Virtumonde will not die

Hi Richue

I made a mistake :banghead: ... it is not necessary to download GMER.
Thanks to Shaba :flowers: ... again.

Here's what we do next.

1 - Run CFScript

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

Driver::
wlubdewd

File::
c:\windows\system32\drivers\wlubdewd.sys
c:\windows\system32\rtqwryr.dll
C:\WINDOWS\System32\kqfpqyei.dll
C:\WINDOWS\System32\uxehitb.dll
C:\WINDOWS\System32\rtqwryr.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct]

FCopy::
C:\Qoobox\Quarantine\c:\documents and settings\Rob\Local Settings\Application Data\tcbjmqlj
C:\Qoobox\Quarantine\c:\documents and settings\Rob\Application Data\tcbjmqlj
C:\Qoobox\Quarantine\c:\documents and settings\NetworkService\Local Settings\Application Data\tcbjmqlj
C:\Qoobox\Quarantine\c:\documents and settings\NetworkService\Application Data\tcbjmqlj

Save this as "CFScript.txt", with Save as type: All Files (*.*), in the same location as ComboFix.exe.

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

Thanks peku006
 
Here is gmerroot:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-28 13:30:39
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 4BF 805B0BD9 7 Bytes JMP 82FB5AF8

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

And gmerauto

GMER 1.0.15.14966 - http://www.gmer.net
Autostart scan 2009-04-28 13:33:05
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
avgrsstarter@DLLName = avgrsstx.dll
igfxcui@DLLName = igfxdev.dll
tqqujzct@DLLName = rtqwryr.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
avg8emc@ = C:\PROGRA~1\AVG\AVG8\avgemc.exe
avg8wd@ = C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
hpqwmiex@ = C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
UMWdf@ = C:\WINDOWS\system32\wdfmgr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@hpWirelessAssistantC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe = C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
@SunJavaUpdateSched"C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" = "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
@igfxtrayC:\WINDOWS\system32\igfxtray.exe = C:\WINDOWS\system32\igfxtray.exe
@igfxhkcmdC:\WINDOWS\system32\hkcmd.exe = C:\WINDOWS\system32\hkcmd.exe
@igfxpersC:\WINDOWS\system32\igfxpers.exe = C:\WINDOWS\system32\igfxpers.exe
@High Definition Audio Property Page ShortcutCHDAudPropShortcut.exe = CHDAudPropShortcut.exe
@SynTPEnhC:\Program Files\Synaptics\SynTP\SynTPEnh.exe = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
@ISUSPM Startup"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup = "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
@ISUSScheduler"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
@QlbCtrl%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start /*file not found*/ = %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start /*file not found*/
@CpqsetC:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe ? ??L?@ ??hX? `?@ L?@ = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe ? ??L?@ ??hX? `?@ L?@
@RecGuardC:\Windows\SMINST\RecGuard.exe = C:\Windows\SMINST\RecGuard.exe
@SynTPStartC:\Program Files\Synaptics\SynTP\SynTPStart.exe = C:\Program Files\Synaptics\SynTP\SynTPStart.exe
@CANON DR2080C SVCrundll32.exe DR2KSVC.dll,EntryPointUserMessage = rundll32.exe DR2KSVC.dll,EntryPointUserMessage
@AVG8_TRAYC:\PROGRA~1\AVG\AVG8\avgtray.exe = C:\PROGRA~1\AVG\AVG8\avgtray.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{2F603045-309F-11CF-9774-0020AFD0CFF6} /*Synaptics Control Panel*/C:\Program Files\Synaptics\SynTP\SynTPCpl.dll = C:\Program Files\Synaptics\SynTP\SynTPCpl.dll
@{7F67036B-66F1-411A-AD85-759FB9C5B0DB} /*ShellViewRTF*/C:\WINDOWS\system32\ShellvRTF.dll = C:\WINDOWS\system32\ShellvRTF.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office10\msohev.dll = C:\Program Files\Microsoft Office\Office10\msohev.dll
@{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} /*Microsoft Office Metadata Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} /*Microsoft Office Thumbnail Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG8 Shell Extension*/C:\Program Files\AVG\AVG8\avgse.dll = C:\Program Files\AVG\AVG8\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG8 Find Extension*/(null) =

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\AVG8 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\AVG\AVG8\avgse.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG8 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\AVG\AVG8\avgse.dll
MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}C:\Program Files\AVG\AVG8\avgssie.dll = C:\Program Files\AVG\AVG8\avgssie.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll = C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
@{A057A204-BACC-4D26-9990-79A187E2698E}C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL = C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
@{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}c:\windows\system32\rtqwryr.dll = c:\windows\system32\rtqwryr.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
linkscanner@CLSID = C:\Program Files\AVG\AVG8\avgpp.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\system32\wiascr.dll

---- EOF - GMER 1.0.15 ----
Sorry for the delay, it was a lengthy scan. I just read your last post and will follow through.
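An added example, not part of the thread and not code from GMER or ComboFix: the CFScript above was written by hand from exactly the two lines in this GMER autostart log that name rtqwryr.dll (the Winlogon\Notify subkey tqqujzct and the BHO CLSID). This script automates that step. It takes a DLL name the analyst has already judged malicious, walks the "Autostart scan" output, collects every entry that loads it, and emits the File:: and Registry:: sections in the same format. The embedded log excerpt is copied from the output posted above; the assumption that a Notify DLL with no path lives in C:\WINDOWS\System32 is mine, as is the choice to expand HKLM to HKEY_LOCAL_MACHINE so the Registry:: line matches the hand-written script.

```python
r"""Added example, not part of the original thread or of GMER/ComboFix.

Given a DLL the analyst has already judged malicious, walk a GMER
"Autostart scan" log, list every persistence entry that loads it, and emit
the CFScript File:: / Registry:: sections that were written by hand above.
"""
import re

# Constructed sample: cut-down excerpt of the GMER autostart log posted above.
GMER_AUTOSTART = r"""
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
avgrsstarter@DLLName = avgrsstx.dll
igfxcui@DLLName = igfxdev.dll
tqqujzct@DLLName = rtqwryr.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}c:\windows\system32\rtqwryr.dll = c:\windows\system32\rtqwryr.dll
"""

# A section header ends in ">>>"; its entries follow until the next blank line.
SECTION_RE = re.compile(r"^(?P<key>HK[A-Z]+\\.+?)\\?\s+>>>\s*$")
# Winlogon\Notify entries: <subkey>@DLLName = <file name, no path>
NOTIFY_RE = re.compile(r"^(?P<sub>[^@\s]+)@DLLName\s*=\s*(?P<dll>\S+)\s*$")
# BHO entries: @{CLSID}<path> = <path>
BHO_RE = re.compile(r"^@(?P<clsid>\{[0-9A-Fa-f-]{36}\})(?P<lhs>.*?)\s=\s(?P<path>.*)$")

# GMER abbreviates hives; a CFScript Registry:: section uses regedit's full
# names, as the hand-written script in the thread does.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}


def expand_hive(key):
    hive, _, rest = key.partition("\\")
    return HIVES.get(hive, hive) + "\\" + rest


def find_loaders(log_text, dll_name):
    """Return (full_paths, subkeys): every full path seen for dll_name and
    every autostart subkey that references it (case-insensitive basename)."""
    target = dll_name.lower()
    section, paths, subkeys = None, set(), []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").rstrip("\\")
            continue
        if section is None:
            continue
        m = NOTIFY_RE.match(line)
        if m:
            if m.group("dll").lower() == target:
                subkeys.append(section + "\\" + m.group("sub"))
            continue
        m = BHO_RE.match(line)
        if m and m.group("path").lower().rsplit("\\", 1)[-1] == target:
            subkeys.append(section + "\\" + m.group("clsid"))
            paths.add(m.group("path"))
    return sorted(paths), subkeys


def build_cfscript(dll_name, paths, subkeys):
    r"""Emit File:: and Registry:: sections in the format ComboFix reads.
    Notify entries carry only a file name; when no full path was seen
    elsewhere, ASSUME C:\WINDOWS\System32 (the system directory on this box)."""
    if not paths:
        paths = [r"C:\WINDOWS\System32\%s" % dll_name]   # assumption, see above
    lines = ["File::"] + list(paths) + ["", "Registry::"]
    lines += ["[-%s]" % expand_hive(k) for k in subkeys]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    paths, subkeys = find_loaders(GMER_AUTOSTART, "rtqwryr.dll")
    print(build_cfscript("rtqwryr.dll", paths, subkeys))
```

The same DLL showing up both as a Winlogon\Notify handler and as a Browser Helper Object is what makes the two registry entries worth deleting together: the Notify DLL is loaded by winlogon at logon, so the BHO gets re-planted if only the browser hook is removed. Running the script on the sample yields the File:: line for c:\windows\system32\rtqwryr.dll and the [-...\Winlogon\Notify\tqqujzct] line that the hand-written CFScript contains, plus a [-...\Browser Helper Objects\{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}] line that the hand-written one leaves out; the ComboFix log Richue posts next shows ComboFix removing that BHO itself as an orphan once the file is gone, so the extra line is belt-and-braces rather than required.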
 
Hello Peku006, Here is the Combofix.txt

ComboFix 09-04-25.A3 - Rob 04/28/2009 13:46.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.110 [GMT -5:00]
Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rob\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\wlubdewd.sys
c:\windows\System32\kqfpqyei.dll
c:\windows\System32\rtqwryr.dll
c:\windows\System32\uxehitb.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\wlubdewd.sys
c:\windows\System32\kqfpqyei.dll
c:\windows\System32\rtqwryr.dll
c:\windows\System32\uxehitb.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WLUBDEWD
-------\Service_wlubdewd


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-27 18:47 . 2009-04-27 18:47 -------- d-----w C:\_OTScanIt
2009-04-27 12:07 . 2009-04-27 12:07 -------- d-----w C:\_OTMoveIt
2009-04-26 14:42 . 2009-04-26 14:42 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-26 14:42 . 2009-04-26 14:42 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-26 14:42 . 2009-04-26 14:42 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-26 14:42 . 2009-04-28 13:48 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-26 14:42 . 2009-04-26 14:48 -------- d-----w c:\documents and settings\Rob\Application Data\AVGTOOLBAR
2009-04-25 01:23 . 2009-04-25 02:33 -------- d-----w C:\VundoFix Backups
2009-04-24 03:52 . 2009-03-06 14:00 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-24 03:52 . 2009-02-09 10:01 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-24 03:52 . 2009-02-09 10:01 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-24 03:52 . 2009-02-06 10:22 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-24 03:52 . 2009-02-06 09:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-24 03:52 . 2009-02-06 09:41 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-24 03:52 . 2005-07-26 04:20 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-24 03:52 . 2009-02-09 10:01 617984 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-24 03:52 . 2009-02-09 10:01 715264 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-24 03:51 . 2009-03-27 07:09 1193414 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-24 03:51 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\documents and settings\Rob\Application Data\Malwarebytes
2009-04-23 15:10 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-23 15:10 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 17:46 . 2009-04-22 17:47 4969 ----a-w c:\windows\pixcache.ini
2009-04-22 17:46 . 2009-04-22 17:47 -------- d-----w c:\documents and settings\Rob\Application Data\Canon Electronics
2009-04-22 17:44 . 2006-05-17 02:23 6416 ----a-w c:\windows\system32\PIXTHK16.DLL
2009-04-22 17:44 . 2006-05-17 02:22 231552 ----a-w c:\windows\system32\PIXDFLT.DLL
2009-04-22 17:44 . 2006-05-17 02:22 23152 ----a-w c:\windows\system32\PIXPERM.DLL
2009-04-22 17:44 . 2006-05-17 02:22 16048 ----a-w c:\windows\system32\PIXLOC.DLL
2009-04-22 17:44 . 2006-05-17 02:19 21008 ----a-w c:\windows\system32\CTL3D.DLL
2009-04-22 17:44 . 2005-02-10 23:17 11968 ----a-w c:\windows\system32\PIXMDLLC.CPL
2009-04-22 17:44 . 2006-05-17 02:19 51959 ----a-w c:\windows\system32\PIXNAME.HLP
2009-04-22 17:44 . 2006-05-17 02:19 327680 ----a-w c:\windows\system32\PIXJP2KI.DLL
2009-04-22 17:43 . 2007-01-29 19:34 61440 ----a-w c:\windows\system32\SuStiUtl.dll
2009-04-22 17:42 . 2004-08-04 03:58 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-22 17:42 . 2004-08-04 03:58 15104 ----a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-22 17:42 . 2009-04-23 18:26 140 ----a-w c:\windows\SetScan.ini
2009-04-22 17:42 . 2007-03-02 17:40 229376 ----a-w c:\windows\system32\DR2KSVC.dll
2009-04-22 17:42 . 2006-09-11 19:12 45056 ----a-w c:\windows\system32\WNASPI32.DLL
2009-04-22 17:42 . 2006-09-11 19:12 16512 ----a-w c:\windows\system32\drivers\ASPI32.SYS
2009-04-22 17:42 . 2006-08-10 15:36 42536 ----a-w c:\windows\system32\CeiUSB.dll
2009-04-22 17:42 . 2006-09-21 13:44 83496 ----a-w c:\windows\system32\CaDRcpl.dll
2009-04-22 17:42 . 2006-06-13 19:33 157224 ----a-w c:\windows\system32\CeiSCSI.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 18:47 . 2004-08-04 21:00 23424 ----a-w c:\windows\system32\drivers\qerpuylv.sys
2009-04-27 20:17 . 2009-04-27 20:17 2502 ----a-w C:\avenger.txt
2009-04-26 14:42 . 2009-04-26 14:42 -------- d-----w c:\program files\AVG
2009-04-26 14:42 . 2009-04-26 14:42 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-25 14:32 . 2009-04-25 14:32 -------- d-----w c:\program files\Trend Micro
2009-04-25 14:23 . 2009-04-25 03:49 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-25 14:20 . 2009-04-25 14:20 -------- d-----w c:\program files\ERUNT
2009-04-25 01:41 . 2009-04-25 01:23 391 ----a-w C:\VundoFix.txt
2009-04-24 23:09 . 2006-08-19 08:16 -------- d-----w c:\program files\Java
2009-04-24 23:04 . 2006-08-19 09:31 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-24 13:50 . 2006-08-19 09:25 -------- d-----w c:\program files\Hewlett-Packard
2009-04-24 03:59 . 2007-10-24 19:02 -------- d-----w c:\documents and settings\Rob\Application Data\U3
2009-04-24 03:47 . 2007-10-15 01:49 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-24 03:45 . 2007-10-15 01:49 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-22 17:43 . 2009-04-22 17:41 -------- d-----w c:\program files\Canon Electronics
2009-04-22 17:43 . 2006-08-19 08:16 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-21 14:18 . 2006-07-05 10:55 986112 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-06 14:00 . 2004-08-04 21:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-11-08 03:03 826368 ------w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 2004-08-04 21:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 04:54 . 2006-10-17 18:04 636072 ------w c:\windows\system32\dllcache\iexplore.exe
2009-02-20 10:20 . 2007-04-24 14:26 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2006-11-07 09:26 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2006-11-07 09:25 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-10 23:31 . 2009-02-10 23:31 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 10:19 . 2007-03-08 13:47 1846272 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 10:19 . 2004-08-04 21:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2006-08-17 12:28 728576 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 21:00 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 21:00 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2004-08-04 21:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2004-08-04 21:00 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:32 . 2007-02-28 09:55 2186112 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 10:32 . 2004-08-04 21:00 2186112 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:29 . 2007-02-28 09:53 2142720 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 10:22 . 2004-08-04 21:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2004-08-04 21:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2007-02-28 09:15 2020864 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 09:49 . 2007-02-28 09:15 2062976 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 09:49 . 2004-08-04 21:00 2062976 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2009-02-03 20:08 55808 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 20:08 . 2004-08-04 21:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-10-16 22:31 . 2008-10-16 22:17 30 ----a-w c:\documents and settings\Rob\jagex_runescape_preferences.dat
2008-08-14 00:09 . 2008-10-13 00:09 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-02-12 20:53 . 2006-12-15 20:35 67680 ----a-w c:\documents and settings\Rob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-05-09 19:09 . 2007-01-26 21:25 13012 ----a-w c:\documents and settings\Rob\Bubblets.dat
2006-12-15 20:37 . 2006-12-15 20:35 126 ----a-w c:\documents and settings\Rob\Local Settings\Application Data\fusioncache.dat
2006-08-19 10:22 . 2009-04-25 03:09 49632 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-08-19 09:22 . 2009-04-25 03:09 128 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2006-12-16 22:52 . 2006-12-16 22:52 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-26_15.03.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-05-10 13:29 . 2009-04-27 20:17 270984 c:\windows\system32\FNTCACHE.DAT
- 2006-05-10 13:29 . 2009-04-24 03:58 270984 c:\windows\system32\FNTCACHE.DAT
+ 2009-04-27 20:12 . 2009-04-27 20:12 241664 c:\windows\ERDNT\4-27-2009\Users\00000002\UsrClass.dat
+ 2009-04-27 20:12 . 2005-10-20 17:02 163328 c:\windows\ERDNT\4-27-2009\ERDNT.EXE
+ 2009-04-27 20:12 . 2009-04-27 20:12 7102464 c:\windows\ERDNT\4-27-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 135168]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-26 1932568]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]
"CANON DR2080C SVC"="DR2KSVC.dll" - c:\windows\system32\DR2KSVC.dll [2007-03-02 229376]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-26 14:42 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=c:\documents and settings\Rob\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Vongo Service"=2 (0x2)
"UPS"=3 (0x3)
"gusvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-26 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-26 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-26 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-26 298264]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - WLUBDEWD

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11653a28-c6ba-11db-b4ed-0014a5d1302c}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a262d412-8263-11dc-b587-0014a5d1302c}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} - c:\windows\system32\rtqwryr.dll


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 13:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???hX??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wdfmgr.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2009-04-28 13:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-28 18:54
ComboFix2.txt 2009-04-26 19:40
ComboFix3.txt 2009-04-26 15:06

Pre-Run: 35,038,318,592 bytes free
Post-Run: 34,941,464,576 bytes free

That looked promising!
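An added example, not from the thread and not ComboFix's own code: a checker that reads the CFScript back against the ComboFix log it produced, which is what the helper does by eye before declaring the infection gone. Every File:: path should be listed under "Other Deletions", every Driver:: name should appear as a removed Service_ entry, and the leaf of each [-key] in Registry:: should no longer occur anywhere in the post-run log. The embedded script and log excerpts are trimmed copies of what was posted above; the log is otherwise silent about registry deletions, so the "no longer referenced" test is my own heuristic rather than anything ComboFix reports.

```python
"""Added example, not part of the original thread or of ComboFix.

Cross-check a CFScript against the ComboFix log it produced.  Paths are
compared case-insensitively, which also collapses the rtqwryr.dll line the
script lists twice in different case.
"""

# Constructed sample: the CFScript from the thread (Driver/File/Registry only).
CFSCRIPT = r"""
Driver::
wlubdewd

File::
c:\windows\system32\drivers\wlubdewd.sys
c:\windows\system32\rtqwryr.dll
C:\WINDOWS\System32\kqfpqyei.dll
C:\WINDOWS\System32\uxehitb.dll
C:\WINDOWS\System32\rtqwryr.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct]
"""

# Constructed sample: the relevant blocks of the ComboFix log posted above
# (banner parentheses shortened; the parser only looks at the prefix).
COMBOFIX_LOG = r"""
((((( Other Deletions )))))
.
c:\windows\system32\drivers\wlubdewd.sys
c:\windows\System32\kqfpqyei.dll
c:\windows\System32\rtqwryr.dll
c:\windows\System32\uxehitb.dll
.
((((( Drivers/Services )))))
.
-------\Legacy_WLUBDEWD
-------\Service_wlubdewd

((((( Files Created from 2009-05-28 to 2009-4-28 )))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
.
- - - - ORPHANS REMOVED - - - -

BHO-{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} - c:\windows\system32\rtqwryr.dll

.
------- Supplementary Scan -------
"""


def parse_cfscript(text):
    """Map each 'Name::' section to its non-blank lines."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix(text):
    """Pull out deleted paths, removed services and orphan entries."""
    deleted, services, orphans, block = set(), set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("((("):          # section banner
            block = ("del" if "Other Deletions" in line
                     else "svc" if "Drivers/Services" in line else None)
            continue
        if "ORPHANS REMOVED" in line:
            block = "orphan"
            continue
        if not line or line == ".":
            continue
        if block == "del":
            deleted.add(line.lower())
        elif block == "svc" and line.startswith("-------\\"):
            services.add(line.split("\\", 1)[1].lower())
        elif block == "orphan":
            if line.startswith("---"):      # next banner ends the list
                block = None
            else:
                orphans.append(line)
    return deleted, services, orphans


def verify(cfscript, log):
    """Report, per requested item, whether the log shows it removed."""
    want = parse_cfscript(cfscript)
    deleted, services, orphans = parse_combofix(log)
    log_lc = log.lower()
    files = {f.lower(): ("deleted" if f.lower() in deleted else "NOT in Other Deletions")
             for f in want.get("File", [])}
    drivers = {d.lower(): ("service removed" if "service_" + d.lower() in services
                           else "service NOT removed")
               for d in want.get("Driver", [])}
    registry = {}
    for entry in want.get("Registry", []):
        if entry.startswith("[-") and entry.endswith("]"):
            leaf = entry[2:-1].rsplit("\\", 1)[-1]
            registry[leaf] = ("still referenced in log" if leaf.lower() in log_lc
                              else "no longer referenced")
    return {"files": files, "drivers": drivers, "registry": registry, "orphans": orphans}


if __name__ == "__main__":
    for kind, entries in verify(CFSCRIPT, COMBOFIX_LOG).items():
        print(kind, entries)
```

On the sample the four distinct files are all reported deleted, the wlubdewd service is gone, tqqujzct no longer appears anywhere, and the single orphan is the BHO that pointed at rtqwryr.dll. A "NOT in Other Deletions" or "service NOT removed" result is the cue to look for a file-lock or a driver that re-created itself before declaring the machine clean.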
 
Hi Richue

Finally, they are gone... :bow:

We will run one online scan to be sure that there is nothing left.

1 - Update Java

Please download JavaRa and unzip it to your desktop.

  • Double-click on JavaRa.exe to start the program.
  • Click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a log file has been produced. Click OK.
  • A log file will pop up. Please save it to a convenient location.

Download the latest version of Java Runtime Environment (JRE) 6 Update 13.

  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on the download to install the newest version.

2 - Clean temp files

  • Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

    Under Main choose:

    • Windows Temp
      Current User Temp
      All Users Temp
      Temporary Internet Files
      Prefetch
      Java Cache

      *The other boxes are optional*
      Then click the Empty Selected button.
    if you use Firefox:

    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
    if you use Opera:

    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program

3 - Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

4 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

5 - Status Check
Please reply with

1. the Kaspersky online scanner report
2. a fresh HijackThis log
How's the computer running now? Any problems?

Thanks peku006
 
Hello Peku006, I am having problems with step 1. Every time I run Javara.exe and click on remove older versions, I get the Microsoft error "Javara has encountered a problem and needs to close...". Rebooting did not help. I am also still getting a warning message that the autochk file could not be found, skipping autocheck. This comes up momentarily right before the login screen. I did not try to proceed past step 1.
Thanks richue
 
Hi Peku006, one other thing, I see JRE 6 Update 13 on the link you supplied but I do not see anything regarding "allows end-users to run Java applications". I want to make sure I download the correct one.
Thanks richue
 
Hi Richue

I am having problems with step 1
You can uninstall them manually: Control Panel -> Add/Remove Programs, and uninstall any old versions.

I want to make sure I download the correct one.
It is this one:
JDK 6 Update 13 with JavaFX SDK
For your convenience, Sun has bundled Update 13 of the JDK (the Java development platform) and the JavaFX 1.1 SDK, which provides the JavaFX functionality needed to develop RIAs directly. Each product included is subject to its own license.

Thanks peku006
 
Hello again Peku006,

Here is Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, April 29, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, April 29, 2009 14:13:39
Records in database: 2092713
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 89335
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:59:16


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_wlubdewd_.sys.zip Infected: Trojan.Win32.BHO.ext 1

The selected area was scanned.

And the Hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:58 AM, on 4/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1232901218718
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6798 bytes

Still get an error about file systemroot......system32/autochk.exe not found.

Sorry I did not write down entire path.

Thank you so much,
richue
 
Hi Richue

Run CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DeQuarantine::
C:\Qoobox\Quarantine\c:\documents and settings\Rob\Local Settings\Application Data\tcbjmqlj
C:\Qoobox\Quarantine\c:\documents and settings\Rob\Application Data\tcbjmqlj
C:\Qoobox\Quarantine\c:\documents and settings\NetworkService\Local Settings\Application Data\tcbjmqlj
C:\Qoobox\Quarantine\c:\documents and settings\NetworkService\Application Data\tcbjmqlj

Quit::

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at DeQuarantine_log.txt which I will require in your next reply.

Thanks peku006
 
Hello Peku006,

Combofix created this log:


ComboFix 09-04-25.A3 - Rob 04/29/2009 11:49.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.169 [GMT -5:00]
Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rob\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-29 12:34 . 2009-04-29 12:34 -------- d-----w c:\program files\JavaFX
2009-04-29 12:29 . 2009-04-29 12:29 -------- d-----w c:\program files\Sun
2009-04-29 12:29 . 2009-04-29 12:29 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-29 12:29 . 2009-04-29 12:29 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-29 12:27 . 2009-04-29 12:29 -------- d-----w c:\program files\Java
2009-04-29 12:02 . 2009-04-29 12:02 0 ----a-w c:\windows\system32\REN1C.tmp
2009-04-29 12:02 . 2009-04-29 12:02 0 ----a-w c:\windows\system32\REN1B.tmp
2009-04-29 12:02 . 2009-04-29 12:02 0 ----a-w c:\windows\system32\REN1A.tmp
2009-04-27 18:47 . 2009-04-27 18:47 -------- d-----w C:\_OTScanIt
2009-04-27 12:07 . 2009-04-27 12:07 -------- d-----w C:\_OTMoveIt
2009-04-26 14:42 . 2009-04-26 14:42 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-26 14:42 . 2009-04-26 14:42 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-26 14:42 . 2009-04-26 14:42 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-26 14:42 . 2009-04-29 14:54 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-26 14:42 . 2009-04-26 14:48 -------- d-----w c:\documents and settings\Rob\Application Data\AVGTOOLBAR
2009-04-26 14:42 . 2009-04-26 14:42 -------- d-----w c:\program files\AVG
2009-04-25 01:23 . 2009-04-25 02:33 -------- d-----w C:\VundoFix Backups
2009-04-24 03:52 . 2009-03-06 14:00 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-24 03:52 . 2009-02-09 10:01 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-24 03:52 . 2009-02-09 10:01 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-24 03:52 . 2009-02-06 10:22 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-24 03:52 . 2009-02-06 09:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-24 03:52 . 2009-02-06 09:41 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-24 03:52 . 2005-07-26 04:20 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-24 03:52 . 2009-02-09 10:01 617984 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-24 03:52 . 2009-02-09 10:01 715264 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-24 03:51 . 2009-03-27 07:09 1193414 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-24 03:51 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\documents and settings\Rob\Application Data\Malwarebytes
2009-04-23 15:10 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-23 15:10 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 17:46 . 2009-04-22 17:47 4969 ----a-w c:\windows\pixcache.ini
2009-04-22 17:46 . 2009-04-22 17:47 -------- d-----w c:\documents and settings\Rob\Application Data\Canon Electronics
2009-04-22 17:44 . 2006-05-17 02:23 6416 ----a-w c:\windows\system32\PIXTHK16.DLL
2009-04-22 17:44 . 2006-05-17 02:22 231552 ----a-w c:\windows\system32\PIXDFLT.DLL
2009-04-22 17:44 . 2006-05-17 02:22 23152 ----a-w c:\windows\system32\PIXPERM.DLL
2009-04-22 17:44 . 2006-05-17 02:22 16048 ----a-w c:\windows\system32\PIXLOC.DLL
2009-04-22 17:44 . 2006-05-17 02:19 21008 ----a-w c:\windows\system32\CTL3D.DLL
2009-04-22 17:44 . 2005-02-10 23:17 11968 ----a-w c:\windows\system32\PIXMDLLC.CPL
2009-04-22 17:44 . 2006-05-17 02:19 51959 ----a-w c:\windows\system32\PIXNAME.HLP
2009-04-22 17:44 . 2006-05-17 02:19 327680 ----a-w c:\windows\system32\PIXJP2KI.DLL
2009-04-22 17:43 . 2007-01-29 19:34 61440 ----a-w c:\windows\system32\SuStiUtl.dll
2009-04-22 17:42 . 2004-08-04 03:58 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-22 17:42 . 2004-08-04 03:58 15104 ----a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-22 17:42 . 2009-04-23 18:26 140 ----a-w c:\windows\SetScan.ini
2009-04-22 17:42 . 2007-03-02 17:40 229376 ----a-w c:\windows\system32\DR2KSVC.dll
2009-04-22 17:42 . 2006-09-11 19:12 45056 ----a-w c:\windows\system32\WNASPI32.DLL
2009-04-22 17:42 . 2006-09-11 19:12 16512 ----a-w c:\windows\system32\drivers\ASPI32.SYS
2009-04-22 17:42 . 2006-08-10 15:36 42536 ----a-w c:\windows\system32\CeiUSB.dll
2009-04-22 17:42 . 2006-09-21 13:44 83496 ----a-w c:\windows\system32\CaDRcpl.dll
2009-04-22 17:42 . 2006-06-13 19:33 157224 ----a-w c:\windows\system32\CeiSCSI.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 12:11 . 2009-04-28 22:27 1375 ----a-w C:\JavaRa.log
2009-04-28 18:47 . 2004-08-04 21:00 23424 ----a-w c:\windows\system32\drivers\qerpuylv.sys
2009-04-27 20:17 . 2009-04-27 20:17 2502 ----a-w C:\avenger.txt
2009-04-26 14:42 . 2009-04-26 14:42 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-25 14:32 . 2009-04-25 14:32 -------- d-----w c:\program files\Trend Micro
2009-04-25 14:23 . 2009-04-25 03:49 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-25 14:20 . 2009-04-25 14:20 -------- d-----w c:\program files\ERUNT
2009-04-25 01:41 . 2009-04-25 01:23 391 ----a-w C:\VundoFix.txt
2009-04-24 23:04 . 2006-08-19 09:31 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-24 13:50 . 2006-08-19 09:25 -------- d-----w c:\program files\Hewlett-Packard
2009-04-24 03:59 . 2007-10-24 19:02 -------- d-----w c:\documents and settings\Rob\Application Data\U3
2009-04-24 03:47 . 2007-10-15 01:49 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-24 03:45 . 2007-10-15 01:49 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-22 17:43 . 2009-04-22 17:41 -------- d-----w c:\program files\Canon Electronics
2009-04-22 17:43 . 2006-08-19 08:16 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-21 14:18 . 2006-07-05 10:55 986112 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-06 14:00 . 2004-08-04 21:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-11-08 03:03 826368 ------w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 2004-08-04 21:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 04:54 . 2006-10-17 18:04 636072 ------w c:\windows\system32\dllcache\iexplore.exe
2009-02-20 10:20 . 2007-04-24 14:26 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2006-11-07 09:26 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2006-11-07 09:25 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-10 23:31 . 2009-02-10 23:31 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 10:19 . 2007-03-08 13:47 1846272 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 10:19 . 2004-08-04 21:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2006-08-17 12:28 728576 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 21:00 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 21:00 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2004-08-04 21:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2004-08-04 21:00 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:32 . 2007-02-28 09:55 2186112 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 10:32 . 2004-08-04 21:00 2186112 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:29 . 2007-02-28 09:53 2142720 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 10:22 . 2004-08-04 21:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2004-08-04 21:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2007-02-28 09:15 2020864 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 09:49 . 2007-02-28 09:15 2062976 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 09:49 . 2004-08-04 21:00 2062976 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2009-02-03 20:08 55808 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 20:08 . 2004-08-04 21:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-10-16 22:31 . 2008-10-16 22:17 30 ----a-w c:\documents and settings\Rob\jagex_runescape_preferences.dat
2008-08-14 00:09 . 2008-10-13 00:09 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-02-12 20:53 . 2006-12-15 20:35 67680 ----a-w c:\documents and settings\Rob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-05-09 19:09 . 2007-01-26 21:25 13012 ----a-w c:\documents and settings\Rob\Bubblets.dat
2006-12-15 20:37 . 2006-12-15 20:35 126 ----a-w c:\documents and settings\Rob\Local Settings\Application Data\fusioncache.dat
2006-08-19 10:22 . 2009-04-25 03:09 49632 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-08-19 09:22 . 2009-04-25 03:09 128 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2006-12-16 22:52 . 2006-12-16 22:52 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-26_15.03.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-29 16:12 . 2009-04-29 16:12 16384 c:\windows\temp\Perflib_Perfdata_e4.dat
+ 2009-04-29 12:34 . 2009-04-29 12:34 10134 c:\windows\Installer\{7396F7C8-EDD8-4473-BF6A-2CE4996716E1}\SystemFolder_msiexec.exe
+ 2009-04-29 12:29 . 2009-04-29 12:29 148888 c:\windows\system32\javaws.exe
+ 2009-04-29 12:29 . 2009-04-29 12:29 144792 c:\windows\system32\javaw.exe
+ 2009-04-29 12:29 . 2009-04-29 12:29 144792 c:\windows\system32\java.exe
- 2006-05-10 13:29 . 2009-04-24 03:58 270984 c:\windows\system32\FNTCACHE.DAT
+ 2006-05-10 13:29 . 2009-04-27 20:17 270984 c:\windows\system32\FNTCACHE.DAT
+ 2009-04-27 20:12 . 2009-04-27 20:12 241664 c:\windows\ERDNT\4-27-2009\Users\00000002\UsrClass.dat
+ 2009-04-27 20:12 . 2005-10-20 17:02 163328 c:\windows\ERDNT\4-27-2009\ERDNT.EXE
+ 2009-04-27 20:12 . 2009-04-27 20:12 7102464 c:\windows\ERDNT\4-27-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 135168]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-26 1932568]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-29 148888]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]
"CANON DR2080C SVC"="DR2KSVC.dll" - c:\windows\system32\DR2KSVC.dll [2007-03-02 229376]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-26 14:42 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=c:\documents and settings\Rob\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Vongo Service"=2 (0x2)
"UPS"=3 (0x3)
"gusvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-26 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-26 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-26 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-26 298264]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11653a28-c6ba-11db-b4ed-0014a5d1302c}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a262d412-8263-11dc-b587-0014a5d1302c}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 11:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????J??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-29 11:54
ComboFix-quarantined-files.txt 2009-04-29 16:53
ComboFix2.txt 2009-04-28 18:54
ComboFix3.txt 2009-04-26 19:40
ComboFix4.txt 2009-04-26 15:06

Pre-Run: 34,428,092,416 bytes free
Post-Run: 34,478,981,120 bytes free

220


I did not see a dequarantine_log.txt

Thank you,
richue
 
Hi Richue

CFScript.txt Failed......
delete the old CFScript.txt (s) from your desktop and we're going to make a new one

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DeQuarantine::
C:\Qoobox\Quarantine\c:\documents and settings\Rob\Local Settings\Application Data\tcbjmqlj
C:\Qoobox\Quarantine\c:\documents and settings\Rob\Application Data\tcbjmqlj
C:\Qoobox\Quarantine\c:\documents and settings\NetworkService\Local Settings\Application Data\tcbjmqlj
C:\Qoobox\Quarantine\c:\documents and settings\NetworkService\Application Data\tcbjmqlj

Quit::

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at DeQuarantine_log.txt which I will require in your next reply.



Next, your "autochk.exe not found" error:

Click Erunt.exe to backup your registry to the folder of your choice

Open Notepad and copy the contents of the following box to a new file.

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"AutoChkTimeOut"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCScan"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,00,6c,00,\
65,00,61,00,6e,00,6d,00,67,00,72,00,2e,00,65,00,78,00,65,00,20,00,2f,00,44,\
00,20,00,25,00,63,00,00,00

Save it as fix.reg (save type: "All files" (*.*)) to your desktop.

It should look like this ->
reg.gif


Go to Desktop, double-click fix.reg and merge the information with the registry.

After that, Reboot.

Logs look good. How's the computer running now? Any problems?

Thanks peku006
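The fix.reg above writes two hex-encoded values whose meaning is not obvious from the byte lists. The following Python script is an added example, not from the thread or from any tool named in it: it parses a .reg file (joining regedit's backslash continuation lines), decodes dword, hex(2) (REG_EXPAND_SZ) and hex(7) (REG_MULTI_SZ) data into readable values, and checks that BootExecute is being set to the stock Windows value "autocheck autochk *", which is the setting behind the "autochk.exe not found" boot message. SAMPLE_REG is a constructed copy of the posted fix.reg (with AutoChkTimeOut written as a full 8-digit dword); parse_reg and boot_execute_is_stock are names chosen here.

```python
"""Decode the values in a .reg file so you can see what it will write before merging it.
Added example; the parser and the sample below are not part of the original thread."""
import re
from typing import Dict, List, Tuple, Union

# Constructed sample: the same keys and values as the fix.reg posted above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"AutoChkTimeOut"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
  00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCScan"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,00,6c,00,\
  65,00,61,00,6e,00,6d,00,67,00,72,00,2e,00,65,00,78,00,65,00,20,00,2f,00,44,\
  00,20,00,25,00,63,00,00,00
"""

RegValue = Union[int, str, List[str], bytes]
SESSION_MANAGER = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"

# "name"=data  or  @=data (default value)
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
_HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$")


def _join_continuations(text: str) -> List[str]:
    """Join lines that end in a backslash (regedit's hex continuation syntax)."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _decode_data(data: str) -> RegValue:
    """Turn the textual data part of a .reg value into a Python value."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    m = _HEX_RE.match(data)
    if m:
        reg_type = int(m.group("type") or "3", 16)  # bare "hex:" means REG_BINARY (3)
        raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b)
        if reg_type in (1, 2):   # REG_SZ / REG_EXPAND_SZ: UTF-16LE, NUL terminated
            return raw.decode("utf-16-le").rstrip("\x00")
        if reg_type == 7:        # REG_MULTI_SZ: NUL-separated strings, double NUL at end
            return [s for s in raw.decode("utf-16-le").split("\x00") if s]
        return raw               # anything else: keep the raw bytes
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    raise ValueError(f"unsupported value syntax: {data}")


def parse_reg(text: str) -> Dict[Tuple[str, str], RegValue]:
    """Map (key path, value name) -> decoded value; the default value is named '@'."""
    entries: Dict[Tuple[str, str], RegValue] = {}
    key = None
    for line in _join_continuations(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = m.group("name") if m.group("name") is not None else "@"
            entries[(key, name)] = _decode_data(m.group("data"))
    return entries


def boot_execute_is_stock(entries: Dict[Tuple[str, str], RegValue]) -> bool:
    """True when the file sets BootExecute to exactly the Windows default and nothing else."""
    return entries.get((SESSION_MANAGER, "BootExecute")) == ["autocheck autochk *"]


if __name__ == "__main__":
    decoded = parse_reg(SAMPLE_REG)
    for (key, name), value in decoded.items():
        print(f"[{key}]\n  {name} = {value!r}")
    print("BootExecute is the stock value:", boot_execute_is_stock(decoded))
```

Whatever BootExecute names runs at boot before anyone logs on, so it is worth confirming that a fix you are about to merge writes exactly the stock entry and nothing else; the same decoder shows that the cleanuppath value is just `%SystemRoot%\system32\cleanmgr.exe /D %c`, the normal Disk Cleanup command.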
 
Hello Peku006,

Computer running fine, no apparent problems. Autochk problem solved. Looks like CFScript.txt failed again. Here is the log produced:

ComboFix 09-04-25.A3 - Rob 04/29/2009 13:07.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.182 [GMT -5:00]
Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rob\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-29 12:34 . 2009-04-29 12:34 -------- d-----w c:\program files\JavaFX
2009-04-29 12:29 . 2009-04-29 12:29 -------- d-----w c:\program files\Sun
2009-04-29 12:29 . 2009-04-29 12:29 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-29 12:29 . 2009-04-29 12:29 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-29 12:27 . 2009-04-29 12:29 -------- d-----w c:\program files\Java
2009-04-29 12:02 . 2009-04-29 12:02 0 ----a-w c:\windows\system32\REN1C.tmp
2009-04-29 12:02 . 2009-04-29 12:02 0 ----a-w c:\windows\system32\REN1B.tmp
2009-04-29 12:02 . 2009-04-29 12:02 0 ----a-w c:\windows\system32\REN1A.tmp
2009-04-27 18:47 . 2009-04-27 18:47 -------- d-----w C:\_OTScanIt
2009-04-27 12:07 . 2009-04-27 12:07 -------- d-----w C:\_OTMoveIt
2009-04-26 14:42 . 2009-04-26 14:42 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-26 14:42 . 2009-04-26 14:42 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-26 14:42 . 2009-04-26 14:42 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-26 14:42 . 2009-04-29 14:54 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-26 14:42 . 2009-04-26 14:48 -------- d-----w c:\documents and settings\Rob\Application Data\AVGTOOLBAR
2009-04-26 14:42 . 2009-04-26 14:42 -------- d-----w c:\program files\AVG
2009-04-25 01:23 . 2009-04-25 02:33 -------- d-----w C:\VundoFix Backups
2009-04-24 03:52 . 2009-03-06 14:00 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-24 03:52 . 2009-02-09 10:01 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-24 03:52 . 2009-02-09 10:01 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-24 03:52 . 2009-02-06 10:22 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-24 03:52 . 2009-02-06 09:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-24 03:52 . 2009-02-06 09:41 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-24 03:52 . 2005-07-26 04:20 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-24 03:52 . 2009-02-09 10:01 617984 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-24 03:52 . 2009-02-09 10:01 715264 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-24 03:51 . 2009-03-27 07:09 1193414 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-24 03:51 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\documents and settings\Rob\Application Data\Malwarebytes
2009-04-23 15:10 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-23 15:10 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 17:46 . 2009-04-22 17:47 4969 ----a-w c:\windows\pixcache.ini
2009-04-22 17:46 . 2009-04-22 17:47 -------- d-----w c:\documents and settings\Rob\Application Data\Canon Electronics
2009-04-22 17:44 . 2006-05-17 02:23 6416 ----a-w c:\windows\system32\PIXTHK16.DLL
2009-04-22 17:44 . 2006-05-17 02:22 231552 ----a-w c:\windows\system32\PIXDFLT.DLL
2009-04-22 17:44 . 2006-05-17 02:22 23152 ----a-w c:\windows\system32\PIXPERM.DLL
2009-04-22 17:44 . 2006-05-17 02:22 16048 ----a-w c:\windows\system32\PIXLOC.DLL
2009-04-22 17:44 . 2006-05-17 02:19 21008 ----a-w c:\windows\system32\CTL3D.DLL
2009-04-22 17:44 . 2005-02-10 23:17 11968 ----a-w c:\windows\system32\PIXMDLLC.CPL
2009-04-22 17:44 . 2006-05-17 02:19 51959 ----a-w c:\windows\system32\PIXNAME.HLP
2009-04-22 17:44 . 2006-05-17 02:19 327680 ----a-w c:\windows\system32\PIXJP2KI.DLL
2009-04-22 17:43 . 2007-01-29 19:34 61440 ----a-w c:\windows\system32\SuStiUtl.dll
2009-04-22 17:42 . 2004-08-04 03:58 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-22 17:42 . 2004-08-04 03:58 15104 ----a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-22 17:42 . 2009-04-23 18:26 140 ----a-w c:\windows\SetScan.ini
2009-04-22 17:42 . 2007-03-02 17:40 229376 ----a-w c:\windows\system32\DR2KSVC.dll
2009-04-22 17:42 . 2006-09-11 19:12 45056 ----a-w c:\windows\system32\WNASPI32.DLL
2009-04-22 17:42 . 2006-09-11 19:12 16512 ----a-w c:\windows\system32\drivers\ASPI32.SYS
2009-04-22 17:42 . 2006-08-10 15:36 42536 ----a-w c:\windows\system32\CeiUSB.dll
2009-04-22 17:42 . 2006-09-21 13:44 83496 ----a-w c:\windows\system32\CaDRcpl.dll
2009-04-22 17:42 . 2006-06-13 19:33 157224 ----a-w c:\windows\system32\CeiSCSI.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 12:11 . 2009-04-28 22:27 1375 ----a-w C:\JavaRa.log
2009-04-28 18:47 . 2004-08-04 21:00 23424 ----a-w c:\windows\system32\drivers\qerpuylv.sys
2009-04-27 20:17 . 2009-04-27 20:17 2502 ----a-w C:\avenger.txt
2009-04-26 14:42 . 2009-04-26 14:42 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-25 14:32 . 2009-04-25 14:32 -------- d-----w c:\program files\Trend Micro
2009-04-25 14:23 . 2009-04-25 03:49 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-25 14:20 . 2009-04-25 14:20 -------- d-----w c:\program files\ERUNT
2009-04-25 01:41 . 2009-04-25 01:23 391 ----a-w C:\VundoFix.txt
2009-04-24 23:04 . 2006-08-19 09:31 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-24 13:50 . 2006-08-19 09:25 -------- d-----w c:\program files\Hewlett-Packard
2009-04-24 03:59 . 2007-10-24 19:02 -------- d-----w c:\documents and settings\Rob\Application Data\U3
2009-04-24 03:47 . 2007-10-15 01:49 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-24 03:45 . 2007-10-15 01:49 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-22 17:43 . 2009-04-22 17:41 -------- d-----w c:\program files\Canon Electronics
2009-04-22 17:43 . 2006-08-19 08:16 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-21 14:18 . 2006-07-05 10:55 986112 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-06 14:00 . 2004-08-04 21:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-11-08 03:03 826368 ------w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 2004-08-04 21:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 04:54 . 2006-10-17 18:04 636072 ------w c:\windows\system32\dllcache\iexplore.exe
2009-02-20 10:20 . 2007-04-24 14:26 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2006-11-07 09:26 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2006-11-07 09:25 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-10 23:31 . 2009-02-10 23:31 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 10:19 . 2007-03-08 13:47 1846272 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 10:19 . 2004-08-04 21:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2006-08-17 12:28 728576 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 21:00 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 21:00 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2004-08-04 21:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2004-08-04 21:00 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:32 . 2007-02-28 09:55 2186112 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 10:32 . 2004-08-04 21:00 2186112 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:29 . 2007-02-28 09:53 2142720 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 10:22 . 2004-08-04 21:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2004-08-04 21:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2007-02-28 09:15 2020864 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 09:49 . 2007-02-28 09:15 2062976 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 09:49 . 2004-08-04 21:00 2062976 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2009-02-03 20:08 55808 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 20:08 . 2004-08-04 21:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-10-16 22:31 . 2008-10-16 22:17 30 ----a-w c:\documents and settings\Rob\jagex_runescape_preferences.dat
2008-08-14 00:09 . 2008-10-13 00:09 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-02-12 20:53 . 2006-12-15 20:35 67680 ----a-w c:\documents and settings\Rob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-05-09 19:09 . 2007-01-26 21:25 13012 ----a-w c:\documents and settings\Rob\Bubblets.dat
2006-12-15 20:37 . 2006-12-15 20:35 126 ----a-w c:\documents and settings\Rob\Local Settings\Application Data\fusioncache.dat
2006-08-19 10:22 . 2009-04-25 03:09 49632 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-08-19 09:22 . 2009-04-25 03:09 128 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2006-12-16 22:52 . 2006-12-16 22:52 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-26_15.03.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-29 18:05 . 2009-04-29 18:05 16384 c:\windows\temp\Perflib_Perfdata_8c.dat
+ 2009-04-29 12:34 . 2009-04-29 12:34 10134 c:\windows\Installer\{7396F7C8-EDD8-4473-BF6A-2CE4996716E1}\SystemFolder_msiexec.exe
+ 2009-04-29 12:29 . 2009-04-29 12:29 148888 c:\windows\system32\javaws.exe
+ 2009-04-29 12:29 . 2009-04-29 12:29 144792 c:\windows\system32\javaw.exe
+ 2009-04-29 12:29 . 2009-04-29 12:29 144792 c:\windows\system32\java.exe
+ 2006-05-10 13:29 . 2009-04-27 20:17 270984 c:\windows\system32\FNTCACHE.DAT
- 2006-05-10 13:29 . 2009-04-24 03:58 270984 c:\windows\system32\FNTCACHE.DAT
+ 2009-04-29 18:00 . 2009-04-29 18:00 249856 c:\windows\ERDNT\4-29-2009\Users\00000002\UsrClass.dat
+ 2009-04-29 18:00 . 2005-10-20 17:02 163328 c:\windows\ERDNT\4-29-2009\ERDNT.EXE
+ 2009-04-27 20:12 . 2009-04-27 20:12 241664 c:\windows\ERDNT\4-27-2009\Users\00000002\UsrClass.dat
+ 2009-04-27 20:12 . 2005-10-20 17:02 163328 c:\windows\ERDNT\4-27-2009\ERDNT.EXE
+ 2009-04-29 18:00 . 2009-04-29 18:00 7102464 c:\windows\ERDNT\4-29-2009\Users\00000001\NTUSER.DAT
+ 2009-04-27 20:12 . 2009-04-27 20:12 7102464 c:\windows\ERDNT\4-27-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 135168]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-26 1932568]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-29 148888]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]
"CANON DR2080C SVC"="DR2KSVC.dll" - c:\windows\system32\DR2KSVC.dll [2007-03-02 229376]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-26 14:42 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=c:\documents and settings\Rob\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Vongo Service"=2 (0x2)
"UPS"=3 (0x3)
"gusvc"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-26 908056]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-26 298264]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-26 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-26 108552]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11653a28-c6ba-11db-b4ed-0014a5d1302c}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a262d412-8263-11dc-b587-0014a5d1302c}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 13:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????J??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-29 13:11
ComboFix-quarantined-files.txt 2009-04-29 18:11
ComboFix2.txt 2009-04-29 17:58
ComboFix3.txt 2009-04-29 16:54
ComboFix4.txt 2009-04-28 18:54
ComboFix5.txt 2009-04-29 18:06

Pre-Run: 34,386,071,552 bytes free
Post-Run: 34,367,717,376 bytes free

227

Thanks a million,
richue
 
Hi Richue

Great that your machine is running better now.

Please do this: Click Start, Run, and in the Open box enter the below:
notepad C:\Qoobox\ComboFix-quarantined-files.txt

Copy and paste the info for your hosts file back here

Thanks peku006
 
Hello Peku006,

Here is the info requested:

2009-04-28 18:52:53 . 2009-04-28 18:52:53 434 ----a-w C:\Qoobox\Quarantine\Registry_backups\BHO-{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}.reg.dat
2009-04-28 18:48:42 . 2009-04-28 18:48:42 7,168 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_wlubdewd.reg.dat
2009-04-28 18:48:42 . 2009-04-28 18:48:42 1,276 ----a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_WLUBDEWD.reg.dat
2009-04-28 18:47:12 . 2009-04-28 18:47:12 81,104 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_uxehitb_.dll.zip
2009-04-28 18:47:10 . 2009-04-28 18:47:11 304,908 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_rtqwryr_.dll.zip
2009-04-28 18:47:07 . 2009-04-28 18:47:07 141,726 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_kqfpqyei_.dll.zip
2009-04-28 18:47:04 . 2009-04-28 18:47:04 11,443 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_wlubdewd_.sys.zip
2009-04-26 15:04:20 . 2009-04-26 15:04:20 270 ----a-w C:\Qoobox\Quarantine\Registry_backups\Notify-WgaLogon.reg.dat
2009-04-26 15:03:41 . 2004-04-30 19:01:14 53 ----a-w C:\Qoobox\Quarantine\D\Autorun.inf.vir
2009-04-26 15:02:19 . 2009-04-29 18:09:09 6,353 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-04-26 14:57:12 . 2009-04-29 18:06:38 1,619 ----a-w C:\Qoobox\Quarantine\catchme.log
2009-04-24 20:39:44 . 2009-04-24 20:39:44 367 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\prefs.js.vir
2009-04-24 20:30:26 . 2009-04-24 20:39:50 4,491 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\pluginreg.dat.vir
2009-04-24 20:30:10 . 2009-04-24 20:30:10 569 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\localstore.rdf.vir
2009-04-24 20:30:00 . 2009-04-24 20:42:34 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\webappsstore.sqlite.vir
2009-04-24 20:30:00 . 2009-04-24 20:30:00 4,096 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\formhistory.sqlite.vir
2009-04-24 20:29:56 . 2009-04-24 20:39:58 0 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\places.sqlite-journal.vir
2009-04-24 20:29:56 . 2009-04-24 20:39:58 131,072 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\places.sqlite.vir
2009-04-24 20:29:56 . 2009-04-24 20:31:59 32,768 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Local Settings\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\urlclassifier3.sqlite.vir
2009-04-24 20:29:56 . 2009-04-24 20:29:56 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\key3.db.vir
2009-04-24 20:29:56 . 2009-04-24 20:31:59 65,536 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\cert8.db.vir
2009-04-24 20:29:56 . 2009-04-24 20:29:56 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\secmod.db.vir
2009-04-24 20:29:55 . 2009-04-24 20:43:08 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\cookies.sqlite.vir
2009-04-24 20:29:53 . 2009-04-24 20:29:53 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\permissions.sqlite.vir
2009-04-24 20:29:53 . 2009-04-24 20:39:43 127,885 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\compreg.dat.vir
2009-04-24 20:29:53 . 2009-04-24 20:43:08 438,116 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Local Settings\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\XPC.mfl.vir
2009-04-24 20:29:52 . 2009-04-24 20:39:43 96,173 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\xpti.dat.vir
2009-04-24 20:29:51 . 2009-04-24 20:39:43 207 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\compatibility.ini.vir
2009-04-24 20:29:51 . 2009-04-24 20:29:51 111 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\profiles.ini.vir
2009-04-24 03:56:29 . 2009-04-24 03:56:29 788 ----a-w C:\Qoobox\Quarantine\C\727f743fab11e26b7bbd0a\$shtdwn$.req.vir
2009-04-23 16:29:01 . 2009-04-23 16:29:01 367 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\prefs.js.vir
2009-04-23 15:24:28 . 2009-04-23 15:24:28 569 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\localstore.rdf.vir
2009-04-23 15:24:19 . 2009-04-23 16:29:05 4,491 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\pluginreg.dat.vir
2009-04-23 15:24:17 . 2009-04-23 16:31:40 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\webappsstore.sqlite.vir
2009-04-23 15:24:17 . 2009-04-23 15:24:17 4,096 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\formhistory.sqlite.vir
2009-04-23 15:24:15 . 2009-04-23 16:33:02 0 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\places.sqlite-journal.vir
2009-04-23 15:24:15 . 2009-04-23 16:29:08 131,072 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\places.sqlite.vir
2009-04-23 15:24:15 . 2009-04-23 15:26:20 32,768 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\tcbjmqlj\Profiles\exei5vml.default\urlclassifier3.sqlite.vir
2009-04-23 15:24:15 . 2009-04-23 15:24:15 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\key3.db.vir
2009-04-23 15:24:15 . 2009-04-23 15:26:20 65,536 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\cert8.db.vir
2009-04-23 15:24:14 . 2009-04-23 15:24:14 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\secmod.db.vir
2009-04-23 15:24:14 . 2009-04-23 16:33:43 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\cookies.sqlite.vir
2009-04-23 15:24:13 . 2009-04-23 15:24:13 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\permissions.sqlite.vir
2009-04-23 15:24:13 . 2009-04-23 16:29:00 127,885 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\compreg.dat.vir
2009-04-23 15:24:12 . 2009-04-23 16:29:15 378,058 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\tcbjmqlj\Profiles\exei5vml.default\XPC.mfl.vir
2009-04-23 15:24:12 . 2009-04-23 16:29:00 96,173 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\xpti.dat.vir
2009-04-23 15:24:12 . 2009-04-23 16:29:00 207 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\compatibility.ini.vir
2009-04-23 15:24:12 . 2009-04-23 15:24:12 111 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\profiles.ini.vir
2009-04-23 14:58:54 . 2009-04-23 14:58:54 0 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\nfr.gpref.vir
2009-04-23 14:04:52 . 2009-04-23 14:04:52 0 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\nfr.assembly.vir
2009-04-23 14:04:38 . 2009-04-23 14:04:38 140 ----a-w C:\Qoobox\Quarantine\C\pch.bat.vir
2009-04-23 14:03:05 . 2009-04-25 23:49:37 434 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At1.job.vir
2009-04-22 17:44:04 . 2006-05-17 02:40:20 49,424 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXTHK32.DLL.vir
2009-04-22 17:44:04 . 2006-05-17 02:40:20 102,672 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXTIFFN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:20 45,328 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXRAMN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:20 45,328 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXSLN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:20 45,328 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXPANN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:20 209,168 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXNOTEN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:20 74,000 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXNAMEN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:20 45,328 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXMPN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:18 233,744 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXMDLN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:18 45,328 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXMDLGN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:18 57,616 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXLZWN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:18 463,120 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXJP2K.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:18 119,056 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXJBGN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:18 69,904 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXDLGN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:18 94,480 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXAPS.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:18 753,936 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXANNOT.DLL.vir
2009-04-22 17:41:42 . 2006-05-17 02:40:20 53,520 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXPERMN.DLL.vir
2009-04-22 17:41:42 . 2006-05-17 02:40:18 74,000 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXLOCN.DLL.vir
2009-04-22 17:41:42 . 2006-05-17 02:40:18 221,456 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXDFLTN.DLL.vir
2009-04-06 12:57:26 . 2009-04-06 12:57:26 24,921,544 ----a-w C:\Qoobox\Quarantine\C\727f743fab11e26b7bbd0a\mrt.exe.vir
2009-04-06 12:57:24 . 2009-04-06 12:57:24 25,032 ----a-w C:\Qoobox\Quarantine\C\727f743fab11e26b7bbd0a\mrtstub.exe.vir
2004-08-04 21:00:00 . 2004-08-04 21:00:00 23,424 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\wlubdewd.sys.vir
2004-08-04 21:00:00 . 2004-08-04 21:00:00 143,872 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\kqfpqyei.dll.vir
2004-08-04 21:00:00 . 2004-08-04 21:00:00 104,448 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\rtqwryr.dll.vir
2004-08-04 21:00:00 . 2004-08-04 21:00:00 104,448 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\uxehitb.dll.vir

THANK YOU,

richue
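The ComboFix log richue posted above contains one line worth a second look: c:\windows\system32\drivers\qerpuylv.sys, modified 2009-04-28 18:47 with a creation stamp of 2004-08-04 21:00, and 23,424 bytes, the same size the quarantine listing above reports for wlubdewd.sys.vir. The thread itself does not name that file, so the following is an added example (Python, not part of any post here) of the heuristic a responder would run over the Find3M section: flag system32 binaries with a random-looking 7-8 letter name whose creation stamp equals the XP install stamp but whose modification time falls inside the incident window, and note when the size matches a quarantined sample. The column order (modified, then created) is read off the page's own patched-file lines such as pdh.dll; the window start of 2009-04-22 is an assumption based on the earliest activity in the log. A match is a file to hash and submit for analysis, not a verdict; the example also shows that a name-only rule would flag the legitimately patched wininet.dll.

```python
import re

# Find3M lines from the ComboFix log posted above (constructed excerpt, verbatim).
# ComboFix prints Find3M entries as "<modified> . <created> <size> <attrs> <path>";
# the column order is read off the page's own patched-file lines, e.g. pdh.dll
# (modified 2009-03-06, created with the 2004-08-04 XP install stamp).
FIND3M_EXCERPT = r"""
2009-04-29 12:11 . 2009-04-28 22:27 1375 ----a-w C:\JavaRa.log
2009-04-28 18:47 . 2004-08-04 21:00 23424 ----a-w c:\windows\system32\drivers\qerpuylv.sys
2009-04-26 14:42 . 2009-04-26 14:42 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-03 00:18 . 2004-08-04 21:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-09 10:01 . 2004-08-04 21:00 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-06 09:49 . 2004-08-04 21:00 2062976 ----a-w c:\windows\system32\ntkrnlpa.exe
"""

FIND3M_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(\d+|-+)\s+([-a-z]{7})\s+(.+)$")

# Creation stamp shared by the original XP SP2 files on this machine (see the
# log above); the quarantined Virtumonde driver and DLLs carry the same stamp.
XP_INSTALL_STAMP = "2004-08-04 21:00"
RANDOM_NAME_RE = re.compile(r"^[a-z]{7,8}\.(?:sys|dll)$")


def parse_find3m(lines):
    """Parse Find3M lines into dicts; lines that do not fit the format are ignored."""
    entries = []
    for line in lines:
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue
        modified, created, size, attrs, path = m.groups()
        entries.append({"modified": modified, "created": created,
                        "size": None if size.startswith("-") else int(size),
                        "attrs": attrs, "path": path})
    return entries


def flag_suspect_binaries(entries, window_start, quarantined_sizes=()):
    """Return (path, reasons) for system32 binaries that look like re-dropped
    Vundo components: a random 7-8 letter name, a creation stamp copied from the
    OS install, and a modification time inside the incident window. Timestamps
    are ISO-ordered strings, so plain string comparison works."""
    hits = []
    for e in entries:
        path = e["path"]
        name = path.rsplit("\\", 1)[-1].lower()
        if "\\system32\\" not in path.lower() or not RANDOM_NAME_RE.match(name):
            continue
        if e["created"] != XP_INSTALL_STAMP or e["modified"] < window_start:
            continue
        reasons = ["random-looking 7-8 letter name",
                   "created stamp equals the XP install stamp but modified during the incident"]
        if e["size"] in quarantined_sizes:
            reasons.append(f"size {e['size']} matches a quarantined sample")
        hits.append((path, reasons))
    return hits


if __name__ == "__main__":
    entries = parse_find3m(FIND3M_EXCERPT.splitlines())
    # 23424 bytes: size of wlubdewd.sys.vir in the quarantine listing above.
    for path, reasons in flag_suspect_binaries(entries, "2009-04-22 00:00", {23424}):
        print(path)
        for r in reasons:
            print("   -", r)
```

The window filter is what keeps this usable: every Patch Tuesday leaves system32 full of legitimately modified files whose creation stamp is still the install date, so the name and stamp signals only mean something when combined with "changed while the infection was active".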
 
Hi Richue

this is my last attempt......:wink:

Delete the old CFScript.txt from your desktop; we're going to make a new one.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:
DeQuarantine::
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\prefs.js.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\pluginreg.dat.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\localstore.rdf.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\webappsstore.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\formhistory.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\places.sqlite-journal.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\places.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Local Settings\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\urlclassifier3.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\key3.db.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\cert8.db.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\secmod.db.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\cookies.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\permissions.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\compreg.dat.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Local Settings\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\XPC.mfl.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\xpti.dat.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\compatibility.ini.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\profiles.ini.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\prefs.js.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\localstore.rdf.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\pluginreg.dat.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\webappsstore.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\formhistory.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\places.sqlite-journal.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\places.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\tcbjmqlj\Profiles\exei5vml.default\urlclassifier3.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\key3.db.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\cert8.db.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\secmod.db.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\cookies.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\permissions.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\compreg.dat.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\tcbjmqlj\Profiles\exei5vml.default\XPC.mfl.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\xpti.dat.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\compatibility.ini.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\profiles.ini.vir

Quit::

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at DeQuarantine_log.txt which I will require in your next reply.

Thanks peku006
 
Success!!
dequarantine_log:


Thank you
richue
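The FCopy step above moves files back out of C:\Qoobox\Quarantine to their original locations, and the DeQuarantine log records each move as `<quarantine path> -> <restored path> ( N bytes )`. The following is an added example, not part of the thread or of ComboFix: it derives the expected restore destination from a quarantine path and checks each log line for consistency and for restores that land outside a user profile. The sample log is constructed to match the thread's format; the third line is a made-up placeholder entry.

```python
import re
from typing import List, NamedTuple, Optional

QUARANTINE_ROOT = r"C:\Qoobox\Quarantine"
VIR_SUFFIX = ".vir"
# Shape of one DeQuarantine log line: "<src> -> <dst> ( N bytes )"
LOG_RE = re.compile(r"^(?P<src>.+?) -> (?P<dst>.+?) \( (?P<size>\d+) bytes \)$")


def quarantine_to_original(qpath: str) -> Optional[str]:
    """Map C:\\Qoobox\\Quarantine\\C\\<path>.vir back to C:\\<path>.
    Returns None when the path is not under the quarantine root."""
    prefix = QUARANTINE_ROOT + "\\"
    if not qpath.lower().startswith(prefix.lower()):
        return None
    rest = qpath[len(prefix):]                 # "C\<path>.vir"
    drive, sep, tail = rest.partition("\\")    # drive letter folder, then path
    if not sep or len(drive) != 1:
        return None
    if tail.lower().endswith(VIR_SUFFIX):
        tail = tail[:-len(VIR_SUFFIX)]
    return f"{drive.upper()}:\\{tail}"


class Restore(NamedTuple):
    src: str
    dst: str
    size: int
    consistent: bool   # dst equals the destination derived from src
    in_profile: bool   # dst lands under a user profile, not a system directory


def check_dequarantine_log(text: str) -> List[Restore]:
    """Parse a DeQuarantine log and flag each restore for review."""
    results = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                           # blank or non-log line
        src, dst, size = m["src"], m["dst"], int(m["size"])
        expected = quarantine_to_original(src)
        consistent = expected is not None and expected.lower() == dst.lower()
        in_profile = dst.lower().startswith("c:\\documents and settings\\")
        results.append(Restore(src, dst, size, consistent, in_profile))
    return results


# Constructed sample: two lines in the thread's format, plus a placeholder
# restore into a system directory that a reviewer would want to look at.
SAMPLE_LOG = r"""
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\profiles.ini.vir -> C:\Documents and Settings\Rob\Application Data\tcbjmqlj\profiles.ini ( 111 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\places.sqlite-journal.vir -> C:\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\places.sqlite-journal ( 0 bytes )
C:\Qoobox\Quarantine\C\WINDOWS\system32\PLACEHOLDER.dll.vir -> C:\WINDOWS\system32\PLACEHOLDER.dll ( 4096 bytes )
"""
```

Any entry with `consistent` false or `in_profile` false is worth checking by hand before trusting the restore.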
 
Hi Richue

The scans are fine and it looks like your machine is clean :yahoo:

To remove all of the tools we used and the files and folders they created do the following:

  • Double-click OTMoveIt3.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.
Turn ON System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy
Download it from here. Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here

Install SpyWare Blaster
Download it from here
Find the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information on how to prevent malware here.


Happy safe surfing! :bigthumb:
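The HOSTS file mechanism described above works because an entry that maps a name to 127.0.0.1 (or 0.0.0.0) keeps the machine from reaching that site. The same file can also map a name to any other address, so a quick review of what a HOSTS file actually does is useful after installing a block list. This is an added example, not the MVPS file or anything from the thread: a small parser that separates sinkholed names from names sent to a non-local address. The sample file is constructed; 192.0.2.10 is a documentation address.

```python
import ipaddress
from typing import Dict, List, NamedTuple

# Constructed sample hosts file: three MVPS-style block entries followed by
# one entry that sends a real site somewhere other than the local machine.
SAMPLE_HOSTS = """\
# block list entries
127.0.0.1 localhost
127.0.0.1 ads.example
0.0.0.0   tracker.example   # some lists sinkhole to 0.0.0.0 instead
192.0.2.10 www.update.microsoft.com
"""


class HostsEntry(NamedTuple):
    ip: str
    hostname: str
    blocked: bool      # loopback/unspecified target: the site is sinkholed
    redirected: bool   # any other target: the name is sent elsewhere


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text into one entry per (address, hostname) pair."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and padding
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed line, skip it
        sink = ip.is_loopback or ip.is_unspecified
        for name in parts[1:]:                    # one line may list several names
            entries.append(HostsEntry(str(ip), name.lower(), sink, not sink))
    return entries


def suspicious_redirects(text: str) -> Dict[str, str]:
    """Hostnames the file maps to a non-local address, for manual review."""
    return {e.hostname: e.ip for e in parse_hosts(text) if e.redirected}
```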
 
Greetings Peku006,

I do not know how to thank you enough for all your time and effort! All seems well and I will take your advice about prevention. You guys are awesome.
Thanks again,
richue :)
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 