Help, I think I got bad viruses! Smit-Fraud!



Wizit
2008-02-15, 02:09
I've got some bad viruses that Spybot finds, but when it says it got rid of them, it doesn't! Here's a HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:51:55 PM, on 2/14/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8DDD8382-29E2-4841-8CA9-127D876F72BB} - C:\WINNT\System32\faxocmo.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WindowsHive] C:\WINNT\System32\rpcc.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 1885 bytes

little eagle
2008-02-20, 04:16
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the net.



2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.

If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.


3. Now double-click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.

Wizit
2008-02-20, 06:25
OK, finally I get some help. Thanks for coming to help. Anyway, here are the logs you asked for.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:05 PM, on 2/19/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\System32\drwtsn32.exe
C:\Program Files\internet explorer\iexplore.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8DDD8382-29E2-4841-8CA9-127D876F72BB} - C:\WINNT\System32\faxocmo.dll
O2 - BHO: (no name) - {F292CDE8-87F1-4C16-BC80-C3EBC43F5A21} - C:\WINNT\System32\faxocmo.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 1940 bytes

And the combofix:

ComboFix 08-02-20.2 - Administrator 02/19/2008 21:52:34.1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.65 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-19 21:52 . 02/19/08 09:52p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_20c.dat
2008-02-15 02:10 . 02/15/08 02:10a 156 --a------ C:\WINNT\wininit.ini
2008-02-14 17:46 . 02/14/08 05:46p <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 18:16 . 02/13/08 05:54p 691,545 --a------ C:\WINNT\unins000.exe
2008-02-13 18:16 . 02/13/08 06:16p 3,466 --a------ C:\WINNT\unins000.dat
2008-02-07 22:14 . 02/07/08 10:14p <DIR> d-------- C:\WINNT\system32\Macromed

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 22:35 524,288 ----a-w C:\WINNT\system32\DivXsm.exe
2007-12-11 22:34 3,596,288 ----a-w C:\WINNT\system32\qt-dx331.dll
2007-12-11 22:34 200,704 ----a-w C:\WINNT\system32\ssldivx.dll
2007-12-11 22:34 129,784 ------w C:\WINNT\system32\pxafs.dll
2007-12-11 22:34 120,056 ------w C:\WINNT\system32\pxcpyi64.exe
2007-12-11 22:34 118,520 ------w C:\WINNT\system32\pxinsi64.exe
2007-12-11 22:34 1,044,480 ----a-w C:\WINNT\system32\libdivx.dll
2007-12-11 22:33 823,296 ----a-w C:\WINNT\system32\divx_xx0c.dll
2007-12-11 22:33 823,296 ----a-w C:\WINNT\system32\divx_xx07.dll
2007-12-11 22:33 81,920 ----a-w C:\WINNT\system32\dpl100.dll
2007-12-11 22:33 802,816 ----a-w C:\WINNT\system32\divx_xx11.dll
2007-12-11 22:33 682,496 ----a-w C:\WINNT\system32\DivX.dll
2007-12-11 22:33 593,920 ----a-w C:\WINNT\system32\dpuGUI11.dll
2007-12-11 22:33 57,344 ----a-w C:\WINNT\system32\dpv11.dll
2007-12-11 22:33 53,248 ----a-w C:\WINNT\system32\dpuGUI10.dll
2007-12-11 22:33 344,064 ----a-w C:\WINNT\system32\dpus11.dll
2007-12-11 22:33 294,912 ----a-w C:\WINNT\system32\dpu11.dll
2007-12-11 22:33 294,912 ----a-w C:\WINNT\system32\dpu10.dll
2007-12-11 22:33 196,608 ----a-w C:\WINNT\system32\dtu100.dll
2007-12-11 22:32 156,992 ----a-w C:\WINNT\system32\DivXCodecVersionChecker.exe
2007-12-11 22:32 12,288 ----a-w C:\WINNT\system32\DivXWMPExtType.dll
2007-08-11 19:41 271 ---h--w C:\Program Files\desktop.ini
2007-08-11 19:41 21,952 ---h--w C:\Program Files\folder.htt
1999-12-07 18:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
1998-12-09 07:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 07:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 07:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 07:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 07:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 07:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8DDD8382-29E2-4841-8CA9-127D876F72BB}]
12/07/99 12:00p 99840 --a------ C:\WINNT\System32\faxocmo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [12/07/99 12:00p 111376 C:\WINNT\system32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [12/07/99 07:00a 186640]

R3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINNT\System32\drivers\cwbwdm.sys [11/01/99 10:10p]
R3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINNT\System32\DRIVERS\el575nd5.sys [10/19/99 02:50p]
R3 neo20xx;neo20xx;C:\WINNT\System32\DRIVERS\neo20xx.sys [10/18/99 02:39p]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 21:55:37
Windows 5.0.2195 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 02/19/2008 21:57:16
ComboFix-quarantined-files.txt 2008-02-20 03:57:14

little eagle
2008-02-20, 13:57
Open notepad and copy/paste the text in the quotebox below into it:




File::
C:\WINNT\System32\faxocmo.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8DDD8382-29E2-4841-8CA9-127D876F72BB}]


Save this as "CFScript"


http://nutnworks.com/CFix/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log
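
The triage above, as an added Python example that is not part of the thread and is not code from HijackThis or ComboFix. It parses the O2 and O4 lines quoted from the HijackThis logs in this thread (embedded as constructed sample input), flags BHOs that have no name, an unvetted CLSID and a DLL under System32 (the faxocmo.dll pattern), lists autostart entries not on an allowlist for manual lookup, and renders a CFScript in the same File::/Registry:: form as the one posted above. Unlike that script it covers both faxocmo.dll CLSIDs, since the second one only showed up in the 2008-02-19 log. The known-good CLSID and autostart allowlists, and the heuristics themselves, are assumptions for illustration; an "unknown" O4 entry is only a prompt to look it up, not a verdict.

```python
r"""Triage a HijackThis log and draft the matching ComboFix CFScript.

Added example for this thread; it is not code from HijackThis, ComboFix or
any poster.  The allowlists and the heuristics are assumptions.
"""
import re

# Constructed sample input: O2/O4 lines quoted from the HijackThis logs above.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8DDD8382-29E2-4841-8CA9-127D876F72BB} - C:\WINNT\System32\faxocmo.dll
O2 - BHO: (no name) - {F292CDE8-87F1-4C16-BC80-C3EBC43F5A21} - C:\WINNT\System32\faxocmo.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WindowsHive] C:\WINNT\System32\rpcc.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
"""

# Assumption: CLSIDs the analyst has already vetted (Spybot's SDHelper here).
KNOWN_GOOD_CLSIDS = {"{53707962-6F74-2D53-2644-206D7942484F}"}
# Assumption: autostart executables recognised as part of Windows.
KNOWN_GOOD_RUN = {"mobsync.exe", "icwconn1.exe"}

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\S*?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'"?(.+?\.exe)"?', re.IGNORECASE)


def parse_hjt(text):
    """Yield (section, fields) for O2 and O4 lines; everything else is skipped."""
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            yield "O2", m.groupdict()
            continue
        m = O4_RE.match(line)
        if m:
            yield "O4", m.groupdict()


def suspicious_bhos(text, known_good=KNOWN_GOOD_CLSIDS):
    """O2 entries to remove: unnamed BHO, CLSID not vetted, DLL under System32.

    This is the pattern of the faxocmo.dll entries in the thread; a named BHO
    with a vetted CLSID (SDHelper.dll) passes.
    """
    hits = []
    for section, f in parse_hjt(text):
        if section != "O2" or f["clsid"].upper() in known_good:
            continue
        if f["name"] == "(no name)" and "\\system32\\" in f["path"].lower():
            hits.append(f)
    return hits


def unknown_run_entries(text, known_good=KNOWN_GOOD_RUN):
    """(entry name, executable) for O4 autostarts not on the allowlist.

    'Unknown' here only means 'look it up'; it is not a malware verdict.
    """
    out = []
    for section, f in parse_hjt(text):
        if section != "O4":
            continue
        m = EXE_RE.match(f["cmd"])          # keep paths with spaces intact
        target = m.group(1) if m else f["cmd"].split()[0]
        exe = target.rsplit("\\", 1)[-1].lower()
        if exe not in known_good:
            out.append((f["name"], exe))
    return out


def build_cfscript(bhos):
    r"""Render a CFScript in the File::/Registry:: form posted in the thread.

    The [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CLSID}] spelling is the
    abbreviated key path ComboFix itself prints under 'Reg Loading Points'.
    """
    files = sorted({b["path"] for b in bhos})
    lines = ["File::", *files, "", "Registry::"]
    lines += [f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{b['clsid']}]"
              for b in bhos]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    bhos = suspicious_bhos(SAMPLE_LOG)
    for b in bhos:
        print("remove BHO", b["clsid"], b["path"])
    for name, exe in unknown_run_entries(SAMPLE_LOG):
        print("review O4 entry", name, "->", exe)
    print(build_cfscript(bhos))
```

Run as-is it lists the two faxocmo.dll registrations for removal, flags the [WindowsHive] rpcc.exe autostart from the first log for a manual lookup, and prints the script with one File:: line and two Registry:: lines. The allowlists are the part that needs real work in practice; the regexes only split the lines HijackThis already wrote.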

Wizit
2008-02-21, 00:17
COMBOFIX LOG:

ComboFix 08-02-20.2 - Administrator 02/20/2008 15:55:06.2 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.69 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINNT\System32\faxocmo.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\System32\faxocmo.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-20 15:55 . 02/20/08 03:55p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_224.dat
2008-02-15 02:10 . 02/15/08 02:10a 156 --a------ C:\WINNT\wininit.ini
2008-02-14 17:46 . 02/14/08 05:46p <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 18:16 . 02/13/08 05:54p 691,545 --a------ C:\WINNT\unins000.exe
2008-02-13 18:16 . 02/13/08 06:16p 3,466 --a------ C:\WINNT\unins000.dat
2008-02-07 22:14 . 02/07/08 10:14p <DIR> d-------- C:\WINNT\system32\Macromed

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 22:35 524,288 ----a-w C:\WINNT\system32\DivXsm.exe
2007-12-11 22:34 3,596,288 ----a-w C:\WINNT\system32\qt-dx331.dll
2007-12-11 22:34 200,704 ----a-w C:\WINNT\system32\ssldivx.dll
2007-12-11 22:34 129,784 ------w C:\WINNT\system32\pxafs.dll
2007-12-11 22:34 120,056 ------w C:\WINNT\system32\pxcpyi64.exe
2007-12-11 22:34 118,520 ------w C:\WINNT\system32\pxinsi64.exe
2007-12-11 22:34 1,044,480 ----a-w C:\WINNT\system32\libdivx.dll
2007-12-11 22:33 823,296 ----a-w C:\WINNT\system32\divx_xx0c.dll
2007-12-11 22:33 823,296 ----a-w C:\WINNT\system32\divx_xx07.dll
2007-12-11 22:33 81,920 ----a-w C:\WINNT\system32\dpl100.dll
2007-12-11 22:33 802,816 ----a-w C:\WINNT\system32\divx_xx11.dll
2007-12-11 22:33 682,496 ----a-w C:\WINNT\system32\DivX.dll
2007-12-11 22:33 593,920 ----a-w C:\WINNT\system32\dpuGUI11.dll
2007-12-11 22:33 57,344 ----a-w C:\WINNT\system32\dpv11.dll
2007-12-11 22:33 53,248 ----a-w C:\WINNT\system32\dpuGUI10.dll
2007-12-11 22:33 344,064 ----a-w C:\WINNT\system32\dpus11.dll
2007-12-11 22:33 294,912 ----a-w C:\WINNT\system32\dpu11.dll
2007-12-11 22:33 294,912 ----a-w C:\WINNT\system32\dpu10.dll
2007-12-11 22:33 196,608 ----a-w C:\WINNT\system32\dtu100.dll
2007-12-11 22:32 156,992 ----a-w C:\WINNT\system32\DivXCodecVersionChecker.exe
2007-12-11 22:32 12,288 ----a-w C:\WINNT\system32\DivXWMPExtType.dll
2007-08-11 19:41 271 ---h--w C:\Program Files\desktop.ini
2007-08-11 19:41 21,952 ---h--w C:\Program Files\folder.htt
1999-12-07 18:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
1998-12-09 07:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 07:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 07:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 07:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 07:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 07:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [12/07/99 12:00p 111376 C:\WINNT\system32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [12/07/99 07:00a 186640]

R3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINNT\System32\drivers\cwbwdm.sys [11/01/99 10:10p]
R3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINNT\System32\DRIVERS\el575nd5.sys [10/19/99 02:50p]
R3 neo20xx;neo20xx;C:\WINNT\System32\DRIVERS\neo20xx.sys [10/18/99 02:39p]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 15:58:55
Windows 5.0.2195 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 02/20/2008 16:01:06
ComboFix-quarantined-files.txt 2008-02-20 22:01:02

little eagle
2008-02-21, 04:03
Reboot and rescan with HiJackThis and post a new log here.
Also please describe how your computer behaves at the moment.

Wizit
2008-02-21, 20:20
Heres the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:28 PM, on 2/21/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 1720 bytes



There's nothing too bad going on. It's running OK. It's still fast. The only thing weird is that when I try to sign in to my Spybot forum account I have to click the link in order to log in. It just takes me back to the sign-in screen. Any reason for that?

little eagle
2008-02-22, 03:30
May have something to do with the way your browser is set to keep cookies.

Click HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan

* You need to use IE to run this scan
* Once you are on the Panda site click the Scan your PC button
* A new window will open...click the Check Now button
* Enter your Country
* Enter your State/Province
* Enter your e-mail address and click send
* Select either Home User or Company
* Click the big Scan Now button
* If it wants to install an ActiveX component allow it
* It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
* When download is complete, click on My Computer to start the scan
* When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Wizit
2008-02-22, 18:05
OK! I scanned and there were a ton of viruses! Please help quick!

Incident Status Location

Spyware:spyware/shopnav Not disinfected c:\program files\Srng
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\DON\Cookies\don@overture[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\DON\Cookies\don@gostats[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\DON\Cookies\don@counter14.sextracker[3].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\DON\Cookies\don@statcounter[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\DON\Cookies\don@cs.sexcounter[3].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\DON\Cookies\don@fastclick[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\DON\Cookies\don@overture[3].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\DON\Cookies\don@counter14.sextracker[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\DON\Cookies\don@sextracker[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\DON\Cookies\don@toplist[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\DON\Cookies\don@com[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\DON\Cookies\don@247realmedia[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\DON\Cookies\don@apmebf[2].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\DON\Cookies\don@cs.sexcounter[2].txt
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\DON\Cookies\don@sexlist[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\DON\Cookies\don@atdmt[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\DON\Cookies\don@questionmarket[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\DON\Cookies\don@tradedoubler[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\DON\Cookies\don@centrport[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\DON\Cookies\don@casalemedia[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\DON\Cookies\don@fastclick[4].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\DON\Cookies\don@go[3].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\DON\Cookies\don@counter12.sextracker[2].txt
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\DON\Cookies\don@sexlist[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\DON\Cookies\don@sextracker[3].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\DON\Cookies\don@counter8.sextracker[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\DON\Cookies\don@overture[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\DON\Cookies\don@cs.sexcounter[4].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\DON\Cookies\don@centrport[3].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\DON\Cookies\don@sextracker[4].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\DON\Cookies\don@revenue[1].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\DON\Cookies\don@valueclick[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\DON\Cookies\don@advertising[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\DON\Cookies\don@apmebf[3].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\DON\Cookies\don@casalemedia[3].txt
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\DON\Cookies\don@paycounter[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\DON\Cookies\don@servedby.advertising[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\DON\Cookies\don@counter14.sextracker[4].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\DON\Cookies\don@counter12.sextracker[1].txt
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\DON\Cookies\don@sexlist[4].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\DON\Cookies\don@i.screensavers[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\DON\Cookies\don@bluestreak[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\DON\Cookies\don@counter8.sextracker[3].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\DON\Cookies\don@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\DON\Cookies\don@doubleclick[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\DON\Cookies\don@burstnet[2].txt

Wizit
2008-02-22, 18:06
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\DON\Cookies\don@www.burstbeacon[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\DON\Cookies\don@z1.adserver[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\DON\Cookies\don@tribalfusion[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\DON\Cookies\don@z1.adserver[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\DON\Cookies\don@belnk[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\DON\Cookies\don@questionmarket[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\DON\Cookies\don@as-us.falkag[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\DON\Cookies\don@fastclick[3].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\DON\Cookies\don@advertising[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\DON\Cookies\don@trafficmp[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\DON\Cookies\don@atwola[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\DON\Cookies\don@ad.yieldmanager[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\DON\Cookies\don@bs.serving-sys[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\DON\Cookies\don@casalemedia[4].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\DON\Cookies\don@maxserving[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\DON\Cookies\don@media.fastclick[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\DON\Cookies\don@realmedia[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\DON\Cookies\don@apmebf[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\DON\Cookies\don@tribalfusion[3].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\DON\Cookies\don@citi.bridgetrack[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\DON\Cookies\don@ehg-dig.hitbox[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\DON\Cookies\don@adrevolver[3].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\DON\Cookies\don@media.fastclick[3].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\DON\Cookies\don@www.burstbeacon[3].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\DON\Cookies\don@trafficmp[3].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\DON\Cookies\don@tribalfusion[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\DON\Cookies\don@fastclick[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\DON\Cookies\don@ad.yieldmanager[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\DON\Cookies\don@advertising[3].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\DON\Cookies\don@adrevolver[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\DON\Cookies\don@casalemedia[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\DON\Cookies\don@burstnet[3].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\DON\Cookies\don@bluestreak[3].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\DON\Cookies\don@z1.adserver[4].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\DON\Cookies\don@statcounter[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\DON\Cookies\don@statcounter[4].txt
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\DON\Cookies\don@targetnet[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\DON\Cookies\don@perf.overture[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\DON\Cookies\don@go[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\DON\Cookies\don@cgi-bin[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\DON\Cookies\don@advertising[5].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\DON\Cookies\don@serving-sys[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\DON\Cookies\don@adrevolver[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\DON\Cookies\don@ehg-dig.hitbox[3].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\DON\Cookies\don@fastclick[5].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\DON\Cookies\don@stat.onestat[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\DON\Cookies\don@toplist[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\DON\Cookies\don@cgi-bin[4].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\DON\Cookies\don@www.burstbeacon[4].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\DON\Cookies\don@atwola[3].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\DON\Cookies\don@tribalfusion[4].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\DON\Cookies\don@adtech[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\DON\Cookies\don@revenue[3].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\DON\Cookies\don@cs.sexcounter[5].txt

Wizit
2008-02-22, 18:07
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\DON\Cookies\don@counter1.sextracker[1].txt
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\DON\Cookies\don@sexlist[5].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\DON\Cookies\don@counter7.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\DON\Cookies\don@counter6.sextracker[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\DON\Cookies\don@statse.webtrendslive[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\DON\Cookies\don@bluestreak[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\DON\Cookies\don@as-us.falkag[3].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\DON\Cookies\don@sextracker[5].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\DON\Cookies\don@counter12.sextracker[3].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\DON\Cookies\don@adrevolver[5].txt
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\DON\Cookies\don@linksynergy[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\DON\Cookies\don@ads.pointroll[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\DON\Cookies\don@mediaplex[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\DON\Cookies\don@overture[5].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\DON\Cookies\don@questionmarket[4].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\DON\Cookies\don@target[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\DON\Cookies\don@ads.addynamix[1].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\DON\Cookies\don@landing.domainsponsor[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\DON\Cookies\don@zedo[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\DON\Cookies\don@casalemedia[6].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\DON\Cookies\don@burstnet[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\DON\Cookies\don@ad.yieldmanager[4].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\DON\Cookies\don@media.fastclick[4].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\DON\Cookies\don@trafficmp[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\DON\Cookies\don@searchportal.information[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Cookies\administrator@xxxcounter[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Cookies\administrator@ads.pointroll[1].txt
Spyware:Cookie/PrivacyGuard Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Cookies\administrator@yourprivacyguard[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Cookies\administrator@adultfriendfinder[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Cookies\administrator@atdmt[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Cookies\administrator@questionmarket[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Cookies\administrator@ad.yieldmanager[2].txt
Spyware:Spyware/ShopNav Not disinfected C:\Program Files\Srng\SrngUtil.exe
Spyware:Spyware/ShopNav Not disinfected C:\Program Files\Srng\SNHelper.dll
Virus:Trj/Downloader.RKS Disinfected C:\QooBox\Quarantine\C\WINNT\SYSTEM32\faxocmo.dll.vir
Adware:Adware/AVSystemCare Not disinfected C:\WINNT\SYSTEM32\FAXOCMO.1
Adware:Adware/Popuper Not disinfected C:\WINNT\SYSTEM32\IEPEERSJ.DLL
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\Nircmd.exe

little eagle
2008-02-22, 18:55
Download and run - ATF Cleaner instructions here. (http://forums.security-central.us/showthread.php?t=1925)

-------------------------------------

Reboot in safe mode, instructions here. (http://forums.security-central.us/showthread.php?t=1903)
Some of these files may have hidden attributes.
Click here (http://forums.security-central.us/showthread.php?t=30) should you need instructions for showing hidden files and folders in Windows.
Once in safe mode, click Start / then My Computer / Local Disk, then follow the process tree.
Or, using Windows Explorer, locate the first file, right-click, then select Delete.

Delete the following folder(s) listed in bold.

c:\program files\Srng

------------------------------

Reboot and run Panda's ActiveScan again.

Wizit
2008-02-23, 07:31
Alright, here's the log from the Panda scan, and it's substantially smaller :bigthumb:


Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Cookies\administrator@doubleclick[1].txt
Spyware:Spyware/ShopNav Not disinfected C:\Recycled\Dc1\SrngUtil.exe
Spyware:Spyware/ShopNav Not disinfected C:\Recycled\Dc1\SNHelper.dll
Adware:Adware/AVSystemCare Not disinfected C:\WINNT\SYSTEM32\FAXOCMO.1
Adware:Adware/Popuper Not disinfected C:\WINNT\SYSTEM32\IEPEERSJ.DLL
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\Nircmd.exe
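An added example, not from the thread: a small Python script that parses the Panda ActiveScan report format posted above and compares two scans of the same machine, so you can see what a cleanup step actually removed and which file-based incidents (as opposed to tracking cookies) still need attention. The excerpted report lines are taken from the thread; the parsing and comparison functions are assumptions of this example, not anything the helper used.

```python
import re
from collections import namedtuple

Incident = namedtuple("Incident", "category status path")

# Category names can contain spaces ("Spyware:Cookie/Atlas DMT"), so anchor on
# the status keyword instead of splitting on whitespace.
LINE_RE = re.compile(r"^(?P<cat>.+?)\s+(?P<status>Not disinfected|Disinfected)\s+(?P<path>.+)$")

def parse_scan(report):
    """Return the Incident records found in an ActiveScan report (header lines are skipped)."""
    found = []
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            found.append(Incident(m["cat"], m["status"], m["path"]))
    return found

def outstanding(incidents):
    """Incidents still undisinfected that are real files, not tracking cookies."""
    return [i for i in incidents
            if i.status == "Not disinfected"
            and not i.category.startswith("Spyware:Cookie/")]

def resolved(before, after):
    """Paths flagged in the first scan that no longer appear in the second."""
    after_paths = {i.path.lower() for i in after}
    return sorted(i.path for i in before if i.path.lower() not in after_paths)

# Constructed excerpts of the two reports posted in the thread.
BEFORE = r"""
Incident Status Location
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Cookies\administrator@atdmt[2].txt
Spyware:Spyware/ShopNav Not disinfected C:\Program Files\Srng\SrngUtil.exe
Virus:Trj/Downloader.RKS Disinfected C:\QooBox\Quarantine\C\WINNT\SYSTEM32\faxocmo.dll.vir
Adware:Adware/AVSystemCare Not disinfected C:\WINNT\SYSTEM32\FAXOCMO.1
Adware:Adware/Popuper Not disinfected C:\WINNT\SYSTEM32\IEPEERSJ.DLL
"""
AFTER = r"""
Incident Status Location
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Cookies\administrator@doubleclick[1].txt
Spyware:Spyware/ShopNav Not disinfected C:\Recycled\Dc1\SrngUtil.exe
Adware:Adware/AVSystemCare Not disinfected C:\WINNT\SYSTEM32\FAXOCMO.1
Adware:Adware/Popuper Not disinfected C:\WINNT\SYSTEM32\IEPEERSJ.DLL
"""

if __name__ == "__main__":
    for inc in outstanding(parse_scan(AFTER)):
        print(f"still present: {inc.category}  {inc.path}")
    for path in resolved(parse_scan(BEFORE), parse_scan(AFTER)):
        print(f"gone since last scan: {path}")
```

Note that the ShopNav files show up as "resolved" at their old path only because they were moved to the Recycle Bin, which is why the comparison reports both the old path as gone and the new path as still outstanding.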

little eagle
2008-02-23, 14:18
Open notepad and copy/paste the text in the codebox below into it:



File::
C:\WINNT\SYSTEM32\FAXOCMO.1
C:\WINNT\SYSTEM32\IEPEERSJ.DLL


Save this as "CFScript"


http://nutnworks.com/CFix/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log.

Wizit
2008-02-23, 20:28
The log results are here:

ComboFix 08-02-20.2 - Administrator 02/23/2008 11:52:41.3 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.66 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINNT\SYSTEM32\FAXOCMO.1
C:\WINNT\SYSTEM32\IEPEERSJ.DLL
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\SYSTEM32\FAXOCMO.1
C:\WINNT\SYSTEM32\IEPEERSJ.DLL

.
((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-23 11:52 . 02/23/08 11:52a 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_224.dat
2008-02-22 16:18 . 02/22/08 04:18p 277,470 ---h----- C:\WINNT\ShellIconCache
2008-02-21 23:14 . 06/05/07 10:56a 44,928 --a------ C:\WINNT\system32\drivers\SDTHOOK.SYS
2008-02-21 22:32 . 02/21/08 10:32p <DIR> d-------- C:\WINNT\system32\ActiveScan
2008-02-21 22:32 . 02/22/08 05:25p 30,590 --a------ C:\WINNT\system32\pavas.ico
2008-02-21 22:32 . 02/22/08 05:25p 2,550 --a------ C:\WINNT\system32\Uninstall.ico
2008-02-21 22:32 . 02/22/08 05:25p 1,406 --a------ C:\WINNT\system32\Help.ico
2008-02-15 02:10 . 02/15/08 02:10a 156 --a------ C:\WINNT\wininit.ini
2008-02-14 17:46 . 02/14/08 05:46p <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 18:16 . 02/13/08 05:54p 691,545 --a------ C:\WINNT\unins000.exe
2008-02-13 18:16 . 02/13/08 06:16p 3,466 --a------ C:\WINNT\unins000.dat
2008-02-07 22:14 . 02/07/08 10:14p <DIR> d-------- C:\WINNT\system32\Macromed

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 22:35 524,288 ----a-w C:\WINNT\system32\DivXsm.exe
2007-12-11 22:34 3,596,288 ----a-w C:\WINNT\system32\qt-dx331.dll
2007-12-11 22:34 200,704 ----a-w C:\WINNT\system32\ssldivx.dll
2007-12-11 22:34 129,784 ------w C:\WINNT\system32\pxafs.dll
2007-12-11 22:34 120,056 ------w C:\WINNT\system32\pxcpyi64.exe
2007-12-11 22:34 118,520 ------w C:\WINNT\system32\pxinsi64.exe
2007-12-11 22:34 1,044,480 ----a-w C:\WINNT\system32\libdivx.dll
2007-12-11 22:33 823,296 ----a-w C:\WINNT\system32\divx_xx0c.dll
2007-12-11 22:33 823,296 ----a-w C:\WINNT\system32\divx_xx07.dll
2007-12-11 22:33 81,920 ----a-w C:\WINNT\system32\dpl100.dll
2007-12-11 22:33 802,816 ----a-w C:\WINNT\system32\divx_xx11.dll
2007-12-11 22:33 682,496 ----a-w C:\WINNT\system32\DivX.dll
2007-12-11 22:33 593,920 ----a-w C:\WINNT\system32\dpuGUI11.dll
2007-12-11 22:33 57,344 ----a-w C:\WINNT\system32\dpv11.dll
2007-12-11 22:33 53,248 ----a-w C:\WINNT\system32\dpuGUI10.dll
2007-12-11 22:33 344,064 ----a-w C:\WINNT\system32\dpus11.dll
2007-12-11 22:33 294,912 ----a-w C:\WINNT\system32\dpu11.dll
2007-12-11 22:33 294,912 ----a-w C:\WINNT\system32\dpu10.dll
2007-12-11 22:33 196,608 ----a-w C:\WINNT\system32\dtu100.dll
2007-12-11 22:32 156,992 ----a-w C:\WINNT\system32\DivXCodecVersionChecker.exe
2007-12-11 22:32 12,288 ----a-w C:\WINNT\system32\DivXWMPExtType.dll
2007-08-11 19:41 271 ---h--w C:\Program Files\desktop.ini
2007-08-11 19:41 21,952 ---h--w C:\Program Files\folder.htt
1999-12-07 18:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
1998-12-09 07:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 07:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 07:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 07:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 07:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 07:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [12/07/99 12:00p 111376 C:\WINNT\system32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [12/07/99 07:00a 186640]

R3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINNT\System32\drivers\cwbwdm.sys [11/01/99 10:10p]
R3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINNT\System32\DRIVERS\el575nd5.sys [10/19/99 02:50p]
R3 neo20xx;neo20xx;C:\WINNT\System32\DRIVERS\neo20xx.sys [10/18/99 02:39p]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 11:56:31
Windows 5.0.2195 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 02/23/2008 11:58:42
ComboFix-quarantined-files.txt 2008-02-23 17:58:38
ComboFix2.txt 2008-02-20 22:01:10

little eagle
2008-02-23, 22:59
Download the OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.

Press cleanup & it will search for and delete/uninstall all the tools we have used
to fix your problems and all their backup folders and then delete itself when you next reboot.

That should do it.

Wizit
2008-02-24, 00:21
Um..... it says gmer is not found and it just stops. I still have some things on there. I still have OTMoveIt, ATF-Cleaner, and HiJackThis. It just says it can't find gmer. Is this a problem?

little eagle
2008-02-24, 02:57
Is this a problem? No. Keep ATF and use it once a week to clean out temp files. You can delete OTMoveIt if it's still there after rebooting. HijackThis you can keep; hope we don't need it later :red:

Wizit
2008-02-24, 05:42
Thank you Thank you Thank you!!!!!!!!!!!!!!!!!!!!!
You are the :bigthumb:MAN!:bigthumb: Thank you again. You are the best! No virus can outsmart you lol.:police: I won't forget your kindness.

Wizit
2008-02-24, 05:44
There's just one more thing I would like to ask you. To make sure your effort doesn't go to waste, give me tips on some programs I should use to keep my computer safe from :devil:malware:devil:

little eagle
2008-02-24, 05:47
Click here (http://www.nutnworks.com/forums/showthread.php?t=98) Hope this helps.