    Easy CD Creator 5 Basic
    ELNKInst
    eSupportQFolder
    exPressit S.E. 2.1
    Fax_CDA
    FullDPAppQFolder
    Help and Support Customization
    HP Customer Participation Program 7.0
    HP Document Viewer 7.0
    HP Imaging Device Functions 7.0
    HP Photo Imaging Software
    HP Photo Printing Software
    HP Photosmart Premier Software 6.5
    HP Photosmart, Officejet and Deskjet 7.0.A
    HP Share-to-Web
    HP Software Update
    HP Solution Center 7.0
    HPPhotoSmartExpress
    HPProductAssistant
    InstantShareDevices
    InstantShareDevicesMFC
    Intel(R) PRO Ethernet Adapter and Software
    Intel(R) PROSet II
    JetAdmin v3.42
    LiveUpdate 1.6 (Symantec Corporation)
    Malwarebytes' Anti-Malware
    MarketResearch
    McAfee.com SecurityCenter
    McAfee.com VirusScan Online
    Microsoft .NET Framework (English)
    Microsoft .NET Framework (English) v1.0.3705
    Microsoft .NET Framework 1.1
    Microsoft Encarta Encyclopedia Standard 2003
    Microsoft IntelliPoint 4.1
    Microsoft Money 2003
    Microsoft Money 2003 System Pack
    Microsoft Picture It! Photo 7.0
    Microsoft Streets and Trips 2002
    Microsoft Word 2002
    Microsoft Works 2003 Setup Launcher
    Microsoft Works 4.0
    Microsoft Works 7.0
    Microsoft Works Suite Add-in for Microsoft Word
    Modem Helper
    MUSICMATCH Jukebox
    NewCopy_CDA
    Norton AntiVirus Corporate Edition
    NVIDIA Windows 2000/XP Display Drivers
    OCR Software by I.R.I.S 7.0
    Paint Shop Pro 7
    PanoStandAlone
    PhotoGallery
    PowerChute plus 5.2.1
    PowerDVD
    ProductContextNPI
    Qualxserve Service Agreement
    QuickTime
    RandMap
    Readme
    RealOne Player
    Scan
    ScannerCopy
    Shockwave
    SkinsHP1
    SlideShow
    SolutionCenter
    Sonic_PrimoSDK
    Status
    StoneCAD 4.02
    Toolbox
    TrayApp
    Unload
    Viewpoint Media Player (Remove Only)
    WebFldrs XP
    WebReg
    Windows Defender
    Windows XP Service Pack 3
    Works Suite OS Pack

    ==== Event Viewer Messages From Past Week ========

    1/26/2009 8:26:32 PM, error: Service Control Manager [7023] - The Monitor Network service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
    1/26/2009 8:23:52 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments " " in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
    1/26/2009 8:20:49 PM, error: NetBT [4311] - Initialization failed because the driver device could not be created.
    1/25/2009 4:31:31 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Service Controler service, but this action failed with the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    1/25/2009 4:31:31 PM, error: Service Control Manager [7031] - The Service Controler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.
    1/26/2009 8:34:35 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/26/2009 8:34:58 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    1/26/2009 8:35:57 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    1/26/2009 8:35:57 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/26/2009 8:35:57 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/26/2009 8:35:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdudf_xp Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss Tcpip
    1/26/2009 8:43:18 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    1/26/2009 8:44:13 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdudf_xp Fips Processor
    1/27/2009 7:51:20 PM, error: Service Control Manager [7023] - The Portable Media Serial Number service terminated with the following error: The specified module could not be found.
    1/27/2009 7:57:59 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments " " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    1/27/2009 8:01:43 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdudf_xp Fips intelppm
    1/27/2009 8:03:44 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments " " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

    ==== End Of File ===========================
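    A small triage script, added here as an example and not part of the post or of the DDS/ComboFix tools, that reads lines in the DDS "Pseudo HJT Report" and "Created Last 30" formats above and flags what a helper reads off this log by eye: a Winlogon Shell value that is not plain Explorer.exe, a non-zero SFCDisable, the DisableTaskMgr / DisableRegistryTools policies, and any Run or Shell entry that points at a file carrying hidden+system attributes (SYSTMEM.EXE here). The sample lines are copied from the log above; the finding codes and the u/d hive labels are my own.

```python
import re

# Constructed sample: entries copied from the DDS log above, plus one benign
# Run entry (DVDSentry) for contrast.  "Pseudo HJT" lines and "Created Last 30"
# lines can be fed together; the parser tells them apart by shape.
SAMPLE_LOG = r"""
mWinlogon: Shell=Explorer.exe %PROGRAMFILES%\SYSTMEM.EXE
mWinlogon: SFCDisable=-99 (0xffffff9d)
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [SYSTMEM.EXE] c:\program files\\SYSTMEM.EXE
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
2009-01-27 19:55 33,367 a------- C:\z8g5q3d3n2s9.exe
2009-01-03 05:03 659,968 ---shr-- c:\program files\SYSTMEM.EXE
"""

WINLOGON_RE = re.compile(r"^[mu]Winlogon:\s*(\w+)=(.*)$")
POLICY_RE = re.compile(r"^([ud])Policies-system:\s*(\w+)\s*=\s*(-?\d+)")
RUN_RE = re.compile(r"^[mu]Run:\s*\[([^\]]*)\]\s*(.*)$")
# "Created Last 30" line: date time size attrs path; attrs look like a------- or ---shr--
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+([a-z-]{8})\s+(.*)$")
# Executable names inside a command line, without their directory part.
EXE_RE = re.compile(r'[^\s"\\]+\.(?:exe|com|scr|dll|pif|bat|cmd)', re.IGNORECASE)

# DDS prefix convention: u = current user, d = default user hive (my labels).
HIVE = {"u": "HKCU", "d": "default-user hive"}


def _basename(path):
    return path.replace("/", "\\").rstrip("\\").split("\\")[-1].strip().lower()


def triage(lines):
    """Return a list of (code, detail) findings for DDS log lines."""
    findings = []
    hidden_system = set()   # basenames carrying both the h and s attributes
    autostarts = []         # (where it is loaded from, command line)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.groups()
            if "h" in attrs and "s" in attrs:
                hidden_system.add(_basename(path))
            continue
        m = WINLOGON_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "shell":
                autostarts.append(("Winlogon Shell", value))
                # The stock Shell value is exactly "Explorer.exe"; anything
                # appended is started at every logon next to the desktop shell.
                if value.lower() != "explorer.exe":
                    findings.append(("WINLOGON_SHELL", value))
            elif key == "sfcdisable" and int(value.split()[0]) != 0:
                # Non-zero SFCDisable means Windows File Protection is off.
                findings.append(("SFC_DISABLED", value))
            continue
        m = POLICY_RE.match(line)
        if m:
            hive, name, val = m.groups()
            if name in ("DisableTaskMgr", "DisableRegistryTools") and int(val) == 1:
                findings.append(("POLICY", f"{HIVE[hive]} {name}=1"))
            continue
        m = RUN_RE.match(line)
        if m:
            autostarts.append((f"Run [{m.group(1)}]", m.group(2)))
    # Cross-reference autostart entries against hidden+system files: the
    # combination seen above (SYSTMEM.EXE in Shell, in Run, and listed ---shr--).
    for where, command in autostarts:
        for exe in EXE_RE.findall(command):
            if exe.lower() in hidden_system:
                findings.append(("HIDDEN_AUTOSTART", f"{where} -> {exe.lower()}"))
    return findings


def triage_text(text):
    return triage(text.splitlines())


if __name__ == "__main__":
    for code, detail in triage_text(SAMPLE_LOG):
        print(f"{code:17} {detail}")
```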
     
  2. 2009/01/29
    noahdfear
    Welcome to WindowsBBS gsievers :)

    Please visit the following webpage for instructions for downloading and running ComboFix

    How to use ComboFix


    Download ComboFix by sUBs from here, saving the file to your desktop.


    Disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    **NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.
     

  4. 2009/01/31
    gsievers (Thread Starter)
    I can now access RegEdit and my Task Manager.

    Access to Microsoft, Symantec, etc. still limited.


    ComboFix Log:

    ComboFix 09-01-31.01 - Cad 2009-01-31 13:24:22.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.325 [GMT -6:00]
    Running from: c:\documents and settings\Cad\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\encapi32.dll
    c:\windows\system32\webcl32.dll
    F:\autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-31 )))))))))))))))))))))))))))))))
    .

    2009-01-31 13:20 . 2009-01-31 13:22 45,101 --a------ c:\documents and settings\Cad\xdshd.exe
    2009-01-27 20:19 . 2009-01-27 20:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-01-27 20:19 . 2009-01-27 20:19 <DIR> d-------- c:\documents and settings\Cad\Application Data\Malwarebytes
    2009-01-27 20:19 . 2009-01-27 20:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-01-27 20:19 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
    2009-01-27 20:19 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
    2009-01-27 20:14 . 2009-01-27 20:14 0 --a------ c:\windows\VPC32.INI
    2009-01-27 20:13 . 2009-01-27 20:13 <DIR> d-------- c:\windows\SYSTEM32\CBA
    2009-01-27 20:13 . 2009-01-27 20:14 <DIR> d-------- c:\program files\Symantec
    2009-01-27 20:13 . 2009-01-27 20:32 <DIR> d-------- c:\program files\NavNT
    2009-01-27 20:13 . 2009-01-27 20:13 <DIR> d-------- c:\program files\Common Files\Symantec Shared
    2009-01-27 20:13 . 2009-01-27 20:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
    2009-01-27 20:13 . 2001-09-24 02:29 120,379 --a------ c:\windows\SYSTEM32\SYMEVNT.386
    2009-01-27 20:13 . 2001-09-24 02:29 57,696 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.SYS
    2009-01-27 20:13 . 2001-09-24 02:29 36,864 --a------ c:\windows\SYSTEM32\S32EVNT1.DLL
    2009-01-27 20:13 . 2001-09-24 02:29 4,032 --a------ c:\windows\SYSTEM32\SYMEVNT1.DLL
    2009-01-27 20:03 . 2008-10-16 14:09 43,544 --a------ c:\windows\SYSTEM32\wups2.dll
    2009-01-27 20:03 . 2008-10-16 14:09 31,768 --a------ c:\windows\SYSTEM32\wucltui.dll.mui
    2009-01-27 20:03 . 2008-10-16 14:07 23,576 --a------ c:\windows\SYSTEM32\wuaucpl.cpl.mui
    2009-01-27 20:03 . 2008-10-16 14:07 18,456 --a------ c:\windows\SYSTEM32\wuaueng.dll.mui
    2009-01-27 19:57 . 2009-01-27 19:57 <DIR> d-------- c:\program files\Windows Defender
    2009-01-27 19:55 . 2009-01-27 20:44 33,367 --a------ C:\z8g5q3d3n2s9.exe
    2009-01-27 19:38 . 2009-01-27 19:39 <DIR> d-------- c:\windows\SYSTEM32\scripting
    2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\SYSTEM32\en
    2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\SYSTEM32\bits
    2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\peernet
    2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\l2schemas
    2009-01-27 19:28 . 2006-12-29 00:31 19,569 --a------ c:\windows\002509_.tmp
    2009-01-27 19:27 . 2007-08-10 20:46 26,488 --a------ c:\windows\SYSTEM32\spupdsvc.exe
    2009-01-27 19:24 . 2009-01-27 19:24 <DIR> d-------- c:\windows\EHome
    2009-01-26 20:44 . 2009-01-26 21:29 <DIR> d-------- c:\windows\BDOSCAN8
    2009-01-26 20:43 . 2009-01-26 20:43 <DIR> d---s---- c:\documents and settings\Administrator\UserData
    2009-01-03 05:03 . 2009-01-03 05:02 659,968 -r-hs---- c:\program files\SYSTMEM.EXE
    2008-12-23 14:28 . 2008-12-23 14:28 54 --a------ c:\windows\cdplayer.ini
    2008-12-22 09:38 . 2008-12-22 09:46 <DIR> d-------- c:\documents and settings\Cad\Application Data\HP
    2008-12-22 09:36 . 2008-12-22 09:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
    2008-12-22 09:23 . 2008-12-22 09:23 <DIR> d-------- C:\bin
    2008-12-22 09:21 . 2008-12-22 09:21 <DIR> d-------- c:\program files\Common Files\Sonic Shared
    2008-12-22 09:21 . 2008-12-22 09:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic
    2008-12-22 09:18 . 2008-12-22 09:21 <DIR> d-------- c:\program files\Common Files\HP
    2008-12-22 09:16 . 2008-12-22 09:16 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
    2008-12-22 09:14 . 2006-03-03 22:03 282,680 --a------ c:\windows\SYSTEM32\HPZidr12.dll
    2008-12-22 09:14 . 2006-03-03 22:02 204,800 --a------ c:\windows\SYSTEM32\HPZipr12.dll
    2008-12-22 09:14 . 2006-03-03 22:02 94,208 --a------ c:\windows\SYSTEM32\HPZipt12.dll
    2008-12-22 09:14 . 2006-03-03 22:03 69,632 --a------ c:\windows\SYSTEM32\HPZipm12.exe
    2008-12-22 09:14 . 2006-03-03 22:03 65,536 --a------ c:\windows\SYSTEM32\HPZinw12.exe
    2008-12-22 09:14 . 2006-03-03 22:02 57,344 --a------ c:\windows\SYSTEM32\HPZisn12.dll
    2008-12-22 09:12 . 2008-12-22 09:16 <DIR> d-------- c:\program files\HP
    2008-12-22 09:10 . 2006-01-04 03:12 77,824 -ra------ c:\windows\SYSTEM32\HPZIDS01.dll
    2008-12-22 09:10 . 2006-04-12 18:04 49,664 -ra------ c:\windows\SYSTEM32\DRIVERS\HPZid412.sys
    2008-12-22 09:10 . 2006-04-10 15:03 38,400 --a------ c:\windows\SYSTEM32\hpz3l054.dll
    2008-12-22 09:10 . 2006-04-12 18:04 16,496 -ra------ c:\windows\SYSTEM32\DRIVERS\HPZipr12.sys
    2008-12-22 09:09 . 2006-04-12 18:02 827,392 -ra------ c:\windows\SYSTEM32\hpotiop2.dll
    2008-12-22 09:09 . 2006-04-12 18:02 659,456 -ra------ c:\windows\SYSTEM32\hpowiax2.dll
    2008-12-22 09:09 . 2006-04-12 18:04 282,624 -ra------ c:\windows\SYSTEM32\HPZc3212.dll
    2008-12-22 09:09 . 2006-04-12 18:02 254,026 -ra------ c:\windows\SYSTEM32\hpovst09.dll
    2008-12-22 09:09 . 2008-04-14 00:17 25,856 --a------ c:\windows\SYSTEM32\DRIVERS\usbprint.sys
    2008-12-22 09:09 . 2006-04-12 18:04 21,568 -ra------ c:\windows\SYSTEM32\DRIVERS\HPZius12.sys
    2008-12-22 09:09 . 2008-04-14 00:15 15,104 --a------ c:\windows\SYSTEM32\DRIVERS\usbscan.sys
    2008-12-22 09:08 . 2008-12-22 09:38 117,364 --a------ c:\windows\hpoins11.dat
    2008-12-22 09:08 . 2008-04-14 00:15 32,128 --a------ c:\windows\SYSTEM32\DRIVERS\usbccgp.sys
    2008-12-15 12:47 . 2007-08-19 07:59 2,370,413 --a------ c:\windows\DSC_0009.JPG

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-14 16:29 91,792 -c--a-w c:\documents and settings\Cad\Application Data\GDIPFONTCACHEV1.DAT
    2009-01-12 18:32 --------- d-----w c:\program files\America Online 8.0
    2009-01-12 18:30 --------- d-----w c:\program files\Autodesk Architectural Desktop 3
    2008-12-30 14:43 --------- d-----w c:\documents and settings\Cad\Application Data\MSN6
    2008-12-22 15:16 --------- d-----w c:\program files\Hewlett-Packard
    2008-10-16 20:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
    2008-10-16 20:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
    2008-10-16 20:12 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
    2008-10-16 20:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
    2008-10-16 20:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
    2008-04-14 11:42 50,688 --sh--w c:\windows\twain_32.dll
    2002-08-29 10:00 161,612 --sha-r c:\windows\SYSTEM32\esdezpb.dll
    2008-04-14 11:41 1,028,096 --sh--w c:\windows\SYSTEM32\mfc42.dll
    2008-04-14 11:42 57,344 --sh--w c:\windows\SYSTEM32\msvcirt.dll
    2008-04-14 11:42 413,696 --sha-w c:\windows\SYSTEM32\msvcp60.dll
    2008-04-14 11:42 343,040 --sha-w c:\windows\SYSTEM32\msvcrt.dll
    2008-04-14 11:42 551,936 --sh--w c:\windows\SYSTEM32\oleaut32.dll
    2008-04-14 11:42 84,992 --sh--w c:\windows\SYSTEM32\olepro32.dll
    2008-04-14 11:42 11,776 --sh--w c:\windows\SYSTEM32\regsvr32.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP JetDiscovery "= "HPJETDSC.EXE" [2000-03-28 c:\windows\SYSTEM32\hpjetdsc.exe]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "NvQTwk" [X]
    "DVDSentry "= "c:\windows\System32\DSentry.exe" [2002-08-14 28672]
    "AdaptecDirectCD "= "c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
    "BuildBU "= "c:\dell\bldbubg.exe" [2002-07-12 53248]
    "DwlClient "= "c:\program files\Common Files\Dell\EUSW\Support.exe" [2002-12-13 225280]
    "Microsoft Works Update Detection "= "c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
    "Share-to-Web Namespace Daemon "= "c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
    "CXMon "= "c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-09 45056]
    "MCUpdateExe "= "c:\progra~1\McAfee.com\Agent\mcupdate.exe" [2002-09-04 151552]
    "Acrobat Assistant 7.0 "= "c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-04-30 151597]
    "vptray "= "c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
    "BCMSMMSG "= "BCMSMMSG.exe" [2003-02-24 c:\windows\BCMSMMSG.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-12-05 113664]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
    --a------ 2002-09-06 17:15 192512 c:\program files\McAfee.com\Agent\mcagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
    --a------ 2002-09-04 09:28 151552 c:\progra~1\McAfee.com\Agent\mcupdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a--c--- 2003-04-30 16:36 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
    --a--c--- 2002-10-04 14:09 139264 c:\program files\McAfee.com\VSO\mcvsshld.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify "=dword:00000001
    "AntiVirusDisableNotify "=dword:00000001
    "AntiVirusOverride "=dword:00000001
    "FirewallOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6926:TCP "= 6926:TCP:mglkq

    R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
    S3 NaiFiltr;NaiFiltr;c:\windows\SYSTEM32\DRIVERS\NaiFiltr.sys [2003-04-30 23296]
    S4 ptlpw;Monitor Network;c:\windows\system32\svchost.exe -k netsvcs [2002-08-29 14336]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    ptlpw

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F387232}]
    c:\recycler\k-1-3542-4232123213-7676767-8888886\root.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-31 c:\windows\Tasks\McAfee.com Update Check (D4SWGR21-Administrator).job
    - c:\progra~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 09:28]

    2009-01-31 c:\windows\Tasks\McAfee.com Update Check (D4SWGR21-Administrator).job
    - c:\progra~1\McAfee.com\Agent [2004-11-18 14:09]

    2009-01-31 c:\windows\Tasks\McAfee.com Update Check (DEL7-Cad).job
    - c:\progra~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 09:28]

    2009-01-31 c:\windows\Tasks\McAfee.com Update Check (DEL7-Cad).job
    - c:\progra~1\McAfee.com\Agent [2004-11-18 14:09]

    2009-01-31 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-POINTER - point32.exe
    MSConfigStartUp-ConMgr - c:\program files\EarthLink 5.0\conmgr.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.dellnet.com
    uInternet Connection Wizard,ShellNext = hxxp://www.mcafee.com/myaccount/default.asp?area=myaccount&oemid=1790-642
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    Trusted Zone: microsoft.com\www
    Trusted Zone: symantec.com\www
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-31 13:27:08
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????X:??????x???????X???????????????P???? ?w? ?w)??p????????(???s????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X???????? "@?e?????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ptlpw]
    "ServiceDll "= "c:\windows\System32\esdezpb.dll "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(692)
    c:\windows\system32\NavLogon.dll
    .
    Completion time: 2009-01-31 13:31:27
    ComboFix-quarantined-files.txt 2009-01-31 19:30:24

    Pre-Run: 42,651,054,080 bytes free
    Post-Run: 42,649,886,720 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS= "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

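As an added example (not part of this thread and not the helper's own tooling), this Python script pulls the indicators noahdfear acted on out of a ComboFix-style registry dump: the four Security Center override values, the GloballyOpenPorts exception, the non-default netsvcs member with its ServiceDll, and an Active Setup component that points outside Windows or Program Files. The rule names, the Finding class and the "expected prefix" list are my own choices; the sample lines are excerpted from the log above.

```python
import re
from dataclasses import dataclass

# Constructed input: lines excerpted from the ComboFix log posted above, trimmed to the blocks used below.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6926:TCP"= 6926:TCP:mglkq

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ptlpw

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F387232}]
c:\recycler\k-1-3542-4232123213-7676767-8888886\root.exe

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ptlpw]
"ServiceDll"="c:\windows\System32\esdezpb.dll"
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
NETSVCS_HEADER = "\\svchost - netsvcs"  # printed by the tool without brackets
SECURITY_CENTER_FLAGS = {"updatesdisablenotify", "antivirusdisablenotify",
                         "antivirusoverride", "firewalloverride"}
# Where an Active Setup component is expected to live; c:\recycler is not on the list (my assumption).
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def split_blocks(text):
    """Group the dump into {lower-cased header: [lines]}; a blank line ends a block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            blocks[current] = []
        elif line.lower().endswith(NETSVCS_HEADER):
            current = "netsvcs"
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def reg_values(lines):
    """Yield (name, value) pairs from lines of the form "Name"=value."""
    for line in lines:
        m = VALUE_RE.match(line)
        if m:
            yield m.group("name").strip(), m.group("value").strip()


def service_dll(blocks, service):
    """Return the ServiceDll recorded for a service, or None if the dump lacks it."""
    suffix = "\\services\\" + service.lower()
    for key, lines in blocks.items():
        if key.endswith(suffix):
            for name, value in reg_values(lines):
                if name.lower() == "servicedll":
                    return value.strip('"')
    return None


def triage(text):
    """Return findings in the order their blocks appear in the dump."""
    blocks, findings = split_blocks(text), []
    for key, lines in blocks.items():
        if key.endswith("\\security center"):
            # dword:1 here silences the Security Center warnings about disabled AV/firewall/updates
            for name, value in reg_values(lines):
                if name.lower() in SECURITY_CENTER_FLAGS and value.lower() == "dword:00000001":
                    findings.append(Finding("security-center-suppressed", name))
        elif key.endswith("\\globallyopenports\\list"):
            for name, value in reg_values(lines):
                findings.append(Finding("firewall-port-opened", f"{name} -> {value}"))
        elif "\\active setup\\installed components\\" in key:
            for line in lines:
                if not line.lower().startswith(EXPECTED_PREFIXES):
                    findings.append(Finding("active-setup-untrusted-path", line))
    # a service added to the netsvcs group gets its DLL loaded into a shared svchost.exe
    for svc in blocks.get("netsvcs", []):
        dll = service_dll(blocks, svc) or "ServiceDll not in log"
        findings.append(Finding("netsvcs-nondefault-service", f"{svc} -> {dll}"))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the seven findings; on the later logs in this thread, where the service and the open port are gone, the same rules return only the four Security Center values.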
  5. 2009/01/31
    noahdfear

    Please upload the following files to my submission channel for analysis. Leave a link back to this topic.

    c:\documents and settings\Cad\xdshd.exe
    C:\z8g5q3d3n2s9.exe
    c:\program files\SYSTMEM.EXE

    Thanks!
     
  6. 2009/02/01
    gsievers

    xdshd.exe & z8g5q3d3n2s9.exe uploaded.

    systmem.exe file not found. Did a search...no such file.

    Please let me know what steps I need to take to restore access to AV/security websites.

    Thanks.
     
  7. 2009/02/02
    noahdfear

    Files received, thank you. Please highlight and copy the bolded command below.

    attrib -r -h -s "c:\program files\SYSTMEM.EXE"

    Now click Start>Run and type cmd then hit Enter to open a command window.
    Right click in the command window and select paste, then hit Enter to execute the command.
    Close the command window, then try uploading the systmem.exe file again.
     
  8. 2009/02/03
    gsievers

    systmem.exe uploaded.

    Awaiting the next step.

    Thanks.
     
  9. 2009/02/04
    noahdfear

    Thanks! All three are infected.

    Once again, disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Collect::
    c:\documents and settings\Cad\xdshd.exe
    C:\z8g5q3d3n2s9.exe
    c:\program files\SYSTMEM.EXE
    c:\windows\System32\esdezpb.dll
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6926:TCP"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F387232}]
    NetSvcs::
    ptlpw
    Driver::
    ptlpw
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log here.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.

    Please note that I have instructed CFScript to collect some files. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created. The zip contains the aforementioned files. If the upload fails you will be presented with instructions for uploading it manually. Please do so and let me know the results. This will assist the author in adding the files for removal in future updates. Thanks!
     
  10. 2009/02/04
    gsievers

    Did not remember if I was supposed to allow ComboFix to update after I dragged the txt file over, so I checked no. I didn't print the instructions you had given out and I didn't want to start an IE window to double check what my response was supposed to be with ComboFix running. Let me know if I need to re-run ComboFix.

    Log file as requested:

    ComboFix 09-01-31.01 - Cad 2009-02-04 19:34:56.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.293 [GMT -6:00]
    Running from: c:\documents and settings\Cad\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Cad\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\SYSTMEM.EXE
    c:\windows\System32\esdezpb.dll
    C:\z8g5q3d3n2s9.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_PTLPW
    -------\Service_ptlpw


    ((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
    .

    2009-02-04 19:32 . 2009-02-04 19:32 45,101 --a------ c:\windows\x6cdshd.exe
    2009-02-04 19:30 . 2009-02-04 19:30 45,101 --a------ c:\windows\xrdshd.exe
    2009-02-03 19:36 . 2009-02-03 19:36 41,005 --a------ c:\windows\xcdshd.exe
    2009-01-31 13:20 . 2009-02-03 19:34 41,005 --a------ c:\windows\xdshd.exe
    2009-01-27 20:19 . 2009-01-27 20:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-01-27 20:19 . 2009-01-27 20:19 <DIR> d-------- c:\documents and settings\Cad\Application Data\Malwarebytes
    2009-01-27 20:19 . 2009-01-27 20:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-01-27 20:19 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
    2009-01-27 20:19 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
    2009-01-27 20:14 . 2009-01-27 20:14 0 --a------ c:\windows\VPC32.INI
    2009-01-27 20:13 . 2009-01-27 20:13 <DIR> d-------- c:\windows\SYSTEM32\CBA
    2009-01-27 20:13 . 2009-01-27 20:14 <DIR> d-------- c:\program files\Symantec
    2009-01-27 20:13 . 2009-01-27 20:32 <DIR> d-------- c:\program files\NavNT
    2009-01-27 20:13 . 2009-01-27 20:13 <DIR> d-------- c:\program files\Common Files\Symantec Shared
    2009-01-27 20:13 . 2009-01-27 20:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
    2009-01-27 20:13 . 2001-09-24 02:29 120,379 --a------ c:\windows\SYSTEM32\SYMEVNT.386
    2009-01-27 20:13 . 2001-09-24 02:29 57,696 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.SYS
    2009-01-27 20:13 . 2001-09-24 02:29 36,864 --a------ c:\windows\SYSTEM32\S32EVNT1.DLL
    2009-01-27 20:13 . 2001-09-24 02:29 4,032 --a------ c:\windows\SYSTEM32\SYMEVNT1.DLL
    2009-01-27 20:03 . 2008-10-16 14:09 43,544 --a------ c:\windows\SYSTEM32\wups2.dll
    2009-01-27 20:03 . 2008-10-16 14:09 31,768 --a------ c:\windows\SYSTEM32\wucltui.dll.mui
    2009-01-27 20:03 . 2008-10-16 14:07 23,576 --a------ c:\windows\SYSTEM32\wuaucpl.cpl.mui
    2009-01-27 20:03 . 2008-10-16 14:07 23,576 --a------ c:\windows\SYSTEM32\wuapi.dll.mui
    2009-01-27 20:03 . 2008-10-16 14:07 18,456 --a------ c:\windows\SYSTEM32\wuaueng.dll.mui
    2009-01-27 19:57 . 2009-01-27 19:57 <DIR> d-------- c:\program files\Windows Defender
    2009-01-27 19:38 . 2009-01-27 19:39 <DIR> d-------- c:\windows\SYSTEM32\scripting
    2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\SYSTEM32\en
    2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\SYSTEM32\bits
    2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\peernet
    2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\l2schemas
    2009-01-27 19:28 . 2006-12-29 00:31 19,569 --a------ c:\windows\002509_.tmp
    2009-01-27 19:27 . 2007-08-10 20:46 26,488 --a------ c:\windows\SYSTEM32\spupdsvc.exe
    2009-01-27 19:24 . 2009-01-27 19:24 <DIR> d-------- c:\windows\EHome
    2009-01-26 20:44 . 2009-01-26 21:29 <DIR> d-------- c:\windows\BDOSCAN8
    2009-01-26 20:43 . 2009-01-26 20:43 <DIR> d---s---- c:\documents and settings\Administrator\UserData

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-14 16:29 91,792 -c--a-w c:\documents and settings\Cad\Application Data\GDIPFONTCACHEV1.DAT
    2009-01-12 18:32 --------- d-----w c:\program files\America Online 8.0
    2009-01-12 18:30 --------- d-----w c:\program files\Autodesk Architectural Desktop 3
    2008-12-30 14:43 --------- d-----w c:\documents and settings\Cad\Application Data\MSN6
    2008-12-22 15:46 --------- d-----w c:\documents and settings\Cad\Application Data\HP
    2008-12-22 15:36 --------- d-----w c:\documents and settings\All Users\Application Data\HP
    2008-12-22 15:21 --------- d-----w c:\program files\Common Files\Sonic Shared
    2008-12-22 15:21 --------- d-----w c:\program files\Common Files\HP
    2008-12-22 15:21 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
    2008-12-22 15:16 --------- d-----w c:\program files\HP
    2008-12-22 15:16 --------- d-----w c:\program files\Hewlett-Packard
    2008-12-22 15:16 --------- d-----w c:\program files\Common Files\Hewlett-Packard
    2008-04-14 11:42 50,688 --sh--w c:\windows\twain_32.dll
    2008-04-14 11:41 1,028,096 --sh--w c:\windows\SYSTEM32\mfc42.dll
    2008-04-14 11:42 57,344 --sh--w c:\windows\SYSTEM32\msvcirt.dll
    2008-04-14 11:42 413,696 --sha-w c:\windows\SYSTEM32\msvcp60.dll
    2008-04-14 11:42 343,040 --sha-w c:\windows\SYSTEM32\msvcrt.dll
    2008-04-14 11:42 551,936 --sh--w c:\windows\SYSTEM32\oleaut32.dll
    2008-04-14 11:42 84,992 --sh--w c:\windows\SYSTEM32\olepro32.dll
    2008-04-14 11:42 11,776 --sh--w c:\windows\SYSTEM32\regsvr32.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2009-01-31_13.28.49.35 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-10-21 02:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
    + 2008-10-16 20:12:20 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
    + 2008-10-16 20:08:58 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
    - 2009-01-28 03:17:58 3,103 ----a-w c:\windows\SYSTEM32\HPANT.DAT
    + 2009-02-05 01:38:08 3,103 ----a-w c:\windows\SYSTEM32\HPANT.DAT
    - 2008-04-14 11:42:12 430,592 ------w c:\windows\SYSTEM32\wuapi.dll
    + 2008-10-16 20:12:20 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
    - 2008-04-14 11:42:12 32,256 ------w c:\windows\SYSTEM32\wups.dll
    + 2008-10-16 20:08:58 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP JetDiscovery "= "HPJETDSC.EXE" [2000-03-28 c:\windows\SYSTEM32\hpjetdsc.exe]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "NvQTwk" [X]
    "DVDSentry "= "c:\windows\System32\DSentry.exe" [2002-08-14 28672]
    "AdaptecDirectCD "= "c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
    "BuildBU "= "c:\dell\bldbubg.exe" [2002-07-12 53248]
    "DwlClient "= "c:\program files\Common Files\Dell\EUSW\Support.exe" [2002-12-13 225280]
    "Microsoft Works Update Detection "= "c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
    "Share-to-Web Namespace Daemon "= "c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
    "CXMon "= "c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-09 45056]
    "MCUpdateExe "= "c:\progra~1\McAfee.com\Agent\mcupdate.exe" [2002-09-04 151552]
    "Acrobat Assistant 7.0 "= "c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-04-30 151597]
    "vptray "= "c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
    "BCMSMMSG "= "BCMSMMSG.exe" [2003-02-24 c:\windows\BCMSMMSG.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-12-05 113664]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
    --a------ 2002-09-06 17:15 192512 c:\program files\McAfee.com\Agent\mcagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
    --a------ 2002-09-04 09:28 151552 c:\progra~1\McAfee.com\Agent\mcupdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a--c--- 2003-04-30 16:36 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
    --a--c--- 2002-10-04 14:09 139264 c:\program files\McAfee.com\VSO\mcvsshld.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify "=dword:00000001
    "AntiVirusDisableNotify "=dword:00000001
    "AntiVirusOverride "=dword:00000001
    "FirewallOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=

    R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
    S3 NaiFiltr;NaiFiltr;c:\windows\SYSTEM32\DRIVERS\NaiFiltr.sys [2003-04-30 23296]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-02-05 c:\windows\Tasks\McAfee.com Update Check (D4SWGR21-Administrator).job
    - c:\progra~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 09:28]

    2009-02-05 c:\windows\Tasks\McAfee.com Update Check (D4SWGR21-Administrator).job
    - c:\progra~1\McAfee.com\Agent [2004-11-18 14:09]

    2009-02-05 c:\windows\Tasks\McAfee.com Update Check (DEL7-Cad).job
    - c:\progra~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 09:28]

    2009-02-05 c:\windows\Tasks\McAfee.com Update Check (DEL7-Cad).job
    - c:\progra~1\McAfee.com\Agent [2004-11-18 14:09]

    2009-02-05 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.dellnet.com
    uInternet Connection Wizard,ShellNext = hxxp://www.mcafee.com/myaccount/default.asp?area=myaccount&oemid=1790-642
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    Trusted Zone: microsoft.com\www
    Trusted Zone: symantec.com\www
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-04 19:39:40
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????X:??????x???????X???????????????P???? ?w? ?w)??p????????(???s????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X???????? "@?e?????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(696)
    c:\windows\system32\NavLogon.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\NavNT\defwatch.exe
    c:\program files\NavNT\rtvscan.exe
    c:\windows\SYSTEM32\nvsvc32.exe
    c:\windows\wanmpsvc.exe
    c:\windows\SYSTEM32\MSGSYS.EXE
    c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    .
    **************************************************************************
    .
    Completion time: 2009-02-04 19:45:38 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-02-05 01:45:02
    ComboFix2.txt 2009-01-31 19:31:28

    Pre-Run: 42,638,336,000 bytes free
    Post-Run: 42,565,816,320 bytes free

  11. 2009/02/10
    noahdfear

    Please delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to your desktop.

    Once again, disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    c:\windows\x6cdshd.exe
    c:\windows\xrdshd.exe
    c:\windows\xcdshd.exe
    c:\windows\xdshd.exe
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  12. 2009/02/10
    gsievers

    Log file as requested.


    ComboFix 09-02-10.01 - Cad 2009-02-10 19:18:14.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.294 [GMT -6:00]
    Running from: c:\documents and settings\Cad\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Cad\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    c:\windows\x6cdshd.exe
    c:\windows\xcdshd.exe
    c:\windows\xdshd.exe
    c:\windows\xrdshd.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\x6cdshd.exe
    c:\windows\xcdshd.exe
    c:\windows\xdshd.exe
    c:\windows\xrdshd.exe

    .
    ((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
    .

    2009-01-27 20:19 . 2009-01-27 20:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-01-27 20:19 . 2009-01-27 20:19 <DIR> d-------- c:\documents and settings\Cad\Application Data\Malwarebytes
    2009-01-27 20:19 . 2009-01-27 20:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-01-27 20:19 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
    2009-01-27 20:19 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
    2009-01-27 20:14 . 2009-01-27 20:14 0 --a------ c:\windows\VPC32.INI
    2009-01-27 20:13 . 2009-01-27 20:13 <DIR> d-------- c:\windows\SYSTEM32\CBA
    2009-01-27 20:13 . 2009-01-27 20:14 <DIR> d-------- c:\program files\Symantec
    2009-01-27 20:13 . 2009-01-27 20:32 <DIR> d-------- c:\program files\NavNT
    2009-01-27 20:13 . 2009-01-27 20:13 <DIR> d-------- c:\program files\Common Files\Symantec Shared
    2009-01-27 20:13 . 2009-01-27 20:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
    2009-01-27 20:13 . 2001-09-24 02:29 120,379 --a------ c:\windows\SYSTEM32\SYMEVNT.386
    2009-01-27 20:13 . 2001-09-24 02:29 57,696 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.SYS
    2009-01-27 20:13 . 2001-09-24 02:29 36,864 --a------ c:\windows\SYSTEM32\S32EVNT1.DLL
    2009-01-27 20:13 . 2001-09-24 02:29 4,032 --a------ c:\windows\SYSTEM32\SYMEVNT1.DLL
    2009-01-27 20:03 . 2008-10-16 14:09 43,544 --a------ c:\windows\SYSTEM32\wups2.dll
    2009-01-27 20:03 . 2008-10-16 14:09 31,768 --a------ c:\windows\SYSTEM32\wucltui.dll.mui
    2009-01-27 20:03 . 2008-10-16 14:07 23,576 --a------ c:\windows\SYSTEM32\wuaucpl.cpl.mui
    2009-01-27 20:03 . 2008-10-16 14:07 23,576 --a------ c:\windows\SYSTEM32\wuapi.dll.mui
    2009-01-27 20:03 . 2008-10-16 14:07 18,456 --a------ c:\windows\SYSTEM32\wuaueng.dll.mui
    2009-01-27 19:57 . 2009-01-27 19:57 <DIR> d-------- c:\program files\Windows Defender
    2009-01-27 19:38 . 2009-01-27 19:39 <DIR> d-------- c:\windows\SYSTEM32\scripting
    2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\SYSTEM32\en
    2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\SYSTEM32\bits
    2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\peernet
    2009-01-27 19:38 . 2009-01-27 19:38 <DIR> d-------- c:\windows\l2schemas
    2009-01-27 19:28 . 2006-12-29 00:31 19,569 --a------ c:\windows\002509_.tmp
    2009-01-27 19:27 . 2007-08-10 20:46 26,488 --a------ c:\windows\SYSTEM32\spupdsvc.exe
    2009-01-27 19:24 . 2009-01-27 19:24 <DIR> d-------- c:\windows\EHome
    2009-01-26 20:44 . 2009-01-26 21:29 <DIR> d-------- c:\windows\BDOSCAN8
    2009-01-26 20:43 . 2009-01-26 20:43 <DIR> d---s---- c:\documents and settings\Administrator\UserData

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-14 16:29 91,792 -c--a-w c:\documents and settings\Cad\Application Data\GDIPFONTCACHEV1.DAT
    2009-01-12 18:32 --------- d-----w c:\program files\America Online 8.0
    2009-01-12 18:30 --------- d-----w c:\program files\Autodesk Architectural Desktop 3
    2008-12-30 14:43 --------- d-----w c:\documents and settings\Cad\Application Data\MSN6
    2008-12-22 15:46 --------- d-----w c:\documents and settings\Cad\Application Data\HP
    2008-12-22 15:36 --------- d-----w c:\documents and settings\All Users\Application Data\HP
    2008-12-22 15:21 --------- d-----w c:\program files\Common Files\Sonic Shared
    2008-12-22 15:21 --------- d-----w c:\program files\Common Files\HP
    2008-12-22 15:21 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
    2008-12-22 15:16 --------- d-----w c:\program files\HP
    2008-12-22 15:16 --------- d-----w c:\program files\Hewlett-Packard
    2008-12-22 15:16 --------- d-----w c:\program files\Common Files\Hewlett-Packard
    2008-04-14 11:42 50,688 --sh--w c:\windows\twain_32.dll
    2008-04-14 11:41 1,028,096 --sh--w c:\windows\SYSTEM32\mfc42.dll
    2008-04-14 11:42 57,344 --sh--w c:\windows\SYSTEM32\msvcirt.dll
    2008-04-14 11:42 413,696 --sha-w c:\windows\SYSTEM32\msvcp60.dll
    2008-04-14 11:42 343,040 --sha-w c:\windows\SYSTEM32\msvcrt.dll
    2008-04-14 11:42 551,936 --sh--w c:\windows\SYSTEM32\oleaut32.dll
    2008-04-14 11:42 84,992 --sh--w c:\windows\SYSTEM32\olepro32.dll
    2008-04-14 11:42 11,776 --sh--w c:\windows\SYSTEM32\regsvr32.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2009-01-31_13.28.49.35 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-10-21 02:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
    - 2000-08-31 14:00:00 286,720 ----a-w c:\windows\SWREG.exe
    + 2000-08-31 14:00:00 161,792 ----a-w c:\windows\SWREG.exe
    + 2008-10-16 20:12:20 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
    + 2008-10-16 20:08:58 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
    - 2009-01-28 03:17:58 3,103 ----a-w c:\windows\SYSTEM32\HPANT.DAT
    + 2009-02-05 01:53:46 3,103 ----a-w c:\windows\SYSTEM32\HPANT.DAT
    - 2008-04-14 11:42:12 430,592 ------w c:\windows\SYSTEM32\wuapi.dll
    + 2008-10-16 20:12:20 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
    - 2008-04-14 11:42:12 32,256 ------w c:\windows\SYSTEM32\wups.dll
    + 2008-10-16 20:08:58 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP JetDiscovery "= "HPJETDSC.EXE" [2000-03-28 c:\windows\SYSTEM32\hpjetdsc.exe]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "NvQTwk" [X]
    "DVDSentry "= "c:\windows\System32\DSentry.exe" [2002-08-14 28672]
    "AdaptecDirectCD "= "c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
    "BuildBU "= "c:\dell\bldbubg.exe" [2002-07-12 53248]
    "DwlClient "= "c:\program files\Common Files\Dell\EUSW\Support.exe" [2002-12-13 225280]
    "Microsoft Works Update Detection "= "c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
    "Share-to-Web Namespace Daemon "= "c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
    "CXMon "= "c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-09 45056]
    "MCUpdateExe "= "c:\progra~1\McAfee.com\Agent\mcupdate.exe" [2002-09-04 151552]
    "Acrobat Assistant 7.0 "= "c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-04-30 151597]
    "vptray "= "c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
    "BCMSMMSG "= "BCMSMMSG.exe" [2003-02-24 c:\windows\BCMSMMSG.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-12-05 113664]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
    --a------ 2002-09-06 17:15 192512 c:\program files\McAfee.com\Agent\mcagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
    --a------ 2002-09-04 09:28 151552 c:\progra~1\McAfee.com\Agent\mcupdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a--c--- 2003-04-30 16:36 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
    --a--c--- 2002-10-04 14:09 139264 c:\program files\McAfee.com\VSO\mcvsshld.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify "=dword:00000001
    "AntiVirusDisableNotify "=dword:00000001
    "AntiVirusOverride "=dword:00000001
    "FirewallOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=

    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
    S3 NaiFiltr;NaiFiltr;c:\windows\SYSTEM32\DRIVERS\NaiFiltr.sys [2003-04-30 23296]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-02-11 c:\windows\Tasks\McAfee.com Update Check (D4SWGR21-Administrator).job
    - c:\progra~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 09:28]

    2009-02-11 c:\windows\Tasks\McAfee.com Update Check (D4SWGR21-Administrator).job
    - c:\progra~1\McAfee.com\Agent [2004-11-18 14:09]

    2009-02-11 c:\windows\Tasks\McAfee.com Update Check (DEL7-Cad).job
    - c:\progra~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 09:28]

    2009-02-11 c:\windows\Tasks\McAfee.com Update Check (DEL7-Cad).job
    - c:\progra~1\McAfee.com\Agent [2004-11-18 14:09]

    2009-02-11 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.dellnet.com
    uInternet Connection Wizard,ShellNext = hxxp://www.mcafee.com/myaccount/default.asp?area=myaccount&oemid=1790-642
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    Trusted Zone: microsoft.com\www
    Trusted Zone: symantec.com\www
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-10 19:21:15
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????X:??????x???????X???????????????P???? ?w? ?w)??p????????(???s????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X???????? "@?e?????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(692)
    c:\windows\system32\NavLogon.dll
    .
    Completion time: 2009-02-10 19:24:14
    ComboFix-quarantined-files.txt 2009-02-11 01:23:09
    ComboFix2.txt 2009-02-05 01:45:40
    ComboFix3.txt 2009-01-31 19:31:28

    Pre-Run: 42,546,884,608 bytes free
    Post-Run: 42,534,551,552 bytes free

     
  13. 2009/02/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good. Let's see if we've missed anything. Please do an online scan with Kaspersky Online Scanner.

    • Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.


    Post the Kaspersky log here.
    Let me know if any problems persist.
     
  14. 2009/02/11
    gsievers

    gsievers Inactive Thread Starter

    Joined:
    2009/01/27
    Messages:
    8
    Likes Received:
    0
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Wednesday, February 11, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Wednesday, February 11, 2009 23:44:40
    Records in database: 1784406
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan statistics:
    Files scanned: 63709
    Threat name: 19
    Infected objects: 43
    Suspicious objects: 0
    Duration of the scan: 01:22:25


    File name / Threat name / Threats count
    C:\Qoobox\Quarantine\C\WINDOWS\x6cdshd.exe.vir Infected: Backdoor.Win32.Bifrose.alvm 1
    C:\Qoobox\Quarantine\C\WINDOWS\xcdshd.exe.vir Infected: Backdoor.Win32.Bifrose.alvm 1
    C:\Qoobox\Quarantine\C\WINDOWS\xdshd.exe.vir Infected: Backdoor.Win32.Bifrose.alvm 1
    C:\Qoobox\Quarantine\C\WINDOWS\xrdshd.exe.vir Infected: Backdoor.Win32.Bifrose.alvm 1
    C:\Qoobox\Quarantine\[4]-Submit_2009-02-04@19.34.zip Infected: Backdoor.Win32.SdBot.jdh 1
    C:\Qoobox\Quarantine\[4]-Submit_2009-02-04@19.34.zip Infected: Net-Worm.Win32.Kido.em 1
    C:\Qoobox\Quarantine\[4]-Submit_2009-02-04@19.34.zip Infected: Backdoor.Win32.Poison.rgj 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001775.exe Infected: Trojan.Win32.Qhost.kzn 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001776.exe Infected: Trojan.Win32.Inject.nfi 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001777.exe Infected: Trojan.Win32.Agent.bfno 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001778.exe Infected: Backdoor.Win32.SdBot.jly 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001779.exe Infected: Backdoor.Win32.SdBot.jtm 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001780.exe Infected: Backdoor.Win32.SdBot.jqo 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001782.exe Infected: Trojan.Win32.Inject.nfi 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001783.exe Infected: Trojan.Win32.Inject.nfi 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001784.exe Infected: Trojan.Win32.Inject.nfi 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001785.exe Infected: Trojan.Win32.Buzus.aejq 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001786.exe Infected: Trojan.Win32.Inject.nfi 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001787.exe Infected: Backdoor.Win32.VanBot.oj 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001788.exe Infected: Trojan.Win32.Inject.nfi 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001789.exe Infected: Backdoor.Win32.IRCBot.xt 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001790.exe Infected: Trojan.Win32.Buzus.aejq 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001791.exe Infected: Trojan.Win32.Buzus.aejq 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001792.exe Infected: Trojan.Win32.Inject.nfi 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001793.exe Infected: Trojan.Win32.Inject.nfi 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001794.exe Infected: Backdoor.Win32.Rbot.rgk 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001795.exe Infected: Trojan.Win32.Inject.nfi 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001796.exe Infected: Trojan.Win32.Inject.nfi 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001797.exe Infected: P2P-Worm.Win32.Agent.mo 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001798.exe Infected: Trojan-Dropper.Win32.VB.imc 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001799.exe Infected: Backdoor.Win32.SdBot.joq 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP23\A0001800.exe Infected: P2P-Worm.Win32.Agent.mo 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP24\A0004574.exe Infected: Backdoor.Win32.Poison.rgj 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP25\A0004594.exe Infected: Backdoor.Win32.Poison.rgj 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP26\A0004674.exe Infected: Trojan.Win32.VB.jke 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP26\A0004765.exe Infected: Trojan.Win32.VB.jke 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP26\A0004777.exe Infected: Trojan.Win32.VB.jke 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP26\A0004789.exe Infected: Trojan.Win32.VB.jke 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP27\A0004837.exe Infected: Worm.Win32.AutoRun.ewp 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP28\A0004901.exe Infected: Backdoor.Win32.Bifrose.alvm 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP28\A0004902.exe Infected: Backdoor.Win32.Bifrose.alvm 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP28\A0004903.exe Infected: Backdoor.Win32.Bifrose.alvm 1
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP28\A0004904.exe Infected: Backdoor.Win32.Bifrose.alvm 1

    The selected area was scanned.
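    The reason a report with 43 infected objects can still be read as "clean" is where the hits are: every path in the report above sits under C:\Qoobox\Quarantine (files ComboFix already moved aside, with a .vir extension appended) or under System Volume Information\_restore{...}\RPnn (System Restore snapshots). Nothing is on a live, executable path. The Python below is an added example written for this thread, not a tool from the forum, Kaspersky or ComboFix: it parses lines in the report's "path Infected: threat count" layout and sorts each detection into quarantine, restore point or live. The sample lines are constructed to mirror the report format; the GUID and the final "live" path are placeholders chosen for illustration so the live branch is exercised.

```python
"""Triage a Kaspersky Online Scanner 7 report by detection location.

Added example for the forum thread; not part of Kaspersky or ComboFix.
A detection under ComboFix's quarantine or a System Restore snapshot is
an inactive copy, which is why helpers treat such reports as clean.
"""
import re
from collections import defaultdict

# Constructed sample lines in the report's layout. The GUID is a placeholder
# and the last path is a hypothetical live hit added to exercise that branch.
SAMPLE_REPORT = [
    r"C:\Qoobox\Quarantine\C\WINDOWS\x6cdshd.exe.vir Infected: Backdoor.Win32.Bifrose.alvm 1",
    r"C:\Qoobox\Quarantine\[4]-Submit_2009-02-04@19.34.zip Infected: Net-Worm.Win32.Kido.em 1",
    r"C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP23\A0001775.exe Infected: Trojan.Win32.Qhost.kzn 1",
    r"C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP28\A0004901.exe Infected: Backdoor.Win32.Bifrose.alvm 1",
    r"C:\WINDOWS\system32\hypothetical_live.exe Infected: Backdoor.Win32.Bifrose.alvm 1",
]

# "<path> Infected: <threat> <count>"; the path may contain spaces, so it is
# matched non-greedily up to the literal " Infected: " separator.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Matched against the lower-cased path. Regexes use \\ for a literal backslash.
QUARANTINE_RE = re.compile(r"^[a-z]:\\qoobox\\quarantine\\")
RESTORE_RE = re.compile(r"^[a-z]:\\system volume information\\_restore\{[^}]*\}\\rp\d+\\")


def classify_path(path):
    """Return 'quarantine', 'restore_point' or 'live' for a reported path."""
    p = path.lower()
    if QUARANTINE_RE.match(p):
        return "quarantine"
    if RESTORE_RE.match(p):
        return "restore_point"
    return "live"


def parse_report(lines):
    """Parse report lines into dicts; lines that do not match are skipped."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hits.append({
            "path": m["path"],
            "threat": m["threat"],
            "count": int(m["count"]),
            "location": classify_path(m["path"]),
        })
    return hits


def triage(lines):
    """Group parsed detections by location category."""
    summary = defaultdict(list)
    for hit in parse_report(lines):
        summary[hit["location"]].append(hit)
    return dict(summary)


def live_threats(lines):
    """Threat names found outside quarantine and restore points: these need action."""
    return [h["threat"] for h in parse_report(lines) if h["location"] == "live"]


if __name__ == "__main__":
    for location, hits in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{location}: {len(hits)} detection(s)")
    print("live threats:", live_threats(SAMPLE_REPORT) or "none")
```

    Running it over the first four sample lines yields no live threats, which is the situation in the report above; the constructed fifth line shows what a result that still needs cleanup looks like. Uninstalling ComboFix removes the quarantine folder and resets the restore points, so both inactive categories disappear with it.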
     
  15. 2009/02/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks great! Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.
    Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.

    Delete dds.com from the desktop.
    You can delete any other logs that were created/saved too.
    Empty the recycle bin when done.

    That should finish things up.
     
  16. 2009/02/13
    gsievers

    gsievers Inactive Thread Starter

    Joined:
    2009/01/27
    Messages:
    8
    Likes Received:
    0
    Got it. Thanks for all your help.
     
  17. 2009/02/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15