
D@mn this virus. D@mn it to h3ll. (Trojan.gaslide b)

Discussion in 'Windows - Virus and spyware problems' started by DeliverMe, Aug 6, 2008.

  1. cw322

    cw322 Member

    Joined:
    Aug 20, 2008
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    2OG,

    Yes, I ran BOClean before starting ComboFix. It installed, then I restarted. Then I made that file in Notepad exactly like you said, then I dragged it into ComboFix, then it started, and when it was done it restarted the CPU. When it got back I noticed the background didn't change, and for the first time there were no pop-ups asking me to download things. Looks like it worked, or at least fixed it up better. Let me know what you find.

    Thanks again.
     
  2. dburak

    dburak Member

    Joined:
    Aug 20, 2008
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
    @2oldGeek

    Just a quick question about your post about Comodo BOClean. I'm currently using the Spyware Doctor (along with Norton). Would you advise me to uninstall SpyDoc and install Comodo instead?

    Cheers.
     
  3. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    naw, they get along just fine. kissy, kissy, huggy, huggy
     
  4. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    It’s looking real good, you may not need to reformat.

    First, let’s use HJT to clean some orphans out. All of these have had the file removed.


    Fix entries using HiJackThis

    Launch HiJackThis
    Click the Do a system scan only button
    Put a check next to the entries listed below (if they still remain)

    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)

    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)

    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)



    IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    Click the Fix checked button and close HiJackThis



    Now, we need to delete some files that were created after I made the first Fix.
    We’ll have to run ComboFix again.

    Open Notepad - it must be Notepad, not Wordpad.
    Copy the text below in the quote box by highlighting all the text with your mouse and pressing Ctrl+C

    Go to the Notepad window and click Edit > Paste
    Then click File > Save
    Name the file "CFScript.txt" (including the quotes)
    Save the file to your Desktop


    [Image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.



    2OG
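The triage above boils down to one rule: an O2/O9 (or O23) entry whose target reads "(file missing)" or "(no file)" is an orphaned pointer, not a live threat, and is safe to remove. As an added example, not part of the thread, HijackThis or ComboFix, here is a small parser that applies that rule to HJT log lines; the sample lines are copied from the logs in this thread.

```python
"""Flag HijackThis entries whose backing file is gone.

Added example for this thread; it is not part of HijackThis, ComboFix or the
helper's instructions.  The sample lines are copied from the HJT logs posted
in the thread.  Orphans are leftovers whose file was already removed, so
"Fix checked" on them only deletes the dangling registry pointer; entries
that point at files which still exist are the ones that need a closer look.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# O2/O3/O9 entries: "<section> - <kind>: <name> - {CLSID} - <target>"
CLSID_RE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)
# Anything else HJT prints as "<section> - <kind>: <rest>" (O4, O10, O23, ...)
GENERIC_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
# HJT appends one of these when the referenced file does not exist on disk
ORPHAN_MARKERS = ("(file missing)", "(no file)")


@dataclass
class HjtEntry:
    section: str   # e.g. "O2"
    kind: str      # e.g. "BHO", "Extra button", "Service"
    name: str      # display name, "(no name)", or "" when HJT prints none
    clsid: str     # "{...}" for O2/O3/O9 entries, "" otherwise
    target: str    # file path or URL plus any HJT status marker
    orphan: bool   # True when the backing file is gone
    raw: str       # the original log line, for pasting into a fix list


def parse_entry(line: str) -> Optional[HjtEntry]:
    """Parse one HJT log line; return None for headers, process lists, blanks."""
    line = line.strip()
    m = CLSID_RE.match(line)
    if m:
        name, clsid, target = m["name"], m["clsid"], m["target"].strip()
    else:
        m = GENERIC_RE.match(line)
        if not m:
            return None
        # e.g. "O23 - Service: <name> - <company> - <path> (file missing)":
        # the last " - " separates the target from whatever precedes it
        name, _, target = m["rest"].rpartition(" - ")
        clsid = ""
        target = target.strip()
    orphan = target in ORPHAN_MARKERS or target.endswith(ORPHAN_MARKERS)
    return HjtEntry(m["section"], m["kind"], name, clsid, target, orphan, line)


def find_orphans(log: str) -> List[HjtEntry]:
    """Entries whose file is gone, in log order."""
    entries = (parse_entry(l) for l in log.splitlines())
    return [e for e in entries if e is not None and e.orphan]


def fix_list(log: str) -> List[str]:
    """Deduplicated raw lines to hand to the user as 'put a check next to'."""
    seen, out = set(), []
    for e in find_orphans(log):
        if e.raw not in seen:
            seen.add(e.raw)
            out.append(e.raw)
    return out


# Lines copied from the HijackThis logs in this thread (orphans and clean ones)
SAMPLE_LOG = r"""
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe (file missing)
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
"""

if __name__ == "__main__":
    for e in find_orphans(SAMPLE_LOG):
        print(f"{e.section:<4} {e.kind:<22} {e.name or '-':<32} {e.target}")
```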
     
  5. cw322

    cw322 Member

    Joined:
    Aug 20, 2008
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    ComboFix log:

    ComboFix 08-08-23.01 - Craig Whitham 2008-08-23 20:23:21.6 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.716 [GMT -4:00]
    Running from: C:\Documents and Settings\Craig Whitham\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Craig Whitham\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\Program Files\gnfgay
    C:\WINDOWS\system32\gpwhstmr.exe
    C:\WINDOWS\system32\mxmxytkj.exe
    C:\WINDOWS\system32\qxqzkbed.exe
    C:\WINDOWS\system32\sdezadit.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\edubqncj
    C:\Documents and Settings\All Users\Application Data\edubqncj\wlmtqpqf.exe
    C:\Documents and Settings\All Users\Application Data\rmlsdkby
    C:\Program Files\gnfgay
    C:\Program Files\gnfgay\enstr.dll
    C:\WINDOWS\system32\gpwhstmr.exe
    C:\WINDOWS\system32\mxmxytkj.exe
    C:\WINDOWS\system32\qxqzkbed.exe
    C:\WINDOWS\system32\sdezadit.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
    .

    2008-08-23 17:38 . 2008-08-23 17:38 <DIR> d-------- C:\Program Files\Comodo
    2008-08-23 17:38 . 2008-08-23 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC427
    2008-08-23 17:38 . 2008-07-14 05:09 212,728 --a------ C:\WINDOWS\CMDLIC.DLL
    2008-08-23 17:38 . 2008-07-14 05:09 205,560 --a------ C:\WINDOWS\UNBOC.EXE
    2008-08-23 17:38 . 2004-08-04 07:00 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
    2008-08-23 17:38 . 2008-08-23 20:28 11,578 --a------ C:\WINDOWS\BOC427.INI
    2008-08-22 01:02 . 2008-08-22 01:02 <DIR> d--h----- C:\WINDOWS\PIF
    2008-08-22 00:07 . 2008-08-22 00:44 250 --a------ C:\WINDOWS\gmer.ini
    2008-08-20 23:48 . 2008-08-20 23:48 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-20 22:25 . 2008-08-20 22:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-08-20 22:25 . 2008-08-20 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-19 20:09 . 2008-08-19 20:09 <DIR> d--hs---- C:\Documents and Settings\Craig Whitham\UserData
    2008-08-19 19:15 . 2008-08-19 19:14 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-08-19 19:14 . 2008-08-19 19:33 <DIR> d-------- C:\Documents and Settings\Craig Whitham\.housecall6.6
    2008-08-19 01:06 . 2008-08-19 01:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
    2008-08-19 00:56 . 2008-08-19 00:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-08-19 00:55 . 2008-08-19 02:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-08-19 00:55 . 2008-08-19 02:12 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\SUPERAntiSpyware.com
    2008-08-18 22:35 . 2008-08-18 22:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\Malwarebytes
    2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-18 20:48 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-18 20:48 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-18 18:48 . 2006-01-25 23:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
    2008-08-18 18:48 . 2006-01-25 23:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
    2008-08-18 18:48 . 2006-01-25 23:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
    2008-08-18 18:48 . 2008-08-20 23:23 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-08-13 19:28 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-07-25 13:39 . 2008-07-25 13:40 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\U3

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-24 00:28 --------- d-----w C:\Program Files\PC Tools AntiVirus
    2008-08-22 02:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-22 02:58 --------- d-----w C:\Program Files\Spyware Doctor
    2008-08-22 02:25 --------- d-----w C:\Program Files\Privacy Guardian
    2008-08-21 02:46 --------- d-----w C:\Program Files\RegSweep
    2008-08-05 06:03 160,792 ----a-w C:\WINDOWS\system32\drivers\pctfw2.sys
    2008-07-23 00:34 --------- d-----w C:\Program Files\Java
    2008-05-31 03:31 28,264 ----a-w C:\Documents and Settings\Craig Whitham\Application Data\GDIPFONTCACHEV1.DAT
    2005-11-03 23:29 72,832 -c--a-r C:\WINDOWS\inf\CamAvb.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-21_20.25.41.03 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-08-22 04:07:37 884,736 ----a-w C:\WINDOWS\gmer.dll
    + 2008-08-22 04:06:26 811,008 ----a-w C:\WINDOWS\gmer.exe
    + 2004-08-04 11:00:00 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
    + 2008-08-22 04:07:37 85,969 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 18:33 155648]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 16:59 385024]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 23:05 344064]
    "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 22:15 290816]
    "PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2007-03-08 19:19 1074736]
    "BOC-427"="C:\PROGRA~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 05:09 351480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "PrivacyGuardianIndex"="C:\Program Files\Privacy Guardian\PgIndex.exe" [2006-10-30 13:57 38488]

    C:\Documents and Settings\Craig Whitham\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-25 23:04:19 24576]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-09-07 18:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.SEDG"= mcs_vfw.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Craig Whitham^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\Craig Whitham\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    --a------ 2004-12-06 03:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    -----c--- 2005-02-23 18:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    --a------ 2005-06-10 12:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    --a------ 2005-06-10 12:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-06-02 11:13 267048 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
    --a------ 2005-07-19 17:32 221184 C:\WINDOWS\system32\LVCOMSX.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Privacy Guardian]
    --a------ 2007-06-12 10:20 2401832 C:\Program Files\Privacy Guardian\pg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-05-15 20:33 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-08-05 02:03]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-23 20:27:25
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Comodo\CBOClean\BOCore.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Apoint\ApntEx.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-23 20:33:47 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-24 00:33:39
    ComboFix2.txt 2008-08-23 22:19:38
    ComboFix3.txt 2008-08-22 05:59:30
    ComboFix4.txt 2008-08-22 03:38:52
    ComboFix5.txt 2008-08-24 00:22:35

    Pre-Run: 44,484,485,120 bytes free
    Post-Run: 44,469,288,960 bytes free

    193 --- E O F --- 2008-08-15 01:03:04

    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:35:47 PM, on 8/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Comodo\CBOClean\BOCORE.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\PC Tools AntiVirus\PCTAV.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
    O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
    O4 - HKLM\..\RunOnce: [PrivacyGuardianIndex] C:\Program Files\Privacy Guardian\PgIndex.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe (file missing)
    O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 7668 bytes

     
  6. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    @cw322,

    I can find nothing detrimental.

    I would like to see 1 more MBAM log and 1 more ComboFix log that are completely clean, if you could run those and post the logs, please.

    After that, we will have a little final straightening up to do to complete this and I will make a few suggestions on how to keep from getting infected again.

    2OG
     
  7. cw322

    cw322 Member

    Joined:
    Aug 20, 2008
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    Here is the MBAM. I'm happy to say it didn't find anything!! :D
    I'll run the ComboFix now.


    Malwarebytes' Anti-Malware 1.25
    Database version: 1076
    Windows 5.1.2600 Service Pack 2

    10:05:59 PM 8/23/2008
    mbam-log-08-23-2008 (22-05-59).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 82302
    Time elapsed: 27 minute(s), 6 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  8. cw322

    cw322 Member

    Joined:
    Aug 20, 2008
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    ComboFix 08-08-23.01 - Craig Whitham 2008-08-23 22:12:45.7 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.668 [GMT -4:00]
    Running from: C:\Documents and Settings\Craig Whitham\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
    .

    2008-08-23 17:38 . 2008-08-23 17:38 <DIR> d-------- C:\Program Files\Comodo
    2008-08-23 17:38 . 2008-08-23 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC427
    2008-08-23 17:38 . 2008-07-14 05:09 212,728 --a------ C:\WINDOWS\CMDLIC.DLL
    2008-08-23 17:38 . 2008-07-14 05:09 205,560 --a------ C:\WINDOWS\UNBOC.EXE
    2008-08-23 17:38 . 2004-08-04 07:00 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
    2008-08-23 17:38 . 2008-08-23 22:11 11,715 --a------ C:\WINDOWS\BOC427.INI
    2008-08-22 01:02 . 2008-08-22 01:02 <DIR> d--h----- C:\WINDOWS\PIF
    2008-08-22 00:07 . 2008-08-22 00:44 250 --a------ C:\WINDOWS\gmer.ini
    2008-08-20 23:48 . 2008-08-20 23:48 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-20 22:25 . 2008-08-20 22:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-08-20 22:25 . 2008-08-20 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-19 20:09 . 2008-08-19 20:09 <DIR> d--hs---- C:\Documents and Settings\Craig Whitham\UserData
    2008-08-19 19:15 . 2008-08-19 19:14 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-08-19 19:14 . 2008-08-19 19:33 <DIR> d-------- C:\Documents and Settings\Craig Whitham\.housecall6.6
    2008-08-19 01:06 . 2008-08-19 01:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
    2008-08-19 00:56 . 2008-08-19 00:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-08-19 00:55 . 2008-08-19 02:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-08-19 00:55 . 2008-08-19 02:12 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\SUPERAntiSpyware.com
    2008-08-18 22:35 . 2008-08-18 22:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\Malwarebytes
    2008-08-18 20:48 . 2008-08-18 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-18 20:48 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-18 20:48 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-18 18:48 . 2006-01-25 23:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
    2008-08-18 18:48 . 2006-01-25 23:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
    2008-08-18 18:48 . 2006-01-25 23:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
    2008-08-18 18:48 . 2008-08-20 23:23 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-08-13 19:28 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-07-25 13:39 . 2008-07-25 13:40 <DIR> d-------- C:\Documents and Settings\Craig Whitham\Application Data\U3

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-24 02:11 --------- d-----w C:\Program Files\PC Tools AntiVirus
    2008-08-22 02:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-22 02:58 --------- d-----w C:\Program Files\Spyware Doctor
    2008-08-22 02:25 --------- d-----w C:\Program Files\Privacy Guardian
    2008-08-21 02:46 --------- d-----w C:\Program Files\RegSweep
    2008-08-05 06:03 160,792 ----a-w C:\WINDOWS\system32\drivers\pctfw2.sys
    2008-07-23 00:34 --------- d-----w C:\Program Files\Java
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-24 16:23 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
    2008-06-24 14:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
    2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
    2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
    2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
    2008-05-31 03:31 28,264 ----a-w C:\Documents and Settings\Craig Whitham\Application Data\GDIPFONTCACHEV1.DAT
    2005-11-03 23:29 72,832 -c--a-r C:\WINDOWS\inf\CamAvb.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-21_20.25.41.03 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-08-22 04:07:37 884,736 ----a-w C:\WINDOWS\gmer.dll
    + 2008-08-22 04:06:26 811,008 ----a-w C:\WINDOWS\gmer.exe
    + 2004-08-04 11:00:00 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
    + 2008-08-22 04:07:37 85,969 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
    "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 18:33 155648]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 16:59 385024]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 23:05 344064]
    "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 22:15 290816]
    "PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2007-03-08 19:19 1074736]
    "BOC-427"="C:\PROGRA~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 05:09 351480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "PrivacyGuardianIndex"="C:\Program Files\Privacy Guardian\PgIndex.exe" [2006-10-30 13:57 38488]

    C:\Documents and Settings\Craig Whitham\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-25 23:04:19 24576]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-09-07 18:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.SEDG"= mcs_vfw.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Craig Whitham^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\Craig Whitham\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    --a------ 2004-12-06 03:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    -----c--- 2005-02-23 18:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    --a------ 2005-06-10 12:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    --a------ 2005-06-10 12:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-06-02 11:13 267048 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
    --a------ 2005-07-19 17:32 221184 C:\WINDOWS\system32\LVCOMSX.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Privacy Guardian]
    --a------ 2007-06-12 10:20 2401832 C:\Program Files\Privacy Guardian\pg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-05-15 20:33 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-08-05 02:03]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
    .
    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = www.yahoo.ca/
    R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dell.ca/myway
    R1 -: HKCU-Internet Settings,ProxyOverride = *.local
    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O18 -: Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-23 22:15:05
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-08-23 22:17:10
    ComboFix-quarantined-files.txt 2008-08-24 02:16:17
    ComboFix2.txt 2008-08-24 00:33:48
    ComboFix3.txt 2008-08-23 22:19:38
    ComboFix4.txt 2008-08-22 05:59:30
    ComboFix5.txt 2008-08-24 02:12:24

    Pre-Run: 44,478,570,496 bytes free
    Post-Run: 44,463,505,408 bytes free

    182 --- E O F --- 2008-08-15 01:03:04
     
  9. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    Congratulations cw322, your log now looks CLEAN

    Your log is as clean as an old maid’s parlor.
    Please perform these final steps and we can call it done…..
    I must drop out now but if you have any questions I’ll be back tomorrow..


    Here are a few other things you must do once you are completely clean:

    1. Time for some housekeeping

    Please download the OTMoveIt2 by OldTimer

    Save it to your desktop.
    Run the tool by clicking on the icon.
    • Click the Cleanup button.

    • The tools that we used as well as this one will be removed from your system.


    2. Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only


    Double-click ATF-Cleaner.exe to run the program.

    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.

    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • Click Exit on the Main menu to close the program.



    3. Now Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    The easiest and safest way to do this is:

    • Go to Start > Programs > Accessories > System Tools and click "System Restore".

    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    • Then go to Start > Run and type: Cleanmgr
    • Click "OK"
    Select the drive you want to clean usually C:
    Click OK
    When it completes the scan:
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


    4. Defragment your Hard Drive

    1. Open My Computer.
    2. Right-click the local disk volume that you want to defragment, and then click Properties.
    3. On the Tools tab, click Defragment Now.
    4. Click Defragment.




    And here are some tips to reduce the potential for spyware infection in the future:


    I use and recommend a layered protection plan that BLOCKS malware BEFORE it enters your computer.

    Layer 1 – Firewall - this can be a router with SPI (stateful packet inspection) or a 3rd party software firewall – Comodo Pro Free for the geeks and ZoneAlarm Free for the novice.

    Layer 2 – HOST file –> HERE This is the most important layer it blocks Bad Sites from being able to get into your computer – MVPS Host file only, for the novice and a combination of MVPS and HP Hosts with HostXpert.exe to manage them for the geeks.

    Layer 3 – AntiVirus – Avira AntiVir for everyone – the free version has Nag screens but can be stopped by googling avira antivir nag disable – This is the best of the free AV’s and I like it better than any AV I’ve tried Free or Paid.

    Layer 4 – AntiMalware – Comodo BOClean – for everyone – for the paranoid I suggest adding a weekly scan with MalwareBytes’ AntiMalware or SUPERAntiSpyware or BOTH but if you have this full plan in place you won’t need them.

    Layer 5 – HIPS ( Host Intrusion Prevention Software) – WinPatrol or if you’re using Comodo Pro Firewall you probably don’t need it.



    For a backup system, I use and recommend Acronis True Image Home.



    2OG
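    The "looks CLEAN" verdict above comes from reading the Reg Loading Points block of the ComboFix log by eye: each autostart value, where its image lives, and whether that location makes sense. The script below is an added example of that same read done in Python; it is not part of the thread, of ComboFix, or of 2oldGeek's procedure. It parses the REGEDIT4-style Run/RunOnce lines ComboFix prints and applies two hypothetical triage heuristics of my own (image in a user-writable folder, or a Windows system binary name living outside the Windows directory). The sample block is constructed: three entries are copied from the log posted above, and the "Updater" entry is made up to show what gets flagged.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout ComboFix uses for its "Reg Loading Points"
# section. The first three entries are copied from the log posted above; the
# "Updater" entry is a constructed example of what a triage helper should flag.
SAMPLE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BOC-427"="C:\PROGRA~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 05:09 351480]
"Updater"="C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe" [2008-08-20 01:12 49152]
'''


@dataclass
class AutostartEntry:
    key: str    # registry key the value sits under
    name: str   # value name
    path: str   # image path as ComboFix printed it
    stamp: str  # file timestamp as printed (YYYY-MM-DD HH:MM)
    size: int   # file size in bytes


KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s*'
    r'\[(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>\d+)\]$'
)

# Hypothetical triage heuristics (mine, not ComboFix's): an autostart that runs
# from a user-writable folder, or that borrows the name of a Windows system
# binary while living outside the Windows directory, deserves a closer look.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\recycler\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "explorer.exe", "smss.exe"}
WINDOWS_DIR = "c:\\windows\\"


def parse_loading_points(text: str) -> List[AutostartEntry]:
    """Parse the REGEDIT4-style Run/RunOnce blocks into AutostartEntry records."""
    entries: List[AutostartEntry] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        k = KEY_RE.match(line)
        if k:
            key = k.group("key")
            continue
        e = ENTRY_RE.match(line)
        if e and key:
            entries.append(AutostartEntry(key, e.group("name"), e.group("path"),
                                          e.group("stamp"), int(e.group("size"))))
    return entries


def review(entry: AutostartEntry) -> List[str]:
    """Return the reasons an entry is worth checking (empty list = nothing noted)."""
    reasons: List[str] = []
    low = entry.path.lower()
    exe = low.rsplit("\\", 1)[-1]
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable location")
    if exe in SYSTEM_NAMES and not low.startswith(WINDOWS_DIR):
        reasons.append("system binary name outside the Windows directory")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged value name to its reasons; entries with nothing noted are omitted."""
    flagged: Dict[str, List[str]] = {}
    for entry in parse_loading_points(text):
        reasons = review(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


if __name__ == "__main__":
    for entry in parse_loading_points(SAMPLE):
        verdict = "; ".join(review(entry)) or "nothing noted"
        print(f"{entry.name:20} {entry.size:>9} bytes  {entry.path}")
        print(f"{'':20} -> {verdict}")
```

    Run it on the Reg Loading Points block of any ComboFix log; the three entries taken from the log above come back with nothing noted, and only the constructed "Updater" value is flagged, on both counts. The heuristics are deliberately narrow so they stay explainable; a real review still checks each path against a known-good reference, as the thread does by hand.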
     
  10. cw322

    cw322 Member

    Joined:
    Aug 20, 2008
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    2OG,

    Thanks a lot 2OG. I owe you so much. I got like a 300$ service for free.
    Thanks again!!!
     
  11. gyqrr

    gyqrr Member

    Joined:
    Jul 5, 2006
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    2OG,
    Hi, it's me again... I just have a quick question before I start doing ComboFix.... How do you disable "script blocking"? :)

    Thanks again!
    gyqrr
     
  12. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    @gyqrr,

    I don’t think you caught what I asked you to do. The thread was a little crowded.

    If you will post a fresh HijackThis Log, I will then tell you what needs to be disabled.

    2OG
     
  13. gyqrr

    gyqrr Member

    Joined:
    Jul 5, 2006
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    Great! Thanks again, O2G!
     
  14. AJx77x

    AJx77x Member

    Joined:
    Aug 26, 2008
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    11
    ***Edit

    Nevermind, I found a way to install Malwarebytes' Anti-Malware. Scanning now...
     
    Last edited: Aug 26, 2008
