
Trouble removing spools.exe

Discussion in 'Malware and Virus Removal Archive' started by Glimflicker, 2008/06/21.

  1. 2008/06/21
    Glimflicker

    Glimflicker Inactive Thread Starter

    Joined:
    2008/06/21
    Messages:
    3
    Likes Received:
    0
    My mother's computer slowed down, so naturally she decided to download some antivirus software and fix it! Unfortunately, she wound up downloading something even worse, and it appears to be spools.exe. I was unable to run an executable for the longest time, but right before I decided to reformat, I found that I could run a couple of nested .bat files in an endless loop, and after enough calls I could launch whatever I wanted to. My attempts at removing it have been unsuccessful, so here's the output from DSS:

    Deckard's System Scanner v20071014.68
    Run by Lorna Jones on 2008-06-21 20:35:06
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 510 MiB (512 MiB recommended).


    -- HijackThis (run as Lorna Jones.exe) -----------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:35:08 PM, on 6/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\notepad.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Documents and Settings\Lorna Jones\My Documents\Installed\dss.exe
    C:\DOCUME~1\LORNAJ~1\MYDOCU~1\INSTAL~1\LORNAJ~1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers/Services/resultsmaster/ResultsMasterHomeLeftPane.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4060925
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: (no name) - {0576C568-1DFF-4F13-BAF0-D07F8E96071C} - C:\WINDOWS\system32\wvUmjhhg.dll
    O2 - BHO: (no name) - {32341E7E-C319-46DE-91D0-E30BB1A3CABA} - C:\WINDOWS\system32\vtUooMCR.dll
    O2 - BHO: {7ff94b1e-f2bb-630b-04a4-7b51bb1530f8} - {8f0351bb-15b7-4a40-b036-bb2fe1b49ff7} - C:\WINDOWS\system32\uveivlbc.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
    O3 - Toolbar: (no name) - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - (no file)
    O4 - HKLM\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
    O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Lorna Jones\cftmon.exe
    O4 - HKLM\..\Run: [086ccfb2] rundll32.exe "C:\WINDOWS\system32\pltqtgaa.dll ",b
    O4 - HKCU\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
    O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Lorna Jones\cftmon.exe
    O4 - HKCU\..\Run: [WinAntivirusPro] C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: vtUooMCR - C:\WINDOWS\SYSTEM32\vtUooMCR.dll
    O20 - Winlogon Notify: __c00F3F70 - C:\WINDOWS\system32\__c00F3F70.dat
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
    O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe (file missing)
    O23 - Service: McAfee SpamKiller Server (MskService) - Unknown owner - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
    O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

    --
    End of file - 6920 bytes

    -- Files created between 2008-05-21 and 2008-06-21 -----------------------------

    2008-06-21 19:45:44 0 d-------- C:\Documents and Settings\Administrator.LORNA\Application Data\Identities
    2008-06-21 19:45:44 0 d--h----- C:\Documents and Settings\Administrator.LORNA\Application Data\Gtek
    2008-06-21 19:45:43 0 dr------- C:\Documents and Settings\Administrator.LORNA\Favorites
    2008-06-21 19:45:43 0 d-------- C:\Documents and Settings\Administrator.LORNA\Desktop
    2008-06-21 19:45:43 0 d--hs---- C:\Documents and Settings\Administrator.LORNA\Cookies
    2008-06-21 19:45:43 0 dr-h----- C:\Documents and Settings\Administrator.LORNA\Application Data
    2008-06-21 19:45:43 0 d-------- C:\Documents and Settings\Administrator.LORNA\Application Data\Symantec
    2008-06-21 19:45:43 0 d---s---- C:\Documents and Settings\Administrator.LORNA\Application Data\Microsoft
    2008-06-21 19:45:42 0 d--h----- C:\Documents and Settings\Administrator.LORNA\Templates
    2008-06-21 19:45:42 0 dr------- C:\Documents and Settings\Administrator.LORNA\Start Menu
    2008-06-21 19:45:42 0 dr-h----- C:\Documents and Settings\Administrator.LORNA\SendTo
    2008-06-21 19:45:42 0 dr-h----- C:\Documents and Settings\Administrator.LORNA\Recent
    2008-06-21 19:45:42 0 d--h----- C:\Documents and Settings\Administrator.LORNA\PrintHood
    2008-06-21 19:45:42 0 d--h----- C:\Documents and Settings\Administrator.LORNA\NetHood
    2008-06-21 19:45:42 0 dr------- C:\Documents and Settings\Administrator.LORNA\My Documents
    2008-06-21 19:45:42 0 d--h----- C:\Documents and Settings\Administrator.LORNA\Local Settings
    2008-06-21 19:45:41 786432 --ah----- C:\Documents and Settings\Administrator.LORNA\NTUSER.DAT
    2008-06-21 19:22:33 99328 --a------ C:\WINDOWS\system32\uveivlbc.dll
    2008-06-21 19:22:31 81408 --a------ C:\WINDOWS\system32\pltqtgaa.dll
    2008-06-21 19:20:40 99328 --a------ C:\WINDOWS\system32\qehpfnba.dll
    2008-06-21 19:20:06 25088 --a------ C:\WINDOWS\system32\cbXNeCuT.dll
    2008-06-08 18:36:51 92160 --a------ C:\WINDOWS\system32\xmjviijo.dll
    2008-06-08 18:36:47 108544 --a------ C:\WINDOWS\system32\pwkayfhe.dll
    2008-06-08 17:48:44 56 --a------ C:\xcrashdump.dat
    2008-06-08 17:47:53 0 d-------- C:\Program Files\WinAntivirusPro3.8
    2008-06-08 17:47:53 0 d-------- C:\Program Files\NetFilter
    2008-06-08 17:45:53 18944 --a------ C:\WINDOWS\system32\drivers\spools.exe
    2008-06-08 17:45:53 18944 --a------ C:\Documents and Settings\Lorna Jones\cftmon.exe
    2008-06-08 17:45:51 0 d-------- C:\Program Files\SAV
    2008-06-08 17:45:47 5120 --a------ C:\WINDOWS\system32\ftp34.dll
    2008-06-08 17:45:47 5120 --a------ C:\Documents and Settings\Lorna Jones\ftp34.dll
    2008-06-08 17:44:53 67584 --a------ C:\WINDOWS\system32\__c006B5C4.exe
    2008-06-08 17:41:29 108544 --a------ C:\WINDOWS\system32\hxqtvvkj.dll
    2008-06-08 17:40:01 92160 --a------ C:\WINDOWS\system32\lclcqauq.dll
    2008-06-07 14:11:15 108544 --a------ C:\WINDOWS\system32\xwpylvpe.dll
    2008-06-07 14:09:56 1742 --ahs---- C:\WINDOWS\system32\ghhjmUvw.ini2
    2008-06-07 14:09:53 347136 --a------ C:\WINDOWS\system32\wvUmjhhg.dll
    2008-06-07 14:04:48 59904 --a------ C:\WINDOWS\system32\vtUooMCR.dll
    2008-06-07 14:04:43 25088 --a------ C:\WINDOWS\system32\__c00F3F70.dat
    2008-05-21 07:50:03 0 d-------- C:\Program Files\Adobe Media Player
    2008-05-21 07:49:43 0 d-------- C:\Program Files\Common Files\Adobe AIR


    -- Find3M Report ---------------------------------------------------------------

    2008-06-08 17:39:12 0 d-------- C:\Program Files\SpamBlockerUtility
    2008-05-21 07:49:43 0 d-------- C:\Program Files\Common Files


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0576C568-1DFF-4F13-BAF0-D07F8E96071C}]
    06/07/2008 02:09 PM 347136 --a------ C:\WINDOWS\system32\wvUmjhhg.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32341E7E-C319-46DE-91D0-E30BB1A3CABA}]
    06/07/2008 02:04 PM 59904 --a------ C:\WINDOWS\system32\vtUooMCR.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8f0351bb-15b7-4a40-b036-bb2fe1b49ff7}]
    06/21/2008 07:22 PM 99328 --a------ C:\WINDOWS\system32\uveivlbc.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Antivirus "= "C:\Program Files\SAV\sav.exe" []
    "ntuser "= "C:\WINDOWS\system32\drivers\spools.exe" [06/08/2008 05:46 PM]
    "autoload "= "C:\Documents and Settings\Lorna Jones\cftmon.exe" [06/08/2008 05:46 PM]
    "086ccfb2 "= "C:\WINDOWS\system32\pltqtgaa.dll" [06/21/2008 07:22 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Antivirus "= "C:\Program Files\SAV\sav.exe" []
    "ntuser "= "C:\WINDOWS\system32\drivers\spools.exe" [06/08/2008 05:46 PM]
    "autoload "= "C:\Documents and Settings\Lorna Jones\cftmon.exe" [06/08/2008 05:46 PM]
    "WinAntivirusPro "= "C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe" [06/08/2008 05:47 PM]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{32341E7E-C319-46DE-91D0-E30BB1A3CABA} "= C:\WINDOWS\system32\vtUooMCR.dll [06/07/2008 02:04 PM 59904]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUooMCR]
    vtUooMCR.dll 06/07/2008 02:04 PM 59904 C:\WINDOWS\system32\vtUooMCR.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F3F70]
    C:\WINDOWS\system32\__c00F3F70.dat 06/21/2008 07:16 PM 25088 C:\WINDOWS\system32\__c00F3F70.dat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 C:\WINDOWS\system32\wvUmjhhg


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    AutoRun\command- G:\LaunchU3.exe




    -- End of Deckard's System Scanner: finished at 2008-06-21 20:35:35 ------------
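The helper's reply works from the O4, O20 and O23 lines of this log. As an added example, not code from the thread, HijackThis or ComboFix, here is a Python triage over a few lines copied from the log above that flags the same patterns a malware-removal volunteer looks for; the allowlist of XP core binaries and the expected service host binaries are my assumptions.

```python
"""Triage of HijackThis O4/O20/O23 lines; added example modelled on this thread's log,
not code from the thread, HijackThis or ComboFix. Flags look-alike process names,
.exe files under the drivers directory, 8-hex Run names loading a DLL via rundll32,
non-DLL Winlogon Notify packages, and core services with a wrong or missing binary."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Lorna Jones\cftmon.exe
O4 - HKLM\..\Run: [086ccfb2] rundll32.exe "C:\WINDOWS\system32\pltqtgaa.dll ",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: __c00F3F70 - C:\WINDOWS\system32\__c00F3F70.dat
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Assumed allowlist of XP core binaries that malware likes to imitate.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "ctfmon.exe",
                   "explorer.exe", "rundll32.exe"}
# Assumed: short service name -> binary that hosts that service on XP.
EXPECTED_SERVICE_BINARY = {"schedule": "svchost.exe", "spooler": "spoolsv.exe"}

PATH_RE = re.compile(r'[a-z]:\\[^"]*?\.(?:exe|dll|dat|sys)', re.IGNORECASE)
O4_RE = re.compile(r"^O4 - HK[A-Z]+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: \S+ - (?P<path>.+?)(?: \(file missing\))?$")
O23_RE = re.compile(r"^O23 - Service: .+?(?: \((?P<short>[^)]+)\))? - .+? - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")

@dataclass
class Finding:
    line: str
    reason: str

def osa_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): an adjacent swap costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_of(filename: str):
    """Return the system binary this name imitates (distance 1), else None."""
    name = filename.lower()
    if name in SYSTEM_BINARIES:
        return None
    return next((k for k in SYSTEM_BINARIES if osa_distance(name, k) == 1), None)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def check_path(line: str, path: str, findings: list) -> None:
    """Checks shared by every entry type that names a file."""
    imitated = lookalike_of(basename(path))
    if imitated:
        findings.append(Finding(line, f"{basename(path)} imitates {imitated}"))
    if "\\system32\\drivers\\" in path.lower() and path.lower().endswith(".exe"):
        findings.append(Finding(line, "executable launched from the drivers directory"))

def triage(log_text: str) -> list:
    """Return one Finding per suspicious property of each O4/O20/O23 line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            if path := PATH_RE.search(m["cmd"]):
                check_path(line, path.group(0), findings)
            if re.fullmatch(r"[0-9a-f]{8}", m["name"]) and "rundll32" in m["cmd"].lower():
                findings.append(Finding(line, "random 8-hex Run name loading a DLL via rundll32"))
        elif m := O20_RE.match(line):
            if not m["path"].lower().endswith(".dll"):
                findings.append(Finding(line, "Winlogon Notify package is not a DLL"))
            check_path(line, m["path"], findings)
        elif m := O23_RE.match(line):
            check_path(line, m["path"], findings)
            expected = EXPECTED_SERVICE_BINARY.get((m["short"] or "").lower())
            if expected and basename(m["path"]) != expected:
                findings.append(Finding(line, f"service should run from {expected}"))
            if expected and m["missing"]:
                findings.append(Finding(line, f"core service binary {expected} is missing"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.line}")
```

The legitimate ctfmon.exe and HP entries produce no findings, while the spools.exe service entry collects three reasons at once, which is the kind of stacking that singles an entry out for the CFScript.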
     
  2. 2008/06/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS Glimflicker :)

    Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     


  4. 2008/06/22
    Glimflicker

    Glimflicker Inactive Thread Starter

    Joined:
    2008/06/21
    Messages:
    3
    Likes Received:
    0
    ComboFix log

    ComboFix 08-06-20.4 - Lorna Jones 2008-06-22 7:02:50.1 - NTFSx86
    Running from: C:\Documents and Settings\Lorna Jones\My Documents\Installed\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Lorna Jones\Application Data\SpamBlockerUtility_Icons
    C:\Documents and Settings\Lorna Jones\Application Data\SpamBlockerUtility_Icons\Registryrepair.ico
    C:\Documents and Settings\Lorna Jones\Application Data\SpamBlockerUtility_Icons\Software_Online_8.ico
    C:\Documents and Settings\Lorna Jones\Application Data\SpamBlockerUtility_Icons\wallpapere1.ico
    C:\Documents and Settings\Lorna Jones\cftmon.exe
    C:\Documents and Settings\Lorna Jones\ftp34.dll
    C:\Program Files\Hotbar
    C:\Program Files\WinAntivirusPro3.8
    C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\__c006B5C4.exe
    C:\WINDOWS\system32\__c00F3F70.dat
    C:\WINDOWS\system32\aagtqtlp.ini
    C:\WINDOWS\system32\cbXNeCuT.dll
    C:\WINDOWS\system32\ctleekva.ini
    C:\WINDOWS\system32\drivers\spools.exe
    C:\WINDOWS\system32\ftp34.dll
    C:\WINDOWS\system32\ghhjmUvw.ini
    C:\WINDOWS\system32\ghhjmUvw.ini2
    C:\WINDOWS\system32\hxqtvvkj.dll
    C:\WINDOWS\system32\lclcqauq.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\ojiivjmx.ini
    C:\WINDOWS\system32\pwkayfhe.dll
    C:\WINDOWS\system32\quaqclcl.ini
    C:\WINDOWS\system32\upawpjyp.ini
    C:\WINDOWS\system32\vtUooMCR.dll
    C:\WINDOWS\system32\wvUmjhhg.dll
    C:\WINDOWS\system32\xmjviijo.dll
    C:\WINDOWS\system32\xwpylvpe.dll
    C:\xcrashdump.dat

    .
    ((((((((((((((((((((((((( Files Created from 2008-05-22 to 2008-06-22 )))))))))))))))))))))))))))))))
    .

    2008-06-21 20:46 . 2008-06-21 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-21 20:46 . 2008-06-21 20:46 <DIR> d-------- C:\Applications
    2008-06-21 20:23 . 2008-06-21 20:23 <DIR> d-------- C:\Deckard
    2008-06-21 19:45 . 2006-09-25 10:49 <DIR> d-------- C:\Documents and Settings\Administrator.LORNA\Application Data\Symantec
    2008-06-21 19:45 . 2006-09-25 10:57 <DIR> d--h----- C:\Documents and Settings\Administrator.LORNA\Application Data\Gtek
    2008-06-21 19:45 . 2008-06-21 19:45 <DIR> d-------- C:\Documents and Settings\Administrator.LORNA
    2008-06-21 19:43 . 2008-06-22 07:13 294 ---hs---- C:\WINDOWS\system32\aagtqtlp.ini
    2008-06-21 19:22 . 2008-06-21 19:22 99,328 --a------ C:\WINDOWS\system32\uveivlbc.dll
    2008-06-21 19:22 . 2008-06-21 19:22 81,408 --a------ C:\WINDOWS\system32\pltqtgaa.dll
    2008-06-21 19:20 . 2008-06-21 19:20 99,328 --a------ C:\WINDOWS\system32\qehpfnba.dll
    2008-06-08 17:47 . 2008-06-08 17:47 <DIR> d-------- C:\Program Files\NetFilter
    2008-06-08 17:46 . 2008-05-26 16:34 45,056 --a------ C:\WINDOWS\system32\sav.cpl
    2008-06-08 17:45 . 2008-06-08 18:42 <DIR> d-------- C:\Program Files\SAV

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-21 12:50 --------- d-----w C:\Program Files\Adobe Media Player
    2008-05-21 12:49 --------- d-----w C:\Program Files\Common Files\Adobe AIR
    2004-08-04 10:00 4,096 --sha-w C:\WINDOWS\system32\1112.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8f0351bb-15b7-4a40-b036-bb2fe1b49ff7}]
    2008-06-21 19:22 99328 --a------ C:\WINDOWS\system32\uveivlbc.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
    "SpybotSD TeaTimer "= "C:\Applications\Spybot\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Antivirus "= "C:\Program Files\SAV\sav.exe" [ ]
    "086ccfb2 "= "C:\WINDOWS\system32\pltqtgaa.dll" [2008-06-21 19:22 81408]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F3F70]
    C:\WINDOWS\system32\__c00F3F70.dat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe "=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems]
    "Windows "= baseuff32.dll

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    \Shell\AutoRun\command - G:\LaunchU3.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-15 06:00:00 C:\WINDOWS\Tasks\McDefragTask.job "
    - c:\program files\mcafee\mqc\QcConsol.exe'
    "2008-06-01 06:00:00 C:\WINDOWS\Tasks\McQcTask.job "
    - c:\program files\mcafee\mqc\QcConsol.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-22 07:12:58
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\WINDOWS\system32\aagtqtlp.ini 294 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\csrss.exe
    -> C:\WINDOWS\system32\baseuff32.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-22 7:18:24 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-22 12:18:21

    Pre-Run: 46,531,600,384 bytes free
    Post-Run: 46,597,918,720 bytes free

    131 --- E O F --- 2008-05-28 12:42:01

    --------------------------------------------------------------------

    HijackThis log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:40:06 AM, on 6/22/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Applications\Spybot\TeaTimer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Documents and Settings\Lorna Jones\My Documents\Installed\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4060925
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Applications\Spybot\SDHelper.dll
    O2 - BHO: {7ff94b1e-f2bb-630b-04a4-7b51bb1530f8} - {8f0351bb-15b7-4a40-b036-bb2fe1b49ff7} - C:\WINDOWS\system32\uveivlbc.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
    O4 - HKLM\..\Run: [086ccfb2] rundll32.exe "C:\WINDOWS\system32\pltqtgaa.dll ",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Applications\Spybot\TeaTimer.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Applications\Spybot\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Applications\Spybot\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: __c00F3F70 - C:\WINDOWS\system32\__c00F3F70.dat (file missing)
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
    O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe (file missing)
    O23 - Service: McAfee SpamKiller Server (MskService) - Unknown owner - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

    --
    End of file - 6308 bytes
     
  5. 2008/06/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    First, if listed in Add/Remove programs, uninstall SystemAntivirus2008 (or might be SAV). Let me know if it's not listed.

    Next, highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    
    http://www.windowsbbs.com/showthread.php?t=74524
    
    Suspect::
    C:\WINDOWS\system32\baseuff32.dll
    Collect::
    C:\WINDOWS\system32\aagtqtlp.ini
    C:\WINDOWS\system32\uveivlbc.dll
    C:\WINDOWS\system32\pltqtgaa.dll
    C:\WINDOWS\system32\qehpfnba.dll
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8f0351bb-15b7-4a40-b036-bb2fe1b49ff7}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Antivirus "=-
     "086ccfb2 "=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F3F70]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Please note that I have instructed CFScript to collect some files. This means that at some point, likely after reboot when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. This will assist the author in adding the files for removal in future updates. Thanks!

    Please let me know if/when the upload is successful. I have included another file that needs to be analyzed.
     
  6. 2008/07/05
    Glimflicker

    Glimflicker Inactive Thread Starter

    Joined:
    2008/06/21
    Messages:
    3
    Likes Received:
    0
    Things appear to have gotten worse. Here's the ComboFix log:

    ComboFix 08-07-04.2 - Lorna Jones 2008-07-04 18:28:02.2 - NTFSx86
    Running from: C:\Documents and Settings\Lorna Jones\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Lorna Jones\Desktop\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\aagtqtlp.ini
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\pltqtgaa.dll
    C:\WINDOWS\system32\qehpfnba.dll
    C:\WINDOWS\system32\uveivlbc.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 )))))))))))))))))))))))))))))))
    .

    2008-07-03 14:13 . 2004-08-04 05:00 82,944 --a------ C:\WINDOWS\system32\sockets.dll
    2008-07-03 14:13 . 2008-07-04 18:32 47,616 --a------ C:\WINDOWS\system32\Crypt16.exe
    2008-07-03 14:13 . 2008-07-04 18:32 41,984 --ahs---- C:\WINDOWS\system32\Crypt_16.dll
    2008-06-29 22:10 . 2008-06-29 22:10 46 --a------ C:\WINDOWS\hposf045.dat
    2008-06-22 08:44 . 2008-06-22 08:44 6,790 --a------ C:\WINDOWS\system32\Config.MPF
    2008-06-22 07:50 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-22 07:50 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-21 20:46 . 2008-06-21 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-21 20:46 . 2008-06-21 20:46 <DIR> d-------- C:\Applications
    2008-06-21 20:23 . 2008-06-21 20:23 <DIR> d-------- C:\Deckard
    2008-06-21 19:45 . 2006-09-25 10:49 <DIR> d-------- C:\Documents and Settings\Administrator.LORNA\Application Data\Symantec
    2008-06-21 19:45 . 2006-09-25 10:57 <DIR> d--h----- C:\Documents and Settings\Administrator.LORNA\Application Data\Gtek
    2008-06-21 19:45 . 2008-06-21 19:45 <DIR> d-------- C:\Documents and Settings\Administrator.LORNA
    2008-06-08 17:47 . 2008-06-08 17:47 <DIR> d-------- C:\Program Files\NetFilter
    2008-06-08 17:46 . 2008-05-26 16:34 45,056 --a------ C:\WINDOWS\system32\sav.cpl
    2008-06-08 17:45 . 2008-06-08 18:42 <DIR> d-------- C:\Program Files\SAV

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-03 11:39 --------- d-----w C:\Program Files\McAfee
    2008-06-30 03:28 --------- d-----w C:\Program Files\HP
    2008-06-24 02:11 --------- d-----w C:\Program Files\SiteAdvisor
    2008-06-23 13:02 --------- d-----w C:\Documents and Settings\Lorna Jones\Application Data\SiteAdvisor
    2008-06-22 13:49 --------- d-----w C:\Program Files\Common Files\McAfee
    2008-06-22 13:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-05-21 12:50 --------- d-----w C:\Program Files\Adobe Media Player
    2008-05-21 12:49 --------- d-----w C:\Program Files\Common Files\Adobe AIR
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
    2008-04-24 03:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    2004-08-04 10:00 4,096 --sha-w C:\WINDOWS\system32\1112.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-06-22_ 7.18.09.23 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-22 12:12:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-07-04 23:32:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-13 13:10:50 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
    + 2008-03-01 13:06:20 124,928 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\advpack.dll
    + 2008-03-01 13:06:21 347,136 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtmsft.dll
    + 2008-03-01 13:06:21 214,528 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtrans.dll
    + 2008-03-01 13:06:21 133,120 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\extmgr.dll
    + 2008-03-01 13:06:21 63,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\icardie.dll
    + 2008-02-29 08:55:23 70,656 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ie4uinit.exe
    + 2008-03-01 13:06:21 153,088 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakeng.dll
    + 2008-03-01 13:06:21 230,400 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieaksie.dll
    + 2008-02-15 05:44:25 161,792 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakui.dll
    + 2008-03-01 13:06:22 383,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieapfltr.dll
    + 2008-03-01 13:06:22 384,512 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iedkcs32.dll
    + 2008-03-01 13:06:24 6,066,176 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieframe.dll
    + 2008-03-01 13:06:24 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iernonce.dll
    + 2008-03-01 13:06:25 267,776 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iertutil.dll
    + 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieudinit.exe
    + 2008-02-29 08:55:46 625,664 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe
    + 2008-03-01 13:06:25 27,648 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\jsproxy.dll
    + 2008-03-01 13:06:26 459,264 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeeds.dll
    + 2008-03-01 13:06:26 52,224 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeedsbs.dll
    + 2008-03-01 23:36:30 3,591,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtml.dll
    + 2008-03-01 13:06:28 478,208 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtmled.dll
    + 2008-03-01 13:06:28 193,024 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msrating.dll
    + 2008-03-01 13:06:29 671,232 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mstime.dll
    + 2008-03-01 13:06:29 102,912 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\occache.dll
    + 2008-03-01 13:06:29 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\pngfilt.dll
    + 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe
    + 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\updspapi.dll
    + 2008-03-01 13:06:29 105,984 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\url.dll
    + 2008-03-01 13:06:30 1,159,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll
    + 2008-03-01 13:06:30 233,472 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\webcheck.dll
    + 2008-03-01 13:06:31 826,368 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
    - 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
    + 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
    + 2004-08-04 10:00:00 24,576 ----a-w C:\WINDOWS\system32\baseqgl32.dll
    - 2006-10-02 00:17:27 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-07-04 19:29:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2006-10-02 00:17:27 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-07-04 19:29:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-03-01 13:06:20 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
    + 2008-04-23 04:16:28 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
    - 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    + 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    - 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
    + 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
    - 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
    + 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
    - 2008-03-01 13:06:21 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
    + 2008-04-23 04:16:28 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
    - 2008-03-01 13:06:21 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
    + 2008-04-23 04:16:28 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
    - 2008-03-01 13:06:21 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
    + 2008-04-23 04:16:28 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
    - 2008-03-01 13:06:22 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    + 2008-04-23 04:16:28 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    - 2008-03-01 13:06:22 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    + 2008-04-23 04:16:28 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    - 2008-03-01 13:06:24 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
    + 2008-04-23 04:16:28 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
    - 2008-03-01 13:06:24 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
    + 2008-04-23 04:16:28 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
    - 2008-03-01 13:06:25 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
    + 2008-04-23 04:16:28 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
    - 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
    + 2008-04-23 04:16:28 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
    - 2008-03-01 13:06:26 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
    + 2008-04-23 04:16:28 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
    - 2008-03-01 13:06:26 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    + 2008-04-23 04:16:28 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    - 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
    + 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
    - 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
    + 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
    - 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
    + 2008-04-23 04:16:28 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
    - 2008-03-01 13:06:29 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
    + 2008-04-23 04:16:28 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
    - 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    + 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    - 2008-03-01 13:06:29 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
    + 2008-04-23 04:16:28 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
    - 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
    + 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
    - 2008-03-01 13:06:30 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
    + 2008-04-23 04:16:29 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
    - 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
    + 2008-04-23 04:16:29 826,368 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
    - 2006-12-22 22:02:40 71,496 ----a-w C:\WINDOWS\system32\drivers\mfeavfk.sys
    + 2007-11-22 11:44:08 79,304 ----a-w C:\WINDOWS\system32\drivers\mfeavfk.sys
    - 2006-12-22 22:02:34 34,184 ----a-w C:\WINDOWS\system32\drivers\mfebopk.sys
    + 2007-11-22 11:44:08 35,240 ----a-w C:\WINDOWS\system32\drivers\mfebopk.sys
    - 2006-12-22 22:02:34 170,408 ----a-w C:\WINDOWS\system32\drivers\mfehidk.sys
    + 2007-11-22 11:44:08 201,320 ----a-w C:\WINDOWS\system32\drivers\mfehidk.sys
    - 2006-12-22 22:02:34 32,008 ----a-w C:\WINDOWS\system32\drivers\mferkdk.sys
    + 2007-11-22 11:44:04 33,832 ----a-w C:\WINDOWS\system32\drivers\mferkdk.sys
    - 2006-12-22 22:02:34 37,480 ----a-w C:\WINDOWS\system32\drivers\mfesmfk.sys
    + 2007-12-02 17:51:42 40,488 ----a-w C:\WINDOWS\system32\drivers\mfesmfk.sys
    - 2007-01-09 22:44:44 107,608 ----a-w C:\WINDOWS\system32\drivers\Mpfp.sys
    + 2007-07-13 11:20:24 113,952 ----a-w C:\WINDOWS\system32\drivers\Mpfp.sys
    - 2006-03-03 17:07:02 143,360 ----a-w C:\WINDOWS\system32\dunzip32.dll
    + 2006-03-03 13:07:02 143,360 ----a-w C:\WINDOWS\system32\dunzip32.dll
    - 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
    + 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
    - 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
    + 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
    - 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
    + 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
    - 2008-03-01 13:06:21 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
    + 2008-04-23 04:16:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
    - 2008-02-29 08:55:23 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
    + 2008-04-22 07:39:58 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
    - 2008-03-01 13:06:21 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
    + 2008-04-23 04:16:28 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
    - 2008-03-01 13:06:21 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
    + 2008-04-23 04:16:28 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
    - 2008-02-15 05:44:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
    + 2008-04-20 05:07:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
    - 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
    + 2008-04-23 04:16:28 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
    - 2008-03-01 13:06:22 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
    + 2008-04-23 04:16:28 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
    - 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
    + 2008-04-23 04:16:28 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
    - 2008-03-01 13:06:24 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
    + 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
    - 2008-03-01 13:06:25 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
    + 2008-04-23 04:16:28 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
    - 2008-02-22 10:00:51 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
    + 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
    - 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
    + 2008-04-23 04:16:28 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
    - 2008-05-09 19:35:06 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
    + 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
    - 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
    + 2008-04-23 04:16:28 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
    - 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
    + 2008-04-23 04:16:28 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
    - 2008-03-01 23:36:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
    + 2008-04-24 03:16:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
    - 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
    + 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
    - 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
    + 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
    - 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
    + 2008-04-23 04:16:28 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
    - 2008-03-01 13:06:29 102,912 ----a-w C:\WINDOWS\system32\occache.dll
    + 2008-04-23 04:16:28 102,912 ----a-w C:\WINDOWS\system32\occache.dll
    - 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
    + 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
    - 2006-11-17 21:14:30 14,640 ----a-w C:\WINDOWS\system32\spmsg.dll
    + 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
    - 2008-03-01 13:06:29 105,984 ----a-w C:\WINDOWS\system32\url.dll
    + 2008-04-23 04:16:28 105,984 ----a-w C:\WINDOWS\system32\url.dll
    - 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
    + 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
    - 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
    + 2008-04-23 04:16:29 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
    - 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    + 2008-04-23 04:16:29 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    + 2008-07-04 23:32:25 10,240 ----a-w C:\WINDOWS\TEMP\NT8132.exe
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
    "SpybotSD TeaTimer"="C:\Applications\Spybot\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\Crypt16.exe,"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems]
    "Windows"= baseqgl32.dll

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    \Shell\AutoRun\command - G:\LaunchU3.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-15 06:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\program files\mcafee\mqc\QcConsol.exe
    "2008-06-01 06:00:00 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\program files\mcafee\mqc\QcConsol.exe
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{8f0351bb-15b7-4a40-b036-bb2fe1b49ff7} - (no file)


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-04 18:32:57
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\csrss.exe
    -> C:\WINDOWS\system32\baseqgl32.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MSK\msksrver.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\SiteAdvisor\6261\SAService.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
    C:\WINDOWS\system32\imapi.exe
    .
    **************************************************************************
    .
    Completion time: 2008-07-04 18:42:02 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-07-04 23:41:54
    ComboFix2.txt 2008-06-22 12:18:25

    Pre-Run: 46,140,653,568 bytes free
    Post-Run: 46,174,429,184 bytes free

    298 --- E O F --- 2008-06-22 13:16:09
     
  7. 2008/07/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Thank you for the submission!

    Before we go any further, please install the Recovery Console.
    You need to download the installation package for the Setup Disks for Floppy Boot Install from Microsoft so that we can use it to install the Recovery Console on your computer. No validation required! Please select the download link below that's appropriate for your Operating System then download and save the setup package to your desktop. If necessary, change the language version to match your installation. Do NOT change the name of the downloaded file!

    Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, if successfully installed, exit ComboFix and proceed as follows.


    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    
    http://www.windowsbbs.com/showthread.php?t=74524
    
    KillAll::
    File::
    C:\WINDOWS\system32\baseuff32.dll
    C:\WINDOWS\system32\sav.cpl
    Folder::
    C:\Program Files\SAV
    Suspect::
    C:\WINDOWS\system32\sockets.dll
    Collect::
    C:\WINDOWS\system32\Crypt16.exe
    C:\WINDOWS\system32\Crypt_16.dll
    C:\WINDOWS\system32\baseqgl32.dll
    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
     "Windows"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
      32,5c,63,73,72,73,73,2e,65,78,65,20,4f,62,6a,65,63,74,44,69,72,65,63,74,6f,\
      72,79,3d,5c,57,69,6e,64,6f,77,73,20,53,68,61,72,65,64,53,65,63,74,69,6f,6e,\
      3d,31,30,32,34,2c,33,30,37,32,2c,35,31,32,20,57,69,6e,64,6f,77,73,3d,4f,6e,\
      20,53,75,62,53,79,73,74,65,6d,54,79,70,65,3d,57,69,6e,64,6f,77,73,20,53,65,\
      72,76,65,72,44,6c,6c,3d,62,61,73,65,73,72,76,2c,31,20,53,65,72,76,65,72,44,\
      6c,6c,3d,77,69,6e,73,72,76,3a,55,73,65,72,53,65,72,76,65,72,44,6c,6c,49,6e,\
      69,74,69,61,6c,69,7a,61,74,69,6f,6e,2c,33,20,53,65,72,76,65,72,44,6c,6c,3d,\
      77,69,6e,73,72,76,3a,43,6f,6e,53,65,72,76,65,72,44,6c,6c,49,6e,69,74,69,61,\
      6c,69,7a,61,74,69,6f,6e,2c,32,20,50,72,6f,66,69,6c,65,43,6f,6e,74,72,6f,6c,\
      3d,4f,66,66,20,4d,61,78,52,65,71,75,65,73,74,54,68,72,65,61,64,73,3d,31,36,\
      00
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
     "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Please note that I have instructed CFScript to collect some files. This means that at some point, likely after reboot when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. This will assist the author in adding the files for removal in future updates. Thanks!
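A worked check for the two registry values this thread turns on: the Winlogon `Userinit` line, which the ComboFix log in post #6 shows carrying an extra `Crypt16.exe`, and the Session Manager `SubSystems\Windows` value, which the log shows replaced by `baseqgl32.dll` (the same DLL the log reports loaded inside `csrss.exe`) and which the CFScript above restores from a `hex(2)` byte list. This is an added example, not code from the thread, from ComboFix or from its author. It decodes the hex payload exactly as written in the script so a reader can see what the restored value says, and it audits the log lines copied from post #6 against the stock Windows XP defaults; the "known good" strings (`userinit.exe,` alone, and a `Windows` value that starts with `%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows`) are assumptions about a clean XP SP2 install, and the UTF-16 branch of the decoder goes beyond the page, which uses single-byte hex.

```python
"""Decode a CFScript hex(2) registry value and audit ComboFix 'Reg Loading
Points' lines against expected Windows XP defaults.

Added example for the thread above; not ComboFix code.  The expected
values are assumptions about a clean Windows XP SP2 system."""
import re

# The hex(2) payload from noahdfear's CFScript, with the .reg backslash
# line continuations joined into one comma-separated string.
CFSCRIPT_WINDOWS_HEX = (
    "25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,"
    "32,5c,63,73,72,73,73,2e,65,78,65,20,4f,62,6a,65,63,74,44,69,72,65,63,74,6f,"
    "72,79,3d,5c,57,69,6e,64,6f,77,73,20,53,68,61,72,65,64,53,65,63,74,69,6f,6e,"
    "3d,31,30,32,34,2c,33,30,37,32,2c,35,31,32,20,57,69,6e,64,6f,77,73,3d,4f,6e,"
    "20,53,75,62,53,79,73,74,65,6d,54,79,70,65,3d,57,69,6e,64,6f,77,73,20,53,65,"
    "72,76,65,72,44,6c,6c,3d,62,61,73,65,73,72,76,2c,31,20,53,65,72,76,65,72,44,"
    "6c,6c,3d,77,69,6e,73,72,76,3a,55,73,65,72,53,65,72,76,65,72,44,6c,6c,49,6e,"
    "69,74,69,61,6c,69,7a,61,74,69,6f,6e,2c,33,20,53,65,72,76,65,72,44,6c,6c,3d,"
    "77,69,6e,73,72,76,3a,43,6f,6e,53,65,72,76,65,72,44,6c,6c,49,6e,69,74,69,61,"
    "6c,69,7a,61,74,69,6f,6e,2c,32,20,50,72,6f,66,69,6c,65,43,6f,6e,74,72,6f,6c,"
    "3d,4f,66,66,20,4d,61,78,52,65,71,75,65,73,74,54,68,72,65,61,64,73,3d,31,36,"
    "00"
)

# Registry lines copied from the ComboFix log in post #6 (sample input,
# taken from the thread; the forum's stray spaces inside quotes removed).
COMBOFIX_REG_LINES = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\Crypt16.exe,"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems]
"Windows"= baseqgl32.dll
"""

# Assumed clean-XP values (assumption, not taken from the thread).
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
EXPECTED_SUBSYSTEM_PREFIX = r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows"

WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
SUBSYSTEMS_KEY = r"hkey_local_machine\system\currentcontrolset\control\session manager\subsystems"


def decode_hex2(payload: str) -> str:
    """Turn a .reg 'hex(2):' byte list into text.

    regedit exports REG_EXPAND_SZ as UTF-16LE (every other byte 00); the
    CFScript above uses single-byte ANSI.  Both are handled and the
    terminating NUL is dropped."""
    raw = bytes(int(b, 16) for b in payload.replace("\\", "").split(",") if b.strip())
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("cp1252")
    return text.rstrip("\x00")


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*"?(.*?)"?(?:\s+\[.*\])?$')


def parse_reg_points(text: str) -> dict:
    """Return {(key_lowercase, value_name): data} from a ComboFix registry dump."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = _VAL_RE.match(line)
        if m and key:
            # ComboFix writes string data in .reg escaping: "\\" is one backslash.
            entries[(key, m.group(1))] = m.group(2).replace("\\\\", "\\")
    return entries


def audit(entries: dict) -> list:
    """Flag Userinit and SubSystems\\Windows values that differ from the defaults."""
    findings = []
    userinit = entries.get((WINLOGON_KEY, "Userinit"), "")
    expected_exe = EXPECTED_USERINIT.rstrip(",").lower()
    extras = [p for p in userinit.split(",") if p and p.lower() != expected_exe]
    if extras:
        findings.append(("Userinit", extras))
    windows = entries.get((SUBSYSTEMS_KEY, "Windows"), "")
    if not windows.lower().startswith(EXPECTED_SUBSYSTEM_PREFIX.lower()):
        findings.append(("SubSystems\\Windows", [windows]))
    return findings


def cfscript_restores_default() -> bool:
    """True when the CFScript's hex(2) value decodes to the stock csrss line."""
    return decode_hex2(CFSCRIPT_WINDOWS_HEX).startswith(EXPECTED_SUBSYSTEM_PREFIX)


if __name__ == "__main__":
    print("CFScript restores:", decode_hex2(CFSCRIPT_WINDOWS_HEX))
    for name, values in audit(parse_reg_points(COMBOFIX_REG_LINES)):
        print("suspicious", name, "->", values)
```

Run as a script, it prints the decoded subsystem line and then flags `C:\WINDOWS\system32\Crypt16.exe` under `Userinit` and `baseqgl32.dll` under `SubSystems\Windows`, which is exactly what the CFScript above removes and restores. The general lesson for reviewing such scripts is to decode any `hex(2)` payload before applying it and confirm it is the expected system value rather than trusting the byte list.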
     
