
Virus I think

Comments

  • I ran ComboFix yesterday but I can't locate the logs.
    You can't keep a good man down...
  • OMG, Browntoa is trying to run away from me after giving him my girl lol.

    Anyway, I'm taking inputs from everybody just to resolve this!

    Thanks a bunch mate!
    You can't keep a good man down...
  • SaqibQ
    SaqibQ Posts: 81 Forumite
    Thanks Browntoa! I only know what I'm talking about because I've studied it.

    Knowledgepower, what do you mean "can't locate ComboFix"?
    1. Go to the drive where your Operating System is (most likely C:).
    2. Find ComboFix.txt and open it.
    3. Copy and paste the entire contents here.
    ComboFix is an extremely powerful tool, and so I really need to see what changes it has made.
  • Saqib, it's not allowing me to open it, so I have saved it on my desktop. I'm going to send it to my other desktop via email and post it here.
    I hope it's going to work.
    You can't keep a good man down...
  • Here it is Saqib,

    ComboFix 08-12-20.01 - Tunde 2008-12-20 20:28:02.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.319.162 [GMT 0:00]
    Running from: c:\documents and settings\Tunde\Desktop\remover.exe.exe
    * Created a new restore point
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    The following files were disabled during the run:
    c:\windows\VHVuZGU\asappsrv.dll

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\LocalService\Application Data\NetMon
    c:\documents and settings\LocalService\Application Data\NetMon\domains.txt
    c:\documents and settings\LocalService\Application Data\NetMon\log.txt
    c:\documents and settings\Tunde\Application Data\gadcom
    c:\documents and settings\Tunde\Application Data\gadcom\gadcom.exe
    c:\documents and settings\Tunde\Local Settings\Temporary Internet Files\fbk.sts
    c:\documents and settings\Tunde\lsass.exe
    c:\program files\Mjcore
    c:\program files\Mjcore\Mjcore.dll
    c:\program files\network monitor
    c:\program files\network monitor\netmon.exe
    c:\temp\1cb
    c:\temp\1cb\syscheck.log
    c:\windows\start.exe
    c:\windows\system32\atmtd.dll
    c:\windows\system32\atmtd.dll._
    c:\windows\system32\byXPFUOh.dll
    c:\windows\system32\drivers\ati6jnxx.sys
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\drivers\TDSSmqct.sys
    c:\windows\system32\fahaohgg.ini
    c:\windows\system32\gghoahaf.dll
    c:\windows\system32\gwafwf.dll
    c:\windows\system32\jkkJcCtT.dll
    c:\windows\system32\jkse73hedfdgf.dll
    c:\windows\system32\jmvtcofc.dll
    c:\windows\system32\jwoojqnl.dll
    c:\windows\system32\mcrh.tmp
    c:\windows\system32\mlJCRkhF.dll
    c:\windows\system32\NorCeMoq.ini
    c:\windows\system32\NorCeMoq.ini2
    c:\windows\system32\ofkhjkxn.ini
    c:\windows\system32\otpfitdu.dll
    c:\windows\system32\pac.txt
    c:\windows\system32\Packet.dll
    c:\windows\system32\pdfbxrsh.dll
    c:\windows\system32\porcqk.dll
    c:\windows\system32\qoMeCroN.dll
    c:\windows\system32\rs32net.exe
    c:\windows\system32\spqqzz.dll
    c:\windows\system32\svawtoit.ini
    c:\windows\system32\TDSSarxx.dll
    c:\windows\system32\TDSScfmm.dll
    c:\windows\system32\TDSSkkai.log
    c:\windows\system32\TDSSlxcp.dll
    c:\windows\system32\TDSSmtve.dat
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSotqt.dll
    c:\windows\system32\TDSSsahc.dll
    c:\windows\system32\TDSSservers.dat
    c:\windows\system32\TDSSvkql.dll
    c:\windows\system32\TDSSxhyf.log
    c:\windows\system32\tiotwavs.dll
    c:\windows\system32\tuvULFWM.dll
    c:\windows\system32\ulwvpfcl.dll
    c:\windows\system32\WanPacket.dll
    c:\windows\system32\wpcap.dll
    c:\windows\system32\xolwdiop.dll
    c:\windows\system32\xxywUOfC.dll
    c:\windows\Tasks\ygdcbljf.job
    c:\windows\uninstall_nmon.vbs
    c:\windows\VHVuZGU\
    c:\windows\VHVuZGU\\asappsrv.dll
    c:\windows\VHVuZGU\\command.exe
    c:\windows\VHVuZGU\\pJpRt3o.vbs
    c:\windows\VHVuZGU\command.exe
    c:\windows\Web\default.htt
    E:\Autorun.inf
    c:\windows\system32\fefecbbaafcbb.dll . . . . failed to delete
    BITS: Possible infected sites
    hxxp://childhe.com
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    \Service_TDSSSERV.SYS
    \Legacy_TDSSSERV.SYS
    \Legacy_ati6jnxx
    \Legacy_CMDSERVICE
    \Legacy_icf
    \Legacy_NETWORK_MONITOR
    \Legacy_NPF
    \Service_ati6jnxx
    \Service_cmdService
    \Service_icf
    \Service_Network Monitor
    \Service_NPF
    \Service_restore

    ((((((((((((((((((((((((( Files Created from 2008-11-20 to 2008-12-20 )))))))))))))))))))))))))))))))
    .
    2008-12-20 20:40 . 71,680 c:\windows\SYSTEM32\clcr.exe
    2008-12-20 20:06 . 2008-12-18 06:17 <DIR> d-------- C:\32788R22FWJFW
    2008-12-20 19:47 . 2008-12-20 19:47 222,080 --a------ c:\documents and settings\Tunde\msiexec.exe
    2008-12-20 19:35 . 2008-12-20 19:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-12-20 19:35 . 2008-12-20 19:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-20 19:35 . 2008-12-03 19:53 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
    2008-12-20 19:35 . 2008-12-03 19:53 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
    2008-12-20 16:08 . 94,444 c:\windows\SYSTEM32\DRIVERS\b316a6ed.sys
    2008-12-20 16:05 . 2008-12-20 16:05 51,712 --a------ c:\windows\SYSTEM32\ddcYsQif.dll
    2008-12-20 12:58 . 94,444 c:\windows\SYSTEM32\DRIVERS\78af9614.sys
    2008-12-20 12:56 . 2008-12-20 12:56 51,712 --a------ c:\windows\SYSTEM32\byXQIAsS.dll
    2008-12-20 10:15 . 2008-12-20 10:15 <DIR> d--hs---- c:\documents and settings\Tunde\Searched
    2008-12-20 10:14 . 2008-12-20 10:14 1,519,616 ---hs---- c:\documents and settings\Tunde\nview.exe
    2008-12-20 10:13 . 2008-12-20 10:13 51,712 --a------ c:\windows\SYSTEM32\efcYQGWN.dll
    2008-12-18 23:44 . 2008-12-18 23:44 140,288 --a------ c:\windows\SYSTEM32\ccc.dll
    2008-12-18 23:42 . 2008-12-18 23:56 94,444 --a------ c:\windows\SYSTEM32\DRIVERS\5f519e34.sys
    2008-12-15 00:29 . 93,420 c:\windows\SYSTEM32\DRIVERS\3c67c1f5.sys
    2008-12-15 00:12 . 2008-12-18 23:42 39,936 --a------ c:\windows\SYSTEM32\72ba74fdc4a237f9f42cf1539bdffcb7.sys
    2008-12-15 00:12 . 2008-12-15 00:12 160 --a------ C:\log.udt
    2008-12-15 00:05 . 2008-12-15 00:28 184,848 --a------ C:\aasejx.exe
    2008-12-15 00:05 . 93,420 c:\windows\SYSTEM32\DRIVERS\76275edc.sys
    2008-12-14 17:42 . 93,420 c:\windows\SYSTEM32\DRIVERS\d672bae.sys
    2008-12-14 17:41 . 2008-12-14 17:41 <DIR> d-------- c:\windows\SYSTEM32\whSLD02
    2008-12-14 17:41 . 2008-12-14 17:41 <DIR> d-------- c:\windows\SYSTEM32\izp
    2008-12-14 17:41 . 2008-12-14 17:41 <DIR> d-------- c:\windows\SYSTEM32\ai1
    2008-12-14 17:41 . 2008-12-14 17:41 <DIR> d-------- c:\temp\REX81
    2008-12-14 17:41 . 2008-12-14 17:41 <DIR> d-------- C:\Temp
    2008-12-14 17:41 . 2008-12-20 16:08 705 --a------ C:\xohlv.exe
    2008-12-14 17:41 . 2008-12-20 16:08 705 --a------ C:\uuyrv.exe
    2008-12-14 17:41 . 2008-12-20 16:07 2 --a------ C:\572787211
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-20 20:40 312,847 ----a-w c:\windows\SYSTEM32\fefecbbaafcbb.dll
    2008-12-20 20:40 312,847 ----a-w c:\windows\SYSTEM32\a9477af293ca223675422d011c5f0247.TMP
    2008-12-19 00:00 90,112 ----a-w c:\windows\DUMP48a4.tmp
    2008-11-07 18:32 2,109,440 ----a-w c:\windows\SYSTEM32\dllcache\WMVCore.dll
    2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-24 11:10 453,632 ----a-w c:\windows\SYSTEM32\dllcache\mrxsmb.sys
    2008-10-23 13:01 283,648 ----a-w c:\windows\SYSTEM32\gdi32.dll
    2008-10-23 13:01 283,648 ----a-w c:\windows\SYSTEM32\dllcache\gdi32.dll
    2008-10-17 02:08 3,593,216 ----a-w c:\windows\SYSTEM32\dllcache\mshtml.dll
    2008-10-16 14:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
    2008-10-16 14:13 202,776 ----a-w c:\windows\SYSTEM32\dllcache\wuweb.dll
    2008-10-16 14:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
    2008-10-16 14:13 1,809,944 ----a-w c:\windows\SYSTEM32\dllcache\wuaueng.dll
    2008-10-16 14:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
    2008-10-16 14:12 561,688 ----a-w c:\windows\SYSTEM32\dllcache\wuapi.dll
    2008-10-16 14:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
    2008-10-16 14:12 323,608 ----a-w c:\windows\SYSTEM32\dllcache\wucltui.dll
    2008-10-16 14:09 92,696 ----a-w c:\windows\SYSTEM32\dllcache\cdm.dll
    2008-10-16 14:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
    2008-10-16 14:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
    2008-10-16 14:09 51,224 ----a-w c:\windows\SYSTEM32\dllcache\wuauclt.exe
    2008-10-16 14:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
    2008-10-16 14:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
    2008-10-16 14:08 34,328 ----a-w c:\windows\SYSTEM32\dllcache\wups.dll
    2008-10-16 14:06 268,648 ----a-w c:\windows\SYSTEM32\mucltui.dll
    2008-10-16 14:06 208,744 ----a-w c:\windows\SYSTEM32\muweb.dll
    2008-10-16 13:11 70,656 ----a-w c:\windows\SYSTEM32\dllcache\ie4uinit.exe
    2008-10-16 13:11 13,824 ----a-w c:\windows\SYSTEM32\dllcache\ieudinit.exe
    2008-10-15 16:57 332,800 ----a-w c:\windows\SYSTEM32\dllcache\netapi32.dll
    2008-10-15 07:06 633,632 ----a-w c:\windows\SYSTEM32\dllcache\iexplore.exe
    2008-10-15 07:04 161,792 ----a-w c:\windows\SYSTEM32\dllcache\ieakui.dll
    2008-10-03 10:15 247,326 ----a-w c:\windows\SYSTEM32\strmdll.dll
    2008-10-03 10:15 247,326 ----a-w c:\windows\SYSTEM32\dllcache\strmdll.dll
    2007-07-16 23:56 83 ----a-w c:\program files\ACCA1.1_Int.ini
    2006-10-10 17:46 1,600 ----a-w c:\program files\uninstal.log
    2006-10-09 21:00 266 --sh--w c:\program files\desktop.ini
    2006-10-09 21:00 11,079 ---h--w c:\program files\folder.htt
    2004-10-01 15:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
    @="{7D688A77-C613-11D0-999B-00C04FD655E1}"
    [HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
    2007-10-26 03:36 8454656 --a------ c:\windows\SYSTEM32\SHELL32.DLL
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PowerBar"="c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" [2004-04-21 86016]
    "MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
    "Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-03-27 4670968]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-07-02 23237416]
    "H/PC Connection Agent"="c:\tunde\Wcescomm.exe" [2006-11-13 1289000]
    "NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 1957888]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
    "InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-08 1397760]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "TPPOLL"="c:\program files\TOPRO\TPPOLL.EXE" [2005-03-02 24576]
    "ZSSnp211"="c:\windows\ZSSnp211.exe" [2006-08-08 49152]
    "Domino"="c:\windows\Domino.exe" [2006-07-04 49152]
    "BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
    "NVIDIA nView"="c:\documents and settings\Tunde\nview.exe" [2008-12-20 1519616]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
    "{AF0BE91A-D92D-44F5-9581-64F629762E5A}"= "c:\windows\system32\ccc.dll" [2008-12-18 140288]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fefecbbaafcbb]
    2008-12-20 20:40 312847 c:\windows\SYSTEM32\fefecbbaafcbb.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\notifyc]
    2008-12-18 23:44 140288 c:\windows\SYSTEM32\ccc.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=spqqzz.dll porcqk.dll gwafwf.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.VDOM"= vdowave.drv
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\tunde\rapimgr.exe"= c:\tunde\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\tunde\wcescomm.exe"= c:\tunde\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\tunde\WCESMgr.exe"= c:\tunde\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a308160-3cf2-11dc-98f7-08004670b29a}]
    \shell\autorun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\m.exe /s
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6190960-ca03-11dd-99a3-08004670b29a}]
    \Shell\Auto\command - F:\Start.exe
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
    .
    Contents of the 'Scheduled Tasks' folder
    2008-12-20 c:\windows\Tasks\User_Feed_Synchronization-{92DD0F20-A315-4392-9DCE-5C7AAB59C00B}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
    2008-12-20 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
    2008-11-01 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
    .
    - - - - ORPHANS REMOVED - - - -
    BHO-{279205d3-301b-4610-a11a-278d86ad835f} - c:\windows\system32\qoMeCroN.dll
    BHO-{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\tuvULFWM.dll
    BHO-{c5bf49a2-94f3-42bd-f434-3604812c897d} - c:\windows\system32\jkse73hedfdgf.dll
    WebBrowser-{07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
    HKCU-Run-rs32net - c:\windows\System32\rs32net.exe
    HKLM-Run-workflow - d:\installs\workflow.exe
    SharedTaskScheduler-{C5BF49A2-94F3-42BD-F434-3604812C897D} - c:\windows\system32\jkse73hedfdgf.dll
    ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\tuvULFWM.dll

    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.co.uk/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: {52FEE0DA-452C-42D7-8DE5-BE5671C40E37} = 192.168.1.254
    O16 -: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
    c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
    O16 -: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
    c:\windows\Downloaded Program Files\Internet Explorer Classes for Java.osd
    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
    .
    **************************************************************************
    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-20 20:40:52
    Windows 5.1.2600 Service Pack 2 FAT NTAPI
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    [HKEY_LOCAL_MACHINE\System\controlset004\Services\3c67c1f5]
    "ImagePath"="\SystemRoot\System32\drivers\3c67c1f5.sys"
    --
    [HKEY_LOCAL_MACHINE\System\controlset004\Services\76275edc]
    "ImagePath"="\SystemRoot\System32\drivers\76275edc.sys"
    [HKEY_LOCAL_MACHINE\System\controlset004\Services\78af9614]
    "ImagePath"="\SystemRoot\System32\drivers\78af9614.sys"
    --
    [HKEY_LOCAL_MACHINE\System\controlset004\Services\b316a6ed]
    "ImagePath"="\SystemRoot\System32\drivers\b316a6ed.sys"
    --
    [HKEY_LOCAL_MACHINE\System\controlset004\Services\d672bae]
    "ImagePath"="\SystemRoot\System32\drivers\d672bae.sys"
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'winlogon.exe'(416)
    c:\windows\system32\fefecbbaafcbb.dll
    c:\windows\system32\ccc.dll
    .
    Other Running Processes
    .
    c:\program files\AHEAD\INCD\INCDSRV.EXE
    c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
    c:\windows\SYSTEM32\ATIEVXX.EXE
    c:\windows\system32\clcr.exe
    c:\tunde\rapimgr.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2008-12-20 20:52:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-12-20 20:51:52
    Pre-Run: 2,160,467,968 bytes free
    Post-Run: 3,253,493,760 bytes free
    312 --- E O F --- 2008-12-11 03:09:34
    You can't keep a good man down...
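The ComboFix output above is long, and the entries a responder actually needs are scattered across several sections. The Python script below is an added example (it is not part of the thread and not ComboFix's own code) that splits a log of this shape into its banner-delimited sections and pulls out the indicators worth reviewing first: TDSS-prefixed files and services, files ComboFix could not delete, an Autorun.inf on a removable drive, winlogon\notify DLLs, AppInit_DLLs, the Security Center AntiVirusDisableNotify flag, Run entries launching from a user profile, and autorun commands registered under MountPoints2. SAMPLE_LOG is a constructed excerpt modelled on the log posted above; the section banners and line layouts are assumed to follow the 2008-era ComboFix format shown there, and the "Run entry from a user profile" rule is a heuristic of this example, not a ComboFix rule.

```python
import re
from collections import defaultdict

# Section banners look like "((((((((( Other Deletions )))))))))".
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# Path at the end of a "date time size path" line (winlogon\notify entries).
PATH_RE = re.compile(r"[a-z]:\\.*$", re.IGNORECASE)
# Run-key value: "Name"="c:\path\to.exe" [date size]
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')

# Constructed excerpt modelled on the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
ComboFix 08-12-20.01 - Tunde 2008-12-20 20:28:02.1 - FAT32x86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\TDSSmqct.sys
c:\windows\system32\TDSSservers.dat
c:\windows\system32\spqqzz.dll
E:\Autorun.inf
c:\windows\system32\fefecbbaafcbb.dll . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Service_TDSSSERV.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"NVIDIA nView"="c:\documents and settings\Tunde\nview.exe" [2008-12-20 1519616]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\notifyc]
2008-12-18 23:44 140288 c:\windows\SYSTEM32\ccc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=spqqzz.dll porcqk.dll gwafwf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6190960-ca03-11dd-99a3-08004670b29a}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
"""


def split_sections(log_text):
    """Group log lines by the banner they follow; text before the first banner is 'header'."""
    sections = defaultdict(list)
    current = "header"
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line and line != ".":          # ComboFix pads sections with lone dots
            sections[current].append(line)
    return dict(sections)


def deletions(sections):
    """Split 'Other Deletions' into paths ComboFix removed and paths it could not remove."""
    removed, failed = [], []
    for line in sections.get("Other Deletions", []):
        if line.endswith("failed to delete"):
            failed.append(line.split(" . ", 1)[0])
        else:
            removed.append(line)
    return removed, failed


def reg_loading_points(sections):
    """Yield (key, entry_line) for every entry listed under a [KEY] in 'Reg Loading Points'."""
    key = None
    for line in sections.get("Reg Loading Points", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:                          # skips REGEDIT4 and the *Note* line before any key
            yield key, line


def triage(log_text):
    """Return a list of (tag, detail) findings a responder would review first."""
    sections = split_sections(log_text)
    removed, failed = deletions(sections)
    findings = []
    for path in removed + failed:
        name = path.rsplit("\\", 1)[-1].lower()
        if name.startswith("tdss"):
            findings.append(("tdss-component", path))
        elif name == "autorun.inf":
            findings.append(("autorun-inf", path))
    for svc in sections.get("Drivers/Services", []):
        if "tdss" in svc.lower():
            findings.append(("tdss-component", svc))
    for path in failed:                    # still on disk: needs a follow-up pass
        findings.append(("delete-failed", path))
    for key, line in reg_loading_points(sections):
        k = key.lower()
        if "\\winlogon\\notify\\" in k:
            m = PATH_RE.search(line)
            findings.append(("winlogon-notify-dll", m.group(0) if m else line))
        elif line.startswith('"AppInit_DLLs"='):
            for dll in line.split("=", 1)[1].split():
                findings.append(("appinit-dll", dll))
        elif line.startswith('"AntiVirusDisableNotify"=dword:00000001'):
            findings.append(("av-notifications-disabled", key))
        elif "\\mountpoints2\\" in k and "\\command - " in line:
            findings.append(("removable-autorun", line.split(" - ", 1)[1]))
        elif k.endswith("\\currentversion\\run"):
            m = RUN_VALUE_RE.match(line)
            # Heuristic (this example's, not ComboFix's): Run entries that launch from a profile folder.
            if m and "\\documents and settings\\" in m.group(2).lower():
                findings.append(("run-from-user-profile", m.group(2)))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_LOG):
        print(f"{tag:26} {detail}")
```

Run it on the text of a saved ComboFix.txt instead of SAMPLE_LOG to get the same shortlist for a real log; each finding maps to one of the sections SaqibQ works through by hand above, which is the point of the exercise.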
  • SaqibQ
    SaqibQ Posts: 81 Forumite
    Hi Knowledgepower1,

    I've sent you a PM.
  • and I have also responded
    You can't keep a good man down...
  • SaqibQ
    SaqibQ Posts: 81 Forumite
    Hi,

    Please do the following...

    1. Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
    This program is for XP and Windows 2000 only!
    • Double-click ATF Cleaner.exe to open it.
    • Under Main select the following:
      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Java Cache
    *The other boxes are optional*
    Then click the Empty Selected button.

    Click Exit on the Main menu to close the program.

    2. Open Notepad and copy/paste the text in the Quote Box below into it:
    File::
    c:\windows\SYSTEM32\DRIVERS\b316a6ed.sys
    c:\windows\SYSTEM32\ddcYsQif.dll
    c:\windows\SYSTEM32\DRIVERS\78af9614.sys
    c:\windows\SYSTEM32\byXQIAsS.dll
    c:\windows\SYSTEM32\efcYQGWN.dll
    c:\windows\SYSTEM32\ccc.dll
    c:\windows\SYSTEM32\DRIVERS\5f519e34.sys
    c:\windows\SYSTEM32\DRIVERS\3c67c1f5.sys
    c:\windows\SYSTEM32\72ba74fdc4a237f9f42cf1539bdffcb7.sys
    C:\aasejx.exe
    c:\windows\SYSTEM32\DRIVERS\76275edc.sys
    c:\windows\SYSTEM32\DRIVERS\d672bae.sys
    C:\xohlv.exe
    C:\uuyrv.exe
    c:\windows\SYSTEM32\fefecbbaafcbb.dll
    c:\windows\SYSTEM32\a9477af293ca223675422d011c5f0247.TMP
    c:\windows\DUMP48a4.tmp

    Folder::
    c:\windows\SYSTEM32\whSLD02
    c:\windows\SYSTEM32\izp
    c:\windows\SYSTEM32\ai1
    c:\temp\REX81
    C:\572787211

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{AF0BE91A-D92D-44F5-9581-64F629762E5A}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fefecbbaafcbb]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\notifyc]

    Save this as CFScript.txt to your Desktop

    [image: CFScript.gif]

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
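A CFScript only does what is intended if every path in it is exactly the one ComboFix reported; a filename that the forum has wrapped with a stray space will simply not match anything on disk. The Python checker below is an added example (not part of the thread and not ComboFix's own code) that parses a CFScript into its File::, Folder:: and Registry:: sections, cross-checks each File:: and Folder:: entry against the ComboFix log it was derived from, and validates the Registry:: syntax used above ([KEY], [-KEY] to delete a key, and "name"=- to delete a value). SAMPLE_LOG and SAMPLE_SCRIPT are constructed inputs; the script deliberately contains one wrapped filename and one malformed registry line so the checker has something to report.

```python
import re

SECTION_HEADINGS = {"File::", "Folder::", "Registry::"}
# [KEY] adds/selects a key, [-KEY] deletes it (CFScript syntax as used in the thread).
REG_KEY_RE = re.compile(r"^\[-?(HKEY_[A-Z_]+|HKLM|HKCU|HKCR|HKU)\\.+\]$")
# "name"=- deletes a value; "name"=data sets one.
REG_VALUE_RE = re.compile(r'^"[^"]+"=(-|.+)$')
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed log excerpt: paths from the thread's ComboFix output, unwrapped.
SAMPLE_LOG = r"""
2008-12-15 00:12 . 2008-12-18 23:42 39,936 --a------ c:\windows\SYSTEM32\72ba74fdc4a237f9f42cf1539bdffcb7.sys
2008-12-20 20:40 312,847 ----a-w c:\windows\SYSTEM32\a9477af293ca223675422d011c5f0247.TMP
2008-12-14 17:41 . 2008-12-14 17:41 <DIR> d-------- c:\windows\SYSTEM32\whSLD02
"{AF0BE91A-D92D-44F5-9581-64F629762E5A}"= "c:\windows\system32\ccc.dll" [2008-12-18 140288]
"""

# Constructed CFScript as it might be pasted after the forum wrapped a long filename.
SAMPLE_SCRIPT = r"""
File::
c:\windows\SYSTEM32\72ba74fdc4a237f9f42cf1539bdffc b7.sys
c:\windows\SYSTEM32\a9477af293ca223675422d011c5f0247.TMP

Folder::
c:\windows\SYSTEM32\whSLD02

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{AF0BE91A-D92D-44F5-9581-64F629762E5A}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\notifyc]
HKEY_LOCAL_MACHINE\this line is not valid
"""


def parse_cfscript(text):
    """Return the non-blank lines of each section; lines under no known heading go to 'orphan'."""
    sections = {"File": [], "Folder": [], "Registry": [], "orphan": []}
    current = "orphan"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            if line in SECTION_HEADINGS:
                current = line[:-2]
            else:                          # unknown heading: flag it and everything under it
                current = "orphan"
                sections["orphan"].append(line)
            continue
        sections[current].append(line)
    return sections


def check_cfscript(script_text, log_text):
    """Return (problem, line) pairs; an empty list means the script is consistent with the log."""
    problems = []
    sections = parse_cfscript(script_text)
    log_lower = log_text.lower()
    for line in sections["orphan"]:
        problems.append(("outside-known-section", line))
    for kind in ("File", "Folder"):
        for path in sections[kind]:
            if not WIN_PATH_RE.match(path):
                problems.append(("not-a-windows-path", path))
            elif path.lower() not in log_lower:
                # Catches typos and forum line-wrapping: the path never appeared in the log.
                problems.append(("path-not-in-log", path))
    last_key = None
    for line in sections["Registry"]:
        if REG_KEY_RE.match(line):
            last_key = line
        elif REG_VALUE_RE.match(line):
            if last_key is None or last_key.startswith("[-"):
                problems.append(("value-without-key", line))
        else:
            problems.append(("malformed-registry-line", line))
    return problems


if __name__ == "__main__":
    for problem, line in check_cfscript(SAMPLE_SCRIPT, SAMPLE_LOG):
        print(f"{problem:24} {line}")
```

On the sample the checker reports the wrapped .sys filename as path-not-in-log and the bare HKEY line as malformed; fixing the space in the filename leaves only the malformed line, which is the kind of check worth running before dragging CFScript.txt onto ComboFix.exe.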
  • It is running now... I will let you know the outcome later.

    Do I need to download HijackThis afterwards? 'Cos it has not been allowing me to do this.
    You can't keep a good man down...
  • SaqibQ
    SaqibQ Posts: 81 Forumite
    Yes! You should be able to download it now.
This discussion has been closed.