Infected With Virtumond..please Help!


  • This topic is locked
49 replies to this topic

#1 angelP

angelP

  • Members
  • 33 posts
  • OFFLINE
  • Local time:05:02 AM

Posted 23 February 2008 - 04:42 PM

Have Windows XP Pro, and Norton. Have followed your steps and done Spybot and Ad-Aware and have ZoneAlarm (d/l this week). McAfee Stinger found nothing.

Last weekend the computer acted really wonky. Spybot found the Virtumond trojan. D/l VundoFix, ran it many times until it stopped finding files. Computer is running better but I want to make sure it's really all gone. Norton is still blocking Virtumond attempts.

Please advise:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:14 PM, on 23/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BellCanada\McciTrayApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B6F9F270-A1CE-4B8B-966E-42AD9CAA4416} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C5B1C0B0-757B-44EA-B513-1AA13B12BEBD} - (no file)
O2 - BHO: (no name) - {D85530E8-D39D-49D0-9F36-300D594556D2} - (no file)
O2 - BHO: (no name) - {EEC57C51-D7A7-4265-8F8F-22F1637BA5D7} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BellCanada_McciTrayApp] C:\Program Files\BellCanada\McciTrayApp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [cc9d3bfb] rundll32.exe "C:\WINDOWS\system32\cpushcry.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://pbctbc.bc.motive.com
O15 - Trusted Zone: http://pbctbcivr.bc.motive.com
O15 - Trusted Zone: http://fix.sympatico.ca
O15 - Trusted Zone: http://rc.sympatico.ca
O15 - Trusted Zone: http://rcfr.sympatico.ca
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...tupv2.0.0.9.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...upv2.0.0.10.cab?
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9903087B-C65B-4BC8-A9A3-6B6F0E9A2DEB}: NameServer = 206.47.244.50 206.47.244.106
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 12641 bytes
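The entries a helper looks for by eye in a log like the one above can also be checked in code. The following is an added example (not code from HijackThis, ComboFix or this forum): it parses a few constructed sample lines copied from this log and from the "Reg Loading Points" section of the ComboFix log quoted later in the thread, and flags orphaned BHOs, rundll32-style DLL loaders, Run values whose file is missing, and disabled Security Center monitoring or firewall. The 8-hex-digit value-name check is my own heuristic, not a HijackThis rule.

```python
"""Triage helpers for HijackThis and ComboFix log excerpts (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str    # entry type: "O2", "O4" or "reg"
    reason: str  # why the entry deserves a second look
    line: str    # the log line, verbatim


# Constructed sample: lines copied from the HijackThis log in this post.
HJT_SAMPLE = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B6F9F270-A1CE-4B8B-966E-42AD9CAA4416} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [cc9d3bfb] rundll32.exe "C:\WINDOWS\system32\cpushcry.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
"""

# Constructed sample in the format of ComboFix's "Reg Loading Points" section.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"cc9d3bfb"="C:\WINDOWS\system32\cpushcry.dll" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

HJT_ENTRY = re.compile(r"^(?P<kind>[OFR]\d+) - (?P<body>.+)$")
O4_RUN = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# rundll32 with a DLL as its first argument, quotes optional
RUNDLL_DLL = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)"?', re.I)
# Heuristic (my assumption, not a HijackThis rule): an 8-hex-digit Run value
# name such as "cc9d3bfb" is not how legitimate installers name entries.
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.I)


def triage_hijackthis(text: str) -> list[Finding]:
    """Flag orphaned BHOs (O2) and rundll32-style DLL loaders (O4)."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if not m:
            continue
        kind, body, reasons = m["kind"], m["body"], []
        if kind == "O2" and body.endswith("- (no file)"):
            # CLSID still registered but its DLL is gone: leftover of a removal.
            reasons.append("BHO registered without a file (orphaned entry)")
        elif kind == "O4":
            run = O4_RUN.match(body)
            if run:
                dll = RUNDLL_DLL.match(run["cmd"])
                if dll:
                    reasons.append(f"startup entry loads {dll['dll']} via rundll32")
                if HEX_NAME.match(run["name"]):
                    reasons.append(f"random-looking value name [{run['name']}]")
        if reasons:
            findings.append(Finding(kind, "; ".join(reasons), line))
    return findings


CF_KEY = re.compile(r"^\[(?P<key>.+)\]$")
CF_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')


def triage_combofix(text: str) -> list[Finding]:
    """Flag missing-file Run values and disabled Security Center / firewall."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        k = CF_KEY.match(line)
        if k:
            key = k["key"].lower()
            continue
        v = CF_VALUE.match(line)
        if not v:
            continue
        name, value = v["name"], v["value"].strip()
        subkey = key.split("\\")[-1]
        if value.endswith("[ ]"):
            # ComboFix prints "[ ]" when the referenced file no longer exists.
            # The value still fires at logon, which is what yields a RunDLL
            # "cannot be found" error after the DLL itself has been deleted.
            findings.append(Finding("reg", f"Run value {name} points at a missing file", line))
        elif "security center\\monitoring" in key and name == "DisableMonitoring" \
                and value.endswith("00000001"):
            findings.append(Finding("reg", f"Security Center monitoring disabled under {subkey}", line))
        elif "firewallpolicy" in key and name == "EnableFirewall" and value.startswith("0"):
            findings.append(Finding("reg", "Windows Firewall disabled for this profile", line))
    return findings
```

Running `triage_hijackthis(HJT_SAMPLE)` and `triage_combofix(COMBOFIX_SAMPLE)` returns the flagged lines with a reason each; everything else in the samples (ccApp, ctfmon, the Spybot BHO) passes silently.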


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:02 AM

Posted 25 February 2008 - 03:33 PM

Hello angelP,

If Norton is still finding virtumond, you are still infected.

We will run ComboFix.

You need to disable your Norton Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable Spybot's TeaTimer:
  • Run Spybot-S&D
  • Go to the Mode menu, and make sure "Advanced Mode" is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer" and OK any prompts


To disable Norton Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
  • right-click it -> choose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
  • click "Ok."
  • a popup will warn that protection will now be disabled and the sign will now look like this: Posted Image
You successfully disabled the Norton Antivirus Guard.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 4.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 4".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.


Make sure Teatimer and Norton Antivirus are disabled before proceeding.



You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install the Windows XP Recovery Console in case you have not installed it yet. <== IMPORTANT

We need the Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.


Post the ComboFix log.

Edited by SifuMike, 25 February 2008 - 03:38 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 angelP

angelP
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:05:02 AM

Posted 25 February 2008 - 10:54 PM

Thanks for your speedy reply. It all looks straightforward and I have printed out the pages to follow. I'll go step by step tomorrow.

One thing I forgot to mention... when I d/l VundoFix and ran it several times, one of the files it found (and then deleted) was Rundll32.exe "C:\WINDOWS\system32\cpushcry.dll",b

Each time I reboot, I now get a RunDLL error message saying that file Rundll32.exe "C:\WINDOWS\system32\cpushcry.dll",b cannot be found.

Also each time I reboot, Windows Security Centre becomes disabled

I'll run ComboFix and the other steps tomorrow and post results... thanks again :thumbsup:

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:02 AM

Posted 26 February 2008 - 12:52 AM

No rush, I'll be here. :thumbsup:

#5 angelP

angelP
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:05:02 AM

Posted 29 February 2008 - 07:59 PM

Sorry for the delay..here is my combofix log:

ComboFix 08-03-01 - Pam 2008-02-29 19:50:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.213 [GMT -5:00]
Running from: C:\Documents and Settings\Pam\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\isgTi19
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\pac.txt

.
((((((((((((((((((((((((( Files Created from 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))
.

2008-02-29 19:44 . 2004-08-04 06:00 388,608 --a------ C:\CF27124.exe
2008-02-27 16:40 . 2008-02-27 16:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-27 16:40 . 2008-02-27 16:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-25 23:19 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-25 23:17 . 2008-02-25 23:19 <DIR> d-------- C:\Program Files\Java
2008-02-25 23:17 . 2008-02-25 23:17 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-24 20:32 . 2008-02-24 20:32 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Viewpoint
2008-02-23 15:18 . 2008-02-23 15:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-23 13:15 . 2008-02-23 13:15 <DIR> d-------- C:\Program Files\CCleaner
2008-02-22 17:12 . 2008-02-22 17:12 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Uniblue
2008-02-21 22:16 . 2008-02-21 22:16 78,967,462 --a------ C:\SYM_REGISTRY_BACKUP.reg
2008-02-19 22:22 . 2008-02-22 22:18 <DIR> d-------- C:\VundoFix Backups
2008-02-19 20:03 . 2008-02-19 21:16 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-19 20:02 . 2008-02-29 14:15 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-02-19 20:02 . 2008-02-19 20:02 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-19 20:02 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-02-19 20:02 . 2008-02-29 18:43 352,185 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-02-19 20:01 . 2008-02-29 19:40 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-19 03:01 . 2008-02-19 03:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-18 19:57 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-18 19:57 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-18 19:57 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-18 19:35 . 2008-02-18 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-02-18 18:49 . 2008-02-25 23:22 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-02-18 18:25 . 2008-02-18 18:43 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-18 18:24 . 2008-02-25 23:23 <DIR> d-------- C:\Program Files\Windows Live
2008-02-18 18:24 . 2008-02-18 18:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-18 15:38 . 2008-02-18 15:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-18 15:38 . 2008-02-18 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-18 15:37 . 2008-02-18 15:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-18 15:29 . 2008-02-18 15:29 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-18 15:29 . 2008-02-18 18:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-18 12:06 . 2008-02-18 18:58 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\HouseCall 6.6
2008-02-18 11:58 . 2008-02-18 11:58 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2008-02-18 11:53 . 2004-08-04 06:00 2,178,131 --a------ C:\WINDOWS\system32\dllcache\shvlres.dll
2008-02-18 11:52 . 2004-08-04 06:00 169,984 --a------ C:\WINDOWS\system32\dllcache\iisui.dll
2008-02-18 11:51 . 2004-08-04 06:00 2,134,528 --a------ C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-02-18 11:50 . 2008-02-18 16:00 <DIR> d-------- C:\WINDOWS\system32\Logfiles
2008-02-18 11:50 . 2008-02-18 11:58 <DIR> d-------- C:\Inetpub
2008-02-18 11:35 . 2008-02-18 11:35 <DIR> d-------- C:\WINDOWS\system32\FxsTmp
2008-02-18 11:31 . 2008-02-18 11:39 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-18 10:36 . 2008-02-19 18:11 1,494 ---hs---- C:\WINDOWS\system32\iclaxnnc.ini
2008-02-17 18:05 . 2008-02-29 19:50 <DIR> d-------- C:\Temp
2008-02-11 10:56 . 2008-02-11 10:56 <DIR> d-------- C:\Documents and Settings\Margaret\Application Data\Motive
2008-02-11 10:47 . 2008-02-11 10:47 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Motive
2008-02-11 10:41 . 2008-02-11 10:49 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-02-11 10:41 . 2008-02-11 10:44 <DIR> d-------- C:\Program Files\BellCanada
2008-02-11 10:31 . 2008-02-11 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-01 00:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-01 00:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-29 23:39 421,888 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-02-29 23:39 1,944,064 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2008-02-29 19:14 462,336 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-02-28 04:06 413,184 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-02-28 04:06 1,939,968 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-02-27 02:53 337,408 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-02-26 04:11 299,520 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-02-26 04:11 1,925,120 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-02-25 04:19 166,912 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-02-25 04:19 1,920,512 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-02-25 02:22 320,512 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-02-25 01:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-23 21:58 388,608 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-02-23 21:58 1,916,416 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-02-23 06:36 973,312 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-02-23 06:36 1,898,496 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-02-23 05:29 157,696 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-02-22 22:32 393,728 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-02-22 22:32 1,892,864 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-02-22 21:05 466,944 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-02-22 05:47 354,816 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-02-22 05:47 1,880,064 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-02-22 03:35 1,876,480 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-02-22 03:35 1,000,448 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-02-21 03:09 128,145 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_02_20_21_39_19_small.dmp.zip
2008-02-14 18:34 --------- d-----w C:\Documents and Settings\Pam\Application Data\AdobeUM
2008-02-11 15:44 1,068 ----a-w C:\Program Files\INSTALL.LOG
2008-01-24 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-01-23 14:48 --------- d-----w C:\Documents and Settings\Guest\Application Data\GTek
2008-01-23 14:46 --------- d-----w C:\Documents and Settings\Guest\Application Data\Bell
2008-01-23 13:49 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-15 14:54 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-15 10:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-12 23:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-10 18:44 369,664 ----a-w C:\WINDOWS\system32\dllcache\asp51.dll
2008-01-10 05:20 257,024 ----a-w C:\WINDOWS\system32\dllcache\infocomm.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-14 02:30 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-06 10:05 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6F9F270-A1CE-4B8B-966E-42AD9CAA4416}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5B1C0B0-757B-44EA-B513-1AA13B12BEBD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEC57C51-D7A7-4265-8F8F-22F1637BA5D7}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 16:46 135168]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]
"SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2006-09-27 15:08 1992184]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32 53248]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-01-12 00:00 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-12 00:01 98304]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 21:22 26248]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 20:20 110592]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 20:20 8192]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-20 00:09 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-20 00:10 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-20 00:06 77824]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-15 12:00 196608]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 17:34 106496]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"BellCanada_McciTrayApp"="C:\Program Files\BellCanada\McciTrayApp.exe" [2007-11-19 09:33 1468928]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"cc9d3bfb"="C:\WINDOWS\system32\cpushcry.dll" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 McciCMService;McciCMService;"C:\Program Files\Common Files\Motive\McciCMService.exe" [2007-11-01 10:59]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 06:00]
S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2007-10-31 16:51]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2007-10-31 16:51]
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 01:41:52 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Pam.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-29 19:52:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-29 19:53:28
ComboFix-quarantined-files.txt 2008-03-01 00:53:26
.
2008-02-19 08:03:06 --- E O F ---




HERE IS A NEW HIJACK LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:44 PM, on 29/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BellCanada\McciTrayApp.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B6F9F270-A1CE-4B8B-966E-42AD9CAA4416} - (no file)
O2 - BHO: (no name) - {C5B1C0B0-757B-44EA-B513-1AA13B12BEBD} - (no file)
O2 - BHO: (no name) - {EEC57C51-D7A7-4265-8F8F-22F1637BA5D7} - (no file)
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BellCanada_McciTrayApp] C:\Program Files\BellCanada\McciTrayApp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [cc9d3bfb] rundll32.exe "C:\WINDOWS\system32\cpushcry.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://pbctbc.bc.motive.com
O15 - Trusted Zone: http://pbctbcivr.bc.motive.com
O15 - Trusted Zone: http://fix.sympatico.ca
O15 - Trusted Zone: http://rc.sympatico.ca
O15 - Trusted Zone: http://rcfr.sympatico.ca
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...tupv2.0.0.9.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...upv2.0.0.10.cab?
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9903087B-C65B-4BC8-A9A3-6B6F0E9A2DEB}: NameServer = 206.47.244.50 206.47.244.106
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 12058 bytes


HOPE YOU CAN HELP :thumbsup:

#6 SifuMike

malware expert, Staff Emeritus

Posted 29 February 2008 - 10:17 PM

Hi angelP,

Make sure you have TeaTimer disabled.

To disable Spybot's TeaTimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left-hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts




Click Start, then Run, type Notepad and click OK.
Open Notepad - don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the code box below into Notepad:

File:: 
C:\WINDOWS\system32\iclaxnnc.ini
C:\WINDOWS\system32\cpushcry.dll
C:\WINDOWS\Internet Logs\xDB16.tmp
C:\WINDOWS\Internet Logs\xDB17.tmp
C:\WINDOWS\Internet Logs\xDB15.tmp
C:\WINDOWS\Internet Logs\xDB13.tmp
C:\WINDOWS\Internet Logs\xDB14.tmp
C:\WINDOWS\Internet Logs\xDB12.tmp
C:\WINDOWS\Internet Logs\xDB10.tmp
C:\WINDOWS\Internet Logs\xDB11.tmp
C:\WINDOWS\Internet Logs\xDBE.tmp
C:\WINDOWS\Internet Logs\xDBF.tmp
C:\WINDOWS\Internet Logs\xDBD.tmp
C:\WINDOWS\Internet Logs\xDBB.tmp
C:\WINDOWS\Internet Logs\xDBC.tmp
C:\WINDOWS\Internet Logs\xDB9.tmp
C:\WINDOWS\Internet Logs\xDBA.tmp
C:\WINDOWS\Internet Logs\xDB8.tmp
C:\WINDOWS\Internet Logs\xDB6.tmp
C:\WINDOWS\Internet Logs\xDB7.tmp
C:\WINDOWS\Internet Logs\xDB5.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\Internet Logs\xDB1.tmp

Folder:: 
C:\VundoFix Backups

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6F9F270-A1CE-4B8B-966E-42AD9CAA4416}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5B1C0B0-757B-44EA-B513-1AA13B12BEBD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEC57C51-D7A7-4265-8F8F-22F1637BA5D7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cc9d3bfb"=-


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Edited by SifuMike, 29 February 2008 - 10:30 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
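As an added example that is not part of this thread (and not a tool from HijackThis, ComboFix or BleepingComputer), the script below reads log lines in the two formats posted above and flags the entry types the CFScript in post #6 removes: BHO CLSIDs whose DLL is "(no file)", the Run value with a random 8-hex-character name that loads a DLL through rundll32, and the ComboFix Run entry for the same DLL with empty file metadata. The sample lines are copied from the logs above; the rules and severity labels are this example's own.

```python
"""
Log triage for HijackThis / ComboFix output (added example, not a tool from the
thread, HijackThis, ComboFix or BleepingComputer). It flags the entry types the
CFScript in post #6 targets: orphaned BHO CLSIDs, a Run value with a random
8-hex-character name loading a DLL through rundll32, and the ComboFix Run entry
for the same DLL with empty file metadata. Severity labels are this example's own.
"""
import re

# Constructed sample: a few lines copied from the logs posted above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {B6F9F270-A1CE-4B8B-966E-42AD9CAA4416} - (no file)
O2 - BHO: (no name) - {C5B1C0B0-757B-44EA-B513-1AA13B12BEBD} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [cc9d3bfb] rundll32.exe "C:\WINDOWS\system32\cpushcry.dll",b
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"cc9d3bfb"="C:\WINDOWS\system32\cpushcry.dll" [ ]
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
"""

HEX8 = re.compile(r"^[0-9a-f]{8}$")  # value names like cc9d3bfb
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
CF_RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<meta>[^\]]*)\]$')
CF_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>dword:[0-9A-Fa-f]{8}|\d+ \(0x[0-9A-Fa-f]+\))$')


def _reg_int(value):
    """'dword:00000001' -> 1, '0 (0x0)' -> 0 (ComboFix prints both forms)."""
    if value.startswith("dword:"):
        return int(value[len("dword:"):], 16)
    return int(value.split()[0])


def triage(log_text):
    """Return (line, severity, reason) tuples for lines worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            # A CLSID still registered as a BHO with no DLL behind it is a leftover
            # of a removed component; the CFScript deletes three such keys.
            if m.group("target") == "(no file)":
                findings.append((line, "medium",
                                 "BHO CLSID still registered but its DLL is gone"))
            continue
        m = O4_RE.match(line)
        if m:
            reasons = []
            if HEX8.match(m.group("name")):
                reasons.append("Run value name is 8 random-looking hex characters")
            cmd = m.group("cmd").lower()
            if "rundll32" in cmd and ".dll" in cmd:
                reasons.append("Run value loads a DLL through rundll32.exe")
            if reasons:
                findings.append((line, "high", "; ".join(reasons)))
            continue
        m = CF_RUN_RE.match(line)
        if m:
            reasons = []
            if HEX8.match(m.group("name")):
                reasons.append("Run value name is 8 random-looking hex characters")
            if not m.group("meta").strip():
                reasons.append("ComboFix recorded no timestamp/size for the target "
                               "(file missing or hidden from the scanner)")
            if reasons:
                findings.append((line, "high", "; ".join(reasons)))
            continue
        m = CF_DWORD_RE.match(line)
        if m:
            name, value = m.group("name"), _reg_int(m.group("value"))
            # Both settings are legitimately changed by third-party security suites,
            # so they are reported for review rather than as infections.
            if name == "DisableMonitoring" and value != 0:
                findings.append((line, "info",
                                 "Security Center monitoring disabled; normal when a "
                                 "third-party suite (Norton here) owns it, otherwise review"))
            elif name == "EnableFirewall" and value == 0:
                findings.append((line, "info",
                                 "Windows Firewall profile disabled; expected with a "
                                 "third-party firewall (ZoneAlarm here), otherwise review"))
    return findings


if __name__ == "__main__":
    for line, severity, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Feed it a full HijackThis or ComboFix log and the high-severity lines are the ones to compare against the File:: and Registry:: sections of a fix script before running it.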

#7 angelP

Topic Starter

Posted 29 February 2008 - 10:46 PM

Weird, but I did disable TeaTimer... but then it started back up by itself. I'll take your steps and get back to you :thumbsup:

Thanks so much

#8 angelP

Topic Starter

Posted 29 February 2008 - 11:02 PM

OK..here it is....

ComboFix 08-03-01 - Pam 2008-02-29 22:55:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.213 [GMT -5:00]
Running from: C:\Documents and Settings\Pam\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pam\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))
.

2008-02-29 19:44 . 2004-08-04 06:00 388,608 --a------ C:\CF27124.exe
2008-02-27 16:40 . 2008-02-27 16:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-27 16:40 . 2008-02-27 16:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-25 23:19 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-25 23:17 . 2008-02-25 23:19 <DIR> d-------- C:\Program Files\Java
2008-02-25 23:17 . 2008-02-25 23:17 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-24 20:32 . 2008-02-24 20:32 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Viewpoint
2008-02-23 15:18 . 2008-02-23 15:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-22 17:12 . 2008-02-22 17:12 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Uniblue
2008-02-21 22:16 . 2008-02-21 22:16 78,967,462 --a------ C:\SYM_REGISTRY_BACKUP.reg
2008-02-19 22:22 . 2008-02-22 22:18 <DIR> d-------- C:\VundoFix Backups
2008-02-19 20:03 . 2008-02-19 21:16 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-19 20:02 . 2008-02-29 14:15 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-02-19 20:02 . 2008-02-19 20:02 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-19 20:02 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-02-19 20:02 . 2008-02-29 20:05 352,185 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-02-19 20:01 . 2008-02-29 22:51 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-19 03:01 . 2008-02-19 03:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-18 19:57 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-18 19:57 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-18 19:57 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-18 19:35 . 2008-02-18 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-02-18 18:49 . 2008-02-25 23:22 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-02-18 18:25 . 2008-02-18 18:43 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-18 18:24 . 2008-02-25 23:23 <DIR> d-------- C:\Program Files\Windows Live
2008-02-18 18:24 . 2008-02-18 18:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-18 15:38 . 2008-02-18 15:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-18 15:38 . 2008-02-18 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-18 15:37 . 2008-02-18 15:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-18 15:29 . 2008-02-18 15:29 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-18 15:29 . 2008-02-18 18:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-18 12:06 . 2008-02-18 18:58 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\HouseCall 6.6
2008-02-18 11:58 . 2008-02-18 11:58 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2008-02-18 11:53 . 2004-08-04 06:00 2,178,131 --a------ C:\WINDOWS\system32\dllcache\shvlres.dll
2008-02-18 11:52 . 2004-08-04 06:00 169,984 --a------ C:\WINDOWS\system32\dllcache\iisui.dll
2008-02-18 11:51 . 2004-08-04 06:00 2,134,528 --a------ C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-02-18 11:50 . 2008-02-18 16:00 <DIR> d-------- C:\WINDOWS\system32\Logfiles
2008-02-18 11:50 . 2008-02-18 11:58 <DIR> d-------- C:\Inetpub
2008-02-18 11:35 . 2008-02-18 11:35 <DIR> d-------- C:\WINDOWS\system32\FxsTmp
2008-02-18 11:31 . 2008-02-18 11:39 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-18 10:36 . 2008-02-19 18:11 1,494 ---hs---- C:\WINDOWS\system32\iclaxnnc.ini
2008-02-17 18:05 . 2008-02-29 19:50 <DIR> d-------- C:\Temp
2008-02-11 10:56 . 2008-02-11 10:56 <DIR> d-------- C:\Documents and Settings\Margaret\Application Data\Motive
2008-02-11 10:47 . 2008-02-11 10:47 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Motive
2008-02-11 10:41 . 2008-02-11 10:49 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-02-11 10:41 . 2008-02-11 10:44 <DIR> d-------- C:\Program Files\BellCanada
2008-02-11 10:31 . 2008-02-11 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-01 03:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-01 00:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-29 23:39 421,888 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-02-29 23:39 1,944,064 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2008-02-29 19:14 462,336 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-02-28 04:06 413,184 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-02-28 04:06 1,939,968 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-02-27 02:53 337,408 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-02-26 04:11 299,520 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-02-26 04:11 1,925,120 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-02-25 04:19 166,912 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-02-25 04:19 1,920,512 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-02-25 02:22 320,512 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-02-25 01:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-23 21:58 388,608 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-02-23 21:58 1,916,416 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-02-23 06:36 973,312 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-02-23 06:36 1,898,496 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-02-23 05:29 157,696 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-02-22 22:32 393,728 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-02-22 22:32 1,892,864 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-02-22 21:05 466,944 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-02-22 05:47 354,816 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-02-22 05:47 1,880,064 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-02-22 03:35 1,876,480 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-02-22 03:35 1,000,448 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-02-21 03:09 128,145 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_02_20_21_39_19_small.dmp.zip
2008-02-14 18:34 --------- d-----w C:\Documents and Settings\Pam\Application Data\AdobeUM
2008-02-11 15:44 1,068 ----a-w C:\Program Files\INSTALL.LOG
2008-01-24 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-01-23 14:48 --------- d-----w C:\Documents and Settings\Guest\Application Data\GTek
2008-01-23 14:46 --------- d-----w C:\Documents and Settings\Guest\Application Data\Bell
2008-01-23 13:49 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-15 14:54 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-15 10:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-12 23:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-10 18:44 369,664 ----a-w C:\WINDOWS\system32\dllcache\asp51.dll
2008-01-10 05:20 257,024 ----a-w C:\WINDOWS\system32\dllcache\infocomm.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-14 02:30 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-06 10:05 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6F9F270-A1CE-4B8B-966E-42AD9CAA4416}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5B1C0B0-757B-44EA-B513-1AA13B12BEBD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEC57C51-D7A7-4265-8F8F-22F1637BA5D7}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 16:46 135168]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]
"SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2006-09-27 15:08 1992184]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32 53248]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-01-12 00:00 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-12 00:01 98304]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 21:22 26248]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 20:20 110592]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 20:20 8192]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-20 00:09 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-20 00:10 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-20 00:06 77824]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-15 12:00 196608]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 17:34 106496]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"BellCanada_McciTrayApp"="C:\Program Files\BellCanada\McciTrayApp.exe" [2007-11-19 09:33 1468928]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"cc9d3bfb"="C:\WINDOWS\system32\cpushcry.dll" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 McciCMService;McciCMService;"C:\Program Files\Common Files\Motive\McciCMService.exe" [2007-11-01 10:59]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 06:00]
S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2007-10-31 16:51]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2007-10-31 16:51]
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 01:41:52 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Pam.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-29 22:58:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-29 22:58:55
ComboFix-quarantined-files.txt 2008-03-01 03:58:51
ComboFix2.txt 2008-03-01 00:53:29
.
2008-02-19 08:03:06 --- E O F ---


NEW HIJACK:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:52 PM, on 29/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BellCanada\McciTrayApp.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B6F9F270-A1CE-4B8B-966E-42AD9CAA4416} - (no file)
O2 - BHO: (no name) - {C5B1C0B0-757B-44EA-B513-1AA13B12BEBD} - (no file)
O2 - BHO: (no name) - {EEC57C51-D7A7-4265-8F8F-22F1637BA5D7} - (no file)
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BellCanada_McciTrayApp] C:\Program Files\BellCanada\McciTrayApp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [cc9d3bfb] rundll32.exe "C:\WINDOWS\system32\cpushcry.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://pbctbc.bc.motive.com
O15 - Trusted Zone: http://pbctbcivr.bc.motive.com
O15 - Trusted Zone: http://fix.sympatico.ca
O15 - Trusted Zone: http://rc.sympatico.ca
O15 - Trusted Zone: http://rcfr.sympatico.ca
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...tupv2.0.0.9.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...upv2.0.0.10.cab?
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9903087B-C65B-4BC8-A9A3-6B6F0E9A2DEB}: NameServer = 206.47.244.50 206.47.244.106
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11733 bytes


Thanks :thumbsup:
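As an added triage example (my own code, not anything posted in this thread and not part of HijackThis), the following Python script applies three checks that a helper reading the log above makes by eye: an O4 Run entry that starts rundll32.exe under a random-looking eight-character value name (the cc9d3bfb / cpushcry.dll line in the log is exactly that shape), O2 BHO registrations that point at "(no file)", and O16 ActiveX downloads that carry no friendly control name. The sample lines are constructed and modelled on the posted log; the regular expressions, the severity labels and the eight-hex-character rule are my assumptions, not HijackThis conventions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis log format, modelled on the log posted
# above. The named O16 entry uses a placeholder CLSID and host.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [cc9d3bfb] rundll32.exe "C:\WINDOWS\system32\cpushcry.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Example Vendor Upload Control) - http://updates.example.invalid/upload.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (my own labels)
    reason: str
    line: str


# O4 - HKLM\..\Run: [value name] command line
RE_O4 = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
# O2 - BHO: friendly name - {CLSID} - path or "(no file)"
RE_O2 = re.compile(r'^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$')
# O16 - DPF: {CLSID} (optional friendly name) - URL
RE_O16 = re.compile(r'^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S+)$')
# Assumption: an eight-character lowercase hex value name is "random-looking".
RE_RANDOM_NAME = re.compile(r'^[0-9a-f]{8}$')


def triage_hjt(log_text: str) -> List[Finding]:
    """Return the lines of a HijackThis log that deserve a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m: Optional[re.Match] = RE_O4.match(line)
        if m:
            _hive, name, cmd = m.groups()
            # Autostart via rundll32 under a meaningless value name: the
            # loader pattern seen with the Vundo/Virtumonde family.
            if cmd.lower().startswith('rundll32') and RE_RANDOM_NAME.match(name):
                findings.append(Finding(
                    'high',
                    'rundll32 loading a DLL under a random-looking Run value name',
                    line))
            continue
        m = RE_O2.match(line)
        if m:
            _name, _clsid, path = m.groups()
            # Registration left behind after the DLL was removed: harmless
            # but worth cleaning up.
            if path == '(no file)':
                findings.append(Finding(
                    'low', 'orphaned BHO registration (no file on disk)', line))
            continue
        m = RE_O16.match(line)
        if m:
            _clsid, friendly, url = m.groups()
            # Downloaded ActiveX controls normally carry a vendor-supplied
            # name; an unnamed one is worth checking against the host.
            if friendly is None:
                findings.append(Finding(
                    'medium', f'unnamed ActiveX download (DPF) from {url}', line))
    return findings


if __name__ == '__main__':
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f'[{f.severity:6}] {f.reason}\n         {f.line}')
```

Heuristics like these are a triage aid, not a verdict: a random-looking value name on its own does not prove a file is malicious, so confirm with the file's properties and a scanner result before anything is removed.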

#9 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:02 AM

Posted 29 February 2008 - 11:15 PM

Hi angelP

None of the files, folders or registry entries were deleted. :blink: I see no change in the log. :thumbsup:

You must have done something incorrectly, as this fix always works.


Go back to my previous thread, read it carefully and do it again.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 angelP

angelP
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:05:02 AM

Posted 29 February 2008 - 11:42 PM

Did it again.... Norton was disabled, ZoneAlarm was off, Spybot was off, Windows firewall hasn't worked since this whole thing started so it's always off. All programs closed.

Dragged the notepad file over the combofix icon and clicked run

Results below:



ComboFix 08-03-01 - Pam 2008-02-29 23:36:50.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.185 [GMT -5:00]
Running from: C:\Documents and Settings\Pam\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pam\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))
.

2008-02-29 19:44 . 2004-08-04 06:00 388,608 --a------ C:\CF27124.exe
2008-02-27 16:40 . 2008-02-27 16:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-27 16:40 . 2008-02-27 16:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-25 23:19 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-25 23:17 . 2008-02-25 23:19 <DIR> d-------- C:\Program Files\Java
2008-02-25 23:17 . 2008-02-25 23:17 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-24 20:32 . 2008-02-24 20:32 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Viewpoint
2008-02-23 15:18 . 2008-02-23 15:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-22 17:12 . 2008-02-22 17:12 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Uniblue
2008-02-21 22:16 . 2008-02-21 22:16 78,967,462 --a------ C:\SYM_REGISTRY_BACKUP.reg
2008-02-19 22:22 . 2008-02-22 22:18 <DIR> d-------- C:\VundoFix Backups
2008-02-19 20:03 . 2008-02-19 21:16 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-19 20:02 . 2008-02-29 14:15 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-02-19 20:02 . 2008-02-19 20:02 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-19 20:02 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-02-19 20:02 . 2008-02-29 20:05 352,185 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-02-19 20:01 . 2008-02-29 22:51 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-19 03:01 . 2008-02-19 03:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-18 19:57 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-18 19:57 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-18 19:57 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-18 19:35 . 2008-02-18 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-02-18 18:49 . 2008-02-25 23:22 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-02-18 18:25 . 2008-02-18 18:43 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-18 18:24 . 2008-02-25 23:23 <DIR> d-------- C:\Program Files\Windows Live
2008-02-18 18:24 . 2008-02-18 18:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-18 15:38 . 2008-02-18 15:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-18 15:38 . 2008-02-18 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-18 15:37 . 2008-02-18 15:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-18 15:29 . 2008-02-18 15:29 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-18 15:29 . 2008-02-18 18:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-18 12:06 . 2008-02-18 18:58 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\HouseCall 6.6
2008-02-18 11:58 . 2008-02-18 11:58 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2008-02-18 11:53 . 2004-08-04 06:00 2,178,131 --a------ C:\WINDOWS\system32\dllcache\shvlres.dll
2008-02-18 11:52 . 2004-08-04 06:00 169,984 --a------ C:\WINDOWS\system32\dllcache\iisui.dll
2008-02-18 11:51 . 2004-08-04 06:00 2,134,528 --a------ C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-02-18 11:50 . 2008-02-18 16:00 <DIR> d-------- C:\WINDOWS\system32\Logfiles
2008-02-18 11:50 . 2008-02-18 11:58 <DIR> d-------- C:\Inetpub
2008-02-18 11:35 . 2008-02-18 11:35 <DIR> d-------- C:\WINDOWS\system32\FxsTmp
2008-02-18 11:31 . 2008-02-18 11:39 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-18 10:36 . 2008-02-19 18:11 1,494 ---hs---- C:\WINDOWS\system32\iclaxnnc.ini
2008-02-17 18:05 . 2008-02-29 19:50 <DIR> d-------- C:\Temp
2008-02-11 10:56 . 2008-02-11 10:56 <DIR> d-------- C:\Documents and Settings\Margaret\Application Data\Motive
2008-02-11 10:47 . 2008-02-11 10:47 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Motive
2008-02-11 10:41 . 2008-02-11 10:49 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-02-11 10:41 . 2008-02-11 10:44 <DIR> d-------- C:\Program Files\BellCanada
2008-02-11 10:31 . 2008-02-11 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-01 03:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-01 00:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-29 23:39 421,888 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-02-29 23:39 1,944,064 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2008-02-29 19:14 462,336 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-02-28 04:06 413,184 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-02-28 04:06 1,939,968 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-02-27 02:53 337,408 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-02-26 04:11 299,520 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-02-26 04:11 1,925,120 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-02-25 04:19 166,912 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-02-25 04:19 1,920,512 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-02-25 02:22 320,512 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-02-25 01:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-23 21:58 388,608 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-02-23 21:58 1,916,416 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-02-23 06:36 973,312 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-02-23 06:36 1,898,496 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-02-23 05:29 157,696 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-02-22 22:32 393,728 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-02-22 22:32 1,892,864 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-02-22 21:05 466,944 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-02-22 05:47 354,816 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-02-22 05:47 1,880,064 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-02-22 03:35 1,876,480 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-02-22 03:35 1,000,448 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-02-21 03:09 128,145 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_02_20_21_39_19_small.dmp.zip
2008-02-14 18:34 --------- d-----w C:\Documents and Settings\Pam\Application Data\AdobeUM
2008-02-11 15:44 1,068 ----a-w C:\Program Files\INSTALL.LOG
2008-01-24 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-01-23 14:48 --------- d-----w C:\Documents and Settings\Guest\Application Data\GTek
2008-01-23 14:46 --------- d-----w C:\Documents and Settings\Guest\Application Data\Bell
2008-01-23 13:49 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-15 14:54 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-15 10:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-12 23:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-10 18:44 369,664 ----a-w C:\WINDOWS\system32\dllcache\asp51.dll
2008-01-10 05:20 257,024 ----a-w C:\WINDOWS\system32\dllcache\infocomm.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-14 02:30 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-06 10:05 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6F9F270-A1CE-4B8B-966E-42AD9CAA4416}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5B1C0B0-757B-44EA-B513-1AA13B12BEBD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEC57C51-D7A7-4265-8F8F-22F1637BA5D7}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 16:46 135168]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]
"SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2006-09-27 15:08 1992184]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32 53248]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-01-12 00:00 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-12 00:01 98304]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 21:22 26248]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 20:20 110592]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 20:20 8192]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-20 00:09 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-20 00:10 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-20 00:06 77824]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-15 12:00 196608]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 17:34 106496]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"BellCanada_McciTrayApp"="C:\Program Files\BellCanada\McciTrayApp.exe" [2007-11-19 09:33 1468928]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"cc9d3bfb"="C:\WINDOWS\system32\cpushcry.dll" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 McciCMService;McciCMService;"C:\Program Files\Common Files\Motive\McciCMService.exe" [2007-11-01 10:59]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 06:00]
S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2007-10-31 16:51]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2007-10-31 16:51]
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 01:41:52 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Pam.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-29 23:38:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-29 23:39:35
ComboFix-quarantined-files.txt 2008-03-01 04:39:31
ComboFix2.txt 2008-03-01 03:58:56
ComboFix3.txt 2008-03-01 00:53:29
.
2008-02-19 08:03:06 --- E O F ---

#11 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:02 AM

Posted 01 March 2008 - 12:06 AM

Hi angelP

I see no change in the log. :blink: I should see the files listed for deletion at the top of the log and then the folders listed for deletion, but I see nothing.
This fix has worked for millions of people, so you are doing something incorrectly.

1. Did you click Start, then Run, type Notepad and click OK?
It will not work if you use any other text editor.

2. Did you copy/paste the text in the code box below into Notepad? Be sure not to include the word CODE, but only the text in the box.

3. Did you name the Notepad file CFScript.txt and save it to your desktop?
It must be called CFScript.txt, and it must be on your desktop.


4. Did you then drag the CFScript into ComboFix.exe as you see in the screenshot?


Dragged the notepad file over the combofix icon and clicked run


Clicking run was not in the instructions.

Try it again. If it still does not work, we can always go to plan B. :thumbsup:

Edited by SifuMike, 01 March 2008 - 01:39 PM.


#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:02 AM

Posted 01 March 2008 - 05:33 PM

Hi angelP,


Time for plan B. LOL :thumbsup:

I just had another person with the same problem running CFScript, so I am thinking it is a problem with the version of ComboFix you are using.

1. Delete the version of ComboFix and CFscript you have on your desktop.

2. Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt".
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


#13 angelP

angelP
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:05:02 AM

Posted 02 March 2008 - 04:41 PM

1. Did you click Start, then Run, type Notepad and click OK?
It will not work if you use any other text editor. YES

2. Did you copy/paste the text in the code box below into Notepad? Be sure not to include the word CODE, but only the text in the box. YES

3. Did you name the Notepad file CFScript.txt and save it to your desktop?
It must be called CFScript.txt, and it must be on your desktop. YES


4. Did you then drag the CFScript into ComboFix.exe as you see in the screenshot? YES

All my malware, antivirus, Spybot things were off and I used BC's version of ComboFix. I'll try all steps again :thumbsup:

#14 angelP

angelP
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:05:02 AM

Posted 02 March 2008 - 05:04 PM

I deleted ComboFix and the CFScript file from my desktop and emptied my garbage can.
I d/l the version of ComboFix from Link 1 and saved it to my desktop.
I closed all windows, de-activated Zone Alarm and Norton, turned off Spybot's resident protection, and disconnected from the internet.
I ran ComboFix and didn't touch my mouse till it was done.
All the screens showed in sequence like they do in the instructions, the clock changed, the desktop icons flickered, then all stages were listed and the Notepad results posted.

ComboFix 08-03-03.6 - Pam 2008-03-03 16:57:26.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.174 [GMT -5:00]
Running from: C:\Documents and Settings\Pam\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-02-29 19:44 . 2004-08-04 06:00 388,608 --a------ C:\CF27124.exe
2008-02-27 16:40 . 2008-02-27 16:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-27 16:40 . 2008-02-27 16:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-25 23:19 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-25 23:17 . 2008-02-25 23:19 <DIR> d-------- C:\Program Files\Java
2008-02-25 23:17 . 2008-02-25 23:17 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-24 20:32 . 2008-02-24 20:32 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Viewpoint
2008-02-23 15:18 . 2008-02-23 15:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-22 17:12 . 2008-02-22 17:12 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Uniblue
2008-02-21 22:16 . 2008-02-21 22:16 78,967,462 --a------ C:\SYM_REGISTRY_BACKUP.reg
2008-02-19 22:22 . 2008-02-22 22:18 <DIR> d-------- C:\VundoFix Backups
2008-02-19 20:03 . 2008-02-19 21:16 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-19 20:02 . 2008-02-29 14:15 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-02-19 20:02 . 2008-02-19 20:02 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-19 20:02 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-02-19 20:02 . 2008-03-02 15:23 352,185 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-02-19 20:01 . 2008-03-02 16:41 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-19 03:01 . 2008-02-19 03:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-18 19:57 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-18 19:57 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-18 19:57 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-18 19:35 . 2008-02-18 19:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Live Toolbar
2008-02-18 18:49 . 2008-02-25 23:22 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-02-18 18:25 . 2008-02-18 18:43 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-18 18:24 . 2008-02-25 23:23 <DIR> d-------- C:\Program Files\Windows Live
2008-02-18 18:24 . 2008-02-18 18:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller
2008-02-18 15:38 . 2008-02-18 15:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-18 15:38 . 2008-02-18 17:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2008-02-18 15:37 . 2008-02-18 15:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-18 15:29 . 2008-02-18 15:29 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-18 15:29 . 2008-02-18 18:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-18 12:06 . 2008-02-18 18:58 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\HouseCall 6.6
2008-02-18 11:58 . 2008-02-18 11:58 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2008-02-18 11:53 . 2004-08-04 06:00 2,178,131 --a------ C:\WINDOWS\system32\dllcache\shvlres.dll
2008-02-18 11:52 . 2004-08-04 06:00 169,984 --a------ C:\WINDOWS\system32\dllcache\iisui.dll
2008-02-18 11:51 . 2004-08-04 06:00 2,134,528 --a------ C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-02-18 11:50 . 2008-02-18 16:00 <DIR> d-------- C:\WINDOWS\system32\Logfiles
2008-02-18 11:50 . 2008-02-18 11:58 <DIR> d-------- C:\Inetpub
2008-02-18 11:35 . 2008-02-18 11:35 <DIR> d-------- C:\WINDOWS\system32\FxsTmp
2008-02-18 11:31 . 2008-02-18 11:39 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-18 10:36 . 2008-02-19 18:11 1,494 ---hs---- C:\WINDOWS\system32\iclaxnnc.ini
2008-02-17 18:05 . 2008-02-29 19:50 <DIR> d-------- C:\Temp
2008-02-11 10:56 . 2008-02-11 10:56 <DIR> d-------- C:\Documents and Settings\Margaret\Application Data\Motive
2008-02-11 10:47 . 2008-02-11 10:47 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Motive
2008-02-11 10:41 . 2008-02-11 10:49 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-02-11 10:41 . 2008-02-11 10:44 <DIR> d-------- C:\Program Files\BellCanada
2008-02-11 10:31 . 2008-02-11 10:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Motive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 21:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-02 20:32 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2008-03-01 17:13 400,896 ----a-w C:\WINDOWS\Internet Logs\xDB18.tmp
2008-02-29 23:39 421,888 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-02-29 23:39 1,944,064 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2008-02-29 19:14 462,336 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-02-28 04:06 413,184 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-02-28 04:06 1,939,968 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-02-27 02:53 337,408 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-02-26 04:11 299,520 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-02-26 04:11 1,925,120 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-02-25 04:19 166,912 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-02-25 04:19 1,920,512 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-02-25 02:22 320,512 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-02-25 01:32 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2008-02-23 21:58 388,608 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-02-23 21:58 1,916,416 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-02-23 06:36 973,312 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-02-23 06:36 1,898,496 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-02-23 05:29 157,696 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-02-22 22:32 393,728 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-02-22 22:32 1,892,864 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-02-22 21:05 466,944 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-02-22 05:47 354,816 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-02-22 05:47 1,880,064 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-02-22 03:35 1,876,480 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-02-22 03:35 1,000,448 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-02-21 03:09 128,145 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_02_20_21_39_19_small.dmp.zip
2008-02-14 18:34 --------- d-----w C:\Documents and Settings\Pam\Application Data\AdobeUM
2008-02-11 15:44 1,068 ----a-w C:\Program Files\INSTALL.LOG
2008-01-24 23:58 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Dell
2008-01-23 14:48 --------- d-----w C:\Documents and Settings\Guest\Application Data\GTek
2008-01-23 14:46 --------- d-----w C:\Documents and Settings\Guest\Application Data\Bell
2008-01-23 13:49 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-15 14:54 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-15 10:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-12 23:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-10 18:44 369,664 ----a-w C:\WINDOWS\system32\dllcache\asp51.dll
2008-01-10 05:20 257,024 ----a-w C:\WINDOWS\system32\dllcache\infocomm.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-14 02:30 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-06 10:05 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6F9F270-A1CE-4B8B-966E-42AD9CAA4416}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5B1C0B0-757B-44EA-B513-1AA13B12BEBD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEC57C51-D7A7-4265-8F8F-22F1637BA5D7}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 16:46 135168]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]
"SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2006-09-27 15:08 1992184]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32 53248]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-01-12 00:00 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-12 00:01 98304]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 21:22 26248]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 20:20 110592]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 20:20 8192]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-20 00:09 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-20 00:10 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-20 00:06 77824]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-15 12:00 196608]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 17:34 106496]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"BellCanada_McciTrayApp"="C:\Program Files\BellCanada\McciTrayApp.exe" [2007-11-19 09:33 1468928]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"cc9d3bfb"="C:\WINDOWS\system32\cpushcry.dll" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 McciCMService;McciCMService;"C:\Program Files\Common Files\Motive\McciCMService.exe" [2007-11-01 10:59]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 06:00]
S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2007-10-31 16:51]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2007-10-31 16:51]
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 16:58:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-03 16:59:12
ComboFix-quarantined-files.txt 2008-03-03 21:59:09
ComboFix2.txt 2008-03-03 21:53:36
ComboFix3.txt 2008-03-01 04:39:36
ComboFix4.txt 2008-03-01 03:58:56
ComboFix5.txt 2008-03-01 00:53:29
.
2008-02-19 08:03:06 --- E O F ---

#15 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 02 March 2008 - 05:27 PM

Hi angelP,

Hopefully the CFscript will work this time. :thumbsup:

Make sure you have Teatimer disabled.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts




Click Start, then Run and type Notepad and click OK.
Open Notepad - don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\iclaxnnc.ini
C:\WINDOWS\system32\cpushcry.dll
C:\WINDOWS\Internet Logs\xDBB.tmp
C:\WINDOWS\Internet Logs\xDBC.tmp
C:\WINDOWS\Internet Logs\xDB9.tmp
C:\WINDOWS\Internet Logs\xDBA.tmp
C:\WINDOWS\Internet Logs\xDB8.tmp
C:\WINDOWS\Internet Logs\xDB6.tmp
C:\WINDOWS\Internet Logs\xDB7.tmp
C:\WINDOWS\Internet Logs\xDB5.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\Internet Logs\xDB1.tmp

Folder:: 
C:\VundoFix Backups

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6F9F270-A1CE-4B8B-966E-42AD9CAA4416}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5B1C0B0-757B-44EA-B513-1AA13B12BEBD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEC57C51-D7A7-4265-8F8F-22F1637BA5D7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cc9d3bfb"=-


Name the Notepad file CFScript.txt and Save it to your desktop.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Posted Image: screenshot of dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. After the reboot (if it asks for one), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
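Added example (not from the thread, from ComboFix, or from BleepingComputer): a script that applies the same triage SifuMike did by eye to the "Reg Loading Points" block of the log posted above, then drafts the File:: and Registry:: sections of a CFScript in the layout his reply uses. It assumes two things about ComboFix's output that the log appears to show but the thread does not spell out: a Run value whose trailing bracket is empty ("[ ]") points at a file ComboFix could not find, and a BHO CLSID key with no file line beneath it has no DLL on disk. The sample log text is a trimmed copy of the posted log; the scoring rules, the finding names and the build_cfscript output format are this example's own.

```python
"""Triage the "Reg Loading Points" block of a ComboFix log and draft a CFScript.

Added example for the thread above, not ComboFix's own code. Assumed log format:
a Run value ends in "[date time size]" when its file exists and "[ ]" when it
does not; a BHO key is followed by a file line only when its DLL exists.
"""
import re

# Constructed sample: a trimmed copy of the Reg Loading Points block posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6F9F270-A1CE-4B8B-966E-42AD9CAA4416}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5B1C0B0-757B-44EA-B513-1AA13B12BEBD}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"cc9d3bfb"="C:\WINDOWS\system32\cpushcry.dll" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<meta>[^\]]*)\]$')
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} [\d,]+ \S+ [A-Za-z]:\\")
HEXNAME_RE = re.compile(r"[0-9a-f]{8}")


def triage(log_text):
    """Return findings as dicts (severity, kind, key, plus name/path/reasons for Run values)."""
    findings = []
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    key = None
    for i, line in enumerate(lines):
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            if "\\Browser Helper Objects\\" in key:
                nxt = lines[i + 1] if i + 1 < len(lines) else ""
                if not FILE_RE.match(nxt):  # CLSID still registered, no DLL behind it
                    findings.append({"severity": "high", "kind": "orphan_bho", "key": key})
            continue
        if key is None:
            continue
        if line.startswith('"DisableMonitoring"=dword:00000001') or line.startswith('"EnableFirewall"= 0'):
            # Normally set by a third-party suite (Norton/ZoneAlarm here): verify, do not delete.
            findings.append({"severity": "info", "kind": "security_center", "key": key})
            continue
        m = VALUE_RE.match(line)
        if not (m and key.endswith("\\Run")):
            continue
        name, path, meta = m.group("name"), m.group("path"), m.group("meta").strip()
        reasons = []
        if not meta:
            reasons.append("no date/size: file was missing when ComboFix ran")
        if path.lower().endswith(".dll"):
            reasons.append("Run value points at a DLL rather than an executable")
        if HEXNAME_RE.fullmatch(name):
            reasons.append("random-looking 8-hex value name")
        if reasons:
            findings.append({"severity": "high" if len(reasons) >= 2 else "medium", "kind": "run_value",
                             "key": key, "name": name, "path": path, "reasons": reasons})
    return findings


def build_cfscript(findings):
    """Draft File:: and Registry:: sections for the high-severity findings only.
    Output is for a human to check against the full log, not to run unread."""
    files, registry = [], []
    for f in findings:
        if f["kind"] == "orphan_bho":
            registry.append(f"[-{f['key']}]")       # [-key] deletes the whole key
        elif f["kind"] == "run_value" and f["severity"] == "high":
            files.append(f["path"])
            registry.append(f"[{f['key']}]")
            registry.append(f'"{f["name"]}"=-')     # "name"=- deletes that value
    out = []
    if files:
        out += ["File::"] + files + [""]
    if registry:
        out += ["Registry::"] + registry
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f["severity"].upper(), f["kind"], f.get("path", f["key"]), "; ".join(f.get("reasons", [])))
    print(build_cfscript(hits))
```

On the sample above this flags the two BHO keys and the "cc9d3bfb" Run value (three reasons at once: missing file, DLL target, hex-looking name), which is exactly the set SifuMike's script removes. The Security Center and EnableFirewall entries come out as info only: Norton and ZoneAlarm are installed on this machine, and those values are what a third-party suite sets when it takes over monitoring, so deleting them would be the wrong fix. As both warnings in the reply say, a CFScript is specific to one machine; the draft is a starting point for a human to check against the full log, not something to drop onto ComboFix unread.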