
Hello,

I have a problem with my PC, there is some kind of virus, ssqrq.dll (I suppose this is it), and a "StorageProtector" thing
(there were 2 false Windows icons on my desktop and when I tried to delete them they appeared again and again).
I tried many anti-viruses and anti-spywares like Kaspersky, Avast, Windows Defender, Ad-Aware and many others.
As a result "StorageProtector" was gone, as I thought, but in the process I found that ssqrq.dll (a BHO, if I'm correct) is a file which none of the monitoring devices could delete.
So I tried for 2 days without any result, but today when I came back home I discovered that "StorageProtector" was back.

Then I searched for helpful topics and found this forum: http://www.daniweb.com/forums/post511422.html

I did as it was written and here are some logs.

At first I did ComboFix stuff (LOG)

ComboFix 08-01-17.5 - bakra 2008-01-16 18:35:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1033.18.241 [GMT 2:00]
Running from: C:\Documents and Settings\bakra\desktop\ComboFix.exe
Command switches used :: /KillAll

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Helper
C:\Program Files\Internet Explorer\setupapi.dll
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cdgwqudt.dllbox
C:\WINDOWS\system32\ehecpvth.ini
C:\WINDOWS\system32\ifleqdyl.dll
C:\WINDOWS\system32\irivtngm.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mkbvjlgf.dllbox
C:\WINDOWS\system32\muvsghke.dll
C:\WINDOWS\system32\qrqss.ini <--------
C:\WINDOWS\system32\qrqss.ini2 <--------
C:\WINDOWS\system32\seulwpoo.ini
C:\WINDOWS\system32\ssqrq.dll <--------
C:\WINDOWS\system32\ssqrq.exe <---------
C:\WINDOWS\system32\wakvnggh.dll
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\xkjhiwco.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NPF
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-16 18:32 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 01:16 . 2005-01-04 20:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-01-15 18:14 . 2008-01-15 18:14 <DIR> d-------- C:\Program Files\VVSN
2008-01-15 18:06 . 2008-01-15 18:18 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-01-15 04:10 . 2008-01-15 04:10 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-15 04:10 . 2008-01-15 04:10 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-15 04:08 . 2008-01-15 04:08 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-15 04:08 . 2008-01-17 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-15 04:08 . 2008-01-17 18:55 992,800 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-15 04:08 . 2008-01-17 18:52 13,532 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-15 04:08 . 2008-01-17 18:54 10,784 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-15 04:08 . 2008-01-17 18:52 2,060 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-15 04:05 . 2008-01-15 04:05 <DIR> d-------- C:\kav
2008-01-14 18:30 . 2008-01-14 18:30 158,208 --a------ C:\WINDOWS\system32\msconfig .exe
2008-01-14 03:16 . 2008-01-14 03:48 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-14 03:16 . 2003-03-18 22:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-14 03:16 . 2003-03-18 21:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-01-14 03:16 . 2003-02-21 05:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-01-14 02:37 . 2008-01-14 02:37 <DIR> d-------- C:\Program Files\RemoveIt
2008-01-14 02:31 . 2008-01-14 03:31 16,384 --a------ C:\WINDOWS\winbait .exe
2008-01-14 02:15 . 2008-01-14 02:25 334,336 --a------ C:\WINDOWS\system32\SSQRQ.DLL.del
2008-01-14 01:54 . 2008-01-14 03:30 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys
2008-01-14 01:54 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-01-14 01:50 . 2008-01-14 01:50 <DIR> d-------- C:\Program Files\Greatis
2008-01-14 01:43 . 2008-01-14 01:43 <DIR> d-------- C:\Program Files\Security Task Manager
2008-01-14 01:43 . 2008-01-16 18:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-14 00:40 . 2008-01-14 01:28 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-13 18:46 . 2008-01-13 18:57 <DIR> d-------- C:\Program Files\RegCleaner
2008-01-13 16:29 . 2008-01-13 16:29 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-01-13 16:29 . 2008-01-13 16:29 <DIR> d-------- C:\WINDOWS\system32\restore
2008-01-13 16:29 . 2008-01-13 16:29 <DIR> d-------- C:\WINDOWS\srchasst
2008-01-13 16:29 . 2008-01-13 16:29 <DIR> d-------- C:\WINDOWS\msagent
2008-01-13 16:29 . 2008-01-13 16:29 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-01-13 13:13 . 2008-01-15 12:52 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-09 13:11 . 2008-01-09 13:11 287 --a------ C:\WINDOWS\game.ini
2008-01-09 13:04 . 2008-01-09 13:04 <DIR> d-------- C:\Program Files\Activision
2008-01-09 13:02 . 2008-01-09 13:02 54,764 --a------ C:\WINDOWS\system32\DXDSS.SYS.del
2008-01-09 13:02 . 2008-01-09 13:02 37,632 --a------ C:\WINDOWS\system32\drivers\NTIO922.SYS.del
2008-01-09 13:02 . 2008-01-13 19:01 16,768 --a------ C:\WINDOWS\system32\tcpip_patcher.sys
2008-01-09 13:02 . 2008-01-09 13:02 7,040 --a------ C:\WINDOWS\system32\drivers\NDISALUO.SYS.del
2008-01-09 13:02 . 2008-01-09 13:02 8 --a------ C:\WINDOWS\system32\-935926108
2008-01-09 01:40 . 2008-01-09 01:40 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-09 01:38 . 2008-01-09 01:38 <DIR> d-------- C:\Program Files\KONAMI
2008-01-08 23:23 . 2005-04-21 18:31 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-07 17:35 . 2008-01-07 17:35 <DIR> d-------- C:\Documents and Settings\bakra\Application Data\FrimaStudio
2007-12-29 02:45 . 2007-12-29 02:45 <DIR> d-------- C:\Program Files\iriver
2007-12-29 02:45 . 2005-04-07 15:15 307,200 --a------ C:\WINDOWS\system32\iFPSP.dll
2007-12-29 02:45 . 2005-04-15 14:13 14,540 --a------ C:\WINDOWS\system32\drivers\T10.SYS
2007-12-29 02:45 . 2004-03-29 17:28 14,531 --a------ C:\WINDOWS\system32\drivers\N10.SYS
2007-12-29 02:45 . 2004-03-29 17:28 14,531 --a------ C:\WINDOWS\system32\drivers\ifpusb.sys
2007-12-29 02:45 . 2004-03-29 17:28 14,531 --a------ C:\WINDOWS\system32\drivers\Ifp900.sys
2007-12-29 02:45 . 2004-03-29 17:28 14,531 --a------ C:\WINDOWS\system32\drivers\Ifp800.sys
2007-12-29 02:45 . 2004-03-29 17:28 14,531 --a------ C:\WINDOWS\system32\drivers\Ifp700.sys
2007-12-29 02:45 . 2004-03-29 17:28 14,531 --a------ C:\WINDOWS\system32\drivers\Ifp500.sys
2007-12-29 02:45 . 2004-03-29 17:28 14,531 --a------ C:\WINDOWS\system32\drivers\ifp300.sys
2007-12-29 02:45 . 2004-03-29 17:28 14,531 --a------ C:\WINDOWS\system32\drivers\Ifp1000.sys
2007-12-23 21:05 . 2007-12-23 21:05 4,608 --a------ C:\WINDOWS\system32\temp.000
2007-12-20 16:50 . 2007-12-20 16:53 <DIR> d-------- C:\Program Files\Absolutist.com
2007-12-18 00:44 . 2007-12-18 00:44 219,664 --a------ C:\WINDOWS\system32\klogon.dll
2007-12-18 00:43 . 2007-12-18 00:43 23,396 --a------ C:\WINDOWS\system32\drivers\klopp.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 15:50 --------- d-----w C:\Program Files\QuickTime
2008-01-15 16:12 --------- d-----w C:\Program Files\ICQLite
2008-01-15 16:09 --------- d--h--r C:\Documents and Settings\bakra\Application Data\yahoo!
2008-01-15 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-15 16:08 --------- d-----w C:\Program Files\Windows Live
2008-01-13 14:23 --------- d-----w C:\Documents and Settings\bakra\Application Data\uTorrent
2008-01-10 17:23 --------- d-----w C:\Program Files\DivX
2008-01-10 17:22 --------- d-----w C:\Program Files\Web Page Maker V2
2008-01-10 17:18 --------- d-----w C:\Program Files\Java
2008-01-10 16:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-02 16:00 --------- d-----w C:\Documents and Settings\bakra\Application Data\Apple Computer
2007-12-24 10:18 --------- d-----w C:\Program Files\FlashGet
2007-12-23 19:05 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-12-23 19:05 286,720 ------w C:\WINDOWS\Setup1.exe
2007-12-15 23:37 --------- d-----w C:\Documents and Settings\bakra\Application Data\Skype
2007-12-13 11:28 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
2007-12-10 18:20 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-09 14:27 --------- d-----w C:\Program Files\WC3Banlist
2007-12-05 22:26 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-05 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-28 01:46 --------- d-----w C:\Documents and Settings\bakra\Application Data\Sony
2007-11-26 07:37 --------- d-----w C:\Program Files\Opera
2007-11-26 07:37 --------- d-----w C:\Program Files\Apple Software Update
2007-11-26 07:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
.

----a-w           847,872 2008-01-13 23:25:32  C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3 .exe
----a-w         4,670,704 2008-01-13 16:39:02  C:\Program Files\Yahoo!\Messenger\YahooMessenger  .exe
----a-w            16,384 2008-01-14 01:31:54  C:\WINDOWS\winbait .exe
----a-w            15,360 2008-01-15 10:52:03  C:\WINDOWS\system32\ctfmon .exe
----a-w           158,208 2008-01-14 16:30:59  C:\WINDOWS\system32\msconfig .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45 36040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2006-06-14 05:39 391680 C:\WINDOWS\system32\cmd.exe]
"nlhr"="C:\WINDOWS\System32\AdvPack.Dll" [2007-10-11 01:55 124928]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2002-12-31 20:00 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cdgwqudt]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\@RegRunOnSecure]
C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-01-02 15:41 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-10-28 15:25 94208 C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-12-10 16:57 133016 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
C:\Program Files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-09-03 19:21 274432 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\ssqrq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\Windows Live\Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 09:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rapget]
--a------ 2007-09-09 20:08 171520 C:\Program Files\Rapget\rapget.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegRun WinBait]
C:\WINDOWS\winbait.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Regrun2]
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Simplify Media]
C:\Documents and Settings\bakra\Local Settings\Application Data\Simplify Media\SimplifyMedia.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 19:19 15872 C:\Program Files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 17:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S0 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys []
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-01-14 03:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService REG_MULTI_SZ LmHosts upnphost SSDPSRV

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 18:55:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-17 18:58:54 - machine was rebooted [bakra]
ComboFix-quarantined-files.txt 2008-01-17 16:58:50
.
2008-01-15 12:07:38 --- E O F ---


then HijackThis (LOG)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:17:37, on 17.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\bakra\Desktop\HiJackThis.exe

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKUS\S-1-5-20\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: ¨ ? ? ? - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
--
End of file - 3148 bytes


and at last VundoFix (it found nothing).

I think there are some more viruses in my PC. So please analyze these logs and help if you can.

Thanks :)

P.S.
After my PC is safe, if it will be safe :) , can you recommend which anti-virus is best (and free ^_^)?
What is this svchost.exe exactly?
And can I delete those backup files?

P.P.S
Sorry for my poor English :)

0

And one more thing...
Some viruses are still in my PC, like ssqrq.dll.del,
but I think I deleted them with Kaspersky Anti-Virus...

0

Please help me... :(
I think it's not a problem for you...

0

My suggestion to you is to use CCleaner and Spybot S&D, and then I want you to go to Run and type in msconfig and make it so that all of your startup entries and all of your services are enabled, then restart and post a new HijackThis log here. I had spyware before that took me 2 months to fully get rid of because of the startup options. So making it so that all of it starts when the computer turns on will ensure that everything comes up in your HJT log.

0

Delete C:\WINDOWS\NirCmd.exe.
msconfig.exe seems to be the Winur worm, so you can delete that.
Delete MFC71.dll,
and get rid of all those temp files.
ssqrq.dll is the Vundo trojan; check out this link for Vundo removal instructions: http://www.spywareremove.com/removeVundo.html
StorageProtector is a rogue anti-spyware program that can install other malware onto the infected computer. I did not detect any StorageProtector files, but here are removal instructions anyway: http://www.spywareremove.com/removeStorageProtector.html
As for what svchost.exe is, it's just a normal Windows component.
I also recommend taking a look at this website that tells you how to self-analyze HijackThis logs; here's the link: http://hometown.aol.co.uk/jrmc137/hjttutorial/tutorial.htm
Hope this helps.

0

Be a little careful!
This msconfig.exe is in the wrong place: C:\WINDOWS\system32\msconfig .exe
-it should be in C:\windows\pchealth\helpctr\binaries\, so I suggest you check its owner. If it is not from Microsoft, delete it.
C:\WINDOWS\system32\temp.000.... I would delete this; system32 is not the place for temp files.
Delete this file: C:\WINDOWS\system32\SSQRQ.DLL.del
NirCmd is from ComboFix.
C:\WINDOWS\system32\MFC71.dll - this file is legitimate!!
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cdgwqudt] - fix this with HijackThis... start it, place a check against this entry:-
O20 - Winlogon Notify: ¨ ? ? ? - C:\WINDOWS\
...and press Fix Checked.

ssqrq.dll removal does not seem to have been handled correctly... this file [with .del extension] exists: C:\WINDOWS\system32\SSQRQ.DLL.del
So may I suggest:
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
*****When the scan completes, right-click inside the white text box, left-click the "Add more files?" line, and paste into the new window these pathnames [one per line]:

C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\qrqss.*

Click the Add Files button, and next the Remove Vundo button.******

You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
Post the contents of C:\vundofix.txt plus a new HijackThis log.

0

1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

RENV::
----a-w 847,872 2008-01-13 23:25:32 C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3 .exe
----a-w 4,670,704 2008-01-13 16:39:02 C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w 16,384 2008-01-14 01:31:54 C:\WINDOWS\winbait .exe
----a-w 15,360 2008-01-15 10:52:03 C:\WINDOWS\system32\ctfmon .exe
----a-w 158,208 2008-01-14 16:30:59 C:\WINDOWS\system32\msconfig .exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:

  • Combofix.txt
  • A new HijackThis log.

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attachments CFScript.gif 27.09 KB
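The two helper posts above triage the logs by eye: a space between the base name and the extension ("msconfig .exe", which is what the RENV:: lines in the CFScript rename), a leftover SSQRQ.DLL.del from a half-finished removal, msconfig.exe sitting in system32 instead of pchealth\helpctr\binaries, the unreadable Winlogon Notify name, and O23 services reported as "file missing" or "Unknown owner". The script below is an added example that turns those same checks into code; it is not part of this thread, of HijackThis or of ComboFix. The sample lines are copied from the ComboFix and HijackThis logs posted above; the expected-location table is an assumption that contains only the one msconfig.exe path the thread gives and would be filled in from a clean reference machine.

```python
"""Triage heuristics for HijackThis / ComboFix log lines (Python 3, stdlib only).

Added example written for this thread; it is not part of HijackThis, ComboFix
or any post above. It encodes the checks the helpers applied by hand:
  * a space between base name and extension ("msconfig .exe"), which is
    what ComboFix's RENV:: directive renames;
  * a leftover ".del" file from an incomplete removal (SSQRQ.DLL.del);
  * a Windows binary outside the directory it belongs in;
  * an O20 Winlogon Notify entry whose name is not printable ASCII;
  * an O23 service whose binary is missing or whose owner is unknown.
"""
import re

# Known-good locations. Only the msconfig.exe entry comes from the thread
# (Windows XP keeps it under pchealth\helpctr\binaries); the table itself is
# an assumption you would extend from a clean reference machine.
EXPECTED_DIR = {
    "msconfig.exe": r"c:\windows\pchealth\helpctr\binaries",
}

PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*')        # drive-letter path to end of field
MISSING_RE = re.compile(r"\s*\(file missing\)?\s*$")  # HJT marker appended to a path

SPACED = "space before extension (RENV candidate)"
LEFTOVER = "leftover .del file"
MISPLACED = "system binary outside its expected directory"
BAD_NOTIFY = "Winlogon Notify entry name is not printable ASCII"
MISSING = "service binary missing"
UNKNOWN = "service owner unknown"


def extract_path(line):
    """Return the first Windows path on the line, minus HJT's '(file missing)'."""
    m = PATH_RE.search(line)
    return MISSING_RE.sub("", m.group(0)) if m else None


def split_path(path):
    """Split on backslashes by hand so the code also runs on non-Windows hosts."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name


def check_path(path):
    """File-name heuristics for one path; returns a list of reason strings."""
    reasons = []
    directory, name = split_path(path)
    if re.search(r"\s+\.[A-Za-z0-9]{1,4}$", name):   # "msconfig .exe"
        reasons.append(SPACED)
    if name.lower().endswith(".del"):
        reasons.append(LEFTOVER)
    canonical = re.sub(r"\s+", "", name).lower()     # "msconfig .exe" -> "msconfig.exe"
    expected = EXPECTED_DIR.get(canonical)
    if expected and directory != expected:
        reasons.append(MISPLACED)
    return reasons


def check_hjt_entry(line):
    """Heuristics that depend on the HijackThis section prefix (O20, O23)."""
    reasons = []
    if line.startswith("O20 - Winlogon Notify:"):
        name = line.split(":", 1)[1].split(" - ")[0].strip()
        if not all(32 <= ord(c) < 127 for c in name):
            reasons.append(BAD_NOTIFY)
    if line.startswith("O23 - Service:"):
        if "(file missing" in line:
            reasons.append(MISSING)
        if "Unknown owner" in line:
            reasons.append(UNKNOWN)
    return reasons


def triage(log_text):
    """Map 1-based line number -> list of reasons, for lines with findings only."""
    findings = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        reasons = []
        path = extract_path(line)
        if path:
            reasons += check_path(path)
        reasons += check_hjt_entry(line)
        if reasons:
            findings[lineno] = reasons
    return findings


# Sample lines copied from the ComboFix and HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
----a-w           158,208 2008-01-14 16:30:59  C:\WINDOWS\system32\msconfig .exe
----a-w         4,670,704 2008-01-13 16:39:02  C:\Program Files\Yahoo!\Messenger\YahooMessenger  .exe
2008-01-09 15:02 . 2008-01-09 15:02 37,632 --a------ C:\WINDOWS\system32\drivers\NTIO922.SYS.del
2008-01-13 15:13 . 2008-01-15 14:52 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O20 - Winlogon Notify: ¨ ? ? ? - C:\WINDOWS\
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
""".strip("\n")

if __name__ == "__main__":
    for lineno, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(lineno, "; ".join(reasons))
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. The checks are deliberately cheap string heuristics, so a clean hit (ctfmon.exe, avp.exe, aawservice.exe above) proves nothing; they only point at the lines worth looking up by hand, which is exactly how the logs were read in this thread.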
0

Crunchie, FF is not rendering this thread fully - I cannot see what you posted about in his Combofix log... there are gaps. ... it could be my FF settings, I do not know. Could you mention this to the backroom boys pls?

0

Yep, no worries. You may want to post that in the feedback forum too?
Just tried it in FF and it looks OK from here.

0

Aw heck, then it must be my settings, thanks Crunchie... and there are so many possibilities for playing with them in FF. Sigh. Looking in the error console it sees a lot of HTML errors in some pages in DaniWeb; doesn't seem to be able to ignore them all... must be a setting for that somewhere..?

Interestingly, Opera pulls it all in...

0

Yeah... FF is a "copy" of Opera - they adopted many of Opera's features. I switched to using FF for DaniWeb because it was faster than Opera for me. Now that I use hosts to block all the ads on the pages though... the difference is not there. May switch back... go Opera!, you unknown king of browsers, you.

0

Where are you bakra? This infection will not go away and will get worse if you do not clean it out.

0


Thanks for helping me.
And sorry I was not at home for 2 days...

Here are results.

CF Log:
ComboFix 08-01-17.5 - bakra 2008-01-26 16:10:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1033.18.247 [GMT 4:00]
Running from: C:\Documents and Settings\bakra\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\bakra\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.

2008-01-24 13:15 . 2008-01-26 15:51 <DIR> d-------- C:\Program Files\Medal of Honor - War in France '44
2008-01-23 15:52 . 2008-01-23 15:55 <DIR> d-------- C:\Program Files\DoD
2008-01-21 09:37 . 2007-07-30 21:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2008-01-16 20:32 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 03:16 . 2005-01-04 22:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-01-15 20:14 . 2008-01-15 20:14 <DIR> d-------- C:\Program Files\VVSN
2008-01-15 20:06 . 2008-01-15 20:18 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-01-15 06:10 . 2008-01-15 06:10 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-15 06:10 . 2008-01-15 06:10 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-15 06:08 . 2008-01-15 06:08 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-15 06:05 . 2008-01-15 06:05 <DIR> d-------- C:\kav
2008-01-14 20:30 . 2008-01-14 20:30 158,208 --a------ C:\WINDOWS\system32\msconfig.exe
2008-01-14 05:16 . 2008-01-14 05:48 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-14 05:16 . 2003-03-19 00:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-14 05:16 . 2003-03-18 23:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-01-14 05:16 . 2003-02-21 07:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-01-14 04:37 . 2008-01-14 04:37 <DIR> d-------- C:\Program Files\RemoveIt
2008-01-14 04:31 . 2008-01-14 05:31 16,384 --a------ C:\WINDOWS\winbait.exe
2008-01-14 03:54 . 2008-01-14 05:30 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys
2008-01-14 03:54 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-01-14 03:50 . 2008-01-14 03:50 <DIR> d-------- C:\Program Files\Greatis
2008-01-14 03:43 . 2008-01-20 15:14 <DIR> d-------- C:\Program Files\Security Task Manager
2008-01-14 03:43 . 2008-01-16 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-14 02:40 . 2008-01-14 03:28 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-13 20:46 . 2008-01-13 20:57 <DIR> d-------- C:\Program Files\RegCleaner
2008-01-13 18:29 . 2008-01-13 18:29 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-01-13 18:29 . 2008-01-13 18:29 <DIR> d-------- C:\WINDOWS\system32\restore
2008-01-13 18:29 . 2008-01-13 18:29 <DIR> d-------- C:\WINDOWS\srchasst
2008-01-13 18:29 . 2008-01-13 18:29 <DIR> d-------- C:\WINDOWS\msagent
2008-01-13 18:29 . 2008-01-13 18:29 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-01-13 15:13 . 2008-01-15 14:52 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-13 15:13 . 2008-01-15 14:52 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-09 15:02 . 2008-01-09 15:02 37,632 --a------ C:\WINDOWS\system32\drivers\NTIO922.SYS.del
2008-01-09 15:02 . 2008-01-13 21:01 16,768 --a------ C:\WINDOWS\system32\tcpip_patcher.sys
2008-01-09 15:02 . 2008-01-09 15:02 7,040 --a------ C:\WINDOWS\system32\drivers\NDISALUO.SYS.del
2008-01-09 15:02 . 2008-01-09 15:02 8 --a------ C:\WINDOWS\system32\-935926108
2008-01-09 03:40 . 2008-01-09 03:40 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-09 03:38 . 2008-01-09 03:38 <DIR> d-------- C:\Program Files\KONAMI
2008-01-09 01:23 . 2005-04-21 20:31 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-07 19:35 . 2008-01-07 19:35 <DIR> d-------- C:\Documents and Settings\bakra\Application Data\FrimaStudio
2007-12-29 04:45 . 2007-12-29 04:45 <DIR> d-------- C:\Program Files\iriver
2007-12-29 04:45 . 2005-04-07 17:15 307,200 --a------ C:\WINDOWS\system32\iFPSP.dll
2007-12-29 04:45 . 2005-04-15 16:13 14,540 --a------ C:\WINDOWS\system32\drivers\T10.SYS
2007-12-29 04:45 . 2004-03-29 19:28 14,531 --a------ C:\WINDOWS\system32\drivers\N10.SYS
2007-12-29 04:45 . 2004-03-29 19:28 14,531 --a------ C:\WINDOWS\system32\drivers\ifpusb.sys
2007-12-29 04:45 . 2004-03-29 19:28 14,531 --a------ C:\WINDOWS\system32\drivers\Ifp900.sys
2007-12-29 04:45 . 2004-03-29 19:28 14,531 --a------ C:\WINDOWS\system32\drivers\Ifp800.sys
2007-12-29 04:45 . 2004-03-29 19:28 14,531 --a------ C:\WINDOWS\system32\drivers\Ifp700.sys
2007-12-29 04:45 . 2004-03-29 19:28 14,531 --a------ C:\WINDOWS\system32\drivers\Ifp500.sys
2007-12-29 04:45 . 2004-03-29 19:28 14,531 --a------ C:\WINDOWS\system32\drivers\ifp300.sys
2007-12-29 04:45 . 2004-03-29 19:28 14,531 --a------ C:\WINDOWS\system32\drivers\Ifp1000.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 08:10 --------- d-----w C:\Documents and Settings\bakra\Application Data\uTorrent
2008-01-16 15:50 --------- d-----w C:\Program Files\QuickTime
2008-01-15 16:12 --------- d-----w C:\Program Files\ICQLite
2008-01-15 16:09 --------- d--h--r C:\Documents and Settings\bakra\Application Data\yahoo!
2008-01-15 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-15 16:08 --------- d-----w C:\Program Files\Windows Live
2008-01-10 17:23 --------- d-----w C:\Program Files\DivX
2008-01-10 17:22 --------- d-----w C:\Program Files\Web Page Maker V2
2008-01-10 17:18 --------- d-----w C:\Program Files\Java
2008-01-10 16:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-02 16:00 --------- d-----w C:\Documents and Settings\bakra\Application Data\Apple Computer
2007-12-24 10:18 --------- d-----w C:\Program Files\FlashGet
2007-12-23 19:05 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-12-23 19:05 286,720 ------w C:\WINDOWS\Setup1.exe
2007-12-20 14:53 --------- d-----w C:\Program Files\Absolutist.com
2007-12-15 23:37 --------- d-----w C:\Documents and Settings\bakra\Application Data\Skype
2007-12-10 18:20 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-09 14:27 --------- d-----w C:\Program Files\WC3Banlist
2007-12-05 22:26 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-05 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-28 01:46 --------- d-----w C:\Documents and Settings\bakra\Application Data\Sony
2007-11-26 07:37 --------- d-----w C:\Program Files\Opera
2007-11-26 07:37 --------- d-----w C:\Program Files\Apple Software Update
2007-11-26 07:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
.

<pre>
----a-w         4,670,704 2008-01-13 16:39:02  C:\Program Files\Yahoo!\Messenger\YahooMessenger  .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-15 14:52 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 14:45 36040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlhr"="C:\WINDOWS\System32\AdvPack.Dll" [2007-10-11 03:55 124928]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2002-12-31 22:00 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\@RegRunOnSecure]
C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-01-02 17:41 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-10-28 17:25 94208 C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-01-15 14:52 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-12-10 18:57 133016 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
C:\Program Files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-09-03 21:21 274432 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\ssqrq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\Windows Live\Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rapget]
--a------ 2007-09-09 22:08 171520 C:\Program Files\Rapget\rapget.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegRun WinBait]
--a------ 2008-01-14 05:31 16384 C:\WINDOWS\winbait.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Regrun2]
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Simplify Media]
C:\Documents and Settings\bakra\Local Settings\Application Data\Simplify Media\SimplifyMedia.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 21:19 15872 C:\Program Files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

S0 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys []
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-01-14 05:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService REG_MULTI_SZ LmHosts upnphost SSDPSRV

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 16:16:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-26 16:19:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-26 12:19:22
.
2008-01-23 20:10:34 --- E O F ---

HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:20:08, on 26.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\bakra\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{51792042-35A5-4456-A5CE-BC5EA0757C77}: NameServer = 62.168.168.2,62.168.168.5
O20 - Winlogon Notify: ¨ ? ? ? - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

--
End of file - 3392 bytes


P.S.
I can't run msconfig.exe :(

0

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • When shown the disclaimer, Select "2"

The above procedure will:


  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

Download the latest combofix from the same links as before.

==

A. Please RUN HijackThis

  1. Click the SCAN button to produce a log.
  2. Place a check mark beside each one of the following items:

    O20 - Winlogon Notify: ¨ ? ? ? - C:\WINDOWS\

  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

B. 1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:


RENV::
----a-w 4,670,704 2008-01-13 16:39:02 C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


7. After reboot, (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix then post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attachments CFScript.gif 27.09 KB th_CF_Cleanup.png 9.98 KB
0

I did everything you told me.

Here are the logs.

CF:
ComboFix 08-01-17.5 - bakra 2008-01-27 17:01:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1033.18.294 [GMT 4:00]
Running from: C:\Documents and Settings\bakra\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\bakra\Desktop\CFScript.txt.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-27 17:01 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-23 15:52 . 2008-01-23 15:55 <DIR> d-------- C:\Program Files\DoD
2008-01-21 09:37 . 2007-07-30 21:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2008-01-16 03:16 . 2005-01-04 22:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-01-15 20:14 . 2008-01-15 20:14 <DIR> d-------- C:\Program Files\VVSN
2008-01-15 20:06 . 2008-01-15 20:18 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-01-15 06:10 . 2008-01-15 06:10 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-15 06:10 . 2008-01-15 06:10 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-15 06:05 . 2008-01-15 06:05 <DIR> d-------- C:\kav
2008-01-14 20:30 . 2008-01-14 20:30 158,208 --a------ C:\WINDOWS\system32\msconfig.exe
2008-01-14 05:16 . 2003-03-19 00:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-14 05:16 . 2003-03-18 23:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-01-14 05:16 . 2003-02-21 07:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-01-14 04:37 . 2008-01-14 04:37 <DIR> d-------- C:\Program Files\RemoveIt
2008-01-14 04:31 . 2008-01-14 05:31 16,384 --a------ C:\WINDOWS\winbait.exe
2008-01-14 03:54 . 2008-01-14 05:30 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys
2008-01-14 03:54 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-01-14 03:50 . 2008-01-14 03:50 <DIR> d-------- C:\Program Files\Greatis
2008-01-14 03:43 . 2008-01-20 15:14 <DIR> d-------- C:\Program Files\Security Task Manager
2008-01-14 03:43 . 2008-01-16 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-13 20:46 . 2008-01-13 20:57 <DIR> d-------- C:\Program Files\RegCleaner
2008-01-13 18:29 . 2008-01-13 18:29 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-01-13 18:29 . 2008-01-13 18:29 <DIR> d-------- C:\WINDOWS\system32\restore
2008-01-13 18:29 . 2008-01-13 18:29 <DIR> d-------- C:\WINDOWS\srchasst
2008-01-13 18:29 . 2008-01-13 18:29 <DIR> d-------- C:\WINDOWS\msagent
2008-01-13 18:29 . 2008-01-13 18:29 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-01-13 15:13 . 2008-01-15 14:52 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-13 15:13 . 2008-01-15 14:52 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-09 15:02 . 2008-01-09 15:02 37,632 --a------ C:\WINDOWS\system32\drivers\NTIO922.SYS.del
2008-01-09 15:02 . 2008-01-13 21:01 16,768 --a------ C:\WINDOWS\system32\tcpip_patcher.sys
2008-01-09 15:02 . 2008-01-09 15:02 7,040 --a------ C:\WINDOWS\system32\drivers\NDISALUO.SYS.del
2008-01-09 15:02 . 2008-01-09 15:02 8 --a------ C:\WINDOWS\system32\-935926108
2008-01-09 03:40 . 2008-01-09 03:40 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-09 03:38 . 2008-01-09 03:38 <DIR> d-------- C:\Program Files\KONAMI
2008-01-09 01:23 . 2005-04-21 20:31 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-07 19:35 . 2008-01-07 19:35 <DIR> d-------- C:\Documents and Settings\bakra\Application Data\FrimaStudio
2007-12-29 04:45 . 2007-12-29 04:45 <DIR> d-------- C:\Program Files\iriver
2007-12-29 04:45 . 2005-04-07 17:15 307,200 --a------ C:\WINDOWS\system32\iFPSP.dll
2007-12-29 04:45 . 2005-04-15 16:13 14,540 --a------ C:\WINDOWS\system32\drivers\T10.SYS
2007-12-29 04:45 . 2004-03-29 19:28 14,531 --a------ C:\WINDOWS\system32\drivers\N10.SYS
2007-12-29 04:45 . 2004-03-29 19:28 14,531 --a------ C:\WINDOWS\system32\drivers\ifpusb.sys
2007-12-29 04:45 . 2004-03-29 19:28 14,531 --a------ C:\WINDOWS\system32\drivers\Ifp900.sys
2007-12-29 04:45 . 2004-03-29 19:28 14,531 --a------ C:\WINDOWS\system32\drivers\Ifp800.sys
2007-12-29 04:45 . 2004-03-29 19:28 14,531 --a------ C:\WINDOWS\system32\drivers\Ifp700.sys
2007-12-29 04:45 . 2004-03-29 19:28 14,531 --a------ C:\WINDOWS\system32\drivers\Ifp500.sys
2007-12-29 04:45 . 2004-03-29 19:28 14,531 --a------ C:\WINDOWS\system32\drivers\ifp300.sys
2007-12-29 04:45 . 2004-03-29 19:28 14,531 --a------ C:\WINDOWS\system32\drivers\Ifp1000.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 09:08 --------- d-----w C:\Documents and Settings\bakra\Application Data\uTorrent
2008-01-16 15:50 --------- d-----w C:\Program Files\QuickTime
2008-01-15 16:09 --------- d--h--r C:\Documents and Settings\bakra\Application Data\yahoo!
2008-01-15 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-15 16:08 --------- d-----w C:\Program Files\Windows Live
2008-01-10 17:23 --------- d-----w C:\Program Files\DivX
2008-01-10 17:22 --------- d-----w C:\Program Files\Web Page Maker V2
2008-01-10 16:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-02 16:00 --------- d-----w C:\Documents and Settings\bakra\Application Data\Apple Computer
2007-12-24 10:18 --------- d-----w C:\Program Files\FlashGet
2007-12-23 19:05 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-12-23 19:05 286,720 ------w C:\WINDOWS\Setup1.exe
2007-12-20 14:53 --------- d-----w C:\Program Files\Absolutist.com
2007-12-15 23:37 --------- d-----w C:\Documents and Settings\bakra\Application Data\Skype
2007-12-10 18:20 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-09 14:27 --------- d-----w C:\Program Files\WC3Banlist
2007-12-05 22:26 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-05 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-28 01:46 --------- d-----w C:\Documents and Settings\bakra\Application Data\Sony
2007-11-07 18:16 6,144 ----a-w C:\WINDOWS\system32\BReWErS.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 15:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.

----a-w         4,670,704 2008-01-13 16:39:02  C:\Program Files\Yahoo!\Messenger\YahooMessenger  .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-15 14:52 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 14:45 36040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlhr"="C:\WINDOWS\System32\AdvPack.Dll" [2007-10-11 03:55 124928]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2002-12-31 22:00 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\@RegRunOnSecure]
C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-01-02 17:41 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-10-28 17:25 94208 C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-01-15 14:52 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
C:\Program Files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-09-03 21:21 274432 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\ssqrq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\Windows Live\Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rapget]
--a------ 2007-09-09 22:08 171520 C:\Program Files\Rapget\rapget.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegRun WinBait]
--a------ 2008-01-14 05:31 16384 C:\WINDOWS\winbait.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Regrun2]
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Simplify Media]
C:\Documents and Settings\bakra\Local Settings\Application Data\Simplify Media\SimplifyMedia.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 21:19 15872 C:\Program Files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

S0 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys []
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-01-14 05:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService REG_MULTI_SZ LmHosts upnphost SSDPSRV

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 17:05:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 17:06:07
.
2008-01-23 20:10:34 --- E O F ---

HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:58:37, on 27.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\bakra\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{51792042-35A5-4456-A5CE-BC5EA0757C77}: NameServer = 62.168.168.2,62.168.168.5
O20 - Winlogon Notify: ¨ ? ? ? - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

--
End of file - 3408 bytes

0

O20 - Winlogon Notify: ¨ ? ? ? - C:\WINDOWS\

I think that this is bad, but I can't find anything on it. I would remove it, and if it messes up the computer, then just restore it with HijackThis.
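To make the judgement in the reply above repeatable, here is an added Python example (it is not code from this thread, nor part of HijackThis or ComboFix) that triages a HijackThis log with the same heuristics the helpers apply by hand: a Winlogon Notify entry whose name is unprintable or whose value does not name a DLL is flagged for action, while services whose file is missing, Winsock LSPs HijackThis does not recognise, and custom DNS servers are queued for manual verification. The sample log is constructed from the lines posted above plus one hypothetical clean O20 entry (crypt32chain); the function and variable names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis log posted in this
# thread, plus one hypothetical clean O20 entry (crypt32chain) for contrast.
# The garbled glyphs in the first O20 line are exactly as they appear in the
# posted log; that garbling is the signal.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{51792042-35A5-4456-A5CE-BC5EA0757C77}: NameServer = 62.168.168.2,62.168.168.5
O20 - Winlogon Notify: ¨ ? ? ? - C:\WINDOWS\
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")


@dataclass
class Finding:
    severity: str  # "high" = act on it, "review" = verify by hand, "info" = note only
    line: str
    reason: str


def is_plain_ascii(text: str) -> bool:
    """True if every character is printable 7-bit ASCII."""
    return all(32 <= ord(ch) < 127 for ch in text)


def triage_line(line: str):
    """Classify one HijackThis line; returns a Finding, or None for lines not judged here."""
    line = line.strip()
    if not line:
        return None

    m = O20_RE.match(line)
    if m:
        # Winlogon Notify DLLs are loaded by winlogon.exe at logon, so a value that
        # hides its name behind unprintable characters, or that does not even name
        # a DLL, is the pattern the replies above treat as malicious.
        reasons = []
        if not is_plain_ascii(m.group("name")):
            reasons.append("entry name contains non-printable or non-ASCII characters")
        if not m.group("path").lower().endswith(".dll"):
            reasons.append("value does not point at a .dll file")
        if reasons:
            return Finding("high", line, "Winlogon Notify: " + "; ".join(reasons))
        return Finding("info", line, "Winlogon Notify entry with a plain name; confirm the DLL is a known system module")

    m = O23_RE.match(line)
    if m:
        if m.group("path").endswith("(file missing)"):
            return Finding("review", line, "service points at a file that no longer exists (orphaned entry)")
        return None

    if line.startswith("O10 - Unknown file in Winsock LSP"):
        return Finding("review", line, "Winsock LSP not on the known-good list; check the DLL's publisher")

    m = O17_RE.match(line)
    if m:
        return Finding("review", line, f"DNS servers {m.group('servers')}: confirm they belong to your ISP")

    return None


def triage_log(text: str) -> list:
    """Run triage_line over every line of a HijackThis log, keeping log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


def summarize(findings: list) -> dict:
    """Count findings per severity, e.g. {'high': 1, 'review': 3, 'info': 1}."""
    counts = {"high": 0, "review": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage_log(SAMPLE_HJT_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(results))
```

On the sample above the script reports the garbled O20 line as the single high finding, and lists the missing-file service, the unknown LSP and the DNS servers for a human to check; the removal itself is still the HijackThis "Fix checked" step the helper described.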

0

O20 - Winlogon Notify: ¨ ? ? ? - C:\WINDOWS\

I removed it with HJT :)

crunchie
PC works great :) Thanks for solving my problem :)

One last question:
Should I use Avast!? I think it's a great anti-virus, but I can't buy the Pro version, so I'm using the Home Edition. Is it alright?

0

You are welcome :).

This thread is now closed. If you need it reopened, please send a PM to one of our Mods.

Include the link to the thread and detail why you need it reopened.

If this is not your thread please start a New Topic.
