Virtumonde/malware Infection!


19 replies to this topic

#1 iamkali

iamkali

  • Members
  • 9 posts

Posted 20 January 2008 - 05:10 PM

Hey guys, I have a fun little virus on my comp and I cannot get rid of it. It shows up as gebcb.exe in my system32 file. It does not allow me to run IE (closes as soon as I open it). It also does not allow me to install programs through Windows Installer; it says that the dependency service failed to open. I also cannot open pictures, videos or hear sound. How fun! When I run Spybot, it pulls up Virtumonde each time and links it to gebcb.exe. I have run every type of spyware and malware remover and removed hundreds of infections, but this one just wants to stick. I have done all the procedures prior to posting this, so here is my updated HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:03 PM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\gebcb.exe
O2 - BHO: (no name) - {18354FDF-33A2-4A9A-9933-ED9FB3732971} - C:\WINDOWS\system32\gebcb.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA506] command /c del "C:\WINDOWS\system32\gebcb.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3621] cmd /c del "C:\WINDOWS\system32\gebcb.dll_old"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1644491937-113007714-682003330-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - S-1-5-21-1644491937-113007714-682003330-1003 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - S-1-5-21-1644491937-113007714-682003330-1003 Startup: Trillian.lnk = ? (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Trillian.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137093745500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137093713015
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6669 bytes
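As an added example, not part of the original post and not a feature of HijackThis itself, here is a Python triage script for the kind of log posted above: it parses the line format (section code, then the entry), flags the F3 win.ini load= hook, the unnamed "(file missing)" BHO and the Spybot RunOnce deletion, and then shows that all three point at the same gebcb component. The embedded sample log is a constructed excerpt of the log above, and the system32 allowlist is an assumption made for the example.

```python
"""Triage HijackThis 2.x log lines for the indicator types seen in this thread.
Added example (not part of the original post, not a HijackThis feature). Flags
F3 win.ini load=/run= hooks, unnamed or "(file missing)" O2 BHOs, O4 RunOnce
file deletions left behind by removal tools, and O4 entries pointing straight
into system32, then groups findings that share a file stem (here "gebcb")."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt of the HijackThis log posted above.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\gebcb.exe
O2 - BHO: (no name) - {18354FDF-33A2-4A9A-9933-ED9FB3732971} - C:\WINDOWS\system32\gebcb.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA506] command /c del "C:\WINDOWS\system32\gebcb.dll_old"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

# Constructed allowlist: system32 programs that legitimately show up as O4 entries.
KNOWN_SYSTEM32 = {"ctfmon.exe"}
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
F3_RE = re.compile(r"^REG:(?P<ini>win\.ini|system\.ini): (?P<key>\w+)=(?P<val>.*)$", re.I)
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\S*?\\\.\.\\(?P<key>Run\w*)): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First Windows path ending in a binary extension; ".dll_old" is tried before ".dll".
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll_old|dll|sys|ocx))', re.I)
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\[^\\]+$", re.I)


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code: F3, O2, O4, ...
    reason: str   # why the entry was flagged
    path: str     # file the entry refers to ("" if none could be extracted)
    line: str     # the original log line


def first_path(text: str) -> str:
    m = PATH_RE.search(text)
    return m.group(1) if m else ""


def stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\gebcb.dll_old' -> 'gebcb'."""
    return path.rsplit("\\", 1)[-1].split(".", 1)[0].lower()


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "F3":
            f3 = F3_RE.match(body)
            if f3 and f3.group("val").strip():
                findings.append(Finding(sec, f"{f3.group('ini')} {f3.group('key')}= starts a program at "
                                        "logon, a legacy hook rarely used by legitimate software",
                                        first_path(f3.group("val")), line))
        elif sec == "O2":
            o2 = O2_RE.match(body)
            if not o2:
                continue
            reasons = []
            if o2.group("name") == "(no name)":
                reasons.append("unnamed BHO")
            if "(file missing)" in o2.group("path"):
                reasons.append("BHO DLL registered but not present on disk")
            if reasons:
                findings.append(Finding(sec, "; ".join(reasons), first_path(o2.group("path")), line))
        elif sec == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                continue
            cmd, path = o4.group("cmd"), first_path(o4.group("cmd"))
            if o4.group("key").lower() == "runonce" and re.search(r"\bdel\b", cmd, re.I):
                findings.append(Finding(sec, "RunOnce deletes a file: leftover from a removal tool, "
                                        "naming the file it could not delete", path, line))
            elif path and SYSTEM32_RE.match(path) and path.rsplit("\\", 1)[-1].lower() not in KNOWN_SYSTEM32:
                findings.append(Finding(sec, "autostart points straight into system32 at an unknown file",
                                        path, line))
    return findings


def correlate(findings: list[Finding]) -> dict[str, list[str]]:
    """Map each file stem referenced by more than one section to those sections."""
    groups: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        if f.path:
            groups[stem(f.path)].add(f.section)
    return {s: sorted(secs) for s, secs in groups.items() if len(secs) > 1}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}\n      {f.line}")
    for s, secs in correlate(results).items():
        print(f"'{s}' is referenced by sections {', '.join(secs)}: treat as one component")
```

Paste a full HijackThis log into `triage()` in place of the sample and the O2/O4/F3 entries that refer to the same stem surface together; entries for known software (Spybot, ZoneAlarm) pass through untouched.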


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 26 January 2008 - 04:11 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum.
My name is Richie and I'll be helping you to fix your problems.

Apologies for the late response, as I'm sure you can appreciate we are extremely busy.

If you've already received help at another forum and your issues have been resolved, or you're presently receiving help elsewhere, then please let us know.

If you have not followed the info in the link below prior to posting your log then please do so now:
Preparation Guide for use before posting a HijackThis Log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If you still require help, please post a new HijackThis log into this topic in your next reply.

Also post a detailed description of the issues you're experiencing.

*Note*
Post all reports/logs directly into this topic, not as attachments, thanks.

#3 iamkali

iamkali
  • Topic Starter

  • Members
  • 9 posts

Posted 26 January 2008 - 04:20 AM

Hey Richie, thanks for the reply. I have yet to receive help, so I will be gladly working with you.

As previously stated, I have followed all of the steps prior to posting the most recent HijackThis log. The log should not be much different now, as no changes have been made to the computer since the topic has been posted. However, I will post a fresh log.

As previously stated, I cannot open IE. It closes immediately upon opening. I also cannot install or remove anything that uses Windows Installer, as it says the dependency service has failed to initialize. Also, sound does not work. I cannot open pictures or videos, and I cannot rearrange items on my desktop as they seem to be locked. One other thing I have noticed is that System Restore does not work at all.

Here is a fresh log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:23 AM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\gebcb.exe
O2 - BHO: (no name) - {18354FDF-33A2-4A9A-9933-ED9FB3732971} - C:\WINDOWS\system32\gebcb.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA506] command /c del "C:\WINDOWS\system32\gebcb.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3621] cmd /c del "C:\WINDOWS\system32\gebcb.dll_old"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1644491937-113007714-682003330-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - S-1-5-21-1644491937-113007714-682003330-1003 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - S-1-5-21-1644491937-113007714-682003330-1003 Startup: Trillian.lnk = ? (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Trillian.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137093745500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137093713015
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6669 bytes

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 26 January 2008 - 04:32 AM

Bit of a mess you're in, try this first, see if it will install:
Download/unzip/install Dial-a-Fix from here:
http://djlizard.net/software/Dial-a-fix-v0.60.0.24.zip
Launch the program, place a check in the 'MSI' box 'Fix Windows Installer'.
Then click on 'GO' at the bottom.
Restart your PC when Dial-a-Fix has finished.

Please visit this webpage for instructions for downloading and running ComboFix.
This includes installing the Windows XP Recovery Console in case you have not installed it yet.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the entire contents of C:\ComboFix.txt into your next reply.
Also post a new HijackThis log.

Edited by RichieUK, 26 January 2008 - 04:32 AM.

#5 iamkali

iamkali
  • Topic Starter

  • Members
  • 9 posts

Posted 26 January 2008 - 04:52 AM

Richie, thank you for the reply.

Before I continue, I must inform you again that I am unable to drag objects on my desktop. They seem to be locked and I have tried to unlock them but so far have been unsuccessful. This is preventing me from dragging the Recovery Console onto the ComboFix icon. If there is anything I can do to fix this or if I should just continue, please let me know. Thanks!

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 26 January 2008 - 04:57 AM

Just carry on with the ComboFix steps then.

#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 26 January 2008 - 05:07 AM

I must inform you again that I am unable to drag objects on my desktop.

See if this helps:
Right click on your Taskbar, click Properties.
Click on the Start Menu tab.
Click on the Customize button, then click the Advanced tab.
In the Start menu items: window, check the box 'Enable dragging and dropping'.
Press OK/Apply/OK.

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 26 January 2008 - 05:32 AM

If you're struggling, try running in 'Safe Mode with Networking':
Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode with Networking".

#9 iamkali

iamkali
  • Topic Starter

  • Members
  • 9 posts

Posted 26 January 2008 - 08:51 PM

Alright, here are both logs. I tried the drag and drop option, but it was already checked and made no difference. I ran ComboFix last night and when I came home this morning it looks like my computer restarted. I don't know if that matters, but I just repeated the process. Here are the logs:

ComboFix 08-01-23.1C - Mike 2008-01-26 17:04:37.2 - NTFSx86
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mhdeymos.ini
C:\WINDOWS\system32\wfidmhdm.ini
.
---- Previous Run -------
.
C:\Documents and Settings\Mike\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Mike\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Mike\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\outerinfo
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInstall.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\curity~1
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\bcbeg.ini
C:\WINDOWS\system32\bcbeg.ini2
C:\WINDOWS\system32\ccbeg.ini
C:\WINDOWS\system32\ccbeg.ini2
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\wnscpit32.exe
C:\WINDOWS\timessquare1.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\nm




((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-26 02:04 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-20 06:23 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-01-17 20:38 . 2008-01-10 00:49 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-16 21:50 . 2008-01-26 17:05 <DIR> d-------- C:\WINDOWS\CAVTemp
2008-01-15 00:12 . 2007-11-22 15:37 250,544 --a------ C:\WINDOWS\system32\KeyHelp.ocx
2008-01-15 00:11 . 2008-01-15 00:12 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-01-15 00:11 . 2007-11-23 11:48 879,784 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-01-15 00:11 . 2007-11-23 11:48 108,312 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-01-15 00:11 . 2007-11-23 11:48 99,592 --a------ C:\WINDOWS\system32\isafeif.dll
2008-01-15 00:11 . 2007-11-23 11:48 91,400 --a------ C:\WINDOWS\system32\isafprod.dll
2008-01-15 00:11 . 2007-11-23 11:48 79,424 --a------ C:\WINDOWS\system32\vetredir.dll
2008-01-15 00:11 . 2007-11-23 11:48 32,264 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-01-15 00:11 . 2007-11-23 11:48 26,376 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-01-15 00:11 . 2007-11-23 11:48 21,512 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-01-15 00:11 . 2007-11-23 11:48 21,128 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-01-15 00:10 . 2008-01-15 00:10 <DIR> d-------- C:\Program Files\CA
2008-01-14 23:47 . 2008-01-14 23:47 <DIR> d-------- C:\Program Files\Comodo
2008-01-14 23:47 . 2007-11-26 10:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2008-01-14 23:47 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2008-01-14 23:47 . 2004-08-03 23:56 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-01-14 23:47 . 2008-01-15 00:12 943 --a------ C:\WINDOWS\BOC425.INI
2008-01-14 23:14 . 2008-01-14 23:14 <DIR> d-------- C:\kav
2008-01-14 01:03 . 2007-07-19 22:42 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-14 01:01 . 2008-01-14 01:01 164 --a------ C:\install.dat
2008-01-14 00:56 . 2008-01-14 07:25 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2008-01-14 00:56 . 2008-01-14 00:56 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-01-14 00:56 . 2007-12-06 16:51 28,568 --a------ C:\WINDOWS\system32\drivers\AVHook.sys
2008-01-14 00:56 . 2007-12-06 16:51 21,912 --a------ C:\WINDOWS\system32\drivers\AVRec.sys
2008-01-14 00:56 . 2007-12-10 10:59 21,912 --a------ C:\WINDOWS\system32\drivers\AVFilter.sys
2008-01-09 22:08 . 2008-01-09 22:08 <DIR> d-------- C:\Program Files\Netscape
2008-01-07 01:03 . 2008-01-14 19:22 221,184 --a------ C:\WINDOWS\system32\LVCOMSX .EXE
2008-01-06 18:47 . 2008-01-20 14:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-06 18:47 . 2008-01-06 18:47 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-29 14:17 . 2007-12-29 14:17 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2007-12-29 14:15 . 2007-07-30 14:44 3,518,464 --a------ C:\WINDOWS\system32\cdintf300.dll
2007-12-29 14:15 . 2007-06-28 14:09 1,843,200 --a------ C:\WINDOWS\system32\acXMLParser.dll
2007-12-29 14:02 . 2007-12-29 14:06 <DIR> d-------- C:\Program Files\Common Files\Intuit
2007-12-29 11:42 . 2007-12-29 11:42 <DIR> d-------- C:\Program Files\Akamai

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 09:43 1,486,424 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-01-21 08:26 --------- d-----w C:\Program Files\FriendBlasterPro
2008-01-20 22:09 --------- d-----w C:\Program Files\Trend Micro
2008-01-20 03:07 --------- d-----w C:\Program Files\Trillian
2008-01-15 08:28 --------- d-----w C:\Program Files\PC Alarm Clock
2008-01-14 15:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-13 02:47 --------- d-----w C:\Program Files\Lavasoft
2008-01-10 09:16 --------- d-----w C:\Program Files\The Weather Channel FW
2008-01-10 02:32 --------- d-----w C:\Program Files\QuickTime
2008-01-09 02:37 --------- d-----w C:\Program Files\Winamp
2007-12-19 08:39 --------- d-----w C:\Program Files\Full Tilt Poker
2007-12-05 06:00 --------- d-----w C:\Program Files\UltimateBet
2007-12-02 21:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-02 21:17 --------- d-----w C:\Program Files\ICQ6
2007-10-31 21:03 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-01-28 17:58 5,329,408 ----a-w C:\WINDOWS\Internet Logs\xDB114.tmp
2007-01-28 17:58 3,055,616 ----a-w C:\WINDOWS\Internet Logs\xDB113.tmp
2006-12-31 17:12 141,358 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_12_30_06_01_28_small.dmp.zip
2006-12-29 17:34 15,872 ----a-w C:\WINDOWS\Internet Logs\xDB112.tmp
2006-12-29 17:27 4,349,952 ----a-w C:\WINDOWS\Internet Logs\xDB111.tmp
2006-12-29 14:51 60,416 ----a-w C:\WINDOWS\Internet Logs\xDB110.tmp
2006-12-29 14:51 4,349,952 ----a-w C:\WINDOWS\Internet Logs\xDB10F.tmp
2006-12-24 19:41 4,349,952 ----a-w C:\WINDOWS\Internet Logs\xDB10D.tmp
2006-12-24 19:41 214,016 ----a-w C:\WINDOWS\Internet Logs\xDB10E.tmp
2006-12-17 20:41 4,331,520 ----a-w C:\WINDOWS\Internet Logs\xDB10B.tmp
2006-12-17 20:41 14,848 ----a-w C:\WINDOWS\Internet Logs\xDB10C.tmp
2006-12-17 16:14 4,331,520 ----a-w C:\WINDOWS\Internet Logs\xDB109.tmp
2006-12-17 15:56 18,432 ----a-w C:\WINDOWS\Internet Logs\xDB10A.tmp
2006-12-17 02:35 4,330,496 ----a-w C:\WINDOWS\Internet Logs\xDB107.tmp
2006-12-17 02:35 131,072 ----a-w C:\WINDOWS\Internet Logs\xDB108.tmp
2006-12-08 14:10 4,256,256 ----a-w C:\WINDOWS\Internet Logs\xDB105.tmp
2006-12-08 14:07 66,560 ----a-w C:\WINDOWS\Internet Logs\xDB106.tmp
2006-12-08 08:10 41,472 ----a-w C:\WINDOWS\Internet Logs\xDB104.tmp
2006-12-08 08:10 4,345,344 ----a-w C:\WINDOWS\Internet Logs\xDB103.tmp
2006-12-07 01:28 43,520 ----a-w C:\WINDOWS\Internet Logs\xDB102.tmp
2006-12-07 01:28 4,259,840 ----a-w C:\WINDOWS\Internet Logs\xDB101.tmp
2006-12-05 08:12 4,261,888 ----a-w C:\WINDOWS\Internet Logs\xDBFF.tmp
2006-12-05 07:54 791,552 ----a-w C:\WINDOWS\Internet Logs\xDB100.tmp
2006-12-02 11:36 4,257,792 ----a-w C:\WINDOWS\Internet Logs\xDBFD.tmp
2006-12-02 10:40 111,616 ----a-w C:\WINDOWS\Internet Logs\xDBFE.tmp
2006-12-01 09:07 4,256,256 ----a-w C:\WINDOWS\Internet Logs\xDBFB.tmp
2006-12-01 07:55 206,848 ----a-w C:\WINDOWS\Internet Logs\xDBFC.tmp
2006-11-30 06:06 4,256,256 ----a-w C:\WINDOWS\Internet Logs\xDBF8.tmp
2006-11-30 03:04 580,096 ----a-w C:\WINDOWS\Internet Logs\xDBFA.tmp
2006-11-29 06:05 4,285,440 ----a-w C:\WINDOWS\Internet Logs\xDBF7.tmp
2006-11-29 02:47 2,903,040 ----a-w C:\WINDOWS\Internet Logs\xDBF9.tmp
2006-10-17 23:29 4,206,080 ----a-w C:\WINDOWS\Internet Logs\xDBF5.tmp
2006-10-17 23:29 2,106,368 ----a-w C:\WINDOWS\Internet Logs\xDBF6.tmp
2006-10-15 06:32 2,676,224 ----a-w C:\WINDOWS\Internet Logs\xDBF4.tmp
2006-09-06 23:47 60,928 ----a-w C:\WINDOWS\Internet Logs\xDBF3.tmp
2006-09-06 23:47 3,893,760 ----a-w C:\WINDOWS\Internet Logs\xDBF2.tmp
2006-09-06 22:22 3,898,368 ----a-w C:\WINDOWS\Internet Logs\xDBF0.tmp
2006-09-06 22:22 1,827,840 ----a-w C:\WINDOWS\Internet Logs\xDBF1.tmp
2006-09-04 18:45 3,914,240 ----a-w C:\WINDOWS\Internet Logs\xDBEE.tmp
2006-09-04 18:45 2,661,376 ----a-w C:\WINDOWS\Internet Logs\xDBEF.tmp
2006-08-31 23:47 3,998,720 ----a-w C:\WINDOWS\Internet Logs\xDBEC.tmp
2006-08-31 23:47 2,931,200 ----a-w C:\WINDOWS\Internet Logs\xDBED.tmp
2006-08-29 23:29 37,376 ----a-w C:\WINDOWS\Internet Logs\xDBEB.tmp
2006-08-29 23:29 3,891,712 ----a-w C:\WINDOWS\Internet Logs\xDBEA.tmp
2006-08-29 21:13 4,002,816 ----a-w C:\WINDOWS\Internet Logs\xDBE8.tmp
2006-08-29 21:13 2,659,328 ----a-w C:\WINDOWS\Internet Logs\xDBE9.tmp
2006-07-29 00:14 3,867,648 ----a-w C:\WINDOWS\Internet Logs\xDBE6.tmp
2006-07-29 00:14 2,869,248 ----a-w C:\WINDOWS\Internet Logs\xDBE7.tmp
2006-07-26 22:50 3,863,552 ----a-w C:\WINDOWS\Internet Logs\xDBE4.tmp
2006-07-26 22:50 1,716,736 ----a-w C:\WINDOWS\Internet Logs\xDBE5.tmp
2006-07-24 21:05 3,863,552 ----a-w C:\WINDOWS\Internet Logs\xDBE2.tmp
2006-07-24 21:05 2,622,976 ----a-w C:\WINDOWS\Internet Logs\xDBE3.tmp
2006-07-23 16:36 3,864,576 ----a-w C:\WINDOWS\Internet Logs\xDBE0.tmp
2006-07-23 16:36 299,520 ----a-w C:\WINDOWS\Internet Logs\xDBE1.tmp
2006-07-22 20:17 3,861,504 ----a-w C:\WINDOWS\Internet Logs\xDBDE.tmp
2006-07-22 20:17 13,312 ----a-w C:\WINDOWS\Internet Logs\xDBDF.tmp
2006-07-22 20:08 404,480 ----a-w C:\WINDOWS\Internet Logs\xDBDD.tmp
2006-07-22 20:08 3,863,040 ----a-w C:\WINDOWS\Internet Logs\xDBDC.tmp
2006-07-19 20:34 3,861,504 ----a-w C:\WINDOWS\Internet Logs\xDBDA.tmp
2006-07-19 20:34 2,678,272 ----a-w C:\WINDOWS\Internet Logs\xDBDB.tmp
2006-06-25 02:23 3,811,840 ----a-w C:\WINDOWS\Internet Logs\xDBD8.tmp
2006-06-25 02:23 2,704,896 ----a-w C:\WINDOWS\Internet Logs\xDBD9.tmp
2006-05-26 01:09 2,719,744 ----a-w C:\WINDOWS\Internet Logs\xDBD7.tmp
2006-04-14 09:24 2,658,816 ----a-w C:\WINDOWS\Internet Logs\xDBD6.tmp
2006-04-14 09:23 3,728,896 ----a-w C:\WINDOWS\Internet Logs\xDBD5.tmp
2006-03-25 17:52 983,040 ----a-w C:\WINDOWS\Internet Logs\xDBD4.tmp
2006-03-25 17:52 3,650,560 ----a-w C:\WINDOWS\Internet Logs\xDBD3.tmp
2006-03-24 23:18 3,646,976 ----a-w C:\WINDOWS\Internet Logs\xDBD1.tmp
2006-03-24 23:18 1,252,352 ----a-w C:\WINDOWS\Internet Logs\xDBD2.tmp
2006-03-24 03:41 3,671,552 ----a-w C:\WINDOWS\Internet Logs\xDBCF.tmp
2006-03-24 03:41 2,639,360 ----a-w C:\WINDOWS\Internet Logs\xDBD0.tmp
2006-03-15 22:07 3,660,800 ----a-w C:\WINDOWS\Internet Logs\xDBCD.tmp
2006-03-15 22:07 2,690,048 ----a-w C:\WINDOWS\Internet Logs\xDBCE.tmp
2006-01-28 19:07 3,502,592 ----a-w C:\WINDOWS\Internet Logs\xDBCB.tmp
2006-01-28 19:07 259,072 ----a-w C:\WINDOWS\Internet Logs\xDBCC.tmp
2006-01-28 08:47 3,500,544 ----a-w C:\WINDOWS\Internet Logs\xDBC9.tmp
2006-01-28 08:47 2,887,168 ----a-w C:\WINDOWS\Internet Logs\xDBCA.tmp
2006-01-18 20:21 3,465,216 ----a-w C:\WINDOWS\Internet Logs\xDBC7.tmp
2006-01-18 20:21 2,695,680 ----a-w C:\WINDOWS\Internet Logs\xDBC8.tmp
2006-01-15 18:55 3,504,640 ----a-w C:\WINDOWS\Internet Logs\xDBC5.tmp
2006-01-15 18:55 2,715,136 ----a-w C:\WINDOWS\Internet Logs\xDBC6.tmp
2006-01-11 06:19 11,776 ----a-w C:\WINDOWS\Internet Logs\xDBC4.tmp
2006-01-11 06:18 3,371,008 ----a-w C:\WINDOWS\Internet Logs\xDBC3.tmp
2005-05-14 01:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 19:13 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-14 05:27 422,400 --sha-r C:\WINDOWS\x2.64.exe
2003-01-17 23:40 32 --sha-w C:\WINDOWS\{DA1CBB0E-A708-414E-96F0-9143A026FD68}.dat
2005-10-08 03:14 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2005-07-14 20:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 23:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 06:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-25 08:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2006-04-27 18:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
2005-02-28 21:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 08:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
2003-01-17 23:40 32 --sha-w C:\WINDOWS\system32\{BEC9C3AD-9278-42E1-8586-FA23973B7B40}.dat
.
----a-w            54,296 2008-01-14 11:01:12  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w            58,392 2008-01-14 11:01:13  C:\Program Files\Common Files\Symantec Shared\ccRegVfy .exe
----a-w           132,496 2008-01-14 11:01:17  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w            79,480 2008-01-15 03:22:46  C:\Program Files\Norton AntiVirus\AdvTools\ADVCHK .EXE
----a-w         1,026,048 2008-01-15 03:22:56  C:\Program Files\PC Alarm Clock\pac .exe
----a-w         1,238,928 2008-01-14 15:24:59  C:\Program Files\PC Tools AntiVirus\PCTAV .exe
----a-w           286,720 2008-01-11 04:46:10  C:\Program Files\QuickTime\qttask    .exe
----a-w           286,720 2008-01-11 04:46:11  C:\Program Files\QuickTime\qttask   .exe
----a-w           286,720 2008-01-11 04:46:11  C:\Program Files\QuickTime\qttask  .exe
----a-w           286,720 2008-01-11 04:46:11  C:\Program Files\QuickTime\qttask .exe
----a-w         1,460,560 2008-01-15 06:20:59  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w            36,352 2008-01-08 03:25:49  C:\Program Files\Winamp\winampa .exe
----a-w           221,184 2008-01-15 03:22:49  C:\WINDOWS\system32\LVCOMSX .EXE
----a-w           172,032 2008-01-15 03:22:47  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10 .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18354FDF-33A2-4A9A-9933-ED9FB3732971}]
C:\WINDOWS\system32\gebcb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced Tools Check"="C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE" [ ]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [ ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"= C:\Program Files\Trend Micro\Tmas\sshook.dll [2006-01-10 23:28 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DealHelperDown]
C:\Documents and Settings\Mike\Local Settings\Temp\ms2.tmp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2002-06-11 09:38 1036288 C:\Program Files\ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--------- 2004-06-01 11:09 458752 C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--------- 2004-06-01 11:03 217088 C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M3Tray]
C:\Program Files\Movielink\MovielinkManager\M3Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmc]
C:\WINDOWS\System32\msgked.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tmproxy"=2 (0x2)
"Tmntsrv"=2 (0x2)
"PcCtlCom"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPDJ Taskbar Utility"=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"BJCFD"=C:\Program Files\BroadJump\Client Foundation\CFD.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 14:34:47 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~2\NAVW32.EXEG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-01-14 08:06:18 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 17:14:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-26 17:17:39
ComboFix-quarantined-files.txt 2008-01-27 01:17:13
.
2007-12-29 23:03:17 --- E O F ---




++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:42 PM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {18354FDF-33A2-4A9A-9933-ED9FB3732971} - C:\WINDOWS\system32\gebcb.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1644491937-113007714-682003330-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - S-1-5-21-1644491937-113007714-682003330-1003 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - S-1-5-21-1644491937-113007714-682003330-1003 Startup: Trillian.lnk = ? (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Trillian.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137093745500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137093713015
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6275 bytes

#10 RichieUK
Malware Assassin, Malware Response Team, 13,614 posts
Posted 27 January 2008 - 03:49 AM

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
Read this article:
http://www.clickz.com/news/article.php/3561546

You are well advised to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present, then restart your PC:
Viewpoint
Viewpoint Manager
Viewpoint Media Player


Please download OTMoveIt by OldTimer,save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\{DA1CBB0E-A708-414E-96F0-9143A026FD68}.dat
C:\WINDOWS\system32\{BEC9C3AD-9278-42E1-8586-FA23973B7B40}.dat


Return to OTMoveIt, right click on the "Paste Standard List of Files/Folders to be moved" window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save As... / Save as type: 'All Files' / File name: CFScript, and save it to your desktop.

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18354FDF-33A2-4A9A-9933-ED9FB3732971}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DealHelperDown]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmc]
RenV::
----a-w 54,296 2008-01-14 11:01:12 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 58,392 2008-01-14 11:01:13 C:\Program Files\Common Files\Symantec Shared\ccRegVfy .exe
----a-w 132,496 2008-01-14 11:01:17 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 79,480 2008-01-15 03:22:46 C:\Program Files\Norton AntiVirus\AdvTools\ADVCHK .EXE
----a-w 1,026,048 2008-01-15 03:22:56 C:\Program Files\PC Alarm Clock\pac .exe
----a-w 1,238,928 2008-01-14 15:24:59 C:\Program Files\PC Tools AntiVirus\PCTAV .exe
----a-w 286,720 2008-01-11 04:46:10 C:\Program Files\QuickTime\qttask .exe
----a-w 286,720 2008-01-11 04:46:11 C:\Program Files\QuickTime\qttask .exe
----a-w 286,720 2008-01-11 04:46:11 C:\Program Files\QuickTime\qttask .exe
----a-w 286,720 2008-01-11 04:46:11 C:\Program Files\QuickTime\qttask .exe
----a-w 1,460,560 2008-01-15 06:20:59 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 36,352 2008-01-08 03:25:49 C:\Program Files\Winamp\winampa .exe
----a-w 221,184 2008-01-15 03:22:49 C:\WINDOWS\system32\LVCOMSX .EXE
----a-w 172,032 2008-01-15 03:22:47 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10 .exe

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

Edited by RichieUK, 27 January 2008 - 05:53 AM.

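The CFScript above has two parts: the Registry:: section deletes the orphaned BHO key and the two msconfig startupreg entries, and the RenV:: section hands ComboFix the listing lines for files whose names carry whitespace before the extension (ccApp .exe, the four qttask variants and so on) so it can rename them. As an added example, not part of the original post and not ComboFix's or HijackThis's own code, the following Python script parses that kind of listing together with a couple of HijackThis O2 lines, works out the canonical file names, flags the case where several spaced variants collapse onto the same target (as the four qttask entries do, so they cannot all be renamed blindly), and assembles a CFScript in the same layout as the post. The sample lines are copied from the logs quoted in this thread; the regular expressions, the function names and the conflict rule are this example's own assumptions.

```python
"""Triage helper for the ComboFix listing and HijackThis log quoted above.

Added example (not ComboFix's or HijackThis's own code). The parsing rules,
function names and conflict handling are assumptions of this example.
"""
import re
from collections import defaultdict

# Constructed sample: four lines copied from the RenV:: block in the post.
RENV_LISTING = r"""
----a-w 54,296 2008-01-14 11:01:12 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 286,720 2008-01-11 04:46:10 C:\Program Files\QuickTime\qttask   .exe
----a-w 286,720 2008-01-11 04:46:11 C:\Program Files\QuickTime\qttask .exe
----a-w 221,184 2008-01-15 03:22:49 C:\WINDOWS\system32\LVCOMSX .EXE
"""

# Constructed sample: two O2 lines copied from the HijackThis log above.
HJT_LINES = r"""
O2 - BHO: (no name) - {18354FDF-33A2-4A9A-9933-ED9FB3732971} - C:\WINDOWS\system32\gebcb.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
"""

# attributes, size, date, time, then the path (which may itself contain spaces)
_LISTING_RE = re.compile(
    r"^(?P<attrs>\S+)\s+(?P<size>[\d,]+)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)
# one or more blanks immediately before the final ".ext"
_SPACED_EXT_RE = re.compile(r"[ \t]+(\.[A-Za-z0-9]+)$")


def parse_listing(text):
    """Yield (attrs, size, path) tuples from ComboFix-style listing lines."""
    for line in text.splitlines():
        m = _LISTING_RE.match(line)
        if m:
            yield m["attrs"], int(m["size"].replace(",", "")), m["path"]


def canonical_name(path):
    """Return the path with the whitespace before the extension removed,
    or None when the name does not show that pattern."""
    if not _SPACED_EXT_RE.search(path):
        return None
    return _SPACED_EXT_RE.sub(r"\1", path)


def plan_renames(text):
    """Map each spaced-extension entry to its canonical target.

    Entries that collapse onto one target (the qttask variants) are not
    planned; they are returned separately as conflicts for a human to
    resolve, since only one of them can become qttask.exe."""
    targets = defaultdict(list)
    for attrs, size, path in parse_listing(text):
        target = canonical_name(path)
        if target:
            targets[target].append((path, size))
    plan, conflicts = {}, {}
    for target, entries in targets.items():
        if len(entries) == 1:
            plan[entries[0][0]] = target
        else:
            conflicts[target] = entries
    return plan, conflicts


def orphaned_bhos(text):
    """Return the CLSIDs of O2 BHO lines whose DLL HijackThis reports missing.
    Such a registration is the registry residue the Registry:: section removes."""
    out = []
    for line in text.splitlines():
        if line.startswith("O2 - BHO:") and line.rstrip().endswith("(file missing)"):
            m = re.search(r"\{[0-9A-Fa-f-]{36}\}", line)
            if m:
                out.append(m.group(0))
    return out


def build_cfscript(bho_clsids, listing_text):
    """Assemble a CFScript in the layout used in the post: Registry:: lines
    that delete the BHO keys, then RenV:: followed by the listing lines
    verbatim (ComboFix is given the original lines, not computed targets)."""
    lines = ["Registry::"]
    for clsid in bho_clsids:
        lines.append(r"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\%s]" % clsid)
    lines.append("RenV::")
    lines.extend(l for l in listing_text.splitlines() if _LISTING_RE.match(l))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    plan, conflicts = plan_renames(RENV_LISTING)
    for src, dst in plan.items():
        print("rename:", src, "->", dst)
    for dst, entries in conflicts.items():
        print("conflict:", dst, "<-", [p for p, _ in entries])
    print(build_cfscript(orphaned_bhos(HJT_LINES), RENV_LISTING))
```

Run on the sample it reports two safe renames, one conflict for qttask.exe with two candidates, and prints a CFScript whose Registry:: section names only the gebcb.dll BHO (the ssv.dll entry still has its file present and is left alone).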

#11 iamkali (Topic Starter)
Members, 9 posts
Posted 27 January 2008 - 07:16 AM

Thanks for your reply. I have removed whatever Viewpoint was in my Control Panel. I am moving on and there are 2 issues.

1) I can't copy and paste for some reason. I can copy stuff from notepad to somewhere, but I am unable to copy and paste from a webpage. Is it possible to attach the code in notepad?

2) As I am reading through what is asked, I noticed you need me to drag and drop the CFScript file onto ComboFix. Unfortunately I am still unable to drag and drop.

Big mess eh? :thumbsup:

;) Thanks for your help!

#12 RichieUK
Malware Assassin, Malware Response Team, 13,614 posts
Posted 27 January 2008 - 07:37 AM

Big mess eh?

Sure is.

You have CA Internet Security Suite and several Symantec entries in your log; I'm presuming the Symantec entries are from a previous install of Norton AntiVirus.
If the above is indeed the case, the Symantec entries need removing; please do the following:
If there is no Norton AntiVirus/Symantec uninstaller available in Add/Remove Programs, then you will need to download and run the Norton Removal Tool:
http://service1.symantec.com/SUPPORT/tsgen...005033108162039
*Please Note*
The Norton Removal Tool will remove all Norton/Symantec products from your pc.

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use the Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
This will start the program and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

If the above link doesn't work,try this:
http://www.kaspersky.com/kos/english/kavwebscan.html

Also post a new Hijackthis log.

#13 iamkali (Topic Starter)
Members, 9 posts
Posted 27 January 2008 - 08:00 AM

Thanks for the reply Richie. I am beginning the process but I would like to note that I cannot print lol, it doesn't find my printer anymore. So I have to write it all down, haha.

Also, for Kaspersky, I am unable to run Internet Explorer. I am also assuming I will not be in safe mode at the time of the Kaspersky scan?

One other thing I just noticed, I cannot install SuperAntiSpyware as it uses Windows Installer and it does not work for me at the moment.

I'm gonna shoot myself, lol...

:thumbsup:

Edited by iamkali, 27 January 2008 - 08:08 AM.


#14 RichieUK
Malware Assassin, Malware Response Team, 13,614 posts
Posted 27 January 2008 - 08:21 AM

Not having much luck, are you? :thumbsup:

If you have the Microsoft Windows XP installation disk:
Click Start > Run, type sfc /scannow, then press OK.
Leave a space in between sfc and /scannow.
Reboot when you're done.

If you have the Microsoft Windows XP installation disk, try doing a Repair Install.
Configure your computer to start from the CD-ROM drive.
[Boot into the Bios and set your CD-Rom drive as first boot device].
For more information about how to do this, refer to your computer's documentation or contact your computer manufacturer.
Then insert your Microsoft Windows XP Setup CD, and restart your computer.
When the 'Press any key to boot from CD' message is displayed on screen, press a key.
Press ENTER when you see the message to set up Windows XP now, and then press ENTER on the 'Welcome to Setup' screen.
Do not choose the option to press R to use the Recovery Console.
In the Windows XP Licensing Agreement, press F8 to agree to the license agreement.
Make sure that your current installation of Windows XP is selected in the box, and then press R to repair Windows XP.
Follow the instructions on the screen to complete Setup.

#15 iamkali (Topic Starter)
Members, 9 posts
Posted 27 January 2008 - 08:26 AM

lol no, not much luck at all haha. Typical though for me :thumbsup: Once we get through with this fun little mess I'll make sure to compensate you :blink:

So um, what do I do if I don't have the XP disk? :wacko:



