Trojan thought to be removed but.....
  #11  
Old 22nd Apr 2008, 12:41
Member Group
 
Trojan thought to be removed but.....

I have done the ComboFix scan and here is the log:

ComboFix 08-04-20.5 - Katie 2008-04-22 20:12:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.186 [GMT 1:00]
Running from: C:\Documents and Settings\Katie\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - svchost.exe: deleted 68 bytes in 1 streams.
ADS - ntoskrnl.exe: deleted 68 bytes in 1 streams.
ADS - explorer.exe: deleted 132 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\CKmTCcdd.ini
C:\WINDOWS\system32\CKmTCcdd.ini2
.
((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.
2008-04-22 20:12 . 2008-04-22 20:12 1,024 --ah----- C:\Documents and Settings\Default User.WINDOWS\ntuser.dat.LOG
2008-04-22 18:38 . 2008-04-22 18:38 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-22 18:21 . 2008-04-22 18:55 <DIR> d-------- C:\SDFix
2008-04-21 21:04 . 2008-04-21 21:04 <DIR> d-------- C:\Documents and Settings\Katie\Contacts
2008-04-21 19:56 . 2008-04-21 19:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-21 18:48 . 2008-04-21 18:48 268 --ah----- C:\sqmdata01.sqm
2008-04-21 18:48 . 2008-04-21 18:48 244 --ah----- C:\sqmnoopt01.sqm
2008-04-21 18:25 . 2008-04-21 18:25 <DIR> d-------- C:\Documents and Settings\Katie\DoctorWeb
2008-04-21 16:47 . 2008-04-22 18:21 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\LimeWire
2008-04-20 19:33 . 2008-04-20 20:09 <DIR> d--hs---- C:\Documents and Settings\Katie\!
2008-04-20 11:38 . 2008-04-20 11:38 53,312 --a------ C:\WINDOWS\system32\vmudtcfc.dll
2008-04-20 11:37 . 2008-04-21 16:37 109,734 --a------ C:\WINDOWS\BM639603ab.xml
2008-04-19 22:59 . 2008-04-19 23:01 <DIR> d--hs---- C:\Documents and Settings\Angie\!
2008-04-19 22:59 . 2008-04-19 22:59 1,773,568 ---hs---- C:\Documents and Settings\Angie\svchost.exe
2008-04-19 22:55 . 2008-04-21 18:04 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-19 22:54 . 2008-04-19 22:55 <DIR> d-------- C:\WINDOWS\system32\xcsDd05
2008-04-19 22:54 . 2008-04-19 22:54 <DIR> d-------- C:\Temp\berDrv11
2008-04-19 22:54 . 2008-04-19 22:54 <DIR> d-------- C:\Temp
2008-04-18 20:10 . 2008-04-18 20:10 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-04-18 20:09 . 2008-04-18 20:09 <DIR> d-------- C:\WINDOWS\Sun
2008-04-10 23:02 . 2008-04-10 23:02 <DIR> d-------- C:\Program Files\PTC
2008-04-10 21:00 . 2008-04-10 22:09 <DIR> d-------- C:\Documents and Settings\Angie\Contacts
2008-04-10 20:33 . 2008-04-10 20:33 <DIR> d-------- C:\Documents and Settings\Angie\Application Data\MSNInstaller
2008-04-10 18:39 . 2008-04-10 18:39 <DIR> d-------- C:\Documents and Settings\Angie\Application Data\Apple Computer
2008-04-10 18:18 . 2008-04-10 18:19 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-10 18:12 . 2008-04-10 18:12 <DIR> d-------- C:\Program Files\MSBuild
2008-04-10 18:01 . 2008-04-10 18:01 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-04-10 17:59 . 2008-04-10 17:59 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-04-10 17:57 . 2008-04-10 17:57 <DIR> d-------- C:\2b39b6cf19e518483c4001a9
2008-04-10 17:57 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-04-10 17:45 . 2008-04-10 17:45 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-10 17:41 . 2008-04-10 17:43 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-10 17:19 . 2008-04-10 17:21 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-04-10 16:26 . 2008-04-10 16:26 268 --ah----- C:\sqmdata00.sqm
2008-04-10 16:26 . 2008-04-10 16:26 244 --ah----- C:\sqmnoopt00.sqm
2008-04-10 16:01 . 2008-04-22 20:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-10 16:01 . 2008-04-10 16:01 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-10 15:55 . 2008-04-10 15:55 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Apple Computer
2008-04-10 15:53 . 2008-04-10 15:53 <DIR> d-------- C:\Program Files\iPod
2008-04-10 15:51 . 2008-04-10 15:53 <DIR> d-------- C:\Program Files\iTunes
2008-04-10 15:50 . 2008-04-10 15:50 <DIR> d-------- C:\Program Files\Bonjour
2008-04-10 15:45 . 2008-04-10 15:51 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-04-10 15:41 . 2008-04-10 15:41 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-10 15:39 . 2008-04-10 16:23 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-10 15:37 . 2008-04-10 15:37 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-10 15:36 . 2008-04-10 15:36 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-04-10 15:18 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-10 14:42 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-10 14:42 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-04-10 14:42 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-10 14:41 . 2008-04-10 14:41 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Comodo
2008-04-10 14:41 . 2008-04-22 18:03 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\AVG7
2008-04-10 14:40 . 2008-04-22 18:51 <DIR> d-------- C:\Documents and Settings\Katie
2008-04-10 14:40 . 2006-02-28 13:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-10 14:40 . 2008-04-22 20:22 1,024 --ah----- C:\Documents and Settings\Katie\ntuser.dat.LOG
2008-04-09 22:39 . 2008-04-10 16:19 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-09 22:38 . 2008-04-10 16:36 <DIR> d-------- C:\Program Files\Windows Live
2008-04-09 22:37 . 2008-04-10 16:06 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2008-04-09 22:05 . 2008-04-20 18:23 <DIR> d-------- C:\Documents and Settings\Angie\Application Data\LimeWire
2008-04-09 22:02 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-09 21:45 . 2008-04-10 14:59 <DIR> d-------- C:\Program Files\Java
2008-04-09 21:42 . 2008-04-09 21:42 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-09 21:41 . 2008-04-20 18:02 <DIR> d-------- C:\Program Files\LimeWire
2008-04-09 21:40 . 2006-11-13 07:02 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2008-04-09 21:40 . 2006-11-13 07:02 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2008-04-09 21:40 . 2006-11-13 07:02 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2008-04-09 21:26 . 2008-04-09 21:26 <DIR> d-------- C:\Documents and Settings\Angie\Application Data\Comodo
2008-04-09 21:26 . 2008-04-09 21:26 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Comodo
2008-04-09 21:24 . 2007-09-27 18:08 211 --a------ C:\boot.ini.comodofirewall
2008-04-09 21:23 . 2008-04-09 21:23 <DIR> d-------- C:\Program Files\Comodo
2008-04-09 20:43 . 2008-04-20 12:29 <DIR> d-------- C:\Documents and Settings\Angie\Application Data\AVG7
2008-04-09 20:42 . 2008-04-09 20:42 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2008-04-09 20:41 . 2008-04-09 20:41 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-04-09 20:40 . 2008-04-09 20:40 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-04-09 20:40 . 2008-04-10 08:00 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2008-04-09 20:05 . 2004-08-03 23:08 26,624 --a------ C:\WINDOWS\system32\drivers\usbehci.sys
2008-04-09 20:05 . 2004-08-03 23:08 26,624 --a--c--- C:\WINDOWS\system32\dllcache\usbehci.sys
2008-04-09 20:05 . 2004-08-04 00:56 7,168 --a------ C:\WINDOWS\system32\hccoin.dll
2008-04-09 20:05 . 2004-08-04 00:56 7,168 --a--c--- C:\WINDOWS\system32\dllcache\hccoin.dll
2008-04-09 17:58 . 2008-04-09 18:00 <DIR> d-------- C:\59b09f4eb15e117f03a2
2008-04-09 17:42 . 2008-04-09 17:42 <DIR> d-------- C:\Program Files\Creative
2008-04-09 17:42 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-04-09 17:42 . 1999-12-17 01:00 6,752 --a------ C:\WINDOWS\system32\PfModNT.sys
2008-04-09 17:41 . 2008-04-09 17:41 <DIR> d-------- C:\WINDOWS\options
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 22:01 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-10 14:49 --------- d-----w C:\Program Files\QuickTime
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 12:10 633,344 ----a-w C:\WINDOWS\system32\gpprefcl.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-01-29 11:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]
2008-04-20 11:38 53312 --a------ C:\WINDOWS\system32\vmudtcfc.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ED10090-2269-4205-82A8-C74E1F6A7E5A}]
C:\WINDOWS\system32\ddcCTmKC.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 22:13 579584]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2008-04-09 21:23 1115728]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"BM639603ab"="C:\WINDOWS\system32\ygtmlndf.dll " [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-09 20:41 219136]
C:\Documents and Settings\Angie\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 22:32:57 147456]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtusqOf]
awtusqOf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 14:47]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10fcf370-0709-11dd-82d8-00112233be82}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-10 14:43:27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-10 06:48:21 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 20:21:32
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-22 20:33:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-22 19:33:48
Pre-Run: 19,701,313,536 bytes free
Post-Run: 19,694,358,528 bytes free
195 --- E O F --- 2008-04-09 22:31:39

I hope this is all ok now?

But I still have this error message appearing:
  #12  
Old 22nd Apr 2008, 12:50
Moderator Group
 
Trojan thought to be removed but.....

We should be getting rid of the error shortly.

First, do you know what these are?

C:\Documents and Settings\Katie\!
C:\Documents and Settings\Angie\!
__________________

  #13  
Old 22nd Apr 2008, 13:00
Member Group
 
Trojan thought to be removed but.....

Yes, I know they are users on this computer, but I don't know why they have ! at the end. I'm good with computers but not too good on programming and viruses etc. I'm only 15 lol
  #14  
Old 22nd Apr 2008, 13:13
Moderator Group
 
Trojan thought to be removed but.....

Not sure why they have the ! as a name either. Can you open them and see if anything is in them? Just open the folder; don't open anything else that is inside if you don't know what it is. I don't think it is malware, but then again it is good to check and be sure rather than just brush it off. Let me know.


Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KILLALL::

Folder::
C:\WINDOWS\system32\xcsDd05
C:\Temp\berDrv11
C:\Temp

File::
C:\sqmdata01.sqm
C:\sqmnoopt01.sqm
C:\WINDOWS\system32\vmudtcfc.dll
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ED10090-2269-4205-82A8-C74E1F6A7E5A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM639603ab"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtusqOf]
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

----------

Now run a new HijackThis scan and post that log after ComboFix is complete.

----------

In your next post please add:
ComboFix log
New HijackThis log
__________________
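As an added example (not code from this thread, and not from ComboFix's or HijackThis's authors): a small Python script that parses lines in the "Files Created" layout of the ComboFix logs posted above and flags the patterns a helper queries on, namely a core Windows binary name such as svchost.exe sitting outside the Windows directory, an executable marked hidden+system, a hidden+system folder inside a user profile like the ! folders asked about above, and an eight-letter DLL name in system32 like the ones the CFScript removes. The attribute-letter meanings (h = hidden, s = system) and the heuristics are my assumptions, not ComboFix documentation; the sample lines are copied from the first log in the thread, so a real run would feed it the whole log file.

```python
import re
from pathlib import PureWindowsPath

# One "Files Created" line: "<created> . <modified> <size|<DIR>> <attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-\w]{9}) (?P<path>.+?)\s*$"
)

EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".cpl"}
# Core Windows binaries that belong under C:\WINDOWS; a copy elsewhere is masquerading
CORE_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe",
              "csrss.exe", "services.exe", "ntoskrnl.exe"}
# Naming pattern of the dropped DLLs in this thread (vmudtcfc, ddcCTmKC, awtusqOf):
# exactly eight letters, no digits. Heuristic (my assumption), not a rule.
RANDOM_STEM_RE = re.compile(r"^[A-Za-z]{8}$")

# Sample input: lines copied from the first ComboFix log in the thread.
SAMPLE_LOG = r"""
2008-04-20 11:38 . 2008-04-20 11:38 53,312 --a------ C:\WINDOWS\system32\vmudtcfc.dll
2008-04-19 22:59 . 2008-04-19 22:59 1,773,568 ---hs---- C:\Documents and Settings\Angie\svchost.exe
2008-04-20 19:33 . 2008-04-20 20:09 <DIR> d--hs---- C:\Documents and Settings\Katie\!
2008-04-10 15:51 . 2008-04-10 15:53 <DIR> d-------- C:\Program Files\iTunes
2008-04-10 14:42 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-09 20:41 . 2008-04-09 20:41 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
"""


def parse_entries(log_text):
    """Return one dict per parseable line; banners and '.' separators are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["is_dir"] = e["size"] == "<DIR>"
            entries.append(e)
    return entries


def triage(log_text):
    """Return (severity, path, reason) triples for entries worth a second look."""
    findings = []
    for e in parse_entries(log_text):
        p = PureWindowsPath(e["path"])
        parts = [s.lower() for s in p.parts]  # ['c:\\', 'windows', 'system32', ...]
        name, stem, ext = p.name.lower(), p.stem, p.suffix.lower()
        # Assumed attribute letters, matching the log layout: h = hidden, s = system
        attrs = e["attrs"].lower()
        hidden_system = "h" in attrs and "s" in attrs
        in_windir = len(parts) > 1 and parts[1] == "windows"
        in_system32 = in_windir and len(parts) > 2 and parts[2] == "system32"
        in_profile = len(parts) > 1 and parts[1] == "documents and settings"

        if e["is_dir"]:
            if hidden_system and in_profile:
                findings.append(("medium", e["path"],
                                 "hidden+system folder inside a user profile; inspect contents"))
            continue
        if ext not in EXEC_EXT:
            continue
        if name in CORE_NAMES and not in_windir:
            findings.append(("high", e["path"],
                             "core Windows binary name outside the Windows directory"))
        elif hidden_system:
            findings.append(("high", e["path"], "executable marked hidden+system"))
        if in_system32 and ext in (".dll", ".exe") and RANDOM_STEM_RE.match(stem):
            findings.append(("medium", e["path"],
                             "eight-letter name in system32; check publisher signature and hash"))
    return findings


if __name__ == "__main__":
    for severity, path, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {path}  <- {reason}")
```

On the sample it flags the svchost.exe copy in Angie's profile as high and the vmudtcfc.dll and Katie\! entries as medium, while leaving iTunes, mucltui.dll and msvcp71.dll alone; the medium hits are prompts to verify (publisher signature, hash lookup, folder contents), not verdicts.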

  #15  
Old 22nd Apr 2008, 13:44
Member Group
 
Trojan thought to be removed but.....

Log from ComboFix; running HijackThis now:

ComboFix 08-04-20.5 - Katie 2008-04-22 21:17:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.173 [GMT 1:00]
Running from: C:\Documents and Settings\Katie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Katie\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\WINDOWS\system32\vmudtcfc.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\Temp
C:\WINDOWS\system32\vmudtcfc.dll
C:\WINDOWS\system32\xcsDd05
.
((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.
2008-04-22 20:12 . 2008-04-22 20:12 1,024 --ah----- C:\Documents and Settings\Default User.WINDOWS\ntuser.dat.LOG
2008-04-22 18:38 . 2008-04-22 18:38 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-22 18:21 . 2008-04-22 18:55 <DIR> d-------- C:\SDFix
2008-04-21 21:04 . 2008-04-21 21:04 <DIR> d-------- C:\Documents and Settings\Katie\Contacts
2008-04-21 19:56 . 2008-04-21 19:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-21 18:25 . 2008-04-21 18:25 <DIR> d-------- C:\Documents and Settings\Katie\DoctorWeb
2008-04-21 16:47 . 2008-04-22 18:21 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\LimeWire
2008-04-20 19:33 . 2008-04-20 20:09 <DIR> d--hs---- C:\Documents and Settings\Katie\!
2008-04-20 11:37 . 2008-04-21 16:37 109,734 --a------ C:\WINDOWS\BM639603ab.xml
2008-04-19 22:59 . 2008-04-19 23:01 <DIR> d--hs---- C:\Documents and Settings\Angie\!
2008-04-19 22:59 . 2008-04-19 22:59 1,773,568 ---hs---- C:\Documents and Settings\Angie\svchost.exe
2008-04-19 22:55 . 2008-04-21 18:04 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-18 20:10 . 2008-04-18 20:10 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-04-18 20:09 . 2008-04-18 20:09 <DIR> d-------- C:\WINDOWS\Sun
2008-04-10 23:02 . 2008-04-10 23:02 <DIR> d-------- C:\Program Files\PTC
2008-04-10 21:00 . 2008-04-10 22:09 <DIR> d-------- C:\Documents and Settings\Angie\Contacts
2008-04-10 20:33 . 2008-04-10 20:33 <DIR> d-------- C:\Documents and Settings\Angie\Application Data\MSNInstaller
2008-04-10 18:39 . 2008-04-10 18:39 <DIR> d-------- C:\Documents and Settings\Angie\Application Data\Apple Computer
2008-04-10 18:18 . 2008-04-10 18:19 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-10 18:12 . 2008-04-10 18:12 <DIR> d-------- C:\Program Files\MSBuild
2008-04-10 18:01 . 2008-04-10 18:01 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-04-10 17:59 . 2008-04-10 17:59 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-04-10 17:57 . 2008-04-10 17:57 <DIR> d-------- C:\2b39b6cf19e518483c4001a9
2008-04-10 17:57 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-04-10 17:45 . 2008-04-10 17:45 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-10 17:41 . 2008-04-10 17:43 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-10 17:19 . 2008-04-10 17:21 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-04-10 16:01 . 2008-04-22 21:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-10 16:01 . 2008-04-10 16:01 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-10 15:55 . 2008-04-10 15:55 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Apple Computer
2008-04-10 15:53 . 2008-04-10 15:53 <DIR> d-------- C:\Program Files\iPod
2008-04-10 15:51 . 2008-04-10 15:53 <DIR> d-------- C:\Program Files\iTunes
2008-04-10 15:50 . 2008-04-10 15:50 <DIR> d-------- C:\Program Files\Bonjour
2008-04-10 15:45 . 2008-04-10 15:51 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-04-10 15:41 . 2008-04-10 15:41 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-10 15:39 . 2008-04-10 16:23 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-10 15:37 . 2008-04-10 15:37 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-10 15:36 . 2008-04-10 15:36 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-04-10 15:18 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-10 14:42 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-10 14:42 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-04-10 14:42 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-10 14:41 . 2008-04-10 14:41 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Comodo
2008-04-10 14:41 . 2008-04-22 18:03 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\AVG7
2008-04-10 14:40 . 2008-04-22 18:51 <DIR> d-------- C:\Documents and Settings\Katie
2008-04-10 14:40 . 2006-02-28 13:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-10 14:40 . 2008-04-22 21:26 1,024 --ah----- C:\Documents and Settings\Katie\ntuser.dat.LOG
2008-04-09 22:39 . 2008-04-10 16:19 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-09 22:38 . 2008-04-10 16:36 <DIR> d-------- C:\Program Files\Windows Live
2008-04-09 22:37 . 2008-04-10 16:06 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2008-04-09 22:05 . 2008-04-20 18:23 <DIR> d-------- C:\Documents and Settings\Angie\Application Data\LimeWire
2008-04-09 22:02 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-09 21:45 . 2008-04-10 14:59 <DIR> d-------- C:\Program Files\Java
2008-04-09 21:42 . 2008-04-09 21:42 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-09 21:41 . 2008-04-20 18:02 <DIR> d-------- C:\Program Files\LimeWire
2008-04-09 21:40 . 2006-11-13 07:02 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2008-04-09 21:40 . 2006-11-13 07:02 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2008-04-09 21:40 . 2006-11-13 07:02 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2008-04-09 21:26 . 2008-04-09 21:26 <DIR> d-------- C:\Documents and Settings\Angie\Application Data\Comodo
2008-04-09 21:26 . 2008-04-09 21:26 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Comodo
2008-04-09 21:24 . 2007-09-27 18:08 211 --a------ C:\boot.ini.comodofirewall
2008-04-09 21:23 . 2008-04-09 21:23 <DIR> d-------- C:\Program Files\Comodo
2008-04-09 20:43 . 2008-04-20 12:29 <DIR> d-------- C:\Documents and Settings\Angie\Application Data\AVG7
2008-04-09 20:42 . 2008-04-09 20:42 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2008-04-09 20:41 . 2008-04-09 20:41 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-04-09 20:40 . 2008-04-09 20:40 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-04-09 20:40 . 2008-04-10 08:00 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2008-04-09 20:05 . 2004-08-03 23:08 26,624 --a------ C:\WINDOWS\system32\drivers\usbehci.sys
2008-04-09 20:05 . 2004-08-03 23:08 26,624 --a--c--- C:\WINDOWS\system32\dllcache\usbehci.sys
2008-04-09 20:05 . 2004-08-04 00:56 7,168 --a------ C:\WINDOWS\system32\hccoin.dll
2008-04-09 20:05 . 2004-08-04 00:56 7,168 --a--c--- C:\WINDOWS\system32\dllcache\hccoin.dll
2008-04-09 17:58 . 2008-04-09 18:00 <DIR> d-------- C:\59b09f4eb15e117f03a2
2008-04-09 17:42 . 2008-04-09 17:42 <DIR> d-------- C:\Program Files\Creative
2008-04-09 17:42 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-04-09 17:42 . 1999-12-17 01:00 6,752 --a------ C:\WINDOWS\system32\PfModNT.sys
2008-04-09 17:41 . 2008-04-09 17:41 <DIR> d-------- C:\WINDOWS\options
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 22:01 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-10 14:49 --------- d-----w C:\Program Files\QuickTime
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 12:10 633,344 ----a-w C:\WINDOWS\system32\gpprefcl.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-01-29 11:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
.
((((((((((((((((((((((((((((( snapshot@2008-04-22_20.33.21.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-22 19:19:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-22 20:25:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ED10090-2269-4205-82A8-C74E1F6A7E5A}]
C:\WINDOWS\system32\ddcCTmKC.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 22:13 579584]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2008-04-09 21:23 1115728]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-09 20:41 219136]
C:\Documents and Settings\Angie\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 22:32:57 147456]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtusqOf]
awtusqOf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 14:47]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10fcf370-0709-11dd-82d8-00112233be82}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-10 14:43:27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-10 06:48:21 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 21:25:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-22 21:41:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-22 20:40:54
ComboFix2.txt 2008-04-22 19:33:57
Pre-Run: 19,677,388,800 bytes free
Post-Run: 19,676,737,536 bytes free
196 --- E O F --- 2008-04-09 22:31:39
  #16  
Old 22nd Apr 2008, 13:45
Member Group
 
Trojan thought to be removed but.....

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:44:52, on 22/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8ED10090-2269-4205-82A8-C74E1F6A7E5A} - C:\WINDOWS\system32\ddcCTmKC.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: awtusqOf - awtusqOf.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 5381 bytes


is this sorted now?
  #17  
Old 22nd Apr 2008, 13:53
Moderator Group

Quote:
is this sorted now?
We are getting close.

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)
  • O2 - BHO: (no name) - {8ED10090-2269-4205-82A8-C74E1F6A7E5A} - C:\WINDOWS\system32\ddcCTmKC.dll (file missing)
  • O20 - Winlogon Notify: awtusqOf - awtusqOf.dll (file missing)
Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Download and install CleanUp!.exe

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
  • Click Options...
  • Move the arrow to Standard CleanUp!
  • Uncheck the following: (if checked)
    • Delete Newsgroup cache
    • Delete Newsgroup Subscriptions
  • Click OK
Click the CleanUp! button to start the program. Reboot/logoff when prompted.

Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!
If you have a 64-bit Operating System, do NOT run CleanUp! and let me know, as we will use another utility.


----------

How is everything now?

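As an added illustration (not part of any post in this thread), here is a small Python triage pass over HijackThis-style log lines that picks out the kinds of entries the moderator asks to have fixed: registrations whose target file is gone (the orphaned O2 BHO and O20 Winlogon Notify hooks) and unnamed BHOs, and it also flags IE start/search pages that point away from the Microsoft defaults seen in the log. The sample log is constructed here from the entries quoted above; the example.invalid search page is made up to show a hijacked R1 line.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the entries quoted in this thread. The final
# R1 line (example.invalid) is made up to show what a hijacked search page looks like.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8ED10090-2269-4205-82A8-C74E1F6A7E5A} - C:\WINDOWS\system32\ddcCTmKC.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: awtusqOf - awtusqOf.dll (file missing)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://example.invalid/search
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")

def parse_hjt(log_text):
    """Return (section, body) pairs for HijackThis entries; headers and the process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries

def ie_setting_is_default(body):
    """R0/R1 lines: True unless the value is a URL whose host lies outside microsoft.com."""
    value = body.split("=", 1)[1].strip() if "=" in body else ""
    if not value.lower().startswith("http"):
        return True  # e.g. ProxyOverride = *.local is not a URL, nothing to judge here
    host = (urlparse(value).hostname or "").lower()
    return host == "microsoft.com" or host.endswith(".microsoft.com")

def triage(log_text):
    """Map each entry that deserves a look to the list of reasons it was flagged."""
    flagged = {}
    for section, body in parse_hjt(log_text):
        reasons = []
        if "(file missing)" in body:
            # Registry still references a DLL that is gone: a hook left behind after the file was removed.
            reasons.append("orphaned: referenced file is missing")
        if section == "O2" and "(no name)" in body:
            reasons.append("BHO registered without a name")
        if section in ("R0", "R1") and not ie_setting_is_default(body):
            reasons.append("IE start/search page points outside microsoft.com")
        if reasons:
            flagged[f"{section} - {body}"] = reasons
    return flagged
```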
  #18  
Old 22nd Apr 2008, 14:49
Member Group

hey thanks EvilFantasy, you are really helpful and deserve a pat on the back. Everything seems to be up and running now just like it should; didn't get that error message so that seems to be working as well. Thanks again, you are really a good person, and thanks to the people who wrote those programs, even though I doubt they will ever read this comment.

this forum is a nice place to be and very helpful, let's just hope they don't get any more trojans, lol.

god, 6 hours work or so, I can't believe it.

sorry it took me like an hour to reply, had to get home, so I'm at home sat on my laptop writing the thanks, but I don't deserve the credit, but I know my friends will thank me, but they should be thanking EvilFantasy, thanks mate, you can close this if you want
  #19  
Old 22nd Apr 2008, 15:00
Moderator Group

Glad things are back to normal.

Still a few more important steps.


Time to do some cleanup and secure the work you have done.
  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.

The above procedure will:
  • Delete:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.
Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop. (unless you already have it)

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • When finished exit out of OTMoveIt2
Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
  • Go to Start > Programs > Accessories > System Tools and click System Restore
  • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
  • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Next go to Start > Run and type Cleanmgr
  • Click OK
  • Click the More Options Tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
Use the Secunia Software Inspector to check for out of date software.
Out of date software has security vulnerabilities that malware can exploit.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.
Check out Keeping Yourself safe On The Web for tips and free tools to keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Safe surfing.........

  #20  
Old 22nd Apr 2008, 15:05
Member Group

yes ok I will complete that final process when next around there, which will definitely be Friday, thanks for all the help.

EDIT: will it be ok till Friday? it will only be used for msn and web browsing