The TROJAN.VUNDO.H is IMPOSSIBLE to Get Rid Of!!! Please Help :) ?

  #11  
Old 9th Mar 2009, 16:33
Moderator Group

Please go to VirusTotal.com
(If more than one file needs to be scanned, they must be done separately and the logs posted for each one.)

1. Copy the file path in the Code box below:
Code:
c:\windows\system32\zenufiwu.dll
2. At the upload site, click once inside the window next to Browse.
3. Press Ctrl+V on the keyboard (both keys at the same time) to paste the file path into the window.
4. Next, click Send File.
Your file will possibly be entered into a queue, which normally takes less than a minute to clear.
This will perform a scan across multiple different virus scanning engines.
Important: Wait for all of the scanning engines to complete.
5. Copy and then paste the link to the results in your next reply.

  #12  
Old 9th Mar 2009, 22:02
New Member Group

Amazing! Thanks for the reply. Here is the link:
http://www.virustotal.com/analisis/3...0adfa056e17748

I'm curious, how do the pros know which files are bad in a HijackThis log?

And it seems the virus is almost all removed, am I correct?

Thanks
  #13  
Old 10th Mar 2009, 10:45
Moderator Group

It comes from seeing a lot of logs...

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the code box below by highlighting all the text and pressing Ctrl+C.

Code:
KillAll::

File::
c:\windows\system32\vamomino.dll
c:\windows\system32\nayuvaku.dll
c:\windows\system32\nagohuwo.dll
c:\windows\system32\taviduwa.dll
c:\windows\system32\zenufiwu.dll
c:\windows\system32\reteleza.dll
c:\windows\Tasks\ggogpupo.job
c:\windows\system32\awttrRhF.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

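The question a few posts up, how helpers spot the bad files in a log, has a partly mechanical answer for this family: every DLL in the moderator's CFScript is an eight-letter name with strictly alternating consonants and vowels (vamomino, nayuvaku, zenufiwu, ...), dropped into system32, plus one random mixed-case name (awttrRhF), and the script also clears AppInit_DLLs, the registry value that makes Windows load such a DLL into every process. The Python below is an added triage example, not code from this thread or from ComboFix. It applies that naming heuristic to a constructed set of log lines copied from this thread and parses a constructed REGEDIT4 fragment to list what AppInit_DLLs would load; the DLL named in that fragment is an assumption for illustration, since the thread only shows the value being cleared.

```python
import re

# Constructed sample: paths copied from the CFScript and ComboFix log in
# this thread, mixed with known-good entries from the same log.
SAMPLE_LOG = r"""
c:\windows\system32\vamomino.dll
c:\windows\system32\nayuvaku.dll
c:\windows\system32\zenufiwu.dll
c:\windows\system32\awttrRhF.dll
c:\windows\system32\ctfmon.exe
c:\windows\system32\schannel.dll
c:\windows\system32\avgrsstx.dll
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\FNTCACHE.DAT
c:\windows\Tasks\ggogpupo.job
"""

# Constructed REGEDIT4 fragment. The thread only shows the moderator
# clearing AppInit_DLLs; the DLL named here is an assumed value.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="c:\windows\system32\awttrRhF.dll"
"""

VOWELS = set("aeiou")
PATH_RE = re.compile(r"c:\\windows\\(system32|tasks)\\([A-Za-z0-9_]+)\.([a-z]+)",
                     re.IGNORECASE)
APPINIT_RE = re.compile(r'^"AppInit_DLLs"="(.*)"$', re.MULTILINE)


def alternates(stem):
    """True if the letters strictly alternate consonant/vowel (y counts as a consonant)."""
    kinds = [c in VOWELS for c in stem.lower()]
    return all(kinds[i] != kinds[i + 1] for i in range(len(kinds) - 1))


def mixed_case_random(stem):
    """True for names like awttrRhF: not all-caps, with two or more capitals after the first letter."""
    tail = stem[1:]
    return stem != stem.upper() and sum(c.isupper() for c in tail) >= 2


def classify(path):
    """Return a reason string if the path looks like a Vundo-style DLL, else None."""
    m = PATH_RE.search(path)
    if not m:
        return None
    folder, stem, ext = m.group(1).lower(), m.group(2), m.group(3).lower()
    # The rule is deliberately narrow: only 8-letter, all-alphabetic DLL names in system32.
    if folder != "system32" or ext != "dll" or len(stem) != 8 or not stem.isalpha():
        return None
    if alternates(stem):
        return "8-letter DLL name with alternating consonants/vowels"
    if mixed_case_random(stem):
        return "8-letter DLL name with random mixed case"
    return None


def flag_suspicious_dlls(log_text):
    """Map each suspicious path in the log text to the reason it was flagged."""
    hits = {}
    for line in log_text.splitlines():
        reason = classify(line.strip())
        if reason:
            hits[line.strip()] = reason
    return hits


def appinit_dlls(reg_text):
    """Return the DLLs listed in AppInit_DLLs (empty list when the value is clear or absent)."""
    m = APPINIT_RE.search(reg_text)
    if not m:
        return []
    # The value is a space- or comma-separated list of paths.
    return [p for p in re.split(r"[ ,]+", m.group(1)) if p]


if __name__ == "__main__":
    for path, reason in flag_suspicious_dlls(SAMPLE_LOG).items():
        print(f"{path}: {reason}")
    print("AppInit_DLLs loads:", appinit_dlls(SAMPLE_REG) or "(nothing)")
```

Heuristics like this are triage aids, not verdicts: confirm each hit the way the moderator did, by submitting the file to a multi-engine scanner, and expect looser versions of the rule to trip on legitimate names (PnkBstrA.exe from the same log is also an eight-letter mixed-case name, which is why the mixed-case rule is restricted to DLLs). A non-empty AppInit_DLLs value is worth a look on any XP machine, because whatever it names is loaded into every process that links user32.dll.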
  #14  
Old 11th Mar 2009, 22:34
New Member Group

ComboFix 09-03-06.02 - Owner 2009-03-11 22:54:04.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2441 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\awttrRhF.dll
c:\windows\system32\nagohuwo.dll
c:\windows\system32\nayuvaku.dll
c:\windows\system32\reteleza.dll
c:\windows\system32\taviduwa.dll
c:\windows\system32\vamomino.dll
c:\windows\system32\zenufiwu.dll
c:\windows\Tasks\ggogpupo.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\nagohuwo.dll
c:\windows\system32\nayuvaku.dll
c:\windows\system32\reteleza.dll
c:\windows\system32\taviduwa.dll
c:\windows\system32\vamomino.dll
c:\windows\system32\zenufiwu.dll
c:\windows\Tasks\ggogpupo.job

.
((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.

2009-03-11 03:06 . 2009-03-11 03:06 268 --ah----- C:\sqmdata18.sqm
2009-03-11 03:06 . 2009-03-11 03:06 244 --ah----- C:\sqmnoopt18.sqm
2009-03-09 14:20 . 2009-03-09 14:20 <DIR> d-------- C:\rsit
2009-03-08 19:28 . 2009-03-08 19:28 <DIR> d-------- c:\program files\Trend Micro
2009-03-07 12:41 . 2009-03-07 12:41 244 --ah----- C:\sqmnoopt17.sqm
2009-03-07 12:41 . 2009-03-07 12:41 232 --ah----- C:\sqmdata17.sqm
2009-03-06 12:44 . 2009-03-06 12:44 244 --ah----- C:\sqmnoopt16.sqm
2009-03-06 12:44 . 2009-03-06 12:44 232 --ah----- C:\sqmdata16.sqm
2009-03-06 00:15 . 2009-03-06 00:15 244 --ah----- C:\sqmnoopt15.sqm
2009-03-06 00:15 . 2009-03-06 00:15 232 --ah----- C:\sqmdata15.sqm
2009-02-24 17:09 . 2009-01-09 13:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-02-19 17:01 . 2009-02-19 17:01 268 --ah----- C:\sqmdata14.sqm
2009-02-19 17:01 . 2009-02-19 17:01 244 --ah----- C:\sqmnoopt14.sqm
2009-02-12 09:21 . 2009-02-12 09:21 268 --ah----- C:\sqmdata13.sqm
2009-02-12 09:21 . 2009-02-12 09:21 244 --ah----- C:\sqmnoopt13.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-11 21:41 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-11 09:00 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-10 22:02 --------- d-----w c:\program files\World of Warcraft
2009-03-09 22:18 --------- d-----w c:\program files\Lx_cats
2009-03-09 22:11 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-09 01:27 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-08 19:00 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-26 10:00 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-25 21:28 --------- d-----w c:\documents and settings\Owner\Application Data\U3
2009-02-23 19:04 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
2009-02-23 18:54 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-11 10:08 --------- d-----w c:\program files\Google
2009-01-31 10:01 --------- d-----w c:\program files\MSXML 4.0
2009-01-31 06:44 --------- d-----w c:\program files\Java
2009-01-31 06:36 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-31 06:18 --------- d-----w c:\program files\Lexmark Fax Solutions
2009-01-31 05:35 --------- d-----w c:\program files\Lexmark 2500 Series
2009-01-31 05:33 --------- d-----w c:\documents and settings\All Users\Application Data\FaxCtr
2009-01-31 05:31 --------- d-----w c:\program files\Abbyy FineReader 6.0 Sprint
2009-01-18 22:44 43,672 ----a-w c:\windows\system32\drivers\AFS2K.SYS
2009-01-18 22:44 --------- d-----w c:\program files\HP
2009-01-18 22:44 --------- d-----w c:\program files\Hewlett-Packard
2009-01-13 01:55 --------- d-----w c:\program files\Microsoft SQL Server
2009-01-13 01:54 --------- d-----w c:\program files\MSXML 6.0
2009-01-13 01:54 --------- d-----w c:\program files\Microsoft.NET
2009-01-13 01:50 --------- d-----w c:\program files\Microsoft Synchronization Services
2009-01-13 01:50 --------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-01-13 01:49 --------- d-----w c:\program files\Microsoft Visual Studio 9.0
2009-01-13 01:48 --------- d-----w c:\program files\Microsoft SDKs
2008-08-13 05:47 22,328 ----a-w c:\documents and settings\Owner\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-03-09_16.22.20.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-09 11:08:53 1,847,552 ----a-w c:\windows\$hf_mig$\KB958690\SP3QFE\win32k.sys
+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB958690\spmsg.dll
+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB958690\spuninst.exe
+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB958690\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB958690\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB958690\update\updspapi.dll
+ 2008-12-05 06:58:08 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3QFE\schannel.dll
+ 2007-11-30 11:18:51 17,272 ----a-w c:\windows\$hf_mig$\KB960225\spmsg.dll
+ 2007-11-30 11:18:51 231,288 ----a-w c:\windows\$hf_mig$\KB960225\spuninst.exe
+ 2007-11-30 11:18:51 26,488 ----a-w c:\windows\$hf_mig$\KB960225\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB960225\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB960225\update\updspapi.dll
- 2009-02-11 10:01:15 1,165,584 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-03-11 09:00:46 1,165,584 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\accicons.exe
- 2009-02-11 10:01:16 20,240 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-03-11 09:00:46 20,240 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-02-11 10:01:16 159,504 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-03-11 09:00:46 159,504 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\inficon.exe
- 2009-02-11 10:01:16 184,080 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-03-11 09:00:46 184,080 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\joticon.exe
- 2009-02-11 10:01:16 217,864 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\misc.exe
+ 2009-03-11 09:00:46 217,864 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\misc.exe
- 2009-02-11 10:01:16 18,704 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-03-11 09:00:46 18,704 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-02-11 10:01:16 35,088 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-03-11 09:00:46 35,088 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-02-11 10:01:16 845,584 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-03-11 09:00:46 845,584 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe
- 2009-02-11 10:01:16 922,384 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-03-11 09:00:46 922,384 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pptico.exe
- 2009-02-11 10:01:16 272,648 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-03-11 09:00:46 272,648 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pubs.exe
- 2009-02-11 10:01:16 888,080 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-03-11 09:00:46 888,080 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-02-11 10:01:15 1,172,240 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-03-11 09:00:46 1,172,240 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-12-05 06:54:55 144,896 -c----w c:\windows\system32\dllcache\schannel.dll
- 2008-09-15 12:12:56 1,846,400 -c----w c:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 -c----w c:\windows\system32\dllcache\win32k.sys
- 2007-06-12 05:51:12 10,834,944 -c--a-w c:\windows\system32\dllcache\wmp.dll
+ 2008-11-12 00:34:42 10,838,016 -c--a-w c:\windows\system32\dllcache\wmp.dll
- 2009-01-13 01:51:54 265,416 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-11 09:07:24 265,416 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2008-04-14 00:12:05 144,384 ----a-w c:\windows\system32\schannel.dll
+ 2008-12-05 06:54:55 144,896 ----a-w c:\windows\system32\schannel.dll
- 2007-11-30 11:18:51 26,488 ----a-w c:\windows\system32\spupdsvc.exe
+ 2007-07-27 15:41:38 26,488 ----a-w c:\windows\system32\spupdsvc.exe
- 2008-09-15 12:12:56 1,846,400 ----a-w c:\windows\system32\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 ----a-w c:\windows\system32\win32k.sys
- 2007-06-12 05:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
+ 2008-11-12 00:34:42 10,838,016 ----a-w c:\windows\system32\wmp.dll
+ 2009-03-12 04:56:09 16,384 ----atw c:\windows\temp\Perflib_Perfdata_70c.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-17 68856]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-31 136600]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-31 1601304]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-05-04 176128]
"HPHUPD05"="c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2004-03-31 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2004-05-04 491520]
"LXDDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDDtime.dll" [2007-01-22 102400]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"nwiz"="nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-31 00:36 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
--a------ 2007-02-05 17:32 20480 c:\program files\Lexmark 2500 Series\lxddamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
--a------ 2007-02-12 17:58 291760 c:\program files\Lexmark 2500 Series\lxddmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-02 23:46 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 11:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Actiontec\\BroadBand\\gwconfig.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\lxddcoms.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\hpwuSchd2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6999:TCP"= 6999:TCP:blizz

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-06 325128]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-31 298264]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-07-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-10 369688]
.
Contents of the 'Scheduled Tasks' folder

2009-03-12 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2004-03-31 22:35]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\w7f9tc1y.default\
FF - prefs.js: browser.search.selectedEngine - FireSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
.

************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-11 22:59:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXDDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxddcoms.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\HPZipm12.exe
.
************************************************************************
.
Completion time: 2009-03-11 23:03:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-12 05:03:46
ComboFix2.txt 2009-03-09 22:23:03

Pre-Run: 42,508,881,920 bytes free
Post-Run: 42,556,321,792 bytes free

263 --- E O F --- 2009-03-11 09:01:04
  #15  
Old 11th Mar 2009, 23:42
Moderator Group

  • Click START, then RUN.
  • Now type Combofix /u in the run box.
  • Make sure there's a space between Combofix and /u.
  • Then hit Enter.

  • The above procedure will:
      • Delete ComboFix and its associated files and folders.
      • Reset the clock settings.
      • Hide file extensions, if required.
      • Hide System/Hidden files, if required.
      • Set a new, clean Restore Point.


----------

Download ATF Cleaner by Atribune to your Desktop.

Alternate download link

Note: Vista users must use Run As Administrator
  • Under Main: Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords click No at the prompt.
  • Click Exit on the Main menu to close the program.


Note that your system will run slower for a reboot or two after having used this tool so don't panic.

----------

Download OTCleanIt.exe and save it to your Desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it yourself.


Important: Restart the computer before continuing.

----------

How is the computer running now?


  #16  
Old 11th Mar 2009, 23:53
New Member Group

It seems to be running wonderfully! I have only tested it for 10 mins though. hehe. I will keep a close monitoring of it and let ya know if something goes wrong. If not, then thank you!!!! :) You have done the impossible :))))
  #17  
Old 11th Mar 2009, 23:55
Moderator Group

Sounds good.

Here are a few more suggestions.

Use the Secunia Software Inspector to check for out-of-date software.
Out-of-date software has security vulnerabilities that malware can exploit.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.


----------

Go to Microsoft Windows Update and get all critical updates.

----------

Make sure all of your security programs are up to date and run scans with them regularly.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself safe On The Web for tips and free tools to keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.