Unable to Remove Virus Remnants


Post by flash641 on Mon Apr 27, 2009 6:03 pm

Several days ago, my notebook computer picked up one or more viruses. My troubles began with pop-up screens that would not go away. The pop-up screen informed me that my computer was infected with viruses and that I should download Spyware Protect 2009 to clean my machine. A second pop-up screen told me that the BankerFox.A virus and the Win32/Nuqel.E virus were on my machine. I recognized this as a rogue antivirus/spyware removal scam. Besides the pop-up screens that would not go away, my IE browser was affected. When I clicked on a Favorite link, I would be taken to a completely different URL in many cases. After doing some research, I tried to remove the viruses by running Trend Micro's Sysclean program. I also ran the Hijack This program and the Malwarebytes Anti-Malware program. I have been successful in removing all of the readily observable effects of the viruses. The pop-up screens that would not go away are no longer there. HOWEVER, the Malwarebytes log report indicates I have 4 registry keys that are infected and I have one infected file that the programs could not remove. I will copy and paste this log for your information. I have very limited computer knowledge and I have never edited the Windows registry. How can I remove the infected registry keys and the infected file? Thanks in advance for your help.

flash641

Here is the log:
Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/26/2009 6:27:42 PM
mbam-log-2009-04-26 (18-27-22).txt

Scan type: Quick Scan
Objects scanned: 91696
Time elapsed: 12 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f955c768-b003-4b5b-a0a2-3a9b82dc87ce} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ronzykoc (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f955c768-b003-4b5b-a0a2-3a9b82dc87ce} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\dbgaifs.dll (Trojan.Vundo.H) -> No action taken.

flash641
Novice

Posts : 9
Joined : 2009-04-26
OS : Windows XP
Points : 27812
# Likes : 0


Re: Unable to Remove Virus Remnants

Post by Belahzur on Mon Apr 27, 2009 6:41 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245049
# Likes : 1


Re: Unable to Remove Virus Remnants

Post by flash641 on Mon Apr 27, 2009 7:02 pm

DDS (Ver_09-03-16.01) - NTFSx86
Run by Katherine at 13:56:12.81 on Mon 04/27/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.222.46 [GMT -5:00]

AV: Avanquest VirusScanner Pro *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Katherine\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;
BHO: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - AcroIEHlprObj Class
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: : {f955c768-b003-4b5b-a0a2-3a9b82dc87ce} - c:\windows\system32\dbgaifs.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [dll32] dll32
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [lxdimon.exe] "c:\program files\lexmark 3500-4500 series\lxdimon.exe"
mRun: [lxdiamon] "c:\program files\lexmark 3500-4500 series\lxdiamon.exe"
mRun: [FaxCenterServer] "c:\program files\\lexmark fax solutions\fm3032.exe" /s
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [VirusScannerPro] c:\progra~1\avanqu~1\fix-it\MemCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\kather~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Filter: text/html - {4d01612a-9c2d-4361-add7-39d4f08beff1} - c:\windows\system32\dsound3dd.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: ronzykoc - dbgaifs.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-04-24 10:18 --d----- c:\program files\NortonInstaller
2009-04-23 17:27 --d----- c:\docume~1\kather~1\applic~1\Malwarebytes
2009-04-23 17:27 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-23 17:27 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 17:27 --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-04-23 17:27 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-23 17:18 --d----- c:\program files\Trend Micro
2009-04-23 15:04 --d----- c:\docume~1\kather~1\applic~1\gqdaufzj
2009-04-22 12:20 --d----- c:\docume~1\alluse~1.win\applic~1\Norton
2009-04-22 12:14 --d----- c:\docume~1\alluse~1.win\applic~1\NortonInstaller
2009-04-22 08:37 --d----- c:\windows\system32\179223
2009-04-22 08:37 0 a------- c:\windows\system32\nfr.gpref
2009-04-21 10:38 0 a------- c:\windows\system32\nfr.assembly
2009-04-21 10:33 --d----- c:\windows\system32\219198
2009-04-21 10:27 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-04-18 00:55 10,752 a------- c:\windows\DCEBoot.exe
2009-04-16 16:41 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-16 16:41 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-16 16:41 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-16 16:41 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-16 16:41 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 16:41 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 16:41 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 16:41 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-16 16:41 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-16 16:39 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 16:39 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 16:39 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-15 20:50 4,721,952 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-15 20:50 63,908 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-15 20:50 61,728 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-15 20:50 7,736 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-15 20:49 3,656 a------- C:\rollback.ini
2009-04-15 20:26 --d----- c:\program files\common files\ParetoLogic
2009-04-15 20:26 --d----- c:\docume~1\alluse~1.win\applic~1\ParetoLogic Anti-Virus PLUS
2009-04-15 20:26 --d----- c:\docume~1\alluse~1.win\applic~1\ParetoLogic
2009-04-09 20:25 --d----- c:\program files\Lame for Audacity
2009-04-09 20:23 --d----- c:\program files\Audacity
2009-04-08 19:28 --d----- c:\program files\Common

==================== Find3M ====================

2009-04-27 12:07 5,488 a------- c:\docume~1\kather~1\applic~1\wklnhst.dat
2009-04-23 13:10 143,872 a------- c:\windows\system32\bshsmsyz.dll
2009-04-21 10:27 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 13:09 78,336 -------- c:\windows\system32\ieencode.dll
2009-02-09 07:10 729,088 -------- c:\windows\system32\lsasrv.dll
2009-02-09 07:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:10 714,752 -------- c:\windows\system32\ntdll.dll
2009-02-09 07:10 617,472 -------- c:\windows\system32\advapi32.dll
2009-02-09 06:13 1,846,784 -------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:11 110,592 -------- c:\windows\system32\services.exe
2009-02-06 06:08 2,189,056 -------- c:\windows\system32\ntoskrnl.exe
2009-02-06 05:39 35,328 -------- c:\windows\system32\sc.exe
2009-02-03 14:59 56,832 a------- c:\windows\system32\secur32.dll
2007-09-18 18:35 774,144 a------- c:\program files\RngInterstitial.dll

============= FINISH: 13:57:49.95 ===============


Re: Unable to Remove Virus Remnants

Post by Belahzur on Mon Apr 27, 2009 7:13 pm

Hello.
Do you know how to disable Avanquest VirusScanner? Malware has patched a legit file and we need to replace it with a clean copy. The tool we need to use is very powerful and scanners will find components of this tool as "HackTool", which is a false positive.

Usually, you can disable it by right clicking the tray icon and exit it.


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Please close/disable all protection programs before running Combofix.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Unable to Remove Virus Remnants

Post by flash641 on Mon Apr 27, 2009 8:41 pm

Combofix log file was too big to send all in one part so I broke it into 2 files. Here is first part.
ComboFix 09-04-27.02 - Katherine 04/27/2009 14:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.222.44 [GMT -5:00]
Running from: c:\documents and settings\Katherine\Desktop\ComboFix.exe
AV: Avanquest VirusScanner Pro *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mssfc.dll
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref
c:\windows\system32\sfcfiles.dat
c:\windows\system32\bshsmsyz.dll . . . . failed to delete

Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\sfcfiles.dll


.
((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.

2009-04-24 15:18 . 2009-04-26 18:37 -------- d-----w c:\program files\NortonInstaller
2009-04-23 22:27 . 2009-04-23 22:27 -------- d-----w c:\documents and settings\Katherine\Application Data\Malwarebytes
2009-04-23 22:27 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-23 22:27 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 22:27 . 2009-04-23 22:27 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-04-23 22:27 . 2009-04-23 22:27 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-23 22:18 . 2009-04-23 22:18 -------- d-----w c:\program files\Trend Micro
2009-04-23 20:04 . 2009-04-23 20:04 -------- d-----w c:\documents and settings\Katherine\Application Data\gqdaufzj
2009-04-23 20:04 . 2009-04-23 20:04 -------- d-----w c:\documents and settings\Katherine\Local Settings\Application Data\gqdaufzj
2009-04-22 18:22 . 2009-04-22 18:22 -------- d-----w c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\gqdaufzj
2009-04-22 18:22 . 2009-04-22 18:22 -------- d-----w c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\gqdaufzj
2009-04-22 17:20 . 2009-04-26 18:37 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Norton
2009-04-22 17:14 . 2009-04-26 18:31 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\NortonInstaller
2009-04-22 13:37 . 2009-04-23 22:57 -------- d-----w c:\windows\system32\179223
2009-04-21 15:33 . 2009-04-24 17:35 -------- d-----w c:\windows\system32\219198
2009-04-21 15:27 . 2009-04-21 15:27 213120 -c--a-w c:\windows\system32\dllcache\ndis.sys
2009-04-18 05:55 . 2009-04-23 18:13 10752 ----a-w c:\windows\DCEBoot.exe
2009-04-16 21:41 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 21:41 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 21:41 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 21:41 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 21:41 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 21:41 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 21:41 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 21:41 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 21:41 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 21:39 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 21:39 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-16 01:50 . 2009-04-27 19:58 68128 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-16 01:50 . 2009-04-27 20:03 4820512 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-16 01:26 . 2009-04-18 14:06 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-04-16 01:26 . 2009-04-16 01:26 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\ParetoLogic Anti-Virus PLUS
2009-04-16 01:26 . 2009-04-18 14:06 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\ParetoLogic
2009-04-16 01:20 . 2009-04-16 01:20 -------- d-----w c:\documents and settings\Katherine\Local Settings\Application Data\Downloaded Installations
2009-04-10 01:25 . 2009-04-10 01:25 -------- d-----w c:\program files\Lame for Audacity
2009-04-10 01:23 . 2009-04-19 20:03 -------- d-----w c:\program files\Audacity
2009-04-09 00:28 . 2009-04-23 22:57 -------- d-----w c:\program files\Common

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 19:54 . 2009-04-16 01:50 8432 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-27 19:54 . 2009-04-16 01:50 65564 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-27 17:07 . 2008-06-27 00:33 5488 ----a-w c:\documents and settings\Katherine\Application Data\wklnhst.dat
2009-04-26 23:32 . 2005-04-29 13:10 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-23 18:10 . 2004-08-04 12:00 143872 ----a-w c:\windows\system32\bshsmsyz.dll
2009-04-21 15:27 . 2004-08-04 12:00 213120 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-17 01:23 . 2005-10-16 15:14 -------- d-----w c:\program files\Microsoft AntiSpyware
2009-03-31 17:08 . 2005-04-29 12:33 -------- d-----w c:\program files\Java
2009-03-09 10:19 . 2009-01-20 14:43 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:16 . 2009-03-06 03:00 -------- d-----w c:\program files\Free Accounting
2009-03-06 02:56 . 2009-03-06 02:56 -------- d-----w c:\program files\Microsoft SQL Server
2009-03-03 02:51 . 2005-04-29 12:57 -------- d-----w c:\program files\Hp
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 15:14 . 2008-12-28 19:26 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-21 02:24 . 2008-06-26 17:44 65 ----a-w c:\windows\system32\BD8860DN.DAT
2009-02-20 18:09 . 2004-08-04 12:00 78336 ------w c:\windows\system32\ieencode.dll
2009-02-16 18:35 . 2008-06-26 17:16 43736 ----a-w c:\documents and settings\Katherine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 12:10 . 2004-08-04 12:00 729088 ------w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ------w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ------w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ------w c:\windows\system32\win32k.sys
2009-02-08 00:02 . 2004-08-03 22:59 2066048 ------w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 12:00 110592 ------w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00 2189056 ------w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ------w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2007-09-18 23:35 . 2007-09-18 23:36 774144 ----a-w c:\program files\RngInterstitial.dll
.

------- Sigcheck -------

[7] 2004-08-04 12:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2009-04-21 15:27 213120 5DE5E1B16E2A2EADA03ECE536EE8D721 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-21 15:27 213120 5DE5E1B16E2A2EADA03ECE536EE8D721 c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F955C768-B003-4B5B-A0A2-3A9B82DC87CE}]
2004-08-04 12:00 104448 ----a-w c:\windows\system32\dbgaifs.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-13 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-06-25 98304]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-05-07 435120]
"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-03-05 20480]
"FaxCenterServer"="c:\program files\\Lexmark Fax Solutions\fm3032.exe" [2007-05-07 312240]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 995328]
"VirusScannerPro"="c:\progra~1\AVANQU~1\Fix-It\MemCheck.exe" [2008-08-26 173312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

c:\documents and settings\Pichoff\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-1-6 344064]

c:\documents and settings\Katherine\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-1-6 344064]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ronzykoc]
2004-08-04 12:00 104448 ----a-w c:\windows\system32\dbgaifs.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"c:\\WINDOWS\\system32\\lxdicfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=

R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe [2007-04-26 99248]
R3 MailScan;MailScan;c:\progra~1\AVANQU~1\Fix-It\MailScan.sys [2008-08-26 20496]
S0 qtgmnumu;qtgmnumu;c:\windows\system32\drivers\qtgmnumu.sys [2004-08-04 23424]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe [2007-04-26 517040]
S2 tmpreflt;tmpreflt;c:\progra~1\AVANQU~1\Fix-It\tmpreflt.sys [2007-08-31 32528]
S3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]


Re: Unable to Remove Virus Remnants

Post by flash641 on Mon Apr 27, 2009 8:45 pm

Here is 2nd part of Combofix log file.
--- Other Services/Drivers In Memory ---

*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fix-It Task Manager
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - hpqwmi
*Deregistered* - HTTPFilter
*Deregistered* - ImapiService
*Deregistered* - IntuitUpdateService
*Deregistered* - iPodService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - lxdi_device
*Deregistered* - Messenger
*Deregistered* - MSSQLSERVER
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - upnphost
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xqksquzl
.
Contents of the 'Scheduled Tasks' folder

2009-04-27 c:\windows\Tasks\At1.job
- c:\windows\system32\dbgaifs.dll [2004-08-04 12:00]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;
.
.
------- File Associations -------
.
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-27 14:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????2?1?0?0??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1292428093-1275210071-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3120)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\AVANQU~1\Fix-It\mxtask.exe
c:\progra~1\AVANQU~1\Fix-It\mxtask.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HPQ\Shared\hpqwmi.exe
.
**************************************************************************
.
Completion time: 2009-04-27 15:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-27 20:13

Pre-Run: 13,159,837,696 bytes free
Post-Run: 13,230,080,000 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /usepmtimer /NoExecute=OptIn

269 --- E O F --- 2009-04-17 03:38


Re: Unable to Remove Virus Remnants

Post by Belahzur on Mon Apr 27, 2009 8:56 pm

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
qtgmnumu

Folder::
c:\windows\system32\179223
c:\windows\system32\219198

File::
c:\windows\system32\drivers\qtgmnumu.sys
c:\windows\Tasks\At1.job
c:\windows\system32\dbgaifs.dll
c:\windows\system32\bshsmsyz.dll

NetSvc::
xqksquzl

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F955C768-B003-4B5B-A0A2-3A9B82DC87CE}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ronzykoc]

FCOPY::
c:\windows\$NtServicePackUninstall$\ndis.sys | c:\windows\system32\drivers\ndis.sys
c:\windows\$NtServicePackUninstall$\ndis.sys | c:\windows\system32\dllcache\ndis.sys

DDS::
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


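As an added example, not part of this thread or of ComboFix itself: a small Python checker that splits a CFScript.txt of the kind posted above into its directive sections (KILLALL, Driver, Folder, File, NetSvc, Registry, FCOPY, DDS) and reports malformed entries before the file is handed to ComboFix. The directive names and the sample script are taken from the post; the validation rules (absolute paths, 'src | dst' FCOPY pairs, hive-rooted registry keys) are this example's own assumptions, not ComboFix's documented grammar.

```python
"""Parse and sanity-check a ComboFix CFScript.txt before it is run.

Constructed example for this thread. It only reads the script text and
reports findings; it never touches files, services or the registry.
"""
import re
from dataclasses import dataclass, field

FLAG_DIRECTIVES = {"KILLALL"}                      # directives that take no items
LIST_DIRECTIVES = {"Driver", "Folder", "File", "NetSvc", "Registry", "FCOPY", "DDS"}
ABS_PATH = re.compile(r"^[A-Za-z]:\\\S")          # c:\... (no relative paths)
REG_KEY = re.compile(r"^\[-?(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKEY_USERS"
                     r"|HKEY_CLASSES_ROOT|HKLM|HKCU)\\.+\]$")
SERVICE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")   # plain service/driver names only

# The CFScript from the post above (copied verbatim, used as the sample input).
SAMPLE_SCRIPT = r"""
KILLALL::

Driver::
qtgmnumu

Folder::
c:\windows\system32\179223
c:\windows\system32\219198

File::
c:\windows\system32\drivers\qtgmnumu.sys
c:\windows\Tasks\At1.job
c:\windows\system32\dbgaifs.dll
c:\windows\system32\bshsmsyz.dll

NetSvc::
xqksquzl

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F955C768-B003-4B5B-A0A2-3A9B82DC87CE}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ronzykoc]

FCOPY::
c:\windows\$NtServicePackUninstall$\ndis.sys | c:\windows\system32\drivers\ndis.sys
c:\windows\$NtServicePackUninstall$\ndis.sys | c:\windows\system32\dllcache\ndis.sys

DDS::
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;
"""


@dataclass
class CFScript:
    flags: set = field(default_factory=set)
    sections: dict = field(default_factory=dict)   # directive -> list of item lines
    problems: list = field(default_factory=list)   # human-readable findings


def parse_cfscript(text: str) -> CFScript:
    """Split the script into directive sections, then run the per-section checks."""
    script = CFScript()
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                     # a directive header such as File::
            name = line[:-2]
            if name in FLAG_DIRECTIVES:
                script.flags.add(name)
                current = None
            elif name in LIST_DIRECTIVES:
                current = name
                script.sections.setdefault(name, [])
            else:
                script.problems.append(f"line {lineno}: unknown directive '{line}'")
                current = None
            continue
        if current is None:                         # an item with no directive above it
            script.problems.append(f"line {lineno}: item outside any directive: {line}")
            continue
        script.sections[current].append(line)
    _check(script)
    return script


def fcopy_pairs(script: CFScript) -> list:
    """FCOPY:: lines are 'source | destination'; return them as (src, dst) tuples."""
    pairs = []
    for item in script.sections.get("FCOPY", []):
        parts = [p.strip() for p in item.split("|")]
        if len(parts) == 2:
            pairs.append((parts[0], parts[1]))
    return pairs


def _check(script: CFScript) -> None:
    """Per-directive sanity rules; each failure becomes one entry in script.problems."""
    for name in ("File", "Folder"):
        for item in script.sections.get(name, []):
            if not ABS_PATH.match(item):
                script.problems.append(f"{name}:: '{item}' is not an absolute path")
    for name in ("Driver", "NetSvc"):
        for item in script.sections.get(name, []):
            if not SERVICE_NAME.match(item):
                script.problems.append(f"{name}:: '{item}' is not a plain service name")
    for item in script.sections.get("FCOPY", []):
        parts = [p.strip() for p in item.split("|")]
        if len(parts) != 2 or not all(ABS_PATH.match(p) for p in parts):
            script.problems.append(f"FCOPY:: '{item}' must be 'C:\\src | C:\\dst'")
        elif parts[0].lower() == parts[1].lower():
            script.problems.append(f"FCOPY:: '{item}' copies a file onto itself")
    saw_key = False
    for item in script.sections.get("Registry", []):
        if item.startswith("["):                    # [KEY] or [-KEY] (delete) line
            saw_key = bool(REG_KEY.match(item))
            if not saw_key:
                script.problems.append(f"Registry:: '{item}' is not a hive-rooted key")
        elif not saw_key:                           # "name"=value line with no key above
            script.problems.append(f"Registry:: value '{item}' appears before any key")


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_SCRIPT)
    for directive, items in parsed.sections.items():
        print(f"{directive}:: {len(items)} item(s)")
    print("problems:", parsed.problems or "none")
```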

Re: Unable to Remove Virus Remnants

Post by flash641 on Mon Apr 27, 2009 9:45 pm

ComboFix 09-04-27.02 - Katherine 04/27/2009 16:15.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.222.41 [GMT -5:00]
Running from: c:\documents and settings\Katherine\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Katherine\Desktop\CFScript.txt
AV: Avanquest VirusScanner Pro *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\bshsmsyz.dll
c:\windows\system32\dbgaifs.dll
c:\windows\system32\drivers\qtgmnumu.sys
c:\windows\Tasks\At1.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\179223
c:\windows\system32\219198
c:\windows\system32\bshsmsyz.dll
c:\windows\system32\dbgaifs.dll
c:\windows\system32\drivers\qtgmnumu.sys
c:\windows\Tasks\At1.job

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\ndis.sys --> c:\windows\system32\drivers\ndis.sys
c:\windows\$NtServicePackUninstall$\ndis.sys --> c:\windows\system32\dllcache\ndis.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_QTGMNUMU
-------\Service_qtgmnumu


((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.

2009-04-24 15:18 . 2009-04-26 18:37 -------- d-----w c:\program files\NortonInstaller
2009-04-23 22:27 . 2009-04-23 22:27 -------- d-----w c:\documents and settings\Katherine\Application Data\Malwarebytes
2009-04-23 22:27 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-23 22:27 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 22:27 . 2009-04-23 22:27 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-04-23 22:27 . 2009-04-23 22:27 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-23 22:18 . 2009-04-23 22:18 -------- d-----w c:\program files\Trend Micro
2009-04-23 20:04 . 2009-04-23 20:04 -------- d-----w c:\documents and settings\Katherine\Application Data\gqdaufzj
2009-04-23 20:04 . 2009-04-23 20:04 -------- d-----w c:\documents and settings\Katherine\Local Settings\Application Data\gqdaufzj
2009-04-22 18:22 . 2009-04-22 18:22 -------- d-----w c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\gqdaufzj
2009-04-22 18:22 . 2009-04-22 18:22 -------- d-----w c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\gqdaufzj
2009-04-22 17:20 . 2009-04-26 18:37 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Norton
2009-04-22 17:14 . 2009-04-26 18:31 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\NortonInstaller
2009-04-18 05:55 . 2009-04-23 18:13 10752 ----a-w c:\windows\DCEBoot.exe
2009-04-16 21:41 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 21:41 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 21:41 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 21:41 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 21:41 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 21:41 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 21:41 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 21:41 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 21:41 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 21:39 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 21:39 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-16 01:50 . 2009-04-27 21:25 73504 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-16 01:50 . 2009-04-27 21:31 4897568 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-16 01:26 . 2009-04-18 14:06 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-04-16 01:26 . 2009-04-16 01:26 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\ParetoLogic Anti-Virus PLUS
2009-04-16 01:26 . 2009-04-18 14:06 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\ParetoLogic
2009-04-16 01:20 . 2009-04-16 01:20 -------- d-----w c:\documents and settings\Katherine\Local Settings\Application Data\Downloaded Installations
2009-04-10 01:25 . 2009-04-10 01:25 -------- d-----w c:\program files\Lame for Audacity
2009-04-10 01:23 . 2009-04-19 20:03 -------- d-----w c:\program files\Audacity
2009-04-09 00:28 . 2009-04-23 22:57 -------- d-----w c:\program files\Common

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 21:23 . 2009-04-16 01:50 8936 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-27 21:23 . 2009-04-16 01:50 66596 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-27 21:16 . 2004-08-04 12:00 23424 ----a-w c:\windows\system32\drivers\zupvpxru.sys
2009-04-27 20:38 . 2008-06-27 00:33 5780 ----a-w c:\documents and settings\Katherine\Application Data\wklnhst.dat
2009-04-26 23:32 . 2005-04-29 13:10 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-17 01:23 . 2005-10-16 15:14 -------- d-----w c:\program files\Microsoft AntiSpyware
2009-03-31 17:08 . 2005-04-29 12:33 -------- d-----w c:\program files\Java
2009-03-09 10:19 . 2009-01-20 14:43 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:16 . 2009-03-06 03:00 -------- d-----w c:\program files\Free Accounting
2009-03-06 02:56 . 2009-03-06 02:56 -------- d-----w c:\program files\Microsoft SQL Server
2009-03-03 02:51 . 2005-04-29 12:57 -------- d-----w c:\program files\Hp
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 15:14 . 2008-12-28 19:26 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-21 02:24 . 2008-06-26 17:44 65 ----a-w c:\windows\system32\BD8860DN.DAT
2009-02-20 18:09 . 2004-08-04 12:00 78336 ------w c:\windows\system32\ieencode.dll
2009-02-16 18:35 . 2008-06-26 17:16 43736 ----a-w c:\documents and settings\Katherine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 12:10 . 2004-08-04 12:00 729088 ------w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ------w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ------w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ------w c:\windows\system32\win32k.sys
2009-02-08 00:02 . 2004-08-03 22:59 2066048 ------w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 12:00 110592 ------w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00 2189056 ------w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ------w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2007-09-18 23:35 . 2007-09-18 23:36 774144 ----a-w c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-27 21:25 . 2009-04-27 21:25 16384 c:\windows\temp\Perflib_Perfdata_240.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-13 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-06-25 98304]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-05-07 435120]
"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-03-05 20480]
"FaxCenterServer"="c:\program files\\Lexmark Fax Solutions\fm3032.exe" [2007-05-07 312240]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 995328]
"VirusScannerPro"="c:\progra~1\AVANQU~1\Fix-It\MemCheck.exe" [2008-08-26 173312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

c:\documents and settings\Pichoff\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-1-6 344064]

c:\documents and settings\Katherine\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-1-6 344064]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"c:\\WINDOWS\\system32\\lxdicfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=

R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe [2007-04-26 99248]
R3 MailScan;MailScan;c:\progra~1\AVANQU~1\Fix-It\MailScan.sys [2008-08-26 20496]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe [2007-04-26 517040]
S3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - QTGMNUMU
*Deregistered* - Nla
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasAuto
*Deregistered* - RasMan
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - upnphost
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
Rootkit scan 2009-04-27 16:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????2?1?0?0??P???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1292428093-1275210071-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3168)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\AVANQU~1\Fix-It\mxtask.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\progra~1\AVANQU~1\Fix-It\mxtask.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HPQ\Shared\hpqwmi.exe
.
**************************************************************************
.
Completion time: 2009-04-27 16:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-27 21:39
ComboFix2.txt 2009-04-27 20:13

Pre-Run: 13,212,180,480 bytes free
Post-Run: 13,162,655,744 bytes free

228 --- E O F --- 2009-04-17 03:38


Re: Unable to Remove Virus Remnants

Post by Belahzur on Mon Apr 27, 2009 10:02 pm

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
QTGMNUMU

File::
c:\windows\system32\drivers\zupvpxru.sys

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.



Re: Unable to Remove Virus Remnants

Post by flash641 on Mon Apr 27, 2009 10:41 pm

ComboFix 09-04-27.02 - Katherine 04/27/2009 17:12.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.222.36 [GMT -5:00]
Running from: c:\documents and settings\Katherine\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Katherine\Desktop\CFScript.txt
AV: Avanquest VirusScanner Pro *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\zupvpxru.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\zupvpxru.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_QTGMNUMU


((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.

2009-04-24 15:18 . 2009-04-26 18:37 -------- d-----w c:\program files\NortonInstaller
2009-04-23 22:27 . 2009-04-23 22:27 -------- d-----w c:\documents and settings\Katherine\Application Data\Malwarebytes
2009-04-23 22:27 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-23 22:27 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 22:27 . 2009-04-23 22:27 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-04-23 22:27 . 2009-04-23 22:27 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-23 22:18 . 2009-04-23 22:18 -------- d-----w c:\program files\Trend Micro
2009-04-23 20:04 . 2009-04-23 20:04 -------- d-----w c:\documents and settings\Katherine\Application Data\gqdaufzj
2009-04-23 20:04 . 2009-04-23 20:04 -------- d-----w c:\documents and settings\Katherine\Local Settings\Application Data\gqdaufzj
2009-04-22 18:22 . 2009-04-22 18:22 -------- d-----w c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\gqdaufzj
2009-04-22 18:22 . 2009-04-22 18:22 -------- d-----w c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\gqdaufzj
2009-04-22 17:20 . 2009-04-26 18:37 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Norton
2009-04-22 17:14 . 2009-04-26 18:31 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\NortonInstaller
2009-04-18 05:55 . 2009-04-23 18:13 10752 ----a-w c:\windows\DCEBoot.exe
2009-04-16 21:41 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 21:41 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 21:41 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 21:41 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 21:41 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 21:41 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 21:41 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 21:41 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 21:41 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 21:39 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 21:39 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-16 01:50 . 2009-04-27 22:21 78112 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-16 01:50 . 2009-04-27 22:27 4967456 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-16 01:26 . 2009-04-18 14:06 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-04-16 01:26 . 2009-04-16 01:26 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\ParetoLogic Anti-Virus PLUS
2009-04-16 01:26 . 2009-04-18 14:06 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\ParetoLogic
2009-04-16 01:20 . 2009-04-16 01:20 -------- d-----w c:\documents and settings\Katherine\Local Settings\Application Data\Downloaded Installations
2009-04-10 01:25 . 2009-04-10 01:25 -------- d-----w c:\program files\Lame for Audacity
2009-04-10 01:23 . 2009-04-19 20:03 -------- d-----w c:\program files\Audacity
2009-04-09 00:28 . 2009-04-23 22:57 -------- d-----w c:\program files\Common

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 22:20 . 2009-04-16 01:50 9368 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-27 22:20 . 2009-04-16 01:50 67556 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-27 20:38 . 2008-06-27 00:33 5780 ----a-w c:\documents and settings\Katherine\Application Data\wklnhst.dat
2009-04-26 23:32 . 2005-04-29 13:10 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-17 01:23 . 2005-10-16 15:14 -------- d-----w c:\program files\Microsoft AntiSpyware
2009-03-31 17:08 . 2005-04-29 12:33 -------- d-----w c:\program files\Java
2009-03-09 10:19 . 2009-01-20 14:43 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:16 . 2009-03-06 03:00 -------- d-----w c:\program files\Free Accounting
2009-03-06 02:56 . 2009-03-06 02:56 -------- d-----w c:\program files\Microsoft SQL Server
2009-03-03 02:51 . 2005-04-29 12:57 -------- d-----w c:\program files\Hp
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 15:14 . 2008-12-28 19:26 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-21 02:24 . 2008-06-26 17:44 65 ----a-w c:\windows\system32\BD8860DN.DAT
2009-02-20 18:09 . 2004-08-04 12:00 78336 ------w c:\windows\system32\ieencode.dll
2009-02-16 18:35 . 2008-06-26 17:16 43736 ----a-w c:\documents and settings\Katherine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 12:10 . 2004-08-04 12:00 729088 ------w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ------w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ------w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ------w c:\windows\system32\win32k.sys
2009-02-08 00:02 . 2004-08-03 22:59 2066048 ------w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 12:00 110592 ------w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00 2189056 ------w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ------w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2007-09-18 23:35 . 2007-09-18 23:36 774144 ----a-w c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-27 22:22 . 2009-04-27 22:22 16384 c:\windows\temp\Perflib_Perfdata_560.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 182912 c:\windows\system32\drivers\ndis.sys
+ 2004-08-04 12:00 . 2004-08-04 12:00 182912 c:\windows\system32\dllcache\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-13 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-06-25 98304]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-05-07 435120]
"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-03-05 20480]
"FaxCenterServer"="c:\program files\\Lexmark Fax Solutions\fm3032.exe" [2007-05-07 312240]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 995328]
"VirusScannerPro"="c:\progra~1\AVANQU~1\Fix-It\MemCheck.exe" [2008-08-26 173312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

c:\documents and settings\Pichoff\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-1-6 344064]

c:\documents and settings\Katherine\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-1-6 344064]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"c:\\WINDOWS\\system32\\lxdicfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=

R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe [2007-04-26 99248]
R3 MailScan;MailScan;c:\progra~1\AVANQU~1\Fix-It\MailScan.sys [2008-08-26 20496]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe [2007-04-26 517040]
S2 tmpreflt;tmpreflt;c:\progra~1\AVANQU~1\Fix-It\tmpreflt.sys [2007-08-31 32528]
S3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]

.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
Rootkit scan 2009-04-27 17:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????2?1?0?0??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1292428093-1275210071-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3980)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\AVANQU~1\Fix-It\mxtask.exe
c:\progra~1\AVANQU~1\Fix-It\mxtask.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HPQ\Shared\hpqwmi.exe
.
**************************************************************************
.
Completion time: 2009-04-27 17:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-27 22:36
ComboFix2.txt 2009-04-27 21:39
ComboFix3.txt 2009-04-27 20:13

Pre-Run: 13,146,083,328 bytes free
Post-Run: 13,141,610,496 bytes free

188 --- E O F --- 2009-04-17 03:38


Re: Unable to Remove Virus Remnants

Post by Belahzur on Mon Apr 27, 2009 11:15 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine now?



Re: Unable to Remove Virus Remnants

Post by flash641 on Mon Apr 27, 2009 11:55 pm

I ran Malwarebytes again and everything looked fine. I really do appreciate your help in overcoming this problem. I could not have done it alone. Many thanks. You are really good at what you do.

Jim P (flash641)

flash641 | Novice | Posts: 9 | Joined: 2009-04-26 | OS: Windows XP

Re: Unable to Remove Virus Remnants

Post by Belahzur on Tue Apr 28, 2009 12:22 am

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.

Belahzur | Administrator | Posts: 34916 | Joined: 2008-08-03 | OS: XP SP3 Media Centre
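The prevention steps in the post above (Automatic Updates on, firewall on, antivirus present and updated) are settings a reader can verify rather than take on trust. The script below is an added example written for this page; it is not Belahzur's code, not forum code and not a vendor tool. It only reads: the documented Automatic Updates registry values (Group Policy key first, then the Control Panel key), the per-profile `EnableFirewall` value under the Windows Firewall policy key, the `wuauserv` service state, and the Security Center WMI `AntiVirusProduct` class. It assumes Windows PowerShell 2.0 through 5.1 (it uses `Get-WmiObject`) on a client edition of Windows; the Security Center namespaces do not exist on server editions, and the Public firewall profile and `root\SecurityCenter2` only exist on Vista and later, so those lookups are allowed to fail silently on XP.

```powershell
# Added example for this page, not code from the thread or any vendor.
# Read-only audit of the prevention steps recommended above: Automatic Updates,
# Windows Firewall, the Windows Update service and a registered antivirus product.
# Assumes Windows PowerShell 2.0 to 5.1 on a Windows client SKU.

function Get-AutoUpdateState {
    # A Group Policy setting under HKLM\SOFTWARE\Policies overrides the
    # Control Panel value under HKLM\SOFTWARE\Microsoft, so it is checked first.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    if ($policy -and $policy.NoAutoUpdate -eq 1) { return 'Disabled by Group Policy' }

    $local = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
    $opt = $null
    if ($policy -and $policy.AUOptions) { $opt = $policy.AUOptions }
    elseif ($local -and $local.AUOptions) { $opt = $local.AUOptions }

    # AUOptions values as documented for the Automatic Updates client.
    switch ($opt) {
        1 { 'Disabled' }
        2 { 'Notify before download' }
        3 { 'Download automatically, notify before install' }
        4 { 'Fully automatic (download and install)' }
        5 { 'Automatic, local admin may change' }
        default { 'Not configured' }
    }
}

function Get-FirewallProfiles {
    # EnableFirewall = 1 means the profile's firewall is on. XP SP2/SP3 has the
    # Domain and Standard profiles; Vista and later add Public. Missing keys are skipped.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($name in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $p = Get-ItemProperty -Path "$base\$name" -ErrorAction SilentlyContinue
        if ($p -ne $null) {
            New-Object PSObject -Property @{ Profile = $name; Enabled = ($p.EnableFirewall -eq 1) }
        }
    }
}

function Get-UpdateServiceStatus {
    # Automatic Updates cannot run if the Windows Update service is stopped or disabled.
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    if ($svc) { [string]$svc.Status } else { 'Service not found' }
}

function Get-RegisteredAntivirus {
    # XP registers AV with Security Center under root\SecurityCenter; Vista and
    # later use root\SecurityCenter2. Neither namespace exists on server SKUs.
    foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
        $products = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue
        if ($products) { return @($products | ForEach-Object { $_.displayName }) }
    }
    return @()
}

# Report. Anything shown as OFF, Disabled or none is a gap in the steps above.
Write-Host ("Automatic Updates : {0}" -f (Get-AutoUpdateState))
Write-Host ("Update service    : {0}" -f (Get-UpdateServiceStatus))
Get-FirewallProfiles | ForEach-Object {
    $state = 'OFF'
    if ($_.Enabled) { $state = 'on' }
    Write-Host ("Firewall {0,-16}: {1}" -f $_.Profile, $state)
}
# @( ) forces an array so .Count works on PowerShell 2.0 even for a single product.
$av = @(Get-RegisteredAntivirus)
if ($av.Count -eq 0) { Write-Host 'Antivirus         : none registered with Security Center' }
else { Write-Host ("Antivirus         : {0}" -f ($av -join ', ')) }
```

Run it from a normal PowerShell prompt; all of the keys it reads are world-readable, so elevation is not needed. A product listed by Security Center is only evidence that something is registered, not that its signatures are current, so the "keep it up-to-date" part of step 4 still has to be checked in the product itself.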
