
Solved essential services do not load at startup

Discussion in 'Malware and Virus Removal Archive' started by jharry, 2008/12/07.

  1. 2008/12/17
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    Great!

    I tested a few items, they all work:

    Windows explorer: Search, copy, paste, drag.
    Task Manager: More than full page of processes.
    Wireless network: Able to connect.

    I think everything is back to normal.

    A thousand thanks.

    Anything else I need to do?
     
  2. 2008/12/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Great work jharry!! :D

    Do you have an internet connection? If not, as soon as you do run ComboFix again. Allow it to update and allow it to install the Recovery Console. Post the log it produces.

    I gotta get some sleep now. Will check back after work.
     


  4. 2008/12/17
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    Do I run the Combofix without any script or with the same CFscript.txt?
     
  5. 2008/12/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    No scripts. Matter of fact, download a fresh copy from here and run it. Be sure to close out all other applications and windows, and disable any realtime protection (antivirus, etc).
     
  6. 2008/12/17
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    Here is the latest combofix log.

    ComboFix 08-12-16.03 - Owner 2008-12-17 17:02:48.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.1263.808 [GMT 8:00]
    执行位置: c:\downloads\windowsbbs\ComboFix.exe
    * successfully created new restore point
    .

    ((((((((((((((((((((((((( 2008-11-17 to 2008-12-17 new files )))))))))))))))))))))))))))))))
    .

    2008-12-18 03:25 . 2008-12-18 03:25 <DIR> d-------- C:\~ErdUserProfile.$$$
    2008-12-14 09:41 . 2008-12-14 09:43 <DIR> d-------- c:\documents and settings\Administrator
    2008-12-14 08:55 . 2008-12-14 08:55 250 --a------ c:\windows\gmer.ini
    2008-12-12 14:17 . 2008-12-12 14:18 <DIR> d-------- C:\subinacl
    2008-12-11 11:46 . 2008-04-14 05:42 108,544 --a------ c:\windows\system32\services.exe
    2008-12-11 10:12 . 2008-04-14 05:42 14,336 --a------ c:\windows\system32\svchost.exe
    2008-12-11 08:53 . 2008-04-14 05:51 20,056,462 --a--c--- c:\windows\system32\dllcache\sp3.cab
    2008-12-11 08:52 . 2007-04-03 00:09 11,053,008 --a--c--- c:\windows\system32\dllcache\msncli.exe
    2008-12-11 08:51 . 2008-04-13 21:09 2,775,842 --a--c--- c:\windows\system32\dllcache\cimwin32.mof
    2008-12-11 08:50 . 2008-04-14 05:41 1,057,760 --a--c--- c:\windows\system32\dllcache\ati3d2ag.dll
    2008-11-18 16:44 . 2008-11-18 20:19 <DIR> d-------- c:\program files\数独博士

    .
    (((((((((((((((((((((((((((((((((((((((( Files modified in last 3 months ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-05 08:42 --------- d-----w c:\documents and settings\Owner\Application Data\U3
    2008-11-23 00:10 --------- d-----w c:\program files\McAfee
    2008-11-22 14:14 --------- d-----w c:\program files\Common Files\McAfee
    2008-11-10 09:06 --------- d-----w c:\program files\电子成语词典
    2008-11-10 09:05 772,188 ----a-w c:\windows\GPInstall.exe
    2008-11-10 08:29 --------- d-----w c:\program files\Revo Uninstaller
    2008-11-10 07:38 --------- d-----w c:\program files\Nero 8
    2008-11-10 07:38 --------- d-----w c:\program files\Common Files\Nero
    2008-11-10 07:38 --------- d-----w c:\documents and settings\Owner\Application Data\Nero
    2008-11-07 00:01 --------- d-----w c:\program files\eMule
    2008-11-07 00:00 --------- d-----w c:\program files\Realtek Sound Manager
    2008-11-07 00:00 --------- d-----w c:\program files\AvRack
    2008-11-06 23:59 --------- d-----w c:\program files\NewTech Infosystems
    2008-11-06 23:59 --------- d-----w c:\program files\Netscape
    2008-11-06 23:59 --------- d-----w c:\program files\china_emap2008
    2008-11-06 12:50 --------- d-----w c:\program files\Foxit Software
    2008-11-06 12:31 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-11-06 08:14 --------- d-----w c:\program files\中国电子地图2008bin
    2008-11-06 08:14 --------- d-----w c:\program files\中国电子地图2008
    2008-11-05 13:31 --------- d-----w c:\documents and settings\Owner\Application Data\Ulead Systems
    2008-11-05 13:31 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
    2008-11-05 13:03 --------- d-----w c:\program files\Ulead Systems
    2008-11-05 09:33 --------- d-----w c:\program files\Kingsoft
    2008-11-05 09:18 --------- d-----w c:\documents and settings\Owner\Application Data\Kingsoft
    2008-11-05 09:18 --------- d-----w c:\documents and settings\All Users\Application Data\Kingsoft
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-18 12:13 --------- d-----w c:\program files\Common Files\Ulead Systems
    2008-10-18 11:50 --------- d-----w c:\program files\Common Files\InterVideo
    2008-10-18 11:49 --------- d-----w c:\documents and settings\All Users\Application Data\InterVideo
    2008-10-16 06:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 06:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 06:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 06:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 06:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 06:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 06:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 06:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 06:06 268,648 ----a-w c:\windows\system32\mucltui.dll
    2008-10-16 06:06 208,744 ----a-w c:\windows\system32\muweb.dll
    2008-09-30 08:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2007-10-04 12:04 284 ----a-w c:\documents and settings\Owner\Application Data\ViewerApp.dat
    2002-08-08 15:40 153,088 ----a-w c:\program files\UNWISE.EXE
    .

    ((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *注意* 空白与合法缺省登录将不会被显示
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "MSMSGS "= "c:\program files\Messenger\MSMSGS.EXE" [2008-04-14 1695232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2005-04-25 94208]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2005-04-25 77824]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2005-04-25 114688]
    "IntelWireless "= "c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-16 385024]
    "EOUApp "= "c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-16 356352]
    "SynTPLpr "= "c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-20 98394]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-20 688218]
    "IMJPMIG8.1 "= "c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "MSPY2002 "= "c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "IMSCMig "= "c:\progra~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE" [2007-04-02 17248]
    "PinnacleDriverCheck "= "c:\windows\system32\PSDrvCheck.exe" [2003-12-05 406016]
    "ISUSPM Startup "= "c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-18 196608]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "SSBkgdUpdate "= "c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
    "OpwareSE4 "= "c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "UVS11 Preload "= "c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 341488]
    "NeroFilterCheck "= "c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
    "mcagent_exe "= "c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
    "AGRSMMSG "= "AGRSMMSG.exe" [2004-07-23 c:\windows\AGRSMMSG.exe]
    "SoundMan "= "SOUNDMAN.EXE" [2005-05-17 c:\windows\SOUNDMAN.EXE]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-10-16 02:27 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.MJPG "= Pvmjpg21.dll
    "VIDC.PIM1 "= pclepim1.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2008-04-14 05:42 1695232 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-05-19 18:30 155648 c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\WINDOWS\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Sony Corporation\\Picture Package\\Picture Package Applications\\AutoVideo.exe "=
    "c:\\Program Files\\Kingsoft\\Powerword 2007\\xdict.exe "=
    "c:\\Program Files\\Kingsoft\\Powerword 2007\\update.exe "=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:*:Disabled:mad:xpsp2res.dll,-22009

    R2 CMB8100;CMB8100;\??\c:\windows\system32\Drivers\CertClient.dat [2007-04-27 3038]
    R2 CMBProtector;CMBProtector;\??\c:\windows\system32\Drivers\CMBProtector.dat [2007-04-27 3584]
    R3 WBFIRDMA;Winbond Infrared Device Driver;c:\windows\system32\DRIVERS\wbfirdma.sys [2005-07-01 39424]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59fd6a01-73bf-11dc-9ccc-0012f0853aff}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1a9fd64-5fe8-11db-9bb6-0012f0853aff}]
    \Shell\AutoRun\command - E:\LaunchU3.exe

    *Newly Created Service* - PROCEXP90

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FBD561C7-3FD5-2B0E-2DD8-5F3F1C46D6E6}]
    C:\WINDOWS:fwcagent.exe
    .
    Contents in Scheduled Tasks folder

    2007-10-05 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

    2007-10-05 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-fwcagent - C:\WINDOWS:fwcagent.exe
    MSConfigStartUp-NeroFilterCheck - c:\windows\system32\NeroCheck.exe
    MSConfigStartUp-UVS10 Preload - c:\program files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe


    .
    ------- 而外的扫描 -------
    .
    uStart Page = about:blank
    mWindow Title = -
    uInternet Settings,ProxyOverride = local
    IE: 上传到QQ网络硬盘 - c:\program files\Tencent\QQ\AddToNetDisk.htm
    IE: 导出到 Microsoft Office Excel(&X) - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: 添加到QQ自定义面板 - c:\program files\Tencent\QQ\AddPanel.htm
    IE: 添加到QQ表情 - c:\program files\Tencent\QQ\AddEmotion.htm
    IE: 用QQ彩信发送该图片 - c:\program files\Tencent\QQ\SendMMS.htm
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - c:\program files\Tencent\QQ\QQ.EXE
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - c:\program files\Tencent\QQ\QQ.EXE -
    Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9xvx9re7.default\
    FF - prefs.js: browser.search.selectedEngine - Creative Commons
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - prefs.js: network.proxy.http - 127.0.0.1:8567
    FF - prefs.js: network.proxy.type - 1
    FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJPI141_02.dll
    FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava11.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava12.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava131_07.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava32.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJPI141_02.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npoji600.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOJI610.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-17 17:04:35
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes。。。 ...

    scanning hidden startup groups。。。

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    fwcagent =

    C:\WINDOWS:fwcagent.exe??????????????????????????????????????????????????????????????????????????????????????????????????????

    ?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    ????

    scanning hidden files。。。

    scanning completed
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\CMB8100]
    "ImagePath "= "\??\c:\windows\system32\Drivers\CertClient.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\CMBProtector]
    "ImagePath "= "\??\c:\windows\system32\Drivers\CMBProtector.dat "
    .
    --------------------- 运行进程下的 dynamic link libraries ---------------------

    - - - - - - - > 'winlogon.exe'(908)
    c:\program files\Intel\Wireless\Bin\LgNotify.dll
    .
    Time completed: 2008-12-17 17:05:43
    ComboFix-quarantined-files.txt 2008-12-17 09:05:26
    ComboFix2.txt 2008-12-17 06:28:16
    ComboFix3.txt 2008-12-12 05:09:18
    ComboFix4.txt 2008-12-12 04:03:57
    ComboFix5.txt 2008-12-17 07:43:15

    Pre-Run: 12,907,675,648 bytes free
    Post-Run: 12,894,683,136 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-CHS.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    215 --- E O F --- 2008-11-24 13:24:45
     
  7. 2008/12/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    New restore point was created, Recovery Console installed, looks like things are in much better shape. :)

    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.
    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    ADS::
    C:\Windows
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FBD561C7-3FD5-2B0E-2DD8-5F3F1C46D6E6}]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.
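    The entry that CFScript targets, `C:\WINDOWS:fwcagent.exe`, is not a file inside the Windows folder but an NTFS alternate data stream attached to the folder itself, which is why plain `dir` and Explorer never show it and why the `ADS::` directive is needed. The script below is an added example for this thread, not ComboFix's own code nor anything from the posts above. It walks a ComboFix-style log excerpt, tracks the bracketed registry key each line belongs to, and reports every path whose last component carries a stream name. The log sample inside it is constructed from lines quoted earlier in the thread, and the regular expression for pulling paths out of a line is a heuristic of my own that assumes ComboFix's quoting and `[date size]` layout.

```python
import re
from typing import Optional

# Constructed sample modelled on the ComboFix and catchme output quoted in
# this thread: the Active Setup key the CFScript removes, the orphaned Run
# entry, and a few ordinary entries that must NOT be flagged.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray "= "c:\windows\system32\igfxtray.exe" [2005-04-25 94208]
"mcagent_exe "= "c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\CMB8100]
"ImagePath "= "\??\c:\windows\system32\Drivers\CertClient.dat "

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FBD561C7-3FD5-2B0E-2DD8-5F3F1C46D6E6}]
C:\WINDOWS:fwcagent.exe

HKLM-Run-fwcagent - C:\WINDOWS:fwcagent.exe
"""

# Heuristic (an assumption about ComboFix's layout): a drive-letter path is
# taken lazily up to a closing quote, a "[date size]" annotation or the end
# of the line, so paths that contain spaces survive intact.
DRIVE_PATH = re.compile(
    r'(?<!\w)([A-Za-z]:\\[^"\[\]\r\n]*?)(?=[ \t]*(?:"|\[|$))', re.MULTILINE)


def split_stream(path: str):
    """Return (host, stream) when the last path component names an NTFS
    alternate data stream (host:stream or host:stream:$DATA), else None.
    The drive colon never counts because it sits before the first backslash."""
    head, _, leaf = path.rpartition('\\')
    if ':' not in leaf:
        return None
    base, stream, *rest = leaf.split(':')
    if not stream or (rest and rest != ['$DATA']):
        return None
    host = f"{head}\\{base}" if head else base
    return host, stream


def find_ads_entries(log_text: str):
    """Scan a ComboFix-style log and report every stream-addressed path,
    together with the most recent [registry key] header it appears under
    (None once a blank line has closed that section)."""
    findings = []
    key: Optional[str] = None
    for lineno, line in enumerate(log_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped:
            key = None  # ComboFix separates sections with blank lines
            continue
        if stripped.startswith('[') and stripped.endswith(']'):
            key = stripped[1:-1]
            continue
        for match in DRIVE_PATH.finditer(line):
            split = split_stream(match.group(1))
            if split:
                host, stream = split
                findings.append(
                    {'line': lineno, 'key': key, 'host': host, 'stream': stream})
    return findings


def hosts_with_streams(findings):
    """Unique objects (files or folders) that carry a flagged stream."""
    return sorted({f['host'] for f in findings})


if __name__ == '__main__':
    for f in find_ads_entries(SAMPLE_LOG):
        where = f['key'] or '(no registry key in this section)'
        print(f"line {f['line']}: stream '{f['stream']}' on {f['host']}  <- {where}")
    print('objects to inspect:', hosts_with_streams(find_ads_entries(SAMPLE_LOG)))
```

    Run against the sample it reports the same stream twice, once under the Active Setup key and once from the orphan line, and names `C:\WINDOWS` as the object to inspect; ordinary entries such as `igfxtray.exe` and the `\??\`-prefixed driver ImagePath are left alone. The same parser can be pointed at a saved ComboFix.txt to confirm that a stream is gone after the `ADS::` step has run.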
     
  8. 2008/12/18
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    Here is the latest combofix log.

    ComboFix 08-12-16.03 - Owner 2008-12-18 21:33:31.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.1263.705 [GMT 8:00]
    执行位置: c:\downloads\windowsbbs\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    * Successfully created new restore point
    .

    ((((((((((((((((((((((((( 2008-11-18 to 2008-12-18 new files )))))))))))))))))))))))))))))))
    .

    2008-12-18 03:25 . 2008-12-18 03:25 <DIR> d-------- C:\~ErdUserProfile.$$$
    2008-12-17 17:18 . 2008-10-03 18:02 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll
    2008-12-14 09:41 . 2008-12-14 09:43 <DIR> d-------- c:\documents and settings\Administrator
    2008-12-14 08:55 . 2008-12-14 08:55 250 --a------ c:\windows\gmer.ini
    2008-12-12 14:17 . 2008-12-12 14:18 <DIR> d-------- C:\subinacl
    2008-12-11 11:46 . 2008-04-14 05:42 108,544 --a------ c:\windows\system32\services.exe
    2008-12-11 10:12 . 2008-04-14 05:42 14,336 --a------ c:\windows\system32\svchost.exe
    2008-12-11 08:53 . 2008-04-14 05:51 20,056,462 --a--c--- c:\windows\system32\dllcache\sp3.cab
    2008-12-11 08:52 . 2007-04-03 00:09 11,053,008 --a--c--- c:\windows\system32\dllcache\msncli.exe
    2008-12-11 08:51 . 2008-04-13 21:09 2,775,842 --a--c--- c:\windows\system32\dllcache\cimwin32.mof
    2008-12-11 08:50 . 2008-04-14 05:41 1,057,760 --a--c--- c:\windows\system32\dllcache\ati3d2ag.dll
    2008-11-18 16:44 . 2008-11-18 20:19 <DIR> d-------- c:\program files\数独博士

    .
    (((((((((((((((((((((((((((((((((((((((( files modified in last 3 months ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-05 08:42 --------- d-----w c:\documents and settings\Owner\Application Data\U3
    2008-11-23 00:10 --------- d-----w c:\program files\McAfee
    2008-11-22 14:14 --------- d-----w c:\program files\Common Files\McAfee
    2008-11-10 09:06 --------- d-----w c:\program files\电子成语词典
    2008-11-10 09:05 772,188 ----a-w c:\windows\GPInstall.exe
    2008-11-10 08:29 --------- d-----w c:\program files\Revo Uninstaller
    2008-11-10 07:38 --------- d-----w c:\program files\Nero 8
    2008-11-10 07:38 --------- d-----w c:\program files\Common Files\Nero
    2008-11-10 07:38 --------- d-----w c:\documents and settings\Owner\Application Data\Nero
    2008-11-07 00:01 --------- d-----w c:\program files\eMule
    2008-11-07 00:00 --------- d-----w c:\program files\Realtek Sound Manager
    2008-11-07 00:00 --------- d-----w c:\program files\AvRack
    2008-11-06 23:59 --------- d-----w c:\program files\NewTech Infosystems
    2008-11-06 23:59 --------- d-----w c:\program files\Netscape
    2008-11-06 23:59 --------- d-----w c:\program files\china_emap2008
    2008-11-06 12:50 --------- d-----w c:\program files\Foxit Software
    2008-11-06 12:31 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-11-06 08:14 --------- d-----w c:\program files\中国电子地图2008bin
    2008-11-06 08:14 --------- d-----w c:\program files\中国电子地图2008
    2008-11-05 13:31 --------- d-----w c:\documents and settings\Owner\Application Data\Ulead Systems
    2008-11-05 13:31 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
    2008-11-05 13:03 --------- d-----w c:\program files\Ulead Systems
    2008-11-05 09:33 --------- d-----w c:\program files\Kingsoft
    2008-11-05 09:18 --------- d-----w c:\documents and settings\Owner\Application Data\Kingsoft
    2008-11-05 09:18 --------- d-----w c:\documents and settings\All Users\Application Data\Kingsoft
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-18 12:13 --------- d-----w c:\program files\Common Files\Ulead Systems
    2008-10-18 11:50 --------- d-----w c:\program files\Common Files\InterVideo
    2008-10-18 11:49 --------- d-----w c:\documents and settings\All Users\Application Data\InterVideo
    2008-10-16 06:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 06:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 06:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 06:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 06:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 06:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 06:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 06:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 06:06 268,648 ----a-w c:\windows\system32\mucltui.dll
    2008-10-16 06:06 208,744 ----a-w c:\windows\system32\muweb.dll
    2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
    2008-09-30 08:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2007-10-04 12:04 284 ----a-w c:\documents and settings\Owner\Application Data\ViewerApp.dat
    2002-08-08 15:40 153,088 ----a-w c:\program files\UNWISE.EXE
    .

    ((((((((((((((((((((((((((((( snapshot@2008-12-17_17.04.58.10 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-11-23 00:26:35 593,920 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\accicons.exe
    + 2008-12-17 09:30:22 593,920 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\accicons.exe
    - 2008-11-23 00:26:35 12,288 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    + 2008-12-17 09:30:22 12,288 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    - 2008-11-23 00:26:35 86,016 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\inficon.exe
    + 2008-12-17 09:30:22 86,016 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\inficon.exe
    - 2008-11-23 00:26:34 135,168 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2008-12-17 09:30:21 135,168 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\misc.exe
    - 2008-11-23 00:26:35 11,264 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2008-12-17 09:30:22 11,264 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    - 2008-11-23 00:26:35 27,136 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    + 2008-12-17 09:30:22 27,136 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    - 2008-11-23 00:26:35 4,096 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2008-12-17 09:30:22 4,096 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    - 2008-11-23 00:26:35 794,624 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2008-12-17 09:30:22 794,624 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\outicon.exe
    - 2008-11-23 00:26:34 249,856 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\pptico.exe
    + 2008-12-17 09:30:22 249,856 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\pptico.exe
    - 2008-11-23 00:26:34 61,440 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\pubs.exe
    + 2008-12-17 09:30:21 61,440 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\pubs.exe
    - 2008-11-23 00:26:35 23,040 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    + 2008-12-17 09:30:22 23,040 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    - 2008-11-23 00:26:34 286,720 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    + 2008-12-17 09:30:21 286,720 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    - 2008-11-23 00:26:33 409,600 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2008-12-17 09:30:21 409,600 ----a-r c:\windows\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    - 2008-12-17 07:10:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2008-12-18 13:34:02 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2008-12-17 07:10:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-12-18 13:34:02 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-12-17 07:10:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-12-18 13:34:02 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-06-09 19:11:20 103,936 -c----w c:\windows\system32\dllcache\logagent.exe
    + 2008-06-09 22:11:46 1,053,696 -c----w c:\windows\system32\dllcache\WMNetmgr.dll
    + 2008-11-07 08:45:32 2,174,976 -c----w c:\windows\system32\dllcache\WMVCore.dll
    - 2008-04-13 21:42:26 103,936 ----a-w c:\windows\system32\logagent.exe
    + 2008-06-09 19:11:20 103,936 ----a-w c:\windows\system32\logagent.exe
    - 2007-11-30 11:18:51 17,272 ----a-w c:\windows\system32\spmsg.dll
    + 2007-07-27 01:41:40 16,760 ------w c:\windows\system32\spmsg.dll
    - 2008-04-13 21:42:10 1,053,184 ----a-w c:\windows\system32\wmnetmgr.dll
    + 2008-06-09 22:11:46 1,053,696 ----a-w c:\windows\system32\WMNetmgr.dll
    - 2008-04-13 21:43:00 2,109,440 ----a-w c:\windows\system32\wmvcore.dll
    + 2008-11-07 08:45:32 2,174,976 ----a-w c:\windows\system32\WMVCore.dll
    + 2008-12-18 13:18:59 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_650.dat
    .
    -- snapshot 技术重新设置 --
    .
    ((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *注意* 空白与合法缺省登录将不会被显示
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "MSMSGS "= "c:\program files\Messenger\MSMSGS.EXE" [2008-04-14 1695232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2005-04-25 94208]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2005-04-25 77824]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2005-04-25 114688]
    "IntelWireless "= "c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-16 385024]
    "EOUApp "= "c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-16 356352]
    "SynTPLpr "= "c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-20 98394]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-20 688218]
    "IMJPMIG8.1 "= "c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "MSPY2002 "= "c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "IMSCMig "= "c:\progra~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE" [2007-04-02 17248]
    "PinnacleDriverCheck "= "c:\windows\system32\PSDrvCheck.exe" [2003-12-05 406016]
    "ISUSPM Startup "= "c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-18 196608]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "SSBkgdUpdate "= "c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
    "OpwareSE4 "= "c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "UVS11 Preload "= "c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 341488]
    "NeroFilterCheck "= "c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
    "mcagent_exe "= "c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
    "AGRSMMSG "= "AGRSMMSG.exe" [2004-07-23 c:\windows\AGRSMMSG.exe]
    "SoundMan "= "SOUNDMAN.EXE" [2005-05-17 c:\windows\SOUNDMAN.EXE]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-10-16 02:27 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.MJPG "= Pvmjpg21.dll
    "VIDC.PIM1 "= pclepim1.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2008-04-14 05:42 1695232 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-05-19 18:30 155648 c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\WINDOWS\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Sony Corporation\\Picture Package\\Picture Package Applications\\AutoVideo.exe "=
    "c:\\Program Files\\Kingsoft\\Powerword 2007\\xdict.exe "=
    "c:\\Program Files\\Kingsoft\\Powerword 2007\\update.exe "=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:*:Disabled:mad:xpsp2res.dll,-22009

    R2 CMB8100;CMB8100;\??\c:\windows\system32\Drivers\CertClient.dat [2007-04-27 3038]
    R2 CMBProtector;CMBProtector;\??\c:\windows\system32\Drivers\CMBProtector.dat [2007-04-27 3584]
    R3 WBFIRDMA;Winbond Infrared Device Driver;c:\windows\system32\DRIVERS\wbfirdma.sys [2005-07-01 39424]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59fd6a01-73bf-11dc-9ccc-0012f0853aff}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1a9fd64-5fe8-11db-9bb6-0012f0853aff}]
    \Shell\AutoRun\command - E:\LaunchU3.exe
    .
    contents in scheduled tasks folder

    2007-10-05 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

    2007-10-05 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
    .
    .
    ------- 而外的扫描 -------
    .
    uStart Page = about:blank
    mWindow Title = -
    uInternet Settings,ProxyOverride = local
    IE: 上传到QQ网络硬盘 - c:\program files\Tencent\QQ\AddToNetDisk.htm
    IE: 导出到 Microsoft Office Excel(&X) - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: 添加到QQ自定义面板 - c:\program files\Tencent\QQ\AddPanel.htm
    IE: 添加到QQ表情 - c:\program files\Tencent\QQ\AddEmotion.htm
    IE: 用QQ彩信发送该图片 - c:\program files\Tencent\QQ\SendMMS.htm
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - c:\program files\Tencent\QQ\QQ.EXE
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - c:\program files\Tencent\QQ\QQ.EXE -
    TCP: {3A5795BF-04E1-4C85-BEDD-C75340477103} = 202.96.209.6 202.96.209.133
    Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9xvx9re7.default\
    FF - prefs.js: browser.search.selectedEngine - Creative Commons
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - prefs.js: network.proxy.http - 127.0.0.1:8567
    FF - prefs.js: network.proxy.type - 1
    FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJPI141_02.dll
    FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava11.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava12.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava131_07.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava32.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJPI141_02.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npoji600.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOJI610.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-18 21:36:57
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes。。。 ...

    scanning hidden startup groups。。。

    scanning hidden files。。。

    scanning completed
    hiddeen files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\CMB8100]
    "ImagePath "= "\??\c:\windows\system32\Drivers\CertClient.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\CMBProtector]
    "ImagePath "= "\??\c:\windows\system32\Drivers\CMBProtector.dat "
    .
    --------------------- 运行进程下的dynamic link libraries ---------------------

    - - - - - - - > 'winlogon.exe'(900)
    c:\program files\Intel\Wireless\Bin\LgNotify.dll
    .
    time completed: 2008-12-18 21:38:16
    ComboFix-quarantined-files.txt 2008-12-18 13:37:52
    ComboFix2.txt 2008-12-17 09:05:47
    ComboFix3.txt 2008-12-17 06:28:16
    ComboFix4.txt 2008-12-12 05:09:18
    ComboFix5.txt 2008-12-18 13:32:33

    Pre-Run: 12,799,926,272 bytes free
    Post-Run: 12,781,584,384 bytes free

    252 --- E O F --- 2008-12-17 09:30:26
     
  9. 2008/12/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks great! Let's get an online scan. Please do an online scan with Kaspersky Online Scanner.

    • Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

    Post the Kaspersky log here.
     
  10. 2008/12/19
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    The download from Kaspersky.com is extremely slow. It keeps changing the update source URL. Sometimes it times out and instructs me to close the Kaspersky Online Scanner window and open it again. Then it starts from scratch. Is there some other scanner with similar capabilities?
     
  11. 2008/12/20
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    I have McAfee Security Center on my computer. It is up-to-date. I just did a full scan including the registry. There were 4 items detected:

    Detection type: Potentially unwanted program
    Detection name: RemAdm-Prolaunch!171
    Status: Detected
    Items: C:\downloads\windowsbbs\ComboFix.exe

    Detection type: Trojan
    Detection name: Generic.dx
    Status: Quarantined
    Items: C:\documents & settings\all users\documents\downloads\freegate\gtunnel.zip

    Detection type: Trojan
    Detection name: Generic.Backdoor
    Status: Quarantined
    Items: C:\Program Files\Kingsoft\powerword 2007\kavpassport.dll

    Detection type: Trojan
    Detection name: Generic.Packed
    Status: Quarantined
    Items: C:\Program Files\China emap 2008\bin\analysis.dll

    What should I do with these items?

    The ComboFix.exe does not seem to be malware.
    The gtunnel.zip file I can delete (I don't need it).
    The 2 dll files, I'm not sure, although I can uninstall the 2 programs and re-install them while McAfee is on.
     
  12. 2008/12/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    ComboFix is fine; the other 3 have already been placed in quarantine by McAfee.

    This tool tends to be quite aggressive, so please be sure to configure it exactly as listed below. I only want to see a Report of what it finds.

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

    Double-click the drweb-cureit.exe file and click 'Start' to run the express scan. This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, we need to change the default settings.
    • In the Menu Bar at the top, click 'Setting'>Change Settings.
    • Click on the Actions tab
    • Using the drop down menus, change each item under Objects and Malware to Report
    • Next, 'tick' Complete Scan.
    • Click the green arrow at the right, and the scan will start.
    • Click 'No to All' if it asks if you want to cure/move the file.
    • After the scan has completed, in the Dr.Web CureIt menu on top, click File and choose Save Report List
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Post the contents of the log from Dr.Web you saved previously in your next reply.
     
  13. 2008/12/22
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    There were no viruses found in the quick scan.

    Here is the content of the DrWeb.csv file:

    stream004\data024;C:\Documents and Settings\All Users\Documents\downloads\freegate\aol\avs.msi\stream004;Adware.Softomate.origin;;
    stream004;C:\Documents and Settings\All Users\Documents\downloads\freegate\aol\avs.msi;Archive contains infected objects;;
    avs.msi;C:\Documents and Settings\All Users\Documents\downloads\freegate\aol;Archive contains infected objects;;
    dmap2_00000000000.exe;C:\downloads\51ditu;Adware.Bandbar;;
    data002\32788R22FWJFW\mtee.cfexe;C:\downloads\windowsbbs\ComboFix.exe\data002;Probably Trojan.Packed.258;;
    data002\32788R22FWJFW\psexec.cfexe;C:\downloads\windowsbbs\ComboFix.exe\data002;Program.PsExec.171;;
    data002;C:\downloads\windowsbbs\ComboFix.exe;Archive contains infected objects;;
    ComboFix.exe;C:\downloads\windowsbbs;Archive contains infected objects;;
    Dc10.exe;C:\RECYCLER\S-1-5-21-2949690814-3967619336-3786873581-1003;Trojan.Proxy.2989;;
    Dc6.exe;C:\RECYCLER\S-1-5-21-2949690814-3967619336-3786873581-1003;Trojan.Proxy.3864;;
    Dc7.exe;C:\RECYCLER\S-1-5-21-2949690814-3967619336-3786873581-1003;BackDoor.Zhou;;
    u86.exe;C:\RECYCLER\S-1-5-21-2949690814-3967619336-3786873581-1003\Dc11;Tool.Proxy.2518;;
    A0056624.exe;C:\System Volume Information\_restore{99CFD0E0-DFCF-4ABD-BDE8-BF70FC68F4B7}\RP225;Adware.Msearch;;
    A0056999.exe;C:\System Volume Information\_restore{99CFD0E0-DFCF-4ABD-BDE8-BF70FC68F4B7}\RP225;Trojan.PWS.Qqgame;;
     
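    An added triage helper, not part of the thread or of Dr.Web CureIt, that parses the DrWeb.csv layout shown above (name;directory;verdict;;) using a few rows copied from the posted report, and buckets findings the way the thread ends up handling them: archive summary rows, detections inside ComboFix (its bundled admin tools), files in the Recycle Bin, and restore-point copies that only the System Restore reset reaches. The bucket names and the classification rules are assumptions made for this example.

```python
import csv
from dataclasses import dataclass
from io import StringIO

# Rows copied from the DrWeb.csv posted above; the verdict column is Dr.Web's own text.
SAMPLE_REPORT = r"""avs.msi;C:\Documents and Settings\All Users\Documents\downloads\freegate\aol;Archive contains infected objects;;
data002\32788R22FWJFW\psexec.cfexe;C:\downloads\windowsbbs\ComboFix.exe\data002;Program.PsExec.171;;
ComboFix.exe;C:\downloads\windowsbbs;Archive contains infected objects;;
Dc7.exe;C:\RECYCLER\S-1-5-21-2949690814-3967619336-3786873581-1003;BackDoor.Zhou;;
A0056999.exe;C:\System Volume Information\_restore{99CFD0E0-DFCF-4ABD-BDE8-BF70FC68F4B7}\RP225;Trojan.PWS.Qqgame;;
"""

CONTAINER = "Archive contains infected objects"  # Dr.Web's summary verdict for an archive


@dataclass
class Finding:
    name: str       # object name; may be a path inside an archive
    directory: str  # directory (or archive) holding the object
    verdict: str    # Dr.Web detection name


def parse_drweb_csv(text: str) -> list[Finding]:
    """Parse the semicolon-separated report; trailing empty columns are ignored."""
    rows = csv.reader(StringIO(text), delimiter=";")
    return [Finding(r[0], r[1], r[2]) for r in rows if len(r) >= 3 and r[0]]


def classify(f: Finding) -> str:
    """Bucket names are assumed for this example; rules follow how the thread treats each finding."""
    if f.verdict == CONTAINER:
        return "container"      # summary row for an archive, not a detection by itself
    folder = f.directory.lower()
    if folder.startswith(r"c:\system volume information"):
        return "restore_point"  # not deletable by hand; cleared when ComboFix /u resets System Restore
    if folder.startswith(r"c:\recycler"):
        return "recycler"       # already-deleted files still sitting in the Recycle Bin
    if f.verdict.startswith(("Program.", "Tool.")) or "combofix.exe" in folder:
        return "tool"           # admin tooling such as PsExec packed inside ComboFix
    return "malware"


def triage(text: str) -> dict[str, list[str]]:
    """Group the report into buckets of 'directory\\name [verdict]' strings."""
    buckets: dict[str, list[str]] = {}
    for f in parse_drweb_csv(text):
        buckets.setdefault(classify(f), []).append(f"{f.directory}\\{f.name} [{f.verdict}]")
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(bucket)
        for item in items:
            print("   ", item)
```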
  14. 2008/12/22
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    After posting the DrWeb.csv log, I deleted from my computer the affected files listed in the DrWeb.csv, EXCEPT ComboFix.exe and the one in the C:\System_Volume_Information folder, because the latter was not accessible to me.
     
  15. 2008/12/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.
    Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.
    You can delete any other logs that were created/saved too.

    If things are working normally, that should wrap things up.
     
  16. 2008/12/22
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    I ran combofix /u. The C:\Qoobox folder was removed. But the C:\Combofix.txt file and C:\combofix folder remained (the folder contained 2 files, badclsid.c and clsid.c, both time stamped 8/31/2000).
     
    Last edited: 2008/12/22
  17. 2008/12/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Just manually remove the txt file and folder.
     
  18. 2008/12/22
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    OK. That pretty much wraps it up. Thanks a million for your help.
    How do I label this thread "Resolved"? Or are you the one who makes that decision?
     
  19. 2008/12/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
