Virus Removal Help


Virus Removal Help

Post by Japanese on 2nd March 2009, 11:50 pm

Thanks for helping me ahead of time.



Japanese
Senior

Posts : 204
Joined : 2008-11-29
Gender : Male
OS : Windows 7
Protection : Malwarebytes Anti Malware and Kaspersky
Points : 29729
# Likes : 0


Re: Virus Removal Help

Post by Japanese on 2nd March 2009, 11:51 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:19 PM, on 3/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\program files\novell\zenworks\nalwin.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\sopidkc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Documents and Settings\TXS6696\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\TXS6696\Local Settings\Temporary Internet Files\Content.IE5\X97C3GM6\hijackgpthis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.6:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 - HKLM\..\Run: [NAL] c:\program files\novell\zenworks\nalwin.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Startup] c:\windows\system32\startup.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [Sophos] C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\TXS6696\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-20\..\Run: [zogovavado] Rundll32.exe "C:\WINDOWS\system32\zubufoba.dll",s (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: xccstart.lnk = ?
O8 - Extra context menu item: Append to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - [You must be registered and logged in to see this link.]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: fwxjye.dll
O20 - Winlogon Notify: TPSvc - C:\WINDOWS\SYSTEM32\TPSvc.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\MapleStory\npkcmsvc.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: TP AutoConnect Service (TPAutoConnSvc) - ThinPrint GmbH - C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 11417 bytes



Re: Virus Removal Help

Post by Belahzur on 3rd March 2009, 12:01 am

Hello.

I see you have Viewpoint Manager; this is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". Read this article: [You must be registered and logged in to see this link.]

Additional info: [You must be registered and logged in to see this link.]

I suggest you remove the program now.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar

Let's remove the malware.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKUS\S-1-5-20\..\Run: [zogovavado] Rundll32.exe "C:\WINDOWS\system32\zubufoba.dll",s (User 'NETWORK SERVICE')
    O15 - Trusted Zone: [You must be registered and logged in to see this link.]
    O20 - AppInit_DLLs: fwxjye.dll
    O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe


  • Press "Fix Checked"
  • Close Hijack This.


  • Open Malware Bytes Anti-Malware and open the "Update" tab, and press "Check for updates"
  • Allow the updates to download.
  • Then once the updates are done, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
# Likes : 1

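The HijackThis lines the helper ticked above fall into a few recognisable patterns: a BHO whose DLL is gone, an autorun registered under the NETWORK SERVICE hive via rundll32, an AppInit_DLLs entry, a Trusted Zone addition and a service with no vendor. The following reader, added here as an example and not code from the thread or from HijackThis itself, applies those checks to raw HJT lines. The sample log is constructed from lines in the posted log plus one made-up O15 entry (`example.invalid`), because the real host name is elided on the page.

```python
"""
Added example, not code from the forum thread or from HijackThis itself:
a small reader for HijackThis "O" lines that applies the same kinds of
checks a helper uses when deciding which entries to tick for "Fix Checked".
The sample below is constructed from lines in the posted log plus one
made-up O15 entry (example.invalid), since the real host name is elided.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKUS\S-1-5-20\..\Run: [zogovavado] Rundll32.exe "C:\WINDOWS\system32\zubufoba.dll",s (User 'NETWORK SERVICE')
O15 - Trusted Zone: example.invalid
O20 - AppInit_DLLs: fwxjye.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe
"""

LINE_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")


@dataclass
class Entry:
    section: str                 # "O2", "O4", ...
    body: str                    # everything after "Oxx - "
    reasons: list = field(default_factory=list)


def parse_hjt(text):
    """Return one Entry per recognisable HJT line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def assess(entry):
    """Attach a human-readable reason for each rule the entry trips."""
    s, b = entry.section, entry.body
    if s == "O2" and b.endswith("(no file)"):
        entry.reasons.append("BHO registration whose DLL is missing (orphaned CLSID)")
    if s == "O4" and "HKUS\\S-1-5-20" in b:
        entry.reasons.append("autorun under the NETWORK SERVICE hive, unusual for user software")
    if s == "O4" and re.search(r"\brundll32(\.exe)?\b", b, re.I):
        entry.reasons.append("rundll32 used to load a DLL at logon; verify the DLL's origin")
    if s == "O15":
        entry.reasons.append("site added to IE Trusted Zone, which relaxes security for that site")
    if s == "O20" and b.startswith("AppInit_DLLs:") and b.split(":", 1)[1].strip():
        entry.reasons.append("AppInit_DLLs is set; the DLL is injected into every GUI process")
    if s == "O23" and "Unknown owner" in b:
        entry.reasons.append("service with no vendor information")
    return entry


def review(text):
    """Parse the log and return only the entries that tripped at least one rule."""
    return [e for e in map(assess, parse_hjt(text)) if e.reasons]


def format_report(flagged):
    out = []
    for e in flagged:
        out.append(f"{e.section} - {e.body}")
        out.extend(f"    -> {r}" for r in e.reasons)
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(review(SAMPLE_LOG)))
```

The rules are deliberately coarse: they surface entries for a person to look at, in the same way the helper did, rather than deciding on their own that something is malicious. Entries that trip no rule (the Adobe BHO, the Intel hotkey autorun, the Bonjour service) are not shown at all.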

Re: Virus Removal Help

Post by Japanese on 3rd March 2009, 12:27 am

I don't see C:\WINDOWS\system32\sopidkc.exe



Re: Virus Removal Help

Post by Belahzur on 3rd March 2009, 12:28 am

Hmm.
Okay, do the HJT items that you can find and then go onto MBAM scan.



Re: Virus Removal Help

Post by Japanese on 3rd March 2009, 12:36 am

You want me to do what? I don't understand what you're saying. Where do I look for HJT items? If you're talking about Hijack, it's not there.



Re: Virus Removal Help

Post by Belahzur on 3rd March 2009, 12:44 am

I edited my post when I first posted, but I should have been quick enough that you didn't notice.
The HJT log says MBAM is already on the system, so read my post for the instructions and give it a run.



Re: Virus Removal Help

Post by Japanese on 3rd March 2009, 1:00 am

Hey dude, every time I still do an MBAM, it shows that I have 7 viruses.

Spyware.Agent.H
Spyware.Agent.H
Trojan.Agent
Trojan.Agent
Trojan.Agent
Trojan.Agent
Trojan.Agent



Re: Virus Removal Help

Post by Japanese on 3rd March 2009, 1:01 am

I keep constantly scanning, the virus just pops right back up. I keep restarting and I'm starting to get tired, what do I do?



Re: Virus Removal Help

Post by Japanese on 3rd March 2009, 1:02 am

Malwarebytes' Anti-Malware 1.34
Database version: 1814
Windows 5.1.2600 Service Pack 3

3/2/2009 7:01:11 PM
mbam-log-2009-03-02 (19-01-11).txt

Scan type: Quick Scan
Objects scanned: 83643
Time elapsed: 3 minute(s), 32 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\xypinit_dlls (Spyware.Agent.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\nvtpm32.dll (Spyware.Agent.H) -> Delete on reboot.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\azton.mt (Trojan.Agent) -> Quarantined and deleted successfully.


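The MBAM log above explains the "it keeps popping back up" complaint: two files are marked "Delete on reboot" and the process holding them could not be unloaded, so until the machine restarts the same items will be found again. The reader below, added here as an example and not code from the thread or from Malwarebytes, parses this log format, separates completed from pending actions, and compares two scans to list detections that recurred. `FIRST_SCAN` is taken from the posted log; `SECOND_SCAN` is a constructed follow-up scan for illustration.

```python
"""
Added example, not code from the thread or from Malwarebytes: a reader for
the MBAM scan log format shown in the post. It separates items that were
actually quarantined from items still pending ("Delete on reboot") or that
MBAM could not stop ("Failed to unload process"), and compares two scans to
list detections that came back. FIRST_SCAN is taken from the posted log;
SECOND_SCAN is a constructed follow-up scan for illustration.
"""
import re
from collections import Counter

FIRST_SCAN = r"""
Malwarebytes' Anti-Malware 1.34
Database version: 1814

Memory Processes Infected: 1
Files Infected: 5

Memory Processes Infected:
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\xypinit_dlls (Spyware.Agent.H) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\nvtpm32.dll (Spyware.Agent.H) -> Delete on reboot.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Delete on reboot.
"""

# Constructed: what a rescan without an intervening reboot might report.
SECOND_SCAN = r"""
Files Infected:
C:\WINDOWS\system32\nvtpm32.dll (Spyware.Agent.H) -> Delete on reboot.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Delete on reboot.
"""

PENDING = ("Delete on reboot", "Failed to unload process")
# Section headers end in a bare colon; the summary lines near the top carry a count instead.
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^)]+)\) -> (?P<status>.+?)\.?$")


def parse_mbam(text):
    """Return a list of dicts (section, path, family, status), one per detection."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            section = h.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            items.append({"section": section, **m.groupdict()})
    return items


def status_counts(items):
    """How many detections ended in each outcome."""
    return Counter(i["status"] for i in items)


def pending_items(items):
    """Detections MBAM has not finished with; they persist until a reboot completes them."""
    return [i for i in items if i["status"] in PENDING]


def reboot_required(items):
    return any(i["status"] == "Delete on reboot" for i in items)


def recurring_paths(earlier, later):
    """Paths detected in both scans, i.e. what 'keeps popping back up'."""
    return sorted({i["path"] for i in earlier} & {i["path"] for i in later})


if __name__ == "__main__":
    first = parse_mbam(FIRST_SCAN)
    print(status_counts(first))
    print("reboot required:", reboot_required(first))
    for path in recurring_paths(first, parse_mbam(SECOND_SCAN)):
        print("still present:", path)
```

On the posted log this reports two items quarantined, two deferred to reboot and one process that could not be unloaded, so `reboot_required` is true and the two deferred files are exactly the ones a rescan before restarting would show again.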

Re: Virus Removal Help

Post by Belahzur on 3rd March 2009, 1:03 am

Hmmm.
Let's see what these show.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Re: Virus Removal Help

Post by Japanese on 3rd March 2009, 1:08 am

Here is the DDS.txt



Re: Virus Removal Help

Post by Japanese on 3rd March 2009, 1:08 am

DDS (Ver_09-02-01.01) - NTFSx86
Run by TXS6696 at 19:07:26.82 on Mon 03/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1475 [GMT -6:00]


============== Running Processes ===============

svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\program files\novell\zenworks\nalwin.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DNA\btdna.exe
C:\Documents and Settings\TXS6696\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\sopidkc.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
svchost.exe C:\WINDOWS\TEMP\VRT3.tmp
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
svchost.exe C:\WINDOWS\TEMP\VRT9.tmp
C:\WINDOWS\system32\B.tmp
C:\Documents and Settings\TXS6696\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = ;reef000s288.cert.mobiledomain.net;mobile.domain;10.1.0.51;*.coppellisd.com
uInternet Settings,ProxyServer = 10.0.0.6:8080
mWinlogon: System=ziswin.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Google Update] "c:\documents and settings\txs6696\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NDPS] c:\windows\system32\dpmw32.exe
mRun: [NWTRAY] NWTRAY.EXE
mRun: [VMware Tools] c:\program files\vmware\vmware tools\VMwareTray.exe
mRun: [VMware User Process] c:\program files\vmware\vmware tools\VMwareUser.exe
mRun: [NAL] c:\program files\novell\zenworks\nalwin.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Startup] c:\windows\system32\startup.exe
mRun: [ZENRC Tray Icon] c:\windows\system32\zentray.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: []
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [iPrint Tray] c:\windows\system32\iprntctl.exe TRAY_ICON
mRun: [iPrint Event Monitor] c:\windows\system32\iprntlgn.exe
mRun: [Sophos] c:\program files\sophos\autoupdate\ALMon.exe
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\txs6696\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\xccstart.lnk - c:\windows\system\xccef090131.exe
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: &Search
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: NetIdentity Notification - c:\windows\system32\novell\XtNotify.dll
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll
LSA: Authentication Packages = msv1_0 nwv1_0

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\txs6696\applic~1\mozilla\firefox\profiles\tjzcl9gp.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 4

============= SERVICES / DRIVERS ===============

R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2008-6-23 34671]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-5-23 6899]
R2 hgfs;hgfs;c:\windows\system32\drivers\hgfs.sys [2008-6-23 92592]
R2 LGTO_Sync;Sync Driver;c:\windows\system32\drivers\lgtosync.sys [2008-6-23 36400]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2006-5-9 188416]
R2 softyinforwow1;.Freame Micer;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 31744]
R2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe [2004-8-4 65536]
R2 VMMEMCTL;VMware server memory controller;c:\program files\vmware\vmware tools\drivers\memctl\vmmemctl.sys [2008-5-15 15408]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2007-12-24 81920]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-5-23 2773]
S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2008-6-23 17968]
S2 VMTools;VMware Tools Service;c:\program files\vmware\vmware tools\VMwareService.exe [2008-5-15 264752]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2004-8-4 2176]
S3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\vmware\vmware tools\TPAutoConnSvc.exe [2008-5-15 315392]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [2008-6-23 11696]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2008-6-23 62768]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [2008-6-23 34992]



Re: Virus Removal Help

Post by Japanese on 3rd March 2009, 1:09 am

=============== Created Last 30 ================

2009-03-02 19:03 105,984 a------- c:\windows\system32\azton.mt
2009-03-02 19:03 105,984 a------- c:\windows\system32\B.tmp
2009-03-02 19:03 40 a------- c:\windows\system32\A.tmp
2009-03-02 19:01 61,440 a------- c:\windows\system32\drivers\fjtbkk.sys
2009-03-02 18:53 262,144 a------- c:\windows\system32\nvtpm32.dll
2009-03-02 18:53 105,984 -------- c:\windows\system32\5.tmp
2009-03-02 18:34 578,560 a------- c:\windows\system32\gseo
2009-03-02 17:09 578,560 a------- c:\windows\system32\fdwr
2009-03-02 17:07 406,016 a------- c:\windows\system32\tmpxccacj1.exe
2009-03-02 17:07 7,915 a------- c:\windows\system32\work.ini
2009-03-02 17:06 228 a------- c:\windows\system32\hgset.ini
2009-03-02 17:06 --d----- c:\windows\system32\3361
2009-03-02 17:06 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-03-02 17:06 90,112 a------- c:\windows\system32\20093637.dll
2009-03-02 17:06 77,824 a------- c:\windows\system32\u17259227.dll
2009-03-02 17:06 676,352 a------- c:\windows\system32\rtl60.bpl
2009-03-02 17:06 0 a------- c:\windows\mqcd.dbt
2009-03-02 17:05 197 a------- c:\windows\system32\xcchit32.ini
2009-03-02 17:05 28,672 a------- c:\windows\system32\kdoqmn.sr
2009-03-02 17:05 32,768 a------- c:\windows\system32\odjan.wa
2009-03-02 17:05 32,768 a------- c:\windows\system32\kei1w.an
2009-03-02 17:05 77,312 a------- c:\windows\system32\rkoq.pxf
2009-03-02 17:05 28,672 a------- c:\windows\system32\doqkm.zt
2009-03-02 17:05 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-03-02 17:05 606 a------- c:\windows\xccwinsys.ini
2009-03-02 17:05 0 a------- c:\windows\system32\1F.tmp
2009-03-02 17:05 --d----- c:\windows\system32\inf
2009-03-02 17:05 105,984 a------- c:\windows\system32\1D.tmp
2009-03-02 17:05 40 a------- c:\windows\system32\1C.tmp
2009-03-02 16:37 885,479 a------- c:\windows\system32\rn.tmp
2009-03-02 11:32 --d----- c:\program files\RocketDock
2009-02-25 16:19 --d----- C:\Downloads
2009-02-24 23:02 61,440 a------- c:\windows\system32\drivers\dIwwhag.sys
2009-02-24 22:59 --d----- c:\docume~1\txs6696\applic~1\Malwarebytes
2009-02-24 22:59 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-24 22:59 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-24 22:59 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-24 22:59 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-24 22:48 --d----- C:\My Received Files
2009-02-24 19:08 --d----- c:\windows\.mpr_file_store_32
2009-02-23 07:28 --d----- c:\program files\MSXML 4.0
2009-02-21 21:03 --d----- C:\My Virtual Machines
2009-02-21 21:00 --d----- c:\program files\Microsoft Virtual PC
2009-02-21 19:52 --d----- c:\windows\.silabclient_store_32
2009-02-19 16:27 224,256 a------- c:\windows\system32\zk_sc.scr
2009-02-19 16:27 --d----- c:\windows\system32\zk_sc dir
2009-02-18 19:15 --d----- C:\Ntreev
2009-02-18 16:40 --d----- c:\docume~1\txs6696\applic~1\Nexon
2009-02-18 16:40 5,174 a------- c:\windows\system32\nppt9x.vxd
2009-02-18 16:40 4,682 a------- c:\windows\system32\npptNT2.sys
2009-02-18 16:39 --d----- c:\program files\common files\INCA Shared
2009-02-18 15:10 --d--r-- C:\Favorites
2009-02-18 15:10 --d--r-- C:\My Videos
2009-02-18 15:10 --d--r-- C:\My Pictures
2009-02-18 15:10 --d--r-- C:\My Music
2009-02-18 15:10 --d----- C:\OneNote Notebooks
2009-02-18 15:10 78 a--sh--- C:\desktop.ini
2009-02-18 12:01 --d----- C:\Nexon
2009-02-17 21:36 --d----- c:\program files\DNA
2009-02-17 21:36 --d----- c:\docume~1\txs6696\applic~1\DNA
2009-02-17 20:41 7,680 a--sh--- c:\windows\Thumbs.db
2009-02-17 20:30 82,328 a---h--- c:\windows\system32\mlfcache.dat
2009-02-17 20:29 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-02-17 20:28 --d--r-- c:\program files\Skype
2009-02-17 19:19 --d----- c:\program files\directx
2009-02-17 13:28 21,504 ac------ c:\windows\system32\dllcache\hidserv.dll
2009-02-17 13:28 21,504 a------- c:\windows\system32\hidserv.dll
2009-02-17 13:28 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-02-17 13:28 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-02-17 13:28 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-02-17 13:28 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-02-17 13:12 --d----- C:\My Documents
2009-02-16 20:42 --d----- C:\My WindowBlinds Skins
2009-02-16 20:31 --d----- c:\documents and settings\txs6696\Tracing
2009-02-16 20:27 --d----- c:\program files\Microsoft
2009-02-16 20:26 --d----- c:\program files\Windows Live SkyDrive
2009-02-16 20:15 --d----- c:\program files\common files\Windows Live
2009-02-16 20:10 --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2009-02-16 20:10 --d----- c:\docume~1\alluse~1\applic~1\acccore
2009-02-16 20:10 --d----- c:\program files\common files\AOL
2009-02-16 20:10 --d----- c:\program files\AIM6
2009-02-16 20:10 454 a---h--- C:\IPH.PH
2009-02-16 19:18 --d----- c:\program files\DAEMON Tools Pro
2009-02-16 19:18 --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Pro
2009-02-16 19:15 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-02-16 19:15 --d----- c:\docume~1\txs6696\applic~1\DAEMON Tools Pro
2009-02-16 19:15 19,188 a------- c:\windows\Q883956Readme.rtf
2009-02-16 18:12 --d----- c:\docume~1\alluse~1\applic~1\PMB Files
2009-02-16 18:11 --d----- c:\program files\Pando Networks
2009-02-16 15:33 --d----- c:\windows\system32\appmgmt
2009-02-16 15:22 106,496 a------- c:\windows\unvise32.exe
2009-02-16 15:22 --d----- C:\ExamView
2009-02-16 15:17 --d----- c:\docume~1\txs6696\applic~1\InfraRecorder
2009-02-16 14:44 180,224 -c------ c:\windows\system32\dllcache\scrobj.dll
2009-02-16 14:44 172,032 -c------ c:\windows\system32\dllcache\scrrun.dll
2009-02-16 14:44 155,648 -c------ c:\windows\system32\dllcache\wscript.exe
2009-02-16 14:44 135,168 -c------ c:\windows\system32\dllcache\cscript.exe
2009-02-16 14:44 90,112 -c------ c:\windows\system32\dllcache\wshext.dll
2009-02-16 14:44 253,952 -c------ c:\windows\system32\dllcache\es.dll
2009-02-16 14:44 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2009-02-16 14:44 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-16 14:44 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-16 14:44 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-16 14:44 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-16 14:44 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-02-16 14:37 --d----- c:\docume~1\alluse~1\applic~1\Commvault Systems
2009-02-16 14:37 --d----- C:\AddInLM
2009-02-16 14:37 --d----- c:\program files\CommVault Systems
2009-02-16 14:32 74,240 -c------ c:\windows\system32\dllcache\mscms.dll
2009-02-16 14:29 --d----- c:\documents and settings\txs6696\.gimp-2.4
2009-02-16 14:29 --d----- c:\docume~1\txs6696\applic~1\Inkscape
2009-02-16 14:29 --dsh--- c:\documents and settings\txs6696\UserData
2009-02-16 14:29 --d----- c:\documents and settings\TXS6696
2009-02-16 14:28 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-02-16 14:28 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-02-16 14:28 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-02-16 14:28 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-02-16 12:23 --d----- c:\windows\SchCache
2009-02-16 12:22 53,248 a------- c:\windows\Regme.exe
2009-02-16 12:18 --d-h--- c:\windows\system32\GroupPolicy.WMOriginal2
2009-02-16 12:18 --d-h--- c:\windows\system32\GroupPolicy.UserCache
2009-02-16 11:13 --d----- C:\Zenworks
2009-02-16 11:09 --d----- c:\program files\InfraRecorder
2009-02-16 11:09 --d-h--- C:\NALCache
2009-02-16 11:09 172,032 a------- c:\windows\system32\igfxres.dll
2009-02-16 11:07 4,444 a------- c:\windows\system32\pid.PNF
2009-02-16 11:06 --d----- c:\program files\CONEXANT
2009-02-16 11:06 --d----- c:\program files\Sigmatel
2009-02-16 11:06 4,952,064 a------- c:\windows\system32\stacgui.cpl
2009-02-16 11:06 1,601,536 a------- c:\windows\system32\stlang.dll
2009-02-16 11:06 425,984 a------- c:\windows\stsystra.exe
2009-02-16 11:06 114,688 a------- c:\windows\system32\stacsv.exe
2009-02-16 11:06 920,088 a------- c:\windows\system32\igxpun.exe
2009-02-16 11:06 --d----- c:\windows\system32\x64
2009-02-16 11:05 319,456 a------- c:\windows\system32\difxapi.dll
2009-02-16 11:05 6,400 a------- c:\windows\system32\drivers\enum1394.sys
2009-02-16 11:05 61,696 a------- c:\windows\system32\drivers\ohci1394.sys
2009-02-16 11:05 53,376 a------- c:\windows\system32\drivers\1394bus.sys
2009-02-16 11:04 8,832 a------- c:\windows\system32\drivers\wmiacpi.sys
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll

==================== Find3M ====================

2009-03-02 19:03 578,560 a------- c:\windows\system32\user32.DLL
2009-02-16 12:23 47,104 a------- c:\windows\system32\wifi_config.exe
2008-12-20 17:15 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 19:07:41.15 ===============


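
The "Created Last 30" list above is the part of a DDS log a helper reads first, and the pattern in it is characteristic: more than a dozen new files land directly in c:\windows\system32 between 17:05 and 17:09 with names like fdwr, rkoq.pxf and doqkm.zt; several .tmp files and azton.mt share one exact size (105,984 bytes); and gseo, fdwr and the dllcache copy of user32.dll are all 578,560 bytes, the same size as the user32.DLL that Find3M reports as modified at 19:03. The script below is an added example written for this thread, not part of DDS or of the original posts: it parses DDS entries and flags those three patterns mechanically. The sample block is a constructed subset of the entries above; the extension allowlist and the thresholds are assumptions for triage, not DDS settings.

```python
"""
Triage helper for the "Created Last 30" section of a DDS log (added example
for this thread; not part of DDS, ComboFix or the original posts).

DDS prints one entry per line: date, time, size (absent for directories),
an 8-character attribute field and the path.  The checks encode what a
helper looks for first: a burst of new files under system32 within a few
minutes, names whose extension does not belong there, and several
differently named files that share one exact size (staged copies of one
payload).  Thresholds and the extension allowlist are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (?:([\d,]+) )?([a-z-]{8}) (.+)$"
)
SYS32 = "c:\\windows\\system32\\"
# Assumption: extensions a file directly under system32 or system32\drivers normally has.
NORMAL_EXT = {"dll", "exe", "sys", "ocx", "cpl", "drv", "ini", "dat", "pnf", "bpl",
              "vxd", "scr", "log", "txt", "xml", "nls", "tlb", "acm", "ax", "inf"}
BURST_WINDOW = timedelta(minutes=5)   # assumption
BURST_MIN_FILES = 5                   # assumption
SIZE_CLUSTER_MIN = 3                  # assumption


def parse_line(line):
    """Return (timestamp, size or None, attrs, path) for a DDS entry, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, size, attrs, path = m.groups()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
    return ts, (int(size.replace(",", "")) if size else None), attrs, path


def triage(lines):
    """Map finding name -> list of paths for one 'Created Last 30' block."""
    entries = [e for e in map(parse_line, lines) if e]
    # Directories carry 'd' in the attribute field and have no size.
    files = [e for e in entries if "d" not in e[2] and e[1] is not None]
    under_sys32 = [e for e in files if e[3].lower().startswith(SYS32)]
    findings = defaultdict(list)

    # 1. Odd or missing extension directly under system32 (or system32\drivers);
    #    .tmp and extensionless names both fall outside the allowlist.
    for _ts, _size, _attrs, path in under_sys32:
        rel = path[len(SYS32):]
        if "\\" in rel and not rel.lower().startswith("drivers\\"):
            continue  # subfolders such as dllcache are covered by the size check
        base = rel.rsplit("\\", 1)[-1]
        ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
        if ext not in NORMAL_EXT:
            findings["odd_name_in_system32"].append(path)

    # 2. Densest BURST_WINDOW of file creations under system32.
    by_time = sorted(under_sys32, key=lambda e: e[0])
    best = []
    for i, (ts, _size, _attrs, _path) in enumerate(by_time):
        window = [e[3] for e in by_time[i:] if e[0] - ts <= BURST_WINDOW]
        if len(window) > len(best):
            best = window
    if len(best) >= BURST_MIN_FILES:
        findings["creation_burst"] = sorted(best)

    # 3. Several differently named files with exactly the same size.
    by_size = defaultdict(set)
    for _ts, size, _attrs, path in files:
        by_size[size].add(path)
    for size, paths in by_size.items():
        if len(paths) >= SIZE_CLUSTER_MIN:
            findings[f"size_cluster_{size}"] = sorted(paths)
    return dict(findings)


# Constructed sample: a subset of the entries from the DDS log posted above.
DDS_SAMPLE = r"""
2009-03-02 19:03 105,984 a------- c:\windows\system32\azton.mt
2009-03-02 19:03 105,984 a------- c:\windows\system32\B.tmp
2009-03-02 19:01 61,440 a------- c:\windows\system32\drivers\fjtbkk.sys
2009-03-02 18:53 262,144 a------- c:\windows\system32\nvtpm32.dll
2009-03-02 18:53 105,984 -------- c:\windows\system32\5.tmp
2009-03-02 18:34 578,560 a------- c:\windows\system32\gseo
2009-03-02 17:09 578,560 a------- c:\windows\system32\fdwr
2009-03-02 17:07 406,016 a------- c:\windows\system32\tmpxccacj1.exe
2009-03-02 17:06 --d----- c:\windows\system32\3361
2009-03-02 17:06 676,352 a------- c:\windows\system32\rtl60.bpl
2009-03-02 17:05 77,312 a------- c:\windows\system32\rkoq.pxf
2009-03-02 17:05 28,672 a------- c:\windows\system32\doqkm.zt
2009-03-02 17:05 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-03-02 17:05 105,984 a------- c:\windows\system32\1D.tmp
2009-02-24 22:59 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-16 11:06 1,601,536 a------- c:\windows\system32\stlang.dll
"""

if __name__ == "__main__":
    for name, paths in triage(DDS_SAMPLE.splitlines()).items():
        print(name)
        for p in paths:
            print("   ", p)
```

On the sample the size clusters are the two worth chasing: the 578,560-byte group is the size of user32.dll, so gseo and fdwr are copies of that DLL staged beside the real one, and the 105,984-byte group ties the .tmp files to azton.mt. A size match is not proof on its own, but it tells the helper which files to hash and compare next.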

Re: Virus Removal Help

Post by Belahzur on 3rd March 2009, 1:15 am

Oh my... how did you get this badly infected?


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Please disable your local AV (Anti-virus) See [You must be registered and logged in to see this link.] for how to disable your AV. (Sophos)
  • Double click on ComboFix.exe.
  • Follow the prompts.
    NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Virus Removal Help

Post by Japanese on 3rd March 2009, 1:20 am

Wow... Results came out as:

You cannot rename ComboFix as ComboFix[1]
Please use another name, preferably made up of alphanumeric characters.

I didn't rename anything! Help me



Re: Virus Removal Help

Post by Belahzur on 3rd March 2009, 1:23 am

The malware blocks it.
Download Combofix as follows.

1 If you are using Firefox, make sure that your download settings are as follows:

Tools->Options->Main tab
Set to "Always ask me where to Save the files".

2 During the download, rename Combofix to Combo-Fix as follows:


3 It is important you rename Combofix during the download, but not after.
4 Please do not rename Combofix to other names, but only to the one indicated.
5 Close any open browsers.



Re: Virus Removal Help

Post by Japanese on 3rd March 2009, 1:42 am

((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))
.

2009-03-02 19:35 . 2009-03-02 19:03 578,560 --a------ c:\windows\system32\wkxnpganrj
2009-03-02 19:35 . 2009-03-02 19:35 262,144 --a------ c:\windows\system32\nvtpm32.dll
2009-03-02 19:35 . 2009-03-02 19:35 105,984 --a------ c:\windows\system32\azton.mt
2009-03-02 19:34 . 2009-03-02 19:35 105,984 --a------ c:\windows\system32\3.tmp
2009-03-02 19:34 . 2009-03-02 19:34 40 --a------ c:\windows\system32\2.tmp
2009-03-02 19:12 . 2009-03-02 19:15 d-------- c:\documents and settings\TXS6696\Application Data\Move Networks
2009-03-02 19:03 . 2009-03-02 19:03 40 --a------ c:\windows\system32\A.tmp
2009-03-02 18:34 . 2009-03-02 18:22 578,560 --a------ c:\windows\system32\gseo
2009-03-02 17:09 . 2009-03-02 17:05 578,560 --a------ c:\windows\system32\fdwr
2009-03-02 17:07 . 2009-03-02 17:07 7,915 --a------ c:\windows\system32\work.ini
2009-03-02 17:06 . 2009-03-02 17:34 d-------- c:\windows\system32\3361
2009-03-02 17:06 . 2002-02-15 14:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-03-02 17:06 . 2009-03-02 17:06 108,336 --a------ c:\windows\system32\MSWINSCK.OCX
2009-03-02 17:06 . 2009-03-02 17:06 77,824 --a------ c:\windows\system32\u17259227.dll
2009-03-02 17:06 . 2009-03-02 17:10 228 --a------ c:\windows\system32\hgset.ini
2009-03-02 17:06 . 2009-03-02 17:06 0 --a------ c:\windows\mqcd.dbt
2009-03-02 17:05 . 2009-03-02 17:34 d-------- c:\windows\system32\inf
2009-03-02 17:05 . 2009-03-02 19:03 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-03-02 17:05 . 2009-03-02 17:05 105,984 --a------ c:\windows\system32\1D.tmp
2009-03-02 17:05 . 2009-03-02 19:03 77,312 --a------ c:\windows\system32\rkoq.pxf
2009-03-02 17:05 . 2009-03-02 19:03 32,768 --a------ c:\windows\system32\odjan.wa
2009-03-02 17:05 . 2009-03-02 19:03 32,768 --a------ c:\windows\system32\kei1w.an
2009-03-02 17:05 . 2009-03-02 19:03 28,672 --a------ c:\windows\system32\kdoqmn.sr
2009-03-02 17:05 . 2009-03-02 19:03 28,672 --a------ c:\windows\system32\doqkm.zt
2009-03-02 17:05 . 2009-03-02 17:05 40 --a------ c:\windows\system32\1C.tmp
2009-03-02 17:05 . 2009-03-02 17:05 0 --a------ c:\windows\system32\1F.tmp
2009-03-02 16:37 . 2009-03-02 16:37 885,479 --a------ c:\windows\system32\rn.tmp
2009-03-02 11:32 . 2009-03-02 11:32 d-------- c:\program files\RocketDock
2009-02-25 16:19 . 2009-02-25 16:19 d-------- C:\Downloads
2009-02-24 23:02 . 2009-02-24 23:02 61,440 --a------ c:\windows\system32\drivers\dIwwhag.sys
2009-02-24 22:59 . 2009-02-24 22:59 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-24 22:59 . 2009-02-24 22:59 d-------- c:\documents and settings\TXS6696\Application Data\Malwarebytes
2009-02-24 22:59 . 2009-02-24 22:59 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-24 22:59 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-24 22:59 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-24 22:48 . 2009-02-24 22:48 d-------- C:\My Received Files
2009-02-24 19:08 . 2009-02-24 19:08 d-------- c:\windows\.mpr_file_store_32
2009-02-23 07:28 . 2009-02-23 07:28 d-------- c:\program files\MSXML 4.0
2009-02-21 21:03 . 2009-02-23 11:27 d-------- C:\My Virtual Machines
2009-02-21 21:00 . 2009-02-21 21:00 d-------- c:\program files\Microsoft Virtual PC
2009-02-21 19:52 . 2009-02-21 19:55 d-------- c:\windows\.silabclient_store_32
2009-02-19 16:27 . 2009-02-19 16:27 d-------- c:\windows\system32\zk_sc dir
2009-02-19 16:27 . 2009-02-19 16:27 224,256 --a------ c:\windows\system32\zk_sc.scr
2009-02-18 19:15 . 2009-02-23 07:32 d-------- C:\Ntreev
2009-02-18 16:40 . 2009-02-18 16:40 d-------- c:\documents and settings\TXS6696\Application Data\Nexon
2009-02-18 16:40 . 2003-07-20 12:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2009-02-18 16:40 . 2005-01-04 03:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2009-02-18 16:39 . 2009-02-18 16:39 d-------- c:\program files\Common Files\INCA Shared
2009-02-18 15:10 . 2009-02-18 15:10 d-------- C:\OneNote Notebooks
2009-02-18 15:10 . 2009-02-18 15:10 dr------- C:\My Videos
2009-02-18 15:10 . 2009-02-18 15:10 dr------- C:\My Pictures
2009-02-18 15:10 . 2009-02-19 13:47 dr------- C:\My Music
2009-02-18 15:10 . 2009-02-18 15:10 dr------- C:\Favorites
2009-02-18 15:10 . 2009-02-18 15:10 78 --ahs---- C:\desktop.ini
2009-02-18 12:01 . 2009-02-18 12:01 d-------- C:\Nexon
2009-02-17 21:36 . 2009-03-02 19:35 d-------- c:\program files\DNA
2009-02-17 21:36 . 2009-03-02 19:35 d-------- c:\documents and settings\TXS6696\Application Data\DNA
2009-02-17 20:41 . 2009-02-17 20:41 7,680 --ahs---- c:\windows\Thumbs.db
2009-02-17 20:30 . 2009-02-17 20:30 82,328 --ah----- c:\windows\system32\mlfcache.dat
2009-02-17 20:29 . 2009-03-02 16:34 d-------- c:\documents and settings\TXS6696\Application Data\skypePM
2009-02-17 20:29 . 2009-02-17 20:29 56 --ah----- c:\windows\system32\ezsidmv.dat
2009-02-17 20:28 . 2009-02-17 20:28 dr------- c:\program files\Skype
2009-02-17 20:28 . 2009-02-17 20:28 d-------- c:\program files\Common Files\Skype
2009-02-17 20:28 . 2009-03-02 19:29 d-------- c:\documents and settings\TXS6696\Application Data\Skype
2009-02-17 20:28 . 2009-02-17 20:28 d-------- c:\documents and settings\All Users\Application Data\Skype
2009-02-17 19:19 . 2009-02-17 19:19 d-------- c:\program files\directx
2009-02-17 13:28 . 2008-04-13 13:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-02-17 13:28 . 2008-04-13 13:45 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2009-02-17 13:28 . 2008-04-13 19:11 21,504 --a------ c:\windows\system32\hidserv.dll
2009-02-17 13:28 . 2008-04-13 19:11 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2009-02-17 13:28 . 2008-04-13 13:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2009-02-17 13:28 . 2008-04-13 13:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2009-02-17 13:12 . 2009-02-17 13:12 d-------- C:\My Documents
2009-02-17 12:00 . 2009-02-17 12:00 d-------- c:\program files\Safari
2009-02-17 12:00 . 2009-02-17 12:00 d-------- c:\program files\Apple Software Update
2009-02-16 20:42 . 2009-02-16 20:42 d-------- C:\My WindowBlinds Skins
2009-02-16 20:31 . 2009-03-01 20:20 d-------- c:\documents and settings\TXS6696\Tracing
2009-02-16 20:27 . 2009-02-16 20:27 d-------- c:\program files\Microsoft
2009-02-16 20:26 . 2009-02-16 20:26 d-------- c:\program files\Windows Live SkyDrive
2009-02-16 20:26 . 2009-02-16 20:27 d-------- c:\program files\Windows Live
2009-02-16 20:15 . 2009-02-16 20:15 d-------- c:\program files\Common Files\Windows Live
2009-02-16 20:11 . 2009-02-16 20:11 d-------- c:\documents and settings\TXS6696\Application Data\acccore
2009-02-16 20:10 . 2009-02-16 20:10 d-------- c:\program files\Common Files\AOL
2009-02-16 20:10 . 2009-02-16 20:10 d-------- c:\program files\AIM6
2009-02-16 20:10 . 2009-03-02 18:24 d-------- c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-16 20:10 . 2009-02-16 20:10 d-------- c:\documents and settings\All Users\Application Data\AOL OCP
2009-02-16 20:10 . 2009-02-16 20:10 d-------- c:\documents and settings\All Users\Application Data\AOL
2009-02-16 20:10 . 2009-02-16 20:10 d-------- c:\documents and settings\All Users\Application Data\acccore
2009-02-16 20:10 . 2009-02-16 20:10 454 --ah----- C:\IPH.PH
2009-02-16 19:18 . 2009-02-16 19:19 d-------- c:\program files\DAEMON Tools Pro
2009-02-16 19:18 . 2009-02-16 19:18 d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-02-16 19:15 . 2009-02-16 19:15 d-------- c:\documents and settings\TXS6696\Application Data\DAEMON Tools Pro
2009-02-16 19:15 . 2009-02-16 19:15 717,296 --a------ c:\windows\system32\drivers\sptd.sys
2009-02-16 19:15 . 2004-02-24 16:25 19,188 --a------ c:\windows\Q883956Readme.rtf
2009-02-16 19:05 . 2009-02-16 19:05 d-------- c:\documents and settings\TXS6696\Application Data\dvdcss
2009-02-16 18:12 . 2009-02-17 19:49 d-------- c:\documents and settings\All Users\Application Data\PMB Files
2009-02-16 18:11 . 2009-02-16 18:11 d-------- c:\program files\Pando Networks
2009-02-16 15:30 . 2009-02-16 15:30 97 --a------ c:\documents and settings\EditLiveForJava.ini
2009-02-16 15:22 . 2009-02-16 15:22 d-------- C:\ExamView
2009-02-16 15:22 . 1999-12-17 11:13 106,496 --a------ c:\windows\unvise32.exe
2009-02-16 15:17 . 2009-02-16 15:17 d-------- c:\documents and settings\TXS6696\Application Data\InfraRecorder
2009-02-16 15:12 . 2009-02-16 15:12 d-------- c:\program files\Google
2009-02-16 14:44 . 2008-08-14 04:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-16 14:44 . 2008-08-14 04:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-16 14:44 . 2008-08-14 03:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-16 14:44 . 2008-08-14 03:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-16 14:44 . 2008-09-15 06:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-02-16 14:44 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-02-16 14:44 . 2008-07-07 14:26 253,952 -----c--- c:\windows\system32\dllcache\es.dll
2009-02-16 14:44 . 2008-05-09 04:53 180,224 -----c--- c:\windows\system32\dllcache\scrobj.dll
2009-02-16 14:44 . 2008-05-09 04:53 172,032 -----c--- c:\windows\system32\dllcache\scrrun.dll
2009-02-16 14:44 . 2008-05-08 05:24 155,648 -----c--- c:\windows\system32\dllcache\wscript.exe
2009-02-16 14:44 . 2008-05-09 02:45 135,168 -----c--- c:\windows\system32\dllcache\cscript.exe
2009-02-16 14:44 . 2008-05-09 04:53 90,112 -----c--- c:\windows\system32\dllcache\wshext.dll
2009-02-16 14:37 . 2009-02-16 14:37 d-------- c:\program files\CommVault Systems
2009-02-16 14:37 . 2009-02-16 14:37 d-------- c:\documents and settings\All Users\Application Data\Commvault Systems
2009-02-16 14:37 . 2009-02-16 14:37 d-------- C:\AddInLM
2009-02-16 14:32 . 2008-06-24 10:43 74,240 -----c--- c:\windows\system32\dllcache\mscms.dll
2009-02-16 14:29 . 2008-06-23 09:50 d--hs---- c:\documents and settings\TXS6696\UserData
2009-02-16 14:29 . 2008-06-24 13:05 d-------- c:\documents and settings\TXS6696\Application Data\vlc
2009-02-16 14:29 . 2008-06-24 08:19 d-------- c:\documents and settings\TXS6696\Application Data\Inkscape
2009-02-16 14:29 . 2009-02-17 12:03 d-------- c:\documents and settings\TXS6696\Application Data\Apple Computer
2009-02-16 14:29 . 2009-02-16 15:17 d-------- c:\documents and settings\TXS6696\.gimp-2.4
2009-02-16 14:29 . 2009-03-02 17:07 d-------- c:\documents and settings\TXS6696
2009-02-16 14:28 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys


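
The Reg Loading Points section of the ComboFix log in the next post is where the defence evasion sits. An Image File Execution Options subkey with a Debugger value makes Windows start that debugger instead of the program the subkey is named after; here every entry for an antivirus executable points at c:\windows\system32\alg.exe, a legitimate Windows binary used as a harmless decoy, so the security tools launch alg.exe instead of themselves. The Security Center DisableNotify and Override values are all 1, which silences the "no antivirus / no firewall" warnings; EnableFirewall for the standard profile is 0; and Userinit reads c:\windows\explorer.exe, rather than the XP default of c:\windows\system32\userinit.exe,. The script below is an added example written for this thread, not ComboFix's own logic and not from the original posts: it parses ComboFix's REGEDIT4-style dump and flags those four conditions. The sample block is a constructed subset of the log that follows; the default Userinit string is an assumption about Windows XP, not something ComboFix prints.

```python
"""
Triage of the "Reg Loading Points" section of a ComboFix log (added example
for this thread; not ComboFix's own logic and not from the original posts).

ComboFix prints a REGEDIT4-style dump: "[key]" headers followed by
"name"=value lines, with ComboFix-specific renderings such as
"EnableFirewall"= 0 (0x0) and a trailing "[date size]" on Run entries.
The checks flag: Image File Execution Options Debugger hijacks, Security
Center notification/override values set to 1, the standard-profile
firewall switched off, and a Userinit value that is not the XP default.
"""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
IFEO = "\\image file execution options\\"
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe,"   # assumption: Windows XP default
SC_FLAGS = ("AntiVirusDisableNotify", "UpdatesDisableNotify",
            "AntiVirusOverride", "FirewallOverride")


def parse_reg_block(text):
    """Return {key: {value_name: value}} preserving key order and case."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            # Drop ComboFix's "[2008-04-13 32256]" annotation, then surrounding quotes.
            value = re.sub(r"\s*\[[^\]]*\]$", "", m.group(2))
            keys[current][m.group(1)] = value.strip().strip('"')
    return keys


def reg_int(value):
    """Interpret 'dword:00000001' or ComboFix's '0 (0x0)' rendering as an int; None otherwise."""
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"^-?\d+", value)
    return int(m.group()) if m else None


def triage_loading_points(text):
    """Return a list of (finding, item, value) tuples for one Reg Loading Points block."""
    findings = []
    for key, values in parse_reg_block(text).items():
        k = key.lower()
        # IFEO: the Debugger value is launched in place of the program named by the subkey.
        if IFEO in k and "Debugger" in values:
            findings.append(("ifeo_debugger_hijack", key.rsplit("\\", 1)[-1], values["Debugger"]))
        if k.endswith("\\security center"):
            for name in SC_FLAGS:
                if name in values and reg_int(values[name]) == 1:
                    findings.append(("security_center_suppressed", name, values[name]))
        if k.endswith("\\firewallpolicy\\standardprofile"):
            if "EnableFirewall" in values and reg_int(values["EnableFirewall"]) == 0:
                findings.append(("firewall_disabled", "EnableFirewall", values["EnableFirewall"]))
        if k.endswith("\\currentversion\\winlogon") and "Userinit" in values:
            if values["Userinit"].lower() != DEFAULT_USERINIT:
                findings.append(("userinit_nondefault", "Userinit", values["Userinit"]))
    return findings


# Constructed sample: a subset of the Reg Loading Points section posted in this thread.
REG_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 32256]
"""

if __name__ == "__main__":
    for finding, item, value in triage_loading_points(REG_SAMPLE):
        print(f"{finding:28} {item:24} {value}")
```

The IFEO check is the one to keep in mind when a cleanup seems to "work" but the antivirus still will not start afterwards: deleting the dropped files does nothing about a Debugger value, so the target executables have to be removed from Image File Execution Options as well, or re-installed security software will silently launch the decoy every time.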

Re: Virus Removal Help

Post by Japanese on 3rd March 2009, 1:43 am

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 23:22 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-18 01:34 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-16 17:09 --------- d--h--w c:\program files\InstallShield Installation Information
2008-04-07 06:59 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
file copied: c:\windows\system32\user32.dll -> c:\qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir ( 578560 bytes )
Infected c:\windows\system32\user32.dll hex repaired


------- Sigcheck -------

2004-08-04 06:00 31744 98fdf4d337345abc7d7c6a08cdb2818d c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 18:12 31232 368426ea303df8228504bc1e017a6acf c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 18:12 31744 df4a9eada11337db94b0302fa0403786 c:\windows\system32\svchost.exe

2008-04-13 18:12 1050624 c0260afbf3f841382958e486b403a6b4 c:\windows\explorer.exe
2004-08-04 06:00 1049088 e8203782163fb41150be9e1b0c47e488 c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-13 18:12 1051136 3dd23ef25df31fbc590582ddb1884f91 c:\windows\ServicePackFiles\i386\explorer.exe
2008-04-13 18:12 1050624 738b35a8125468bf6c376c0014d04744 c:\windows\system32\dllcache\explorer.exe

2004-08-04 06:00 32256 c6437ccb015b6e93104a17453b691685 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 18:12 32256 4a9c1ab0152558b100a8c9b23c9b0a4e c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 18:12 32256 f989b18e18380a3bf93e2a79c9206043 c:\windows\system32\ctfmon.exe

2004-08-04 06:00 74752 21c9ed76374f7ea04db8b4d9c51d5c04 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-13 18:12 74752 498129b920e0d12e5c24342ec78fdf9e c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 18:12 74752 6e81e4a6c3c828cb3b8e34a33cd57a14 c:\windows\system32\spoolsv.exe

2004-08-04 06:00 41984 8a98757ec944a6ef57ba74dbbfb311cc c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 18:12 43008 f24c444096a6fb9e44da918564ade27e c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 18:12 43008 f4132cc9aa168815434234524126711a c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 32256]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-01-29 23975720]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-17 342848]
"Google Update"="c:\documents and settings\TXS6696\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-25 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 53339]
"VMware Tools"="c:\program files\VMware\VMware Tools\VMwareTray.exe" [2008-05-15 92720]
"VMware User Process"="c:\program files\VMware\VMware Tools\VMwareUser.exe" [2008-05-15 268848]
"NAL"="c:\program files\novell\zenworks\nalwin.exe" [2007-12-24 382464]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Startup"="c:\windows\system32\startup.exe" [2005-07-18 121315]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-05-18 61440]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1904640]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-30 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-30 137752]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 425984]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2008-05-28 61440]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2008-05-28 65536]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 c:\windows\system32\nwtray.exe]

c:\documents and settings\TXS6696\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2008-01-04 458752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2007-12-24 22:21 24576 c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
2008-05-15 22:23 364544 c:\windows\system32\TPSvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"57547:TCP"= 57547:TCP:Pando Media Booster
"57547:UDP"= 57547:UDP:Pando Media Booster

R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2008-06-23 34671]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-05-23 6899]
R2 hgfs;hgfs;c:\windows\system32\drivers\hgfs.sys [2008-06-23 92592]
R2 LGTO_Sync;Sync Driver;c:\windows\system32\drivers\lgtosync.sys [2008-06-23 36400]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2006-05-09 188416]
R2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe [2004-08-04 65536]
R2 VMMEMCTL;VMware server memory controller;c:\program files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys [2008-05-15 15408]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2007-12-24 81920]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-05-23 2773]
S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2008-06-23 17968]
S2 VMTools;VMware Tools Service;c:\program files\VMware\VMware Tools\VMwareService.exe [2008-05-15 264752]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2004-08-04 2176]
S3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\VMware\VMware Tools\TPAutoConnSvc.exe [2008-05-15 315392]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [2008-06-23 11696]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2008-06-23 62768]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [2008-06-23 34992]
.
Contents of the 'Scheduled Tasks' folder

2009-02-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-426075309-104346630-1563886607-1016.job
- c:\documents and settings\TXS6696\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-25 16:15]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Sophos - c:\program files\Sophos\AutoUpdate\ALMon.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = ;reef000s288.cert.mobiledomain.net;mobile.domain;10.1.0.51;*.coppellisd.com
uInternet Settings,ProxyServer = 10.0.0.6:8080
IE: &Search
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\TXS6696\Application Data\Mozilla\Firefox\Profiles\tjzcl9gp.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-03-02 19:35:12
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\tpszxyd.sys 377344 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1236)
c:\windows\system32\NETWIN32.DLL
c:\program files\Novell\ZENworks\ZENPOL32.DLL
c:\windows\system32\xmlparse.dll
c:\windows\system32\ZenMup.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\Novell\ncplw32.dll
c:\windows\system32\novell\nls\english\NetIdent.dll
c:\windows\system32\Novell\xtagent.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Novell\ZENworks\NALNTSRV.EXE
c:\nexon\MapleStory\npkcmsvc.exe
c:\windows\system32\stacsv.exe
c:\program files\Novell\ZENworks\WM.EXE
c:\program files\Novell\ZENworks\WMRUNDLL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-03-02 19:40:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-03 01:40:31

Pre-Run: 34,919,976,960 bytes free
Post-Run: 35,003,498,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

380 --- E O F --- 2009-02-26 23:22:30



Re: Virus Removal Help

Post by Belahzur on 3rd March 2009, 5:55 pm

Hello.
Sorry, but this is game over.

You are dealing with Virut, along with other file infectors.
Read here:
[You must be registered and logged in to see this link.]

Do not back up any exe/scr/php/htm/html/asp files or zips that have those kinds of files inside them.

Then format the machine.



Re: Virus Removal Help

Post by Japanese on 3rd March 2009, 6:36 pm

There's gotta be some way, please help me, I just spent months on getting money for this computer, please.



Re: Virus Removal Help

Post by Belahzur on 3rd March 2009, 6:46 pm

No promises this will work because there is so much damage done already.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
sopidkc

ROOTKIT::
c:\windows\system32\tpszxyd.sys

File::
c:\windows\system32\wkxnpganrj
c:\windows\system32\nvtpm32.dll
c:\windows\system32\azton.mt
c:\windows\system32\3.tmp
c:\windows\system32\2.tmp
c:\windows\system32\A.tmp
c:\windows\system32\gseo
c:\windows\system32\fdwr
c:\windows\system32\work.ini
c:\windows\system32\u17259227.dll
c:\windows\system32\hgset.ini
c:\windows\mqcd.dbt
c:\windows\system32\1D.tmp
c:\windows\system32\rkoq.pxf
c:\windows\system32\odjan.wa
c:\windows\system32\kei1w.an
c:\windows\system32\kdoqmn.sr
c:\windows\system32\doqkm.zt
c:\windows\system32\1C.tmp
c:\windows\system32\1F.tmp
c:\windows\system32\rn.tmp
C:\desktop.ini
c:\windows\system32\drivers\dIwwhag.sys
c:\windows\system32\sopidkc.exe

Folder::
c:\documents and settings\All Users\Application Data\Viewpoint

DirLook::
c:\windows\system32\3361

FCOPY::
c:\windows\$NtServicePackUninstall$\userinit.exe | c:\windows\system32\userinit.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.



Re: Virus Removal Help

Post by Japanese on 3rd March 2009, 7:10 pm

ComboFix 09-03-02.01 - TXS6696 2009-03-03 12:59:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1438 [GMT -6:00]
Running from: c:\documents and settings\TXS6696\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\TXS6696\Desktop\CFscript.txt
* Created a new restore point

FILE ::
C:\desktop.ini
c:\windows\mqcd.dbt
c:\windows\system32\1C.tmp
c:\windows\system32\1D.tmp
c:\windows\system32\1F.tmp
c:\windows\system32\2.tmp
c:\windows\system32\3.tmp
c:\windows\system32\A.tmp
c:\windows\system32\azton.mt
c:\windows\system32\doqkm.zt
c:\windows\system32\drivers\dIwwhag.sys
c:\windows\system32\fdwr
c:\windows\system32\gseo
c:\windows\system32\hgset.ini
c:\windows\system32\kdoqmn.sr
c:\windows\system32\kei1w.an
c:\windows\system32\nvtpm32.dll
c:\windows\system32\odjan.wa
c:\windows\system32\rkoq.pxf
c:\windows\system32\rn.tmp
c:\windows\system32\sopidkc.exe
c:\windows\system32\u17259227.dll
c:\windows\system32\wkxnpganrj
c:\windows\system32\work.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\desktop.ini
c:\documents and settings\All Users\Application Data\Viewpoint
c:\windows\mqcd.dbt
c:\windows\system32\1C.tmp
c:\windows\system32\1D.tmp
c:\windows\system32\1F.tmp
c:\windows\system32\2.tmp
c:\windows\system32\3.tmp
c:\windows\system32\5.tmp
c:\windows\system32\A.tmp
c:\windows\system32\azton.mt
c:\windows\system32\C.tmp
c:\windows\system32\comsa32.sys
c:\windows\system32\doqkm.zt
c:\windows\system32\drivers\dIwwhag.sys
c:\windows\system32\F.tmp
c:\windows\system32\fdwr
c:\windows\system32\gseo
c:\windows\system32\hgset.ini
c:\windows\system32\kdoqmn.sr
c:\windows\system32\kei1w.an
c:\windows\system32\nvaux32.dll
c:\windows\system32\nvtpm32.dll
c:\windows\system32\odjan.wa
c:\windows\system32\rkoq.pxf
c:\windows\system32\rn.tmp
c:\windows\system32\sopidkc.exe
c:\windows\system32\tpszxyd.sys
c:\windows\system32\u17259227.dll
c:\windows\system32\wkxnpganrj
c:\windows\system32\work.ini

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\userinit.exe --> c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SOPIDKC
-------\Service_sopidkc


((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))
.

2009-03-03 13:02 . 2009-03-03 12:34 578,560 --a------ c:\windows\system32\jfkmcrhhx
2009-03-03 13:02 . 2009-03-03 13:02 0 --a------ c:\windows\system32\6.tmp
2009-03-03 12:47 . 2009-03-03 12:34 578,560 --a------ c:\windows\system32\xuyu
2009-03-03 12:47 . 2009-03-03 12:47 207,872 --a------ c:\windows\system32\2A.tmp
2009-03-03 12:47 . 2009-03-03 12:47 124 --a------ c:\windows\system32\28.tmp
2009-03-03 12:47 . 2009-03-03 12:47 1 --a------ c:\windows\system32\29.tmp
2009-03-03 12:47 . 2009-03-03 12:47 0 --a------ c:\windows\system32\2B.tmp
2009-03-03 12:34 . 2009-03-03 13:02 215,552 --a--c--- c:\windows\system32\dllcache\termsrv.dll
2009-03-03 12:34 . 2009-03-03 12:34 207,872 --a------ c:\windows\system32\17.tmp
2009-03-03 12:34 . 2009-03-03 12:34 64,512 --a------ c:\windows\system32\wer3.pf
2009-03-03 12:34 . 2009-03-03 12:34 32,768 --a------ c:\windows\system32\febbn.wa
2009-03-03 12:34 . 2009-03-03 12:34 124 --a------ c:\windows\system32\15.tmp
2009-03-03 12:34 . 2009-03-03 12:34 1 --a------ c:\windows\system32\16.tmp
2009-03-03 12:34 . 2009-03-03 12:34 0 --a------ c:\windows\system32\18.tmp
2009-03-03 07:22 . 2009-03-02 20:24 578,560 --a------ c:\windows\system32\kncnr
2009-03-03 07:22 . 2009-03-03 07:22 40 --a------ c:\windows\system32\4.tmp
2009-03-02 20:51 . 2009-03-02 20:24 578,560 --a------ c:\windows\system32\sfgk
2009-03-02 20:51 . 2009-03-02 20:51 40 --a------ c:\windows\system32\E.tmp
2009-03-02 20:23 . 2009-03-02 20:23 40 --a------ c:\windows\system32\B.tmp
2009-03-02 19:12 . 2009-03-02 19:15 d-------- c:\documents and settings\TXS6696\Application Data\Move Networks
2009-03-02 17:06 . 2009-03-02 17:34 d-------- c:\windows\system32\3361
2009-03-02 17:06 . 2002-02-15 14:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-03-02 17:06 . 2009-03-02 17:06 108,336 --a------ c:\windows\system32\MSWINSCK.OCX
2009-03-02 17:05 . 2009-03-02 17:34 d-------- c:\windows\system32\inf
2009-03-02 17:05 . 2009-03-03 12:34 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-03-02 11:32 . 2009-03-02 11:32 d-------- c:\program files\RocketDock
2009-02-25 16:19 . 2009-02-25 16:19 d-------- C:\Downloads
2009-02-24 22:59 . 2009-02-24 22:59 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-24 22:59 . 2009-02-24 22:59 d-------- c:\documents and settings\TXS6696\Application Data\Malwarebytes
2009-02-24 22:59 . 2009-02-24 22:59 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-24 22:59 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-24 22:59 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-24 22:48 . 2009-02-24 22:48 d-------- C:\My Received Files
2009-02-24 19:08 . 2009-02-24 19:08 d-------- c:\windows\.mpr_file_store_32
2009-02-23 07:28 . 2009-02-23 07:28 d-------- c:\program files\MSXML 4.0
2009-02-21 21:03 . 2009-02-23 11:27 d-------- C:\My Virtual Machines
2009-02-21 21:00 . 2009-02-21 21:00 d-------- c:\program files\Microsoft Virtual PC
2009-02-21 19:52 . 2009-02-21 19:55 d-------- c:\windows\.silabclient_store_32
2009-02-19 16:27 . 2009-02-19 16:27 d-------- c:\windows\system32\zk_sc dir
2009-02-19 16:27 . 2009-02-19 16:27 224,256 --a------ c:\windows\system32\zk_sc.scr
2009-02-18 19:15 . 2009-02-23 07:32 d-------- C:\Ntreev
2009-02-18 16:40 . 2009-02-18 16:40 d-------- c:\documents and settings\TXS6696\Application Data\Nexon
2009-02-18 16:40 . 2003-07-20 12:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2009-02-18 16:40 . 2005-01-04 03:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2009-02-18 16:39 . 2009-02-18 16:39 d-------- c:\program files\Common Files\INCA Shared
2009-02-18 15:10 . 2009-02-18 15:10 d-------- C:\OneNote Notebooks
2009-02-18 15:10 . 2009-02-18 15:10 dr------- C:\My Videos
2009-02-18 15:10 . 2009-02-18 15:10 dr------- C:\My Pictures
2009-02-18 15:10 . 2009-02-19 13:47 dr------- C:\My Music
2009-02-18 15:10 . 2009-02-18 15:10 dr------- C:\Favorites
2009-02-18 12:01 . 2009-02-18 12:01 d-------- C:\Nexon
2009-02-17 21:36 . 2009-03-03 13:03 d-------- c:\program files\DNA
2009-02-17 21:36 . 2009-03-03 13:03 d-------- c:\documents and settings\TXS6696\Application Data\DNA
2009-02-17 20:41 . 2009-02-17 20:41 7,680 --ahs---- c:\windows\Thumbs.db
2009-02-17 20:30 . 2009-02-17 20:30 82,328 --ah----- c:\windows\system32\mlfcache.dat
2009-02-17 20:29 . 2009-03-03 12:39 d-------- c:\documents and settings\TXS6696\Application Data\skypePM
2009-02-17 20:29 . 2009-02-17 20:29 56 --ah----- c:\windows\system32\ezsidmv.dat
2009-02-17 20:28 . 2009-02-17 20:28 dr------- c:\program files\Skype
2009-02-17 20:28 . 2009-02-17 20:28 d-------- c:\program files\Common Files\Skype
2009-02-17 20:28 . 2009-03-03 12:40 d-------- c:\documents and settings\TXS6696\Application Data\Skype
2009-02-17 20:28 . 2009-02-17 20:28 d-------- c:\documents and settings\All Users\Application Data\Skype
2009-02-17 19:19 . 2009-02-17 19:19 d-------- c:\program files\directx
2009-02-17 13:28 . 2008-04-13 13:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-02-17 13:28 . 2008-04-13 13:45 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2009-02-17 13:28 . 2008-04-13 19:11 21,504 --a------ c:\windows\system32\hidserv.dll
2009-02-17 13:28 . 2008-04-13 19:11 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2009-02-17 13:28 . 2008-04-13 13:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2009-02-17 13:28 . 2008-04-13 13:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2009-02-17 13:12 . 2009-02-17 13:12 d-------- C:\My Documents
2009-02-17 12:00 . 2009-02-17 12:00 d-------- c:\program files\Safari
2009-02-17 12:00 . 2009-02-17 12:00 d-------- c:\program files\Apple Software Update
2009-02-16 20:42 . 2009-02-16 20:42 d-------- C:\My WindowBlinds Skins
2009-02-16 20:31 . 2009-03-01 20:20 d-------- c:\documents and settings\TXS6696\Tracing
2009-02-16 20:27 . 2009-02-16 20:27 d-------- c:\program files\Microsoft
2009-02-16 20:26 . 2009-02-16 20:26 d-------- c:\program files\Windows Live SkyDrive
2009-02-16 20:26 . 2009-02-16 20:27 d-------- c:\program files\Windows Live
2009-02-16 20:15 . 2009-02-16 20:15 d-------- c:\program files\Common Files\Windows Live
2009-02-16 20:11 . 2009-02-16 20:11 d-------- c:\documents and settings\TXS6696\Application Data\acccore
2009-02-16 20:10 . 2009-02-16 20:10 d-------- c:\program files\Common Files\AOL
2009-02-16 20:10 . 2009-02-16 20:10 d-------- c:\program files\AIM6
2009-02-16 20:10 . 2009-02-16 20:10 d-------- c:\documents and settings\All Users\Application Data\AOL OCP
2009-02-16 20:10 . 2009-02-16 20:10 d-------- c:\documents and settings\All Users\Application Data\AOL
2009-02-16 20:10 . 2009-02-16 20:10 d-------- c:\documents and settings\All Users\Application Data\acccore
2009-02-16 20:10 . 2009-02-16 20:10 454 --ah----- C:\IPH.PH
2009-02-16 19:18 . 2009-02-16 19:19 d-------- c:\program files\DAEMON Tools Pro
2009-02-16 19:18 . 2009-02-16 19:18 d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-02-16 19:15 . 2009-02-16 19:15 d-------- c:\documents and settings\TXS6696\Application Data\DAEMON Tools Pro
2009-02-16 19:15 . 2009-02-16 19:15 717,296 --a------ c:\windows\system32\drivers\sptd.sys
2009-02-16 19:15 . 2004-02-24 16:25 19,188 --a------ c:\windows\Q883956Readme.rtf
2009-02-16 19:05 . 2009-02-16 19:05 d-------- c:\documents and settings\TXS6696\Application Data\dvdcss
2009-02-16 18:12 . 2009-02-17 19:49 d-------- c:\documents and settings\All Users\Application Data\PMB Files
2009-02-16 18:11 . 2009-02-16 18:11 d-------- c:\program files\Pando Networks
2009-02-16 15:30 . 2009-02-16 15:30 97 --a------ c:\documents and settings\EditLiveForJava.ini
2009-02-16 15:22 . 2009-02-16 15:22 d-------- C:\ExamView
2009-02-16 15:22 . 1999-12-17 11:13 106,496 --a------ c:\windows\unvise32.exe
2009-02-16 15:17 . 2009-02-16 15:17 d-------- c:\documents and settings\TXS6696\Application Data\InfraRecorder
2009-02-16 15:12 . 2009-02-16 15:12 d-------- c:\program files\Google
2009-02-16 14:44 . 2008-08-14 04:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-16 14:44 . 2008-08-14 04:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-16 14:44 . 2008-08-14 03:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-16 14:44 . 2008-08-14 03:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-16 14:44 . 2008-09-15 06:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-02-16 14:44 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-02-16 14:44 . 2008-07-07 14:26 253,952 -----c--- c:\windows\system32\dllcache\es.dll
2009-02-16 14:44 . 2008-05-09 04:53 180,224 -----c--- c:\windows\system32\dllcache\scrobj.dll
2009-02-16 14:44 . 2008-05-09 04:53 172,032 -----c--- c:\windows\system32\dllcache\scrrun.dll
2009-02-16 14:44 . 2008-05-08 05:24 155,648 -----c--- c:\windows\system32\dllcache\wscript.exe
2009-02-16 14:44 . 2008-05-09 02:45 135,168 -----c--- c:\windows\system32\dllcache\cscript.exe
2009-02-16 14:44 . 2008-05-09 04:53 90,112 -----c--- c:\windows\system32\dllcache\wshext.dll
2009-02-16 14:37 . 2009-02-16 14:37 d-------- c:\program files\CommVault Systems
2009-02-16 14:37 . 2009-02-16 14:37 d-------- c:\documents and settings\All Users\Application Data\Commvault Systems
2009-02-16 14:37 . 2009-02-16 14:37 d-------- C:\AddInLM
2009-02-16 14:32 . 2008-06-24 10:43 74,240 -----c--- c:\windows\system32\dllcache\mscms.dll
2009-02-16 14:29 . 2008-06-23 09:50 d--hs---- c:\documents and settings\TXS6696\UserData
2009-02-16 14:29 . 2008-06-24 13:05 d-------- c:\documents and settings\TXS6696\Application Data\vlc
2009-02-16 14:29 . 2008-06-24 08:19 d-------- c:\documents and settings\TXS6696\Application Data\Inkscape
2009-02-16 14:29 . 2009-02-17 12:03 d-------- c:\documents and settings\TXS6696\Application Data\Apple Computer
2009-02-16 14:29 . 2009-02-16 15:17 d-------- c:\documents and settings\TXS6696\.gimp-2.4
2009-02-16 14:29 . 2009-03-03 12:38 d-------- c:\documents and settings\TXS6696
2009-02-16 14:28 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2009-02-16 14:28 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2009-02-16 14:28 . 2008-04-13 13:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2009-02-16 14:28 . 2008-04-13 13:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2009-02-16 12:23 . 2009-02-16 12:23 d-------- c:\windows\SchCache
2009-02-16 12:22 . 2008-10-06 13:57 53,248 --a------ c:\windows\Regme.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 23:22 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-18 01:34 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-16 17:09 --------- d--h--w c:\program files\InstallShield Installation Information
2008-04-07 06:59 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
file copied: c:\windows\system32\user32.dll -> c:\qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir ( 578560 bytes )
Infected c:\windows\system32\user32.dll hex repaired


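The ComboFix run above reports userinit.exe, svchost.exe, spoolsv.exe and explorer.exe as infected and restores userinit.exe from the $NtServicePackUninstall$ backup; the Sigcheck block in the next reply shows the data behind that kind of verdict, the MD5 and size of each live binary beside the copies kept in $NtServicePackUninstall$ and ServicePackFiles\i386. The Python below is an added example, not part of the thread or of ComboFix: it parses lines in that Sigcheck format and flags live files whose hash matches no trusted backup copy. The sample lines are copied from the Sigcheck block posted in this thread; dllcache copies are compared but not trusted, because the log shows the patched termsrv.dll sitting in dllcache as well.

```python
import re
from collections import defaultdict

# One ComboFix Sigcheck line: "<date> <time> <size> <md5> <path>".
SIGCHECK_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<md5>[0-9a-fA-F]{32}) (?P<path>\S.*)$"
)

# Trusted reference stores: the Service Pack uninstall backup and the SP install sources.
REFERENCE_DIRS = ("\\$ntservicepackuninstall$\\", "\\servicepackfiles\\i386\\")
# dllcache is what Windows File Protection restores from; it is writable at runtime and
# the thread's log shows the infector rewrote it, so it is compared but never trusted.
CACHE_DIRS = ("\\dllcache\\",)

# Sample input, copied from the Sigcheck block posted later in this thread.
SAMPLE_SIGCHECK = r"""
2004-08-04 06:00 31744 98fdf4d337345abc7d7c6a08cdb2818d c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 18:12 31232 368426ea303df8228504bc1e017a6acf c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 18:12 31744 df4a9eada11337db94b0302fa0403786 c:\windows\system32\svchost.exe

2008-04-13 18:12 1050624 c0260afbf3f841382958e486b403a6b4 c:\windows\explorer.exe
2004-08-04 06:00 1049088 e8203782163fb41150be9e1b0c47e488 c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-13 18:12 1051136 3dd23ef25df31fbc590582ddb1884f91 c:\windows\ServicePackFiles\i386\explorer.exe
2008-04-13 18:12 1050624 738b35a8125468bf6c376c0014d04744 c:\windows\system32\dllcache\explorer.exe

2004-08-04 06:00 41984 8a98757ec944a6ef57ba74dbbfb311cc c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 18:12 43008 f24c444096a6fb9e44da918564ade27e c:\windows\ServicePackFiles\i386\userinit.exe
2004-08-04 06:00 41984 8a98757ec944a6ef57ba74dbbfb311cc c:\windows\system32\userinit.exe

2004-08-04 06:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 18:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2009-03-03 13:02 215552 a77219a971029dc2fb683e8513713803 c:\windows\system32\termsrv.dll
2009-03-03 13:02 215552 a77219a971029dc2fb683e8513713803 c:\windows\system32\dllcache\termsrv.dll
"""


def parse_sigcheck(text):
    """Return one dict per line in Sigcheck format; blank and non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].lower()
            records.append(rec)
    return records


def role_of(path):
    """'reference' for a trusted backup copy, 'cache' for a dllcache copy, else 'live'."""
    p = path.lower()
    if any(d in p for d in REFERENCE_DIRS):
        return "reference"
    if any(d in p for d in CACHE_DIRS):
        return "cache"
    return "live"


def classify(records):
    """Group records by file name and compare each live binary with its reference copies."""
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec["path"].rsplit("\\", 1)[-1].lower()].append(rec)

    report = {}
    for name, recs in by_name.items():
        live = [r for r in recs if role_of(r["path"]) == "live"]
        refs = [r for r in recs if role_of(r["path"]) == "reference"]
        caches = [r for r in recs if role_of(r["path"]) == "cache"]
        if not live:
            continue  # only backup copies were listed; nothing to verify
        live = live[0]
        if not refs:
            status = "no reference copy"
        elif live["md5"] in {r["md5"] for r in refs}:
            status = "matches reference"
        else:
            status = "no reference match"
        report[name] = {
            "live_path": live["path"],
            "live_md5": live["md5"],
            "status": status,
            # Recorded so the reader sees whether the size changed as well as the hash.
            "size_matches_a_reference": live["size"] in {r["size"] for r in refs},
            # True when the WFP cache holds the same bytes as the live file: a repair from
            # dllcache would then simply reinstall the suspect copy.
            "cache_matches_live": any(c["md5"] == live["md5"] for c in caches),
        }
    return report


def flagged(report):
    """Sorted names of live files whose hash matches no trusted reference copy."""
    return sorted(n for n, r in report.items() if r["status"] != "matches reference")


if __name__ == "__main__":
    rep = classify(parse_sigcheck(SAMPLE_SIGCHECK))
    for name in flagged(rep):
        r = rep[name]
        print(f"{name}: {r['status']} ({r['live_path']}, md5 {r['live_md5']})")
```

A hash that matches no reference copy is a lead for a second opinion (a clean install source or a vendor hash list), not proof of infection by itself; the reference copies may simply be from a different service pack build.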

Re: Virus Removal Help

Post by Japanese on 3rd March 2009, 7:12 pm

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\system32\3361 ----

2009-03-02 17:27 4 --a------ c:\windows\system32\3361\mlog


------- Sigcheck -------

2004-08-04 06:00 31744 98fdf4d337345abc7d7c6a08cdb2818d c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 18:12 31232 368426ea303df8228504bc1e017a6acf c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 18:12 31744 df4a9eada11337db94b0302fa0403786 c:\windows\system32\svchost.exe

2008-04-13 18:12 1050624 c0260afbf3f841382958e486b403a6b4 c:\windows\explorer.exe
2004-08-04 06:00 1049088 e8203782163fb41150be9e1b0c47e488 c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-13 18:12 1051136 3dd23ef25df31fbc590582ddb1884f91 c:\windows\ServicePackFiles\i386\explorer.exe
2008-04-13 18:12 1050624 738b35a8125468bf6c376c0014d04744 c:\windows\system32\dllcache\explorer.exe

2004-08-04 06:00 32256 c6437ccb015b6e93104a17453b691685 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 18:12 32256 4a9c1ab0152558b100a8c9b23c9b0a4e c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 18:12 32256 f989b18e18380a3bf93e2a79c9206043 c:\windows\system32\ctfmon.exe

2004-08-04 06:00 74752 21c9ed76374f7ea04db8b4d9c51d5c04 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-13 18:12 74752 498129b920e0d12e5c24342ec78fdf9e c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 18:12 74752 6e81e4a6c3c828cb3b8e34a33cd57a14 c:\windows\system32\spoolsv.exe

2004-08-04 06:00 41984 8a98757ec944a6ef57ba74dbbfb311cc c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 18:12 43008 f24c444096a6fb9e44da918564ade27e c:\windows\ServicePackFiles\i386\userinit.exe
2004-08-04 06:00 41984 8a98757ec944a6ef57ba74dbbfb311cc c:\windows\system32\userinit.exe

2004-08-04 06:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 18:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2009-03-03 13:02 215552 a77219a971029dc2fb683e8513713803 c:\windows\system32\termsrv.dll
2009-03-03 13:02 215552 a77219a971029dc2fb683e8513713803 c:\windows\system32\dllcache\termsrv.dll
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00:00 183,808 -c--a-w c:\windows\$NtServicePackUninstall$\accwiz.exe
+ 2004-08-04 12:00:00 200,704 -c--a-w c:\windows\$NtServicePackUninstall$\accwiz.exe
- 2004-08-04 12:00:00 4,096 -c--a-w c:\windows\$NtServicePackUninstall$\actmovie.exe
+ 2004-08-04 12:00:00 21,504 -c--a-w c:\windows\$NtServicePackUninstall$\actmovie.exe
- 2003-03-24 21:52:04 16,439 -c--a-w c:\windows\$NtServicePackUninstall$\admin.exe
+ 2003-03-24 21:52:04 36,919 -c--a-w c:\windows\$NtServicePackUninstall$\admin.exe
- 2004-08-04 12:00:00 256,512 -c--a-w c:\windows\$NtServicePackUninstall$\agentsvr.exe
+ 2004-08-04 12:00:00 273,408 -c--a-w c:\windows\$NtServicePackUninstall$\agentsvr.exe
- 2004-08-04 12:00:00 98,304 -c--a-w c:\windows\$NtServicePackUninstall$\ahui.exe
+ 2004-08-04 12:00:00 115,712 -c--a-w c:\windows\$NtServicePackUninstall$\ahui.exe
- 2004-08-04 12:00:00 44,544 -c--a-w c:\windows\$NtServicePackUninstall$\alg.exe
+ 2004-08-04 12:00:00 61,440 -c--a-w c:\windows\$NtServicePackUninstall$\alg.exe
- 2004-08-04 12:00:00 30,208 -c--a-w c:\windows\$NtServicePackUninstall$\asr_fmt.exe
+ 2004-08-04 12:00:00 47,616 -c--a-w c:\windows\$NtServicePackUninstall$\asr_fmt.exe
- 2004-08-04 12:00:00 32,768 -c--a-w c:\windows\$NtServicePackUninstall$\asr_pfu.exe
+ 2004-08-04 12:00:00 49,664 -c--a-w c:\windows\$NtServicePackUninstall$\asr_pfu.exe
- 2004-08-04 12:00:00 11,264 -c--a-w c:\windows\$NtServicePackUninstall$\atmadm.exe
+ 2004-08-04 12:00:00 28,672 -c--a-w c:\windows\$NtServicePackUninstall$\atmadm.exe
- 2004-08-04 12:00:00 11,264 -c--a-w c:\windows\$NtServicePackUninstall$\attrib.exe
+ 2004-08-04 12:00:00 28,672 -c--a-w c:\windows\$NtServicePackUninstall$\attrib.exe
- 2004-08-04 12:00:00 14,336 -c--a-w c:\windows\$NtServicePackUninstall$\auditusr.exe
+ 2004-08-04 12:00:00 31,744 -c--a-w c:\windows\$NtServicePackUninstall$\auditusr.exe
- 2003-03-24 21:52:04 16,439 -c--a-w c:\windows\$NtServicePackUninstall$\author.exe
+ 2003-03-24 21:52:04 36,919 -c--a-w c:\windows\$NtServicePackUninstall$\author.exe
- 2004-08-04 12:00:00 71,680 -c--a-w c:\windows\$NtServicePackUninstall$\blastcln.exe
+ 2004-08-04 12:00:00 88,576 -c--a-w c:\windows\$NtServicePackUninstall$\blastcln.exe
- 2004-08-04 12:00:00 136,704 -c--a-w c:\windows\$NtServicePackUninstall$\bootcfg.exe
+ 2004-08-04 12:00:00 154,112 -c--a-w c:\windows\$NtServicePackUninstall$\bootcfg.exe
- 2004-08-04 12:00:00 18,432 -c--a-w c:\windows\$NtServicePackUninstall$\cacls.exe
+ 2004-08-04 12:00:00 35,840 -c--a-w c:\windows\$NtServicePackUninstall$\cacls.exe
- 2003-03-24 21:52:04 188,480 -c--a-w c:\windows\$NtServicePackUninstall$\cfgwiz.exe
+ 2003-03-24 21:52:04 208,960 -c--a-w c:\windows\$NtServicePackUninstall$\cfgwiz.exe
- 2004-08-04 12:00:00 56,320 -c--a-w c:\windows\$NtServicePackUninstall$\cipher.exe
+ 2004-08-04 12:00:00 73,728 -c--a-w c:\windows\$NtServicePackUninstall$\cipher.exe
- 2004-08-04 12:00:00 5,632 -c--a-w c:\windows\$NtServicePackUninstall$\cisvc.exe
+ 2004-08-04 12:00:00 23,040 -c--a-w c:\windows\$NtServicePackUninstall$\cisvc.exe
- 2004-08-04 12:00:00 64,000 -c--a-w c:\windows\$NtServicePackUninstall$\cleanmgr.exe
+ 2004-08-04 12:00:00 80,896 -c--a-w c:\windows\$NtServicePackUninstall$\cleanmgr.exe
- 2004-08-04 12:00:00 20,480 -c--a-w c:\windows\$NtServicePackUninstall$\cliconfg.exe
+ 2004-08-04 12:00:00 40,960 -c--a-w c:\windows\$NtServicePackUninstall$\cliconfg.exe
- 2004-08-04 12:00:00 102,912 -c--a-w c:\windows\$NtServicePackUninstall$\clipbrd.exe
+ 2004-08-04 12:00:00 120,320 -c--a-w c:\windows\$NtServicePackUninstall$\clipbrd.exe
- 2004-08-04 12:00:00 33,280 -c--a-w c:\windows\$NtServicePackUninstall$\clipsrv.exe
+ 2004-08-04 12:00:00 50,688 -c--a-w c:\windows\$NtServicePackUninstall$\clipsrv.exe
- 2004-08-04 12:00:00 388,608 -c--a-w c:\windows\$NtServicePackUninstall$\cmd.exe
+ 2004-08-04 12:00:00 405,504 -c--a-w c:\windows\$NtServicePackUninstall$\cmd.exe
- 2004-08-04 12:00:00 47,104 -c--a-w c:\windows\$NtServicePackUninstall$\cmdl32.exe
+ 2004-08-04 12:00:00 64,000 -c--a-w c:\windows\$NtServicePackUninstall$\cmdl32.exe
- 2004-08-04 12:00:00 39,936 -c--a-w c:\windows\$NtServicePackUninstall$\cmmon32.exe
+ 2004-08-04 12:00:00 56,832 -c--a-w c:\windows\$NtServicePackUninstall$\cmmon32.exe
- 2004-08-04 12:00:00 63,488 -c--a-w c:\windows\$NtServicePackUninstall$\cmstp.exe
+ 2004-08-04 12:00:00 80,384 -c--a-w c:\windows\$NtServicePackUninstall$\cmstp.exe
- 2004-08-04 12:00:00 9,728 -c--a-w c:\windows\$NtServicePackUninstall$\comrepl.exe
+ 2004-08-04 12:00:00 26,624 -c--a-w c:\windows\$NtServicePackUninstall$\comrepl.exe
- 2004-08-04 12:00:00 5,120 -c--a-w c:\windows\$NtServicePackUninstall$\comrereg.exe
+ 2004-08-04 12:00:00 22,016 -c--a-w c:\windows\$NtServicePackUninstall$\comrereg.exe
- 2004-08-04 12:00:00 1,032,192 -c--a-w c:\windows\$NtServicePackUninstall$\conf.exe
+ 2004-08-04 12:00:00 1,052,672 -c--a-w c:\windows\$NtServicePackUninstall$\conf.exe
- 2004-08-04 12:00:00 27,648 -c--a-w c:\windows\$NtServicePackUninstall$\conime.exe
+ 2004-08-04 12:00:00 45,056 -c--a-w c:\windows\$NtServicePackUninstall$\conime.exe
- 2004-08-04 12:00:00 98,304 -c--a-w c:\windows\$NtServicePackUninstall$\cscript.exe
+ 2004-08-04 12:00:00 118,784 -c--a-w c:\windows\$NtServicePackUninstall$\cscript.exe
- 2004-08-04 12:00:00 15,360 -c--a-w c:\windows\$NtServicePackUninstall$\ctfmon.exe
+ 2004-08-04 12:00:00 32,256 -c--a-w c:\windows\$NtServicePackUninstall$\ctfmon.exe
- 2004-08-04 12:00:00 42,496 -c--a-w c:\windows\$NtServicePackUninstall$\davcdata.exe
+ 2004-08-04 12:00:00 59,904 -c--a-w c:\windows\$NtServicePackUninstall$\davcdata.exe
- 2004-08-04 12:00:00 5,120 -c--a-w c:\windows\$NtServicePackUninstall$\dcomcnfg.exe
+ 2004-08-04 12:00:00 22,016 -c--a-w c:\windows\$NtServicePackUninstall$\dcomcnfg.exe
- 2004-08-04 12:00:00 30,208 -c--a-w c:\windows\$NtServicePackUninstall$\ddeshare.exe
+ 2004-08-04 12:00:00 47,104 -c--a-w c:\windows\$NtServicePackUninstall$\ddeshare.exe
- 2004-08-04 12:00:00 25,088 -c--a-w c:\windows\$NtServicePackUninstall$\defrag.exe
+ 2004-08-04 12:00:00 41,984 -c--a-w c:\windows\$NtServicePackUninstall$\defrag.exe
- 2004-08-04 12:00:00 82,432 -c--a-w c:\windows\$NtServicePackUninstall$\dfrgfat.exe
+ 2004-08-04 12:00:00 99,328 -c--a-w c:\windows\$NtServicePackUninstall$\dfrgfat.exe
- 2004-08-04 12:00:00 104,960 -c--a-w c:\windows\$NtServicePackUninstall$\dfrgntfs.exe
+ 2004-08-04 12:00:00 121,856 -c--a-w c:\windows\$NtServicePackUninstall$\dfrgntfs.exe
- 2004-08-04 12:00:00 539,136 -c--a-w c:\windows\$NtServicePackUninstall$\dialer.exe
+ 2004-08-04 12:00:00 556,032 -c--a-w c:\windows\$NtServicePackUninstall$\dialer.exe
- 2004-08-04 12:00:00 85,504 -c--a-w c:\windows\$NtServicePackUninstall$\diantz.exe
+ 2004-08-04 12:00:00 102,400 -c--a-w c:\windows\$NtServicePackUninstall$\diantz.exe
- 2004-08-04 12:00:00 163,840 -c--a-w c:\windows\$NtServicePackUninstall$\diskpart.exe
+ 2004-08-04 12:00:00 180,736 -c--a-w c:\windows\$NtServicePackUninstall$\diskpart.exe
- 2004-08-04 12:00:00 5,120 -c--a-w c:\windows\$NtServicePackUninstall$\dllhost.exe
+ 2004-08-04 12:00:00 22,016 -c--a-w c:\windows\$NtServicePackUninstall$\dllhost.exe
- 2004-08-04 12:00:00 224,768 -c--a-w c:\windows\$NtServicePackUninstall$\dmadmin.exe
+ 2004-08-04 12:00:00 241,664 -c--a-w c:\windows\$NtServicePackUninstall$\dmadmin.exe
- 2004-08-04 12:00:00 15,872 -c--a-w c:\windows\$NtServicePackUninstall$\dmremote.exe
+ 2004-08-04 12:00:00 32,768 -c--a-w c:\windows\$NtServicePackUninstall$\dmremote.exe
- 2004-08-04 12:00:00 30,208 -c--a-w c:\windows\$NtServicePackUninstall$\dplaysvr.exe
+ 2004-08-04 12:00:00 47,104 -c--a-w c:\windows\$NtServicePackUninstall$\dplaysvr.exe
- 2004-08-04 12:00:00 18,432 -c--a-w c:\windows\$NtServicePackUninstall$\dpnsvr.exe
+ 2004-08-04 12:00:00 35,328 -c--a-w c:\windows\$NtServicePackUninstall$\dpnsvr.exe
- 2004-08-04 12:00:00 83,456 -c--a-w c:\windows\$NtServicePackUninstall$\dpvsetup.exe
+ 2004-08-04 12:00:00 100,352 -c--a-w c:\windows\$NtServicePackUninstall$\dpvsetup.exe
- 2004-08-04 12:00:00 58,368 -c--a-w c:\windows\$NtServicePackUninstall$\driverquery.exe
+ 2004-08-04 12:00:00 75,264 -c--a-w c:\windows\$NtServicePackUninstall$\driverquery.exe
- 2004-08-04 12:00:00 58,368 -c--a-w c:\windows\$NtServicePackUninstall$\drvqry.exe
+ 2004-08-04 12:00:00 75,776 -c--a-w c:\windows\$NtServicePackUninstall$\drvqry.exe
- 2004-08-04 12:00:00 10,752 -c--a-w c:\windows\$NtServicePackUninstall$\dumprep.exe
+ 2004-08-04 12:00:00 27,648 -c--a-w c:\windows\$NtServicePackUninstall$\dumprep.exe
- 2004-08-04 12:00:00 17,920 -c--a-w c:\windows\$NtServicePackUninstall$\dvdupgrd.exe
+ 2004-08-04 12:00:00 34,816 -c--a-w c:\windows\$NtServicePackUninstall$\dvdupgrd.exe
- 2004-08-04 12:00:00 180,224 -c--a-w c:\windows\$NtServicePackUninstall$\dwwin.exe
+ 2004-08-04 12:00:00 200,704 -c--a-w c:\windows\$NtServicePackUninstall$\dwwin.exe
- 2004-08-04 12:00:00 1,298,432 -c--a-w c:\windows\$NtServicePackUninstall$\dxdiag.exe
+ 2004-08-04 12:00:00 1,318,912 -c--a-w c:\windows\$NtServicePackUninstall$\dxdiag.exe
- 2004-08-04 12:00:00 193,024 -c--a-w c:\windows\$NtServicePackUninstall$\eudcedit.exe
+ 2004-08-04 12:00:00 209,920 -c--a-w c:\windows\$NtServicePackUninstall$\eudcedit.exe
- 2004-08-04 12:00:00 50,176 -c--a-w c:\windows\$NtServicePackUninstall$\evcreate.exe
+ 2004-08-04 12:00:00 67,584 -c--a-w c:\windows\$NtServicePackUninstall$\evcreate.exe
- 2004-08-04 12:00:00 50,176 -c--a-w c:\windows\$NtServicePackUninstall$\eventcreate.exe
+ 2004-08-04 12:00:00 67,584 -c--a-w c:\windows\$NtServicePackUninstall$\eventcreate.exe
- 2004-08-04 12:00:00 77,824 -c--a-w c:\windows\$NtServicePackUninstall$\eventtriggers.exe
+ 2004-08-04 12:00:00 94,720 -c--a-w c:\windows\$NtServicePackUninstall$\eventtriggers.exe



Re: Virus Removal Help

Post by Japanese on 3rd March 2009, 7:13 pm

- 2004-08-04 12:00:00 24,064 -c--a-w c:\windows\$NtServicePackUninstall$\evntcmd.exe
+ 2004-08-04 12:00:00 40,960 -c--a-w c:\windows\$NtServicePackUninstall$\evntcmd.exe
- 2004-08-04 12:00:00 92,160 -c--a-w c:\windows\$NtServicePackUninstall$\evntwin.exe
+ 2004-08-04 12:00:00 109,568 -c--a-w c:\windows\$NtServicePackUninstall$\evntwin.exe
- 2004-08-04 12:00:00 77,824 -c--a-w c:\windows\$NtServicePackUninstall$\evtrig.exe
+ 2004-08-04 12:00:00 94,720 -c--a-w c:\windows\$NtServicePackUninstall$\evtrig.exe
- 2004-08-04 12:00:00 45,568 -c--a-w c:\windows\$NtServicePackUninstall$\extrac32.exe
+ 2004-08-04 12:00:00 62,976 -c--a-w c:\windows\$NtServicePackUninstall$\extrac32.exe
- 2004-08-04 12:00:00 27,136 -c--a-w c:\windows\$NtServicePackUninstall$\findstr.exe
+ 2004-08-04 12:00:00 44,544 -c--a-w c:\windows\$NtServicePackUninstall$\findstr.exe
- 2004-08-04 12:00:00 22,528 -c--a-w c:\windows\$NtServicePackUninstall$\fltmc.exe
+ 2004-08-04 12:00:00 39,936 -c--a-w c:\windows\$NtServicePackUninstall$\fltmc.exe
- 2004-08-04 12:00:00 20,992 -c--a-w c:\windows\$NtServicePackUninstall$\fontview.exe
+ 2004-08-04 12:00:00 37,888 -c--a-w c:\windows\$NtServicePackUninstall$\fontview.exe
- 2004-08-04 12:00:00 7,168 -c--a-w c:\windows\$NtServicePackUninstall$\forcedos.exe
+ 2004-08-04 12:00:00 24,064 -c--a-w c:\windows\$NtServicePackUninstall$\forcedos.exe
- 2003-03-24 21:52:04 14,608 -c--a-w c:\windows\$NtServicePackUninstall$\fp98sadm.exe
+ 2003-03-24 21:52:04 31,504 -c--a-w c:\windows\$NtServicePackUninstall$\fp98sadm.exe
- 2003-03-24 21:52:04 109,328 -c--a-w c:\windows\$NtServicePackUninstall$\fp98swin.exe
+ 2003-03-24 21:52:04 126,224 -c--a-w c:\windows\$NtServicePackUninstall$\fp98swin.exe
- 2003-03-24 21:52:04 24,632 -c--a-w c:\windows\$NtServicePackUninstall$\fpadmcgi.exe
+ 2003-03-24 21:52:04 45,112 -c--a-w c:\windows\$NtServicePackUninstall$\fpadmcgi.exe
- 2003-03-24 21:52:04 188,494 -c--a-w c:\windows\$NtServicePackUninstall$\fpcount.exe
+ 2003-03-24 21:52:04 208,974 -c--a-w c:\windows\$NtServicePackUninstall$\fpcount.exe
- 2003-03-24 21:52:04 20,538 -c--a-w c:\windows\$NtServicePackUninstall$\fpremadm.exe
+ 2003-03-24 21:52:04 41,018 -c--a-w c:\windows\$NtServicePackUninstall$\fpremadm.exe
- 2004-08-04 12:00:00 193,024 -c--a-w c:\windows\$NtServicePackUninstall$\fsquirt.exe
+ 2004-08-04 12:00:00 209,920 -c--a-w c:\windows\$NtServicePackUninstall$\fsquirt.exe
- 2004-08-04 12:00:00 42,496 -c--a-w c:\windows\$NtServicePackUninstall$\[You must be registered and logged in to see this link.]
+ 2004-08-04 12:00:00 59,392 -c--a-w c:\windows\$NtServicePackUninstall$\[You must be registered and logged in to see this link.]
- 2004-08-04 12:00:00 143,360 -c--a-w c:\windows\$NtServicePackUninstall$\fxsclnt.exe
+ 2004-08-04 12:00:00 160,768 -c--a-w c:\windows\$NtServicePackUninstall$\fxsclnt.exe
- 2004-08-04 12:00:00 229,376 -c--a-w c:\windows\$NtServicePackUninstall$\fxscover.exe
+ 2004-08-04 12:00:00 246,784 -c--a-w c:\windows\$NtServicePackUninstall$\fxscover.exe
- 2004-08-04 12:00:00 267,776 -c--a-w c:\windows\$NtServicePackUninstall$\fxssvc.exe
+ 2004-08-04 12:00:00 284,672 -c--a-w c:\windows\$NtServicePackUninstall$\fxssvc.exe
- 2004-08-04 12:00:00 55,296 -c--a-w c:\windows\$NtServicePackUninstall$\getmac.exe
+ 2004-08-04 12:00:00 72,704 -c--a-w c:\windows\$NtServicePackUninstall$\getmac.exe
- 2004-08-04 12:00:00 119,808 -c--a-w c:\windows\$NtServicePackUninstall$\gpresult.exe
+ 2004-08-04 12:00:00 136,704 -c--a-w c:\windows\$NtServicePackUninstall$\gpresult.exe
- 2004-08-04 12:00:00 119,808 -c--a-w c:\windows\$NtServicePackUninstall$\gprslt.exe
+ 2004-08-04 12:00:00 136,704 -c--a-w c:\windows\$NtServicePackUninstall$\gprslt.exe
- 2004-08-04 12:00:00 39,424 -c--a-w c:\windows\$NtServicePackUninstall$\grpconv.exe
+ 2004-08-04 12:00:00 56,320 -c--a-w c:\windows\$NtServicePackUninstall$\grpconv.exe
- 2004-08-04 12:00:00 14,848 -c--a-w c:\windows\$NtServicePackUninstall$\help.exe
+ 2004-08-04 12:00:00 31,744 -c--a-w c:\windows\$NtServicePackUninstall$\help.exe
- 2004-08-04 12:00:00 768,512 -c--a-w c:\windows\$NtServicePackUninstall$\helpctr.exe
+ 2004-08-04 12:00:00 785,408 -c--a-w c:\windows\$NtServicePackUninstall$\helpctr.exe
- 2004-08-04 12:00:00 743,936 -c--a-w c:\windows\$NtServicePackUninstall$\helpsvc.exe
+ 2004-08-04 12:00:00 761,344 -c--a-w c:\windows\$NtServicePackUninstall$\helpsvc.exe
- 2004-08-04 12:00:00 10,752 -c--a-w c:\windows\$NtServicePackUninstall$\hh.exe
+ 2004-08-04 12:00:00 27,648 -c--a-w c:\windows\$NtServicePackUninstall$\hh.exe
- 2004-08-04 12:00:00 18,944 -c--a-w c:\windows\$NtServicePackUninstall$\hscupd.exe
+ 2004-08-04 12:00:00 36,352 -c--a-w c:\windows\$NtServicePackUninstall$\hscupd.exe
- 2004-08-04 12:00:00 214,528 -c--a-w c:\windows\$NtServicePackUninstall$\icwconn1.exe
+ 2004-08-04 12:00:00 231,424 -c--a-w c:\windows\$NtServicePackUninstall$\icwconn1.exe
- 2004-08-04 12:00:00 86,016 -c--a-w c:\windows\$NtServicePackUninstall$\icwconn2.exe
+ 2004-08-04 12:00:00 106,496 -c--a-w c:\windows\$NtServicePackUninstall$\icwconn2.exe
- 2004-08-04 12:00:00 24,576 -c--a-w c:\windows\$NtServicePackUninstall$\icwrmind.exe
+ 2004-08-04 12:00:00 45,056 -c--a-w c:\windows\$NtServicePackUninstall$\icwrmind.exe
- 2004-08-04 12:00:00 34,304 -c--a-w c:\windows\$NtServicePackUninstall$\ie4uinit.exe
+ 2004-08-04 12:00:00 51,712 -c--a-w c:\windows\$NtServicePackUninstall$\ie4uinit.exe
- 2004-08-04 12:00:00 18,432 -c--a-w c:\windows\$NtServicePackUninstall$\iedw.exe
+ 2004-08-04 12:00:00 35,328 -c--a-w c:\windows\$NtServicePackUninstall$\iedw.exe
- 2004-08-04 12:00:00 93,184 -c--a-w c:\windows\$NtServicePackUninstall$\iexplore.exe
+ 2004-08-04 12:00:00 110,592 -c--a-w c:\windows\$NtServicePackUninstall$\iexplore.exe
- 2004-08-04 12:00:00 114,688 -c--a-w c:\windows\$NtServicePackUninstall$\iexpress.exe
+ 2004-08-04 12:00:00 132,096 -c--a-w c:\windows\$NtServicePackUninstall$\iexpress.exe
- 2004-08-04 12:00:00 30,720 -c--a-w c:\windows\$NtServicePackUninstall$\iisrstas.exe
+ 2004-08-04 12:00:00 47,616 -c--a-w c:\windows\$NtServicePackUninstall$\iisrstas.exe
- 2004-08-04 12:00:00 150,016 -c--a-w c:\windows\$NtServicePackUninstall$\imapi.exe
+ 2004-08-04 12:00:00 166,912 -c--a-w c:\windows\$NtServicePackUninstall$\imapi.exe
- 2004-08-04 12:00:00 15,872 -c--a-w c:\windows\$NtServicePackUninstall$\inetin51.exe
+ 2004-08-04 12:00:00 32,768 -c--a-w c:\windows\$NtServicePackUninstall$\inetin51.exe
- 2004-08-04 12:00:00 20,480 -c--a-w c:\windows\$NtServicePackUninstall$\inetwiz.exe
+ 2004-08-04 12:00:00 40,960 -c--a-w c:\windows\$NtServicePackUninstall$\inetwiz.exe
- 2004-08-04 12:00:00 55,808 -c--a-w c:\windows\$NtServicePackUninstall$\ipconfig.exe
+ 2004-08-04 12:00:00 72,704 -c--a-w c:\windows\$NtServicePackUninstall$\ipconfig.exe
- 2004-08-04 12:00:00 53,248 -c--a-w c:\windows\$NtServicePackUninstall$\ipv6.exe
+ 2004-08-04 12:00:00 70,144 -c--a-w c:\windows\$NtServicePackUninstall$\ipv6.exe
- 2004-08-04 12:00:00 23,552 -c--a-w c:\windows\$NtServicePackUninstall$\ipxroute.exe
+ 2004-08-04 12:00:00 40,448 -c--a-w c:\windows\$NtServicePackUninstall$\ipxroute.exe
- 2004-08-04 12:00:00 75,264 -c--a-w c:\windows\$NtServicePackUninstall$\locator.exe
+ 2004-08-04 12:00:00 92,672 -c--a-w c:\windows\$NtServicePackUninstall$\locator.exe
- 2004-08-04 12:00:00 103,936 -c--a-w c:\windows\$NtServicePackUninstall$\logagent.exe
+ 2004-08-04 12:00:00 120,832 -c--a-w c:\windows\$NtServicePackUninstall$\logagent.exe
- 2004-08-04 12:00:00 59,392 -c--a-w c:\windows\$NtServicePackUninstall$\logman.exe
+ 2004-08-04 12:00:00 76,288 -c--a-w c:\windows\$NtServicePackUninstall$\logman.exe
- 2004-08-04 12:00:00 13,312 -c--a-w c:\windows\$NtServicePackUninstall$\lsass.exe
+ 2004-08-04 12:00:00 30,208 -c--a-w c:\windows\$NtServicePackUninstall$\lsass.exe
- 2004-08-04 12:00:00 72,704 -c--a-w c:\windows\$NtServicePackUninstall$\magnify.exe
+ 2004-08-04 12:00:00 89,600 -c--a-w c:\windows\$NtServicePackUninstall$\magnify.exe
- 2004-08-04 12:00:00 85,504 -c--a-w c:\windows\$NtServicePackUninstall$\makecab.exe
+ 2004-08-04 12:00:00 102,912 -c--a-w c:\windows\$NtServicePackUninstall$\makecab.exe
- 2004-08-04 12:00:00 103,424 -c--a-w c:\windows\$NtServicePackUninstall$\migload.exe
+ 2004-08-04 12:00:00 120,320 -c--a-w c:\windows\$NtServicePackUninstall$\migload.exe
- 2004-08-04 12:00:00 786,432 -c--a-w c:\windows\$NtServicePackUninstall$\migrate.exe
+ 2004-08-04 12:00:00 806,912 -c--a-w c:\windows\$NtServicePackUninstall$\migrate.exe
- 2004-08-04 12:00:00 7,680 -c--a-w c:\windows\$NtServicePackUninstall$\migregdb.exe
+ 2004-08-04 12:00:00 25,088 -c--a-w c:\windows\$NtServicePackUninstall$\migregdb.exe
- 2004-08-04 12:00:00 240,128 -c--a-w c:\windows\$NtServicePackUninstall$\migwiz.exe
+ 2004-08-04 12:00:00 257,024 -c--a-w c:\windows\$NtServicePackUninstall$\migwiz.exe
- 2004-08-04 12:00:00 815,104 -c--a-w c:\windows\$NtServicePackUninstall$\mmc.exe
+ 2004-08-04 12:00:00 832,000 -c--a-w c:\windows\$NtServicePackUninstall$\mmc.exe
- 2004-08-04 12:00:00 32,768 -c--a-w c:\windows\$NtServicePackUninstall$\mnmsrvc.exe
+ 2004-08-04 12:00:00 53,248 -c--a-w c:\windows\$NtServicePackUninstall$\mnmsrvc.exe
- 2004-08-04 12:00:00 143,360 -c--a-w c:\windows\$NtServicePackUninstall$\mobsync.exe
+ 2004-08-04 12:00:00 160,256 -c--a-w c:\windows\$NtServicePackUninstall$\mobsync.exe
- 2004-08-04 12:00:00 16,384 -c--a-w c:\windows\$NtServicePackUninstall$\mofcomp.exe
+ 2004-08-04 12:00:00 33,280 -c--a-w c:\windows\$NtServicePackUninstall$\mofcomp.exe
- 2004-08-04 12:00:00 3,555,328 -c--a-w c:\windows\$NtServicePackUninstall$\moviemk.exe
+ 2004-08-04 12:00:00 3,572,224 -c--a-w c:\windows\$NtServicePackUninstall$\moviemk.exe
- 2004-08-04 12:00:00 123,392 -c--a-w c:\windows\$NtServicePackUninstall$\mplay32.exe
+ 2004-08-04 12:00:00 140,288 -c--a-w c:\windows\$NtServicePackUninstall$\mplay32.exe
- 2004-08-04 12:00:00 4,639 -c--a-w c:\windows\$NtServicePackUninstall$\mplayer2.exe
+ 2004-08-04 12:00:00 22,047 -c--a-w c:\windows\$NtServicePackUninstall$\mplayer2.exe
- 2004-08-04 12:00:00 19,968 -c--a-w c:\windows\$NtServicePackUninstall$\mqbkup.exe
+ 2004-08-04 12:00:00 36,864 -c--a-w c:\windows\$NtServicePackUninstall$\mqbkup.exe
- 2004-08-04 12:00:00 4,608 -c--a-w c:\windows\$NtServicePackUninstall$\mqsvc.exe
+ 2004-08-04 12:00:00 21,504 -c--a-w c:\windows\$NtServicePackUninstall$\mqsvc.exe
- 2004-08-04 12:00:00 117,248 -c--a-w c:\windows\$NtServicePackUninstall$\mqtgsvc.exe
+ 2004-08-04 12:00:00 134,144 -c--a-w c:\windows\$NtServicePackUninstall$\mqtgsvc.exe
- 2004-08-04 12:00:00 158,208 -c--a-w c:\windows\$NtServicePackUninstall$\msconfig.exe
+ 2004-08-04 12:00:00 175,104 -c--a-w c:\windows\$NtServicePackUninstall$\msconfig.exe
- 2004-08-04 12:00:00 6,144 -c--a-w c:\windows\$NtServicePackUninstall$\msdtc.exe
+ 2004-08-04 12:00:00 23,040 -c--a-w c:\windows\$NtServicePackUninstall$\msdtc.exe
- 2004-08-04 12:00:00 29,184 -c--a-w c:\windows\$NtServicePackUninstall$\mshta.exe
+ 2004-08-04 12:00:00 46,080 -c--a-w c:\windows\$NtServicePackUninstall$\mshta.exe
- 2004-08-04 12:00:00 77,312 -c--a-w c:\windows\$NtServicePackUninstall$\msiexec.exe
+ 2004-08-04 12:00:00 94,720 -c--a-w c:\windows\$NtServicePackUninstall$\msiexec.exe
- 2004-08-04 12:00:00 60,416 -c--a-w c:\windows\$NtServicePackUninstall$\msimn.exe
+ 2004-08-04 12:00:00 77,312 -c--a-w c:\windows\$NtServicePackUninstall$\msimn.exe
- 2004-08-04 12:00:00 40,960 -c--a-w c:\windows\$NtServicePackUninstall$\msiregmv.exe
+ 2004-08-04 12:00:00 57,856 -c--a-w c:\windows\$NtServicePackUninstall$\msiregmv.exe
- 2004-08-04 06:06:34 1,667,584 -c--a-w c:\windows\$NtServicePackUninstall$\msmsgs.exe
+ 2004-08-04 06:06:34 1,684,480 -c--a-w c:\windows\$NtServicePackUninstall$\msmsgs.exe
- 2004-08-04 12:00:00 28,160 -c--a-w c:\windows\$NtServicePackUninstall$\msoobe.exe
+ 2004-08-04 12:00:00 45,056 -c--a-w c:\windows\$NtServicePackUninstall$\msoobe.exe
- 2004-08-04 12:00:00 343,040 -c--a-w c:\windows\$NtServicePackUninstall$\mspaint.exe
+ 2004-08-04 12:00:00 359,936 -c--a-w c:\windows\$NtServicePackUninstall$\mspaint.exe
- 2004-08-04 12:00:00 12,288 -c--a-w c:\windows\$NtServicePackUninstall$\mstinit.exe
+ 2004-08-04 12:00:00 29,184 -c--a-w c:\windows\$NtServicePackUninstall$\mstinit.exe
- 2009-03-03 01:34:02 49,152 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-03 19:01:37 49,152 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-03 01:34:02 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-03 19:01:37 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-03-03 01:34:02 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-03 19:01:37 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-03 01:03:45 578,560 ----a-w c:\windows\system32\user32.DLL
+ 2009-03-03 18:34:45 578,560 ----a-w c:\windows\system32\user32.DLL
.
-- Snapshot reset to current date --



Re: Virus Removal Help

Post by Japanese on 3rd March 2009, 7:13 pm

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 32256]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-01-29 23975720]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-17 342848]
"Google Update"="c:\documents and settings\TXS6696\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-25 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 53339]
"VMware Tools"="c:\program files\VMware\VMware Tools\VMwareTray.exe" [2008-05-15 92720]
"VMware User Process"="c:\program files\VMware\VMware Tools\VMwareUser.exe" [2008-05-15 268848]
"NAL"="c:\program files\novell\zenworks\nalwin.exe" [2007-12-24 382464]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Startup"="c:\windows\system32\startup.exe" [2005-07-18 121315]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-05-18 61440]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1904640]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-30 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-30 137752]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 425984]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2008-05-28 61440]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2008-05-28 65536]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 c:\windows\system32\nwtray.exe]

c:\documents and settings\TXS6696\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2008-01-04 458752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2007-12-24 22:21 24576 c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
2008-05-15 22:23 364544 c:\windows\system32\TPSvc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"57547:TCP"= 57547:TCP:Pando Media Booster
"57547:UDP"= 57547:UDP:Pando Media Booster

R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2008-06-23 17968]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2008-06-23 34671]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-05-23 6899]
R2 hgfs;hgfs;c:\windows\system32\drivers\hgfs.sys [2008-06-23 92592]
R2 LGTO_Sync;Sync Driver;c:\windows\system32\drivers\lgtosync.sys [2008-06-23 36400]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2006-05-09 188416]
R2 VMMEMCTL;VMware server memory controller;c:\program files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys [2008-05-15 15408]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2007-12-24 81920]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-05-23 2773]
S2 VMTools;VMware Tools Service;c:\program files\VMware\VMware Tools\VMwareService.exe [2008-05-15 264752]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2004-08-04 2176]
S3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\VMware\VMware Tools\TPAutoConnSvc.exe [2008-05-15 315392]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [2008-06-23 11696]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2008-06-23 62768]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [2008-06-23 34992]
.
Contents of the 'Scheduled Tasks' folder

2009-02-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-426075309-104346630-1563886607-1016.job
- c:\documents and settings\TXS6696\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-25 16:15]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = ;reef000s288.cert.mobiledomain.net;mobile.domain;10.1.0.51;*.coppellisd.com
uInternet Settings,ProxyServer = 10.0.0.6:8080
IE: &Search
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\TXS6696\Application Data\Mozilla\Firefox\Profiles\tjzcl9gp.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-03-03 13:03:02
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1232)
c:\windows\system32\NETWIN32.DLL
c:\program files\Novell\ZENworks\ZENPOL32.DLL
c:\windows\system32\xmlparse.dll
c:\windows\system32\ZenMup.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\Novell\ncplw32.dll
c:\windows\system32\novell\nls\english\NetIdent.dll
c:\windows\system32\Novell\xtagent.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Novell\ZENworks\NALNTSRV.EXE
c:\nexon\MapleStory\npkcmsvc.exe
c:\windows\system32\stacsv.exe
c:\program files\Novell\ZENworks\WM.EXE
c:\program files\Novell\ZENworks\WMRUNDLL.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Novell\ZENworks\NalAgent.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-03-03 13:09:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-03 19:09:14
ComboFix2.txt 2009-03-03 01:40:34

Pre-Run: 34,942,062,592 bytes free
Post-Run: 34,971,398,144 bytes free

666 --- E O F --- 2009-02-26 23:22:30



Re: Virus Removal Help

Post by Belahzur on 3rd March 2009, 7:14 pm

Hello.
Really, this is a waste of my time and yours.
This infection is Virut, and Virut CANNOT be fixed.

c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1


Re: Virus Removal Help

Post by Japanese on 3rd March 2009, 9:13 pm

Well... there goes $1450 down the drain... thanks though...



Re: Virus Removal Help

Post by Belahzur on 3rd March 2009, 10:22 pm

Just format the machine, you have an XP disc right?



Re: Virus Removal Help

Post by Japanese on 4th March 2009, 12:25 am

No o.o



Re: Virus Removal Help

Post by Belahzur on 4th March 2009, 12:41 am

They should be pretty much giving away XP discs now.
If MS are still offering the beta for 7, use that for now, free to download. LMBO or ROFL



Re: Virus Removal Help

Post by Japanese on 4th March 2009, 4:22 pm

How long will the download be?



Re: Virus Removal Help

Post by Belahzur on 4th March 2009, 4:29 pm

Depends on your internet connection.
I could download the beta in about 2-3hrs.

