D@mn this virus. D@mn it to h3ll. (Trojan.gaslide b)

2OG,

Yes i ran BO Clean before starting Combofix. It installed, then i restarted. Then i made that file in notepad exactly like you said, then i dragged it into ComboFix, then it started, when it was done it restarted the cpu. When it got back i noticed the background didnt change and for the fist time there were no pop ups asking me to download things. Looks like it worked, at least fixed it up better. Let me know what u find.

Thanks again.

 

@2oldGeek

Just a quick question about your post about Comodo BOClean. I'm currently using the Spyware Doctor (along with Norton). Would you advise me to uninstall SpyDoc and install Comodo instead?

Cheers.

 

naw, they get along just fine. kissy, kissy, huggy, huggy

 

It’s looking real good, you may not need to reformat.

First, let’s use HJT to clean some orphans out. All of these have had the file removed.


Fix entries using HiJackThis

Launch HiJackThis
Click the Do a system scan only button
Put a check next to the entries listed below (if they still remain)

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)


IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
Click the Fix checked button and close HiJackThis



Now, we need to delete some files that were created after I made the first Fix….
We’ll have to run ComboFix again..

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the quote box by highlighting all the text with your mouse and pressing Ctrl+C

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop




Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.



2OG

 

Combo Fix log:

ComboFix 08-08-23.01 - Craig Whitham 2008-08-23 20:23:21.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.716 [GMT -4:00]
Running from: C:\Documents and Settings\Craig Whitham\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Craig Whitham\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\gnfgay
C:\WINDOWS\system32\gpwhstmr.exe
C:\WINDOWS\system32\mxmxytkj.exe
C:\WINDOWS\system32\qxqzkbed.exe
C:\WINDOWS\system32\sdezadit.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\edubqncj
C:\Documents and Settings\All Users\Application Data\edubqncj\wlmtqpqf.exe
C:\Documents and Settings\All Users\Application Data\rmlsdkby
C:\Program Files\gnfgay
C:\Program Files\gnfgay\enstr.dll
C:\WINDOWS\system32\gpwhstmr.exe
C:\WINDOWS\system32\mxmxytkj.exe
C:\WINDOWS\system32\qxqzkbed.exe
C:\WINDOWS\system32\sdezadit.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
.

2008-08-23 17:38 . 2008-08-23 17:38 <DIR> d-------- C:\Program Files\Comodo
2008-08-23 17:38 . 2008-08-23 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC427
2008-08-23 17:38 . 2008-07-14 05:09 212,728 --a------ C:\WINDOWS\CMDLIC.DLL
2008-08-23 17:38 . 2008-07-14 05:09 205,560 --a------ C:\WINDOWS\UNBOC.EXE
2008-08-23 17:38 . 2004-08-04 07:00 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-08-23 17:38 . 2008-08-23 20:28 11,578 --a------ C:\WINDOWS\BOC427.INI
2008-08-22 01:02 . 2008-08-22 01:02 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-22 00:07 . 2008-08-22 00:44 250 --a------ C:\WINDOWS\gmer.ini
2008-08-20 23:48 . 2008-08-20 23:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-20 22:25 . 2008-08-20 22:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-20 22:25 . 2008-08-20 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-19 20:09 . 2008-08-19 20:09 <DIR> d--hs---- C:\Documents and Settings\Craig Whitham\UserData
2008-08-19 19:15 . 2008-08-19 19:14 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-19 19:14 . 2008-08-19 19:33 <DIR> d-------- C:\Documents and Settings\Craig Whitham\.housecall6.6
2008-08-19 01:06 . 2008-08-19 01:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-08-19 00:56 . 2008-08-19 00:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-19 00:55 . 2008-08-19 02:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-19 00:55 . 2008-08-19 02:12 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\SUPERAntiSpyware.com
2008-08-18 22:35 . 2008-08-18 22:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\Malwarebytes
2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 20:48 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 20:48 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-18 18:48 . 2006-01-25 23:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-08-18 18:48 . 2006-01-25 23:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-08-18 18:48 . 2006-01-25 23:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-08-18 18:48 . 2008-08-20 23:23 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-13 19:28 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-07-25 13:39 . 2008-07-25 13:40 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 00:28 --------- d-----w C:\Program Files\PC Tools AntiVirus
2008-08-22 02:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-22 02:58 --------- d-----w C:\Program Files\Spyware Doctor
2008-08-22 02:25 --------- d-----w C:\Program Files\Privacy Guardian
2008-08-21 02:46 --------- d-----w C:\Program Files\RegSweep
2008-08-05 06:03 160,792 ----a-w C:\WINDOWS\system32\drivers\pctfw2.sys
2008-07-23 00:34 --------- d-----w C:\Program Files\Java
2008-05-31 03:31 28,264 ----a-w C:\Documents and Settings\Craig Whitham\Application Data\GDIPFONTCACHEV1.DAT
2005-11-03 23:29 72,832 -c--a-r C:\WINDOWS\inf\CamAvb.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-21_20.25.41.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-22 04:07:37 884,736 ----a-w C:\WINDOWS\gmer.dll
+ 2008-08-22 04:06:26 811,008 ----a-w C:\WINDOWS\gmer.exe
+ 2004-08-04 11:00:00 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2008-08-22 04:07:37 85,969 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 18:33 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 16:59 385024]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 23:05 344064]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 22:15 290816]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2007-03-08 19:19 1074736]
"BOC-427"="C:\PROGRA~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 05:09 351480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"PrivacyGuardianIndex"="C:\Program Files\Privacy Guardian\PgIndex.exe" [2006-10-30 13:57 38488]

C:\Documents and Settings\Craig Whitham\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-25 23:04:19 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 18:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.SEDG"= mcs_vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Craig Whitham^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Craig Whitham\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 03:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-02-23 18:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 12:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 12:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-06-02 11:13 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2005-07-19 17:32 221184 C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Privacy Guardian]
--a------ 2007-06-12 10:20 2401832 C:\Program Files\Privacy Guardian\pg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-05-15 20:33 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-08-05 02:03]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 20:27:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\ApntEx.exe
.
**************************************************************************
.
Completion time: 2008-08-23 20:33:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-24 00:33:39
ComboFix2.txt 2008-08-23 22:19:38
ComboFix3.txt 2008-08-22 05:59:30
ComboFix4.txt 2008-08-22 03:38:52
ComboFix5.txt 2008-08-24 00:22:35

Pre-Run: 44,484,485,120 bytes free
Post-Run: 44,469,288,960 bytes free

193 --- E O F --- 2008-08-15 01:03:04






Highjack this log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:47 PM, on 8/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKLM\..\RunOnce: [PrivacyGuardianIndex] C:\Program Files\Privacy Guardian\PgIndex.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe (file missing)
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7668 bytes

 

@cw322,

I can find nothing detrimental.

I would like to see 1 more MBAM log and 1 more combofix log that are completely clean, If you could run those and post the logs, please.

After that, we will have a little final straightening up to do to complete this and I will make a few suggestions on how to keep from getting infected again.

2OG

 

Here is the MBAM. Im happy to say it didnt find anything!!
Ill run the combofix now.


Malwarebytes' Anti-Malware 1.25
Database version: 1076
Windows 5.1.2600 Service Pack 2

10:05:59 PM 8/23/2008
mbam-log-08-23-2008 (22-05-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 82302
Time elapsed: 27 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

ComboFix 08-08-23.01 - Craig Whitham 2008-08-23 22:12:45.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.668 [GMT -4:00]
Running from: C:\Documents and Settings\Craig Whitham\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
.

2008-08-23 17:38 . 2008-08-23 17:38 <DIR> d-------- C:\Program Files\Comodo
2008-08-23 17:38 . 2008-08-23 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC427
2008-08-23 17:38 . 2008-07-14 05:09 212,728 --a------ C:\WINDOWS\CMDLIC.DLL
2008-08-23 17:38 . 2008-07-14 05:09 205,560 --a------ C:\WINDOWS\UNBOC.EXE
2008-08-23 17:38 . 2004-08-04 07:00 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-08-23 17:38 . 2008-08-23 22:11 11,715 --a------ C:\WINDOWS\BOC427.INI
2008-08-22 01:02 . 2008-08-22 01:02 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-22 00:07 . 2008-08-22 00:44 250 --a------ C:\WINDOWS\gmer.ini
2008-08-20 23:48 . 2008-08-20 23:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-20 22:25 . 2008-08-20 22:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-20 22:25 . 2008-08-20 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-19 20:09 . 2008-08-19 20:09 <DIR> d--hs---- C:\Documents and Settings\Craig Whitham\UserData
2008-08-19 19:15 . 2008-08-19 19:14 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-19 19:14 . 2008-08-19 19:33 <DIR> d-------- C:\Documents and Settings\Craig Whitham\.housecall6.6
2008-08-19 01:06 . 2008-08-19 01:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-08-19 00:56 . 2008-08-19 00:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-19 00:55 . 2008-08-19 02:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-19 00:55 . 2008-08-19 02:12 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\SUPERAntiSpyware.com
2008-08-18 22:35 . 2008-08-18 22:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\Malwarebytes
2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 20:48 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 20:48 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-18 18:48 . 2006-01-25 23:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-08-18 18:48 . 2006-01-25 23:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-08-18 18:48 . 2006-01-25 23:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-08-18 18:48 . 2008-08-20 23:23 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-13 19:28 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-07-25 13:39 . 2008-07-25 13:40 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 02:11 --------- d-----w C:\Program Files\PC Tools AntiVirus
2008-08-22 02:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-22 02:58 --------- d-----w C:\Program Files\Spyware Doctor
2008-08-22 02:25 --------- d-----w C:\Program Files\Privacy Guardian
2008-08-21 02:46 --------- d-----w C:\Program Files\RegSweep
2008-08-05 06:03 160,792 ----a-w C:\WINDOWS\system32\drivers\pctfw2.sys
2008-07-23 00:34 --------- d-----w C:\Program Files\Java
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-31 03:31 28,264 ----a-w C:\Documents and Settings\Craig Whitham\Application Data\GDIPFONTCACHEV1.DAT
2005-11-03 23:29 72,832 -c--a-r C:\WINDOWS\inf\CamAvb.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-21_20.25.41.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-22 04:07:37 884,736 ----a-w C:\WINDOWS\gmer.dll
+ 2008-08-22 04:06:26 811,008 ----a-w C:\WINDOWS\gmer.exe
+ 2004-08-04 11:00:00 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2008-08-22 04:07:37 85,969 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 18:33 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 16:59 385024]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 23:05 344064]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 22:15 290816]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2007-03-08 19:19 1074736]
"BOC-427"="C:\PROGRA~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 05:09 351480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"PrivacyGuardianIndex"="C:\Program Files\Privacy Guardian\PgIndex.exe" [2006-10-30 13:57 38488]

C:\Documents and Settings\Craig Whitham\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-25 23:04:19 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 18:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.SEDG"= mcs_vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Craig Whitham^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Craig Whitham\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 03:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-02-23 18:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 12:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 12:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-06-02 11:13 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2005-07-19 17:32 221184 C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Privacy Guardian]
--a------ 2007-06-12 10:20 2401832 C:\Program Files\Privacy Guardian\pg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-05-15 20:33 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-08-05 02:03]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = www.yahoo.ca/
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dell.ca/myway
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O18 -: Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 22:15:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-23 22:17:10
ComboFix-quarantined-files.txt 2008-08-24 02:16:17
ComboFix2.txt 2008-08-24 00:33:48
ComboFix3.txt 2008-08-23 22:19:38
ComboFix4.txt 2008-08-22 05:59:30
ComboFix5.txt 2008-08-24 02:12:24

Pre-Run: 44,478,570,496 bytes free
Post-Run: 44,463,505,408 bytes free

182 --- E O F --- 2008-08-15 01:03:04

 

Congratulations cw322, your log now looks CLEAN

Your log is as clean as an old maid’s parlor.
Please perform these final steps and we can call it done…..
I must drop out now but if you have any questions I’ll be back tomorrow..


Hhere are a few other things you must do once you are completely clean:

1. Time for some housekeeping

Please download the OTMoveIt2 by OldTimer

• Save it to your desktop.
• Run the tool by clicking on the icon.
• Click the Cleanup button.

• The tools that we used as well as this one will be removed from your system.


2. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.

• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.

• If you use Firefox browser click Firefox at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

• If you use Opera browser click Opera at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

• Click Exit on the Main menu to close the program.



3. Now Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".

• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then go to Start > Run and type: Cleanmgr
• Click "OK"
Select the drive you want to clean usually C:
Click OK
When it completes the scan:
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


4. Defragment your Hard Drive

1.Open My Computer.
2.Right-click the local disk volume that you want to defragment, and then click Properties.
3.On the Tools tab, click Defragment Now.
4.Click Defragment.




And here are some tips to reduce the potential for spyware infection in the future:


I use and recommend a layered protection plan that BLOCKS malware BEFORE it enters your computer.

Layer 1 – Firewall - this can be a router with SPI (stateful packet inspection) or a 3rd party software firewall – Comodo Pro Free for the geeks and ZoneAlarm Free for the novice.

Layer 2 – HOST file –> HERE This is the most important layer it blocks Bad Sites from being able to get into your computer – MVPS Host file only, for the novice and a combination of MVPS and HP Hosts with HostXpert.exe to manage them for the geeks.

Layer 3 – AntiVirus – Avira AntiVir for everyone – the free version has Nag screens but can be stopped by googling avira antivir nag disable – This is the best of the free AV’s and I like it better than any AV I’ve tried Free or Paid.

Layer 4 – AntiMalware – Comodo BOClean – for everyone – for the paranoid I suggest adding a weekly scan with MalwareBytes’ AntiMalware or SUPERAntiSpyware or BOTH but If you have this full plan in place you won’t need them.

Layer 5 – HIPS ( Host Intrusion Prevention Software) – WinPatrol or if you’re using Comodo Pro Firewall you probably don’t need it.



For a backup system, I use and recommend Acronis True Image Home.



2OG

 

2OG,

Thanks a lot 2OG. I owe you so much. I got like a 300$ serive for free.
Thanks again!!!

 

2OG,
Hi its me again... i just have a quick question before i start doing combofix.... How do you disable "script blocking"?

Thanks again!
gyqrr

 

@gyqrr,

I don’t think you caught what I asked you to do. The thread was a little crowded.

If you will post a fresh HijackThis Log, I will then tell you what needs to be disabled.

2OG

 

great! thank's again O2G!

 

***Edit

Nevermind, I found a way to install Malwarebytes' Anti-Malware. Scanning now...