help me please!! virtumonde

[alancaplan]

sbybot keeps telling me i have the virtumonde but no matter how many times i click fit it and it tells me it removed it - its always back. i am getting all these pop ups even though i have a pop up blocker. it has disabled my microsoft auto updates.

the files arein system32 directory but obviously cannot be removed. it created a couple of bho's that cannot be disabled also.
i have tried a couple of different downloaded programs for removal and none has worked.

anyone have any ideas how to get rid of this thing?

thank you in advance for any assistance.

 

[shelf life]

hi alancaplan,

a hjt log as a starting point would help:

http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

* Save HJTInstall.exe to your desktop.
* Doubleclick on the HJTInstall.exe icon on your desktop.
* By default it will install to C:\Program Files\Trend Micro\HijackThis .
* Click on Install.
* It will create a HijackThis icon on the desktop.
* Once installed, it will launch Hijackthis.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
* Click on "Edit > Select All" then click on "Edit > Copy" and Paste the entire contents of the log (no attachments) into your (Click --> ) own new topic

* DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
* DO NOT have Hijackthis fix anything yet. Most of what HJT lists will be harmless or even required by your Operating System, a helper will guide you.

Provide:

* a) The HJT log.

 

[alancaplan]

ok i ran a hijack this

here is the copy of the report


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:36 AM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\Program Files\Common Files\Lacerte Shared\update scheduler\updsched.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\TSSchBkpService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\NotePro\notepro.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [e8a807cb] rundll32.exe "C:\WINDOWS\system32\riealhyo.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [Updates Scheduler] C:\Program Files\Common Files\Lacerte Shared\update scheduler\updsched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search on TER - file:///C:\Program Files\Search On TER/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1211376481640
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TimeslipsBackup (TSScheduleBackup) - Unknown owner - C:\WINDOWS\system32\TSSchBkpService.exe

--
End of file - 8332 bytes

 

[shelf life]

hi,

we will use combofix first:

Download combofix from one of these links and save it to your Desktop:

http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" in your reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.

 

[alancaplan]

combo fix result

here is the result file. sbybot still shows virtumonde as an active invader
the entries that it thinks it deletes each time are:

Virtumonde: [SBI $42352499] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-796845957-573735546-839522115-1004\Software\Microsoft\rdfa

Virtumonde: [SBI $47E741CD] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Virtumonde.dll: [SBI $7442D4BC] Library (File, fixed)
C:\WINDOWS\system32\efcCtsSK.dll

Virtumonde.dll: [SBI $960C7A04] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F5B7181D-9AF8-4E93-8BEC-5347715FC5AC}

Virtumonde.dll: [SBI $960C7A04] Class ID (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F5B7181D-9AF8-4E93-8BEC-5347715FC5AC}


but every time i run it they still pop back up.

anyway - here is the combo fix file and thank you again for your help.



ComboFix 08-05-26.2 - Alan Caplan 2008-05-27 17:18:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1307 [GMT -5:00]
Running from: C:\Documents and Settings\Alan Caplan\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\ODCTOOLS
C:\WINDOWS\system32\BHRAKRqr.ini
C:\WINDOWS\system32\BHRAKRqr.ini2
C:\WINDOWS\system32\BIRXyJjl.ini
C:\WINDOWS\system32\BIRXyJjl.ini2
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\KSstCcfe.ini
C:\WINDOWS\system32\KSstCcfe.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\quhdqlcg.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-27 16:30 . 2008-05-27 16:31 <DIR> d-------- C:\Program Files\ACDSee32
2008-05-27 09:23 . 2008-05-27 09:31 3,160 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-27 09:03 . 2008-05-27 17:21 1,528,791 ---hs---- C:\WINDOWS\system32\ircuhplu.ini
2008-05-27 09:03 . 2008-05-27 09:03 94,208 --a------ C:\WINDOWS\system32\ulphucri.dll
2008-05-26 09:02 . 2008-05-27 08:15 1,425,827 --ahs---- C:\WINDOWS\system32\gksaixwg.ini
2008-05-26 09:02 . 2008-05-26 09:02 90,112 --------- C:\WINDOWS\system32\gwxiaskg.dll
2008-05-24 09:02 . 2008-05-25 09:03 1,421,362 --ahs---- C:\WINDOWS\system32\rjhwhydo.ini
2008-05-23 09:18 . 2008-05-23 09:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-23 08:59 . 2008-05-24 09:00 1,421,302 --ahs---- C:\WINDOWS\system32\oyhlaeir.ini
2008-05-23 08:59 . 2008-05-23 08:59 318,848 --a------ C:\WINDOWS\system32\efcCtsSK.dll_old
2008-05-22 15:51 . 2008-05-23 08:54 1,398,314 --ahs---- C:\WINDOWS\system32\sbeifkap.ini
2008-05-21 15:54 . 2008-05-21 15:54 1,133,850 --ahs---- C:\WINDOWS\system32\tqqlrmjf.ini
2008-05-21 13:50 . 2008-05-27 17:19 31,056 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000005-00000000-00000004-00001102-00000004-20061102}.rfx
2008-05-21 13:50 . 2008-05-27 17:19 31,056 --a------ C:\WINDOWS\system32\BMXState-{00000005-00000000-00000004-00001102-00000004-20061102}.rfx
2008-05-21 13:50 . 2008-05-27 17:19 30,528 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000005-00000000-00000004-00001102-00000004-20061102}.rfx
2008-05-21 13:50 . 2008-05-27 17:19 30,528 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000005-00000000-00000004-00001102-00000004-20061102}.rfx
2008-05-21 13:50 . 2008-05-27 17:19 11,564 --a------ C:\WINDOWS\system32\DVCState-{00000005-00000000-00000004-00001102-00000004-20061102}.rfx
2008-05-21 11:51 . 2008-05-21 11:51 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-05-21 11:51 . 2008-05-21 11:51 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-05-20 18:03 . 2008-05-20 18:03 2,560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-05-20 16:52 . 2008-05-20 16:52 <DIR> d-------- C:\Documents and Settings\Alan Caplan\Application Data\Sunbelt Software
2008-05-20 16:10 . 2008-05-20 16:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-20 16:10 . 2008-05-20 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-20 16:09 . 2008-05-20 16:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 11:59 . 2008-05-20 11:59 <DIR> d-------- C:\VundoFix Backups
2008-05-20 11:52 . 2008-05-21 09:51 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-20 11:15 . 2008-05-20 11:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-20 11:15 . 2008-05-21 09:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-20 11:11 . 2008-05-20 11:11 61,224 --a------ C:\Documents and Settings\Alan Caplan\GoToAssistDownloadHelper.exe
2008-05-20 10:49 . 2008-05-20 10:49 0 --a------ C:\WINDOWS\VPC32.INI
2008-05-20 10:33 . 2008-05-20 10:33 <DIR> d-------- C:\Documents and Settings\Alan Caplan\Application Data\Uniblue
2008-05-20 10:16 . 2008-05-20 05:45 94,208 --a------ C:\WINDOWS\exbk.exe
2008-05-20 10:16 . 2008-05-20 05:45 81,920 --a------ C:\WINDOWS\mdtgkswr.exe
2008-05-12 17:08 . 2008-05-12 17:08 <DIR> d-------- C:\WINDOWS\Sun
2008-05-12 17:08 . 2008-05-12 17:08 <DIR> d-------- C:\Program Files\Java
2008-05-12 17:08 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-12 17:07 . 2008-05-12 17:07 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-06 14:58 . 2008-05-06 14:58 <DIR> d-------- C:\Documents and Settings\Alan Caplan\Application Data\Sonic
2008-05-06 14:56 . 2008-05-06 14:56 <DIR> d-------- C:\Documents and Settings\Alan Caplan\Application Data\Leadertech
2008-05-01 18:23 . 2008-05-01 18:23 <DIR> d-------- C:\Program Files\StorageCrypt v2.0
2008-04-30 07:43 . 2008-04-30 07:43 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-30 06:36 . 2008-05-23 06:36 260 --a------ C:\WINDOWS\updsched.INI
2008-04-29 09:53 . 1998-06-09 05:00 244,984 --a------ C:\WINDOWS\system32\tutil32.dll
2008-04-29 09:53 . 2008-04-29 09:53 78 --a------ C:\WINDOWS\TSREMOTE.INI
2008-04-29 09:52 . 2006-06-15 18:28 2,752,040 --a------ C:\WINDOWS\system32\TSDBAp32.dll
2008-04-29 09:52 . 2006-06-15 18:28 1,654,824 --a------ C:\WINDOWS\system32\TSDlgApi.dll
2008-04-29 09:52 . 2006-06-15 18:17 705,024 --a------ C:\WINDOWS\system32\TSSchBkpService.exe
2008-04-29 09:52 . 2006-06-15 18:28 161,832 --a------ C:\WINDOWS\system32\TSDB0132.dll
2008-04-29 09:51 . 2008-04-29 10:09 <DIR> d-------- C:\Program Files\TIMESLIPS
2008-04-29 09:36 . 2008-04-29 09:36 <DIR> d-------- C:\Program Files\Borland
2008-04-28 11:13 . 2008-04-28 11:13 <DIR> d-------- C:\Program Files\PKWARE
2008-04-28 11:13 . 2008-04-28 11:13 <DIR> d-------- C:\Program Files\Common Files\PKWARE
2008-04-28 10:07 . 2008-04-28 10:07 <DIR> d-------- C:\Program Files\Search On TER
2008-04-28 08:16 . 2008-04-28 08:16 <DIR> d-------- C:\Documents and Settings\Alan Caplan\Application Data\Corel
2008-04-28 08:14 . 2008-04-28 08:14 543 --a------ C:\WINDOWS\system32\mapisvc.inf
2008-04-28 08:13 . 2008-04-28 08:13 <DIR> d-------- C:\Program Files\WordPerfect Office 12
2008-04-28 08:13 . 2008-04-28 08:13 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-04-28 08:13 . 2008-04-28 08:13 <DIR> d-------- C:\Program Files\Common Files\Borland Shared
2008-04-27 18:20 . 2008-03-21 15:30 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-04-27 18:20 . 2008-03-21 15:30 120,056 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2008-04-27 18:20 . 2008-03-21 15:30 118,520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2008-04-27 17:55 . 2008-04-27 17:55 <DIR> d-------- C:\Program Files\NotePro
2008-04-27 17:55 . 2005-06-23 01:58 297,984 --a------ C:\WINDOWS\system32\midas.dll
2008-04-27 17:06 . 2008-04-27 17:06 <DIR> d-------- C:\Program Files\X-Setup
2008-04-27 17:02 . 2008-04-27 17:02 <DIR> d-------- C:\Program Files\smr-usenet
2008-04-27 17:02 . 2008-04-27 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-04-27 17:02 . 2001-03-28 09:38 69,632 --a------ C:\WINDOWS\system32\GkSui18.EXE
2008-04-27 16:53 . 2008-04-27 16:53 <DIR> d-------- C:\Program Files\Real
2008-04-27 16:53 . 2008-04-30 07:43 <DIR> d-------- C:\Program Files\Common Files\Real
2008-04-27 16:49 . 2008-05-19 15:54 552 --a------ C:\WINDOWS\TIMESLIP.INI
2008-04-27 16:31 . 2008-04-27 16:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lacerte
2008-04-27 16:25 . 2008-05-23 11:01 47 --a------ C:\WINDOWS\TaxSetup.INI
2008-04-27 16:25 . 2008-05-23 11:01 46 --a------ C:\WINDOWS\LTBUI07.INI
2008-04-27 16:24 . 2008-05-23 11:02 3,899 --a------ C:\WINDOWS\w07tax.ini
2008-04-27 16:13 . 2008-04-27 16:13 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-04-27 16:13 . 2002-12-17 16:23 33,340 --a------ C:\WINDOWS\system32\dbmsqlgc.dll
2008-04-27 16:13 . 2002-10-20 14:05 24,576 --a------ C:\WINDOWS\system32\dbmsgnet.dll
2008-04-27 16:12 . 2008-04-27 16:12 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-04-27 16:11 . 2008-05-23 11:01 159 --a------ C:\WINDOWS\WTAXSYNC.INI
2008-04-27 16:11 . 2008-04-27 16:11 114 --a------ C:\WINDOWS\LTBUI06.INI
2008-04-27 16:10 . 2008-04-27 16:10 <DIR> d-------- C:\Program Files\06WebSetup
2008-04-27 16:08 . 2008-04-27 16:08 3,743 --a------ C:\WINDOWS\setups06.ini
2008-04-27 16:07 . 2008-04-27 16:29 3,045 --a------ C:\WINDOWS\W06Tax.ini
2008-04-27 16:02 . 2008-04-27 16:04 1,855 --a------ C:\WINDOWS\W04TAX.INI
2008-04-27 15:54 . 2008-04-27 16:07 263 --a------ C:\WINDOWS\w05updat.INI
2008-04-27 15:52 . 2008-04-27 15:52 47 --a------ C:\WINDOWS\W05Setup.INI
2008-04-27 15:49 . 2008-05-23 11:01 29 --a------ C:\WINDOWS\lacerte.ini
2008-04-27 15:46 . 2008-04-27 15:50 <DIR> d-------- C:\Program Files\05WebSetup
2008-04-27 15:46 . 2001-10-30 10:18 18,704 --a------ C:\WINDOWS\system32\pdfmon.dll
2008-04-27 15:42 . 2008-05-23 11:01 <DIR> d-------- C:\Program Files\Common Files\Lacerte Shared
2008-04-27 15:42 . 2008-04-27 16:24 <DIR> d-------- C:\Lacerte
2008-04-27 15:42 . 2008-04-27 15:42 2,920 --a------ C:\WINDOWS\setups05.ini
2008-04-27 15:41 . 2002-02-04 02:43 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-04-27 15:41 . 2008-04-27 16:07 1,910 --a------ C:\WINDOWS\W05Tax.ini
2008-04-27 15:26 . 2008-04-28 11:13 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-27 15:26 . 2005-10-20 20:47 30,592 --a------ C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-27 15:26 . 2005-10-20 20:47 12,800 --a------ C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-27 14:48 . 2001-08-17 22:36 89,088 --a------ C:\WINDOWS\system32\hpgt33.dll
2008-04-27 14:48 . 2001-08-17 22:36 89,088 --a--c--- C:\WINDOWS\system32\dllcache\hpgt33.dll
2008-04-27 14:48 . 2001-08-17 22:36 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2008-04-27 14:48 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2008-04-27 14:48 . 2001-08-17 22:36 48,128 --a------ C:\WINDOWS\system32\hpgt33tk.dll
2008-04-27 14:48 . 2001-08-17 22:36 48,128 --a--c--- C:\WINDOWS\system32\dllcache\hpgt33tk.dll
2008-04-27 14:48 . 2001-08-17 22:36 32,768 --a------ C:\WINDOWS\system32\hpgtmcro.dll
2008-04-27 14:48 . 2001-08-17 22:36 32,768 --a--c--- C:\WINDOWS\system32\dllcache\hpgtmcro.dll
2008-04-27 14:48 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-04-27 14:48 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-04-27 14:37 . 2008-04-27 14:37 <DIR> d-------- C:\Program Files\DYMO Stamps
2008-04-27 14:10 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-27 14:10 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-04-27 14:10 . 2005-03-17 19:39 7,680 --a------ C:\WINDOWS\system32\LW400MON.DLL
2008-04-27 14:10 . 2005-03-18 12:45 7,680 --a------ C:\WINDOWS\system32\DUO_D1MON.DLL
2008-04-27 14:10 . 2008-05-01 16:38 56 --a------ C:\WINDOWS\Addrfixr.ini
2008-04-27 14:10 . 2008-05-06 15:14 36 --a------ C:\WINDOWS\iltwain.ini
2008-04-27 14:09 . 2008-05-06 15:14 <DIR> d-------- C:\Program Files\DYMO Label
2008-04-27 14:09 . 2003-10-30 03:03 418,304 --a------ C:\WINDOWS\system32\DYMOSmartPaste.dll
2008-04-27 14:09 . 2005-04-20 16:26 184,320 --a------ C:\WINDOWS\system32\DymoInst.dll
2008-04-27 14:09 . 2005-03-11 15:24 180,224 --a------ C:\WINDOWS\system32\Clw.dll
2008-04-27 14:09 . 2002-03-26 08:59 57,344 --a------ C:\WINDOWS\system32\DYMOCFG.DLL
2008-04-27 14:09 . 2005-03-28 14:20 5,563 --a------ C:\WINDOWS\system32\dymourl.ini
2008-04-27 13:34 . 2008-04-27 13:36 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 5.0
2008-04-27 13:33 . 2008-04-27 13:37 <DIR> d-------- C:\Program Files\Quicken
2008-04-27 13:33 . 2008-04-27 13:33 <DIR> d-------- C:\Program Files\Common Files\Palo Alto Software
2008-04-27 13:33 . 2008-04-27 13:33 <DIR> d-------- C:\Program Files\Common Files\Intuit
2008-04-27 13:33 . 2008-04-27 13:33 <DIR> d-------- C:\Documents and Settings\Alan Caplan\Application Data\Intuit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 22:19 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-18 18:07 --------- d-----w C:\Documents and Settings\Alan Caplan\Application Data\AdobeUM
2008-04-29 14:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-28 23:29 --------- d-----w C:\Documents and Settings\Alan Caplan\Application Data\DivX
2008-04-27 23:21 --------- d-----w C:\Program Files\DivX
2008-04-27 20:26 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-27 19:50 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-27 18:33 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-26 22:08 --------- d-----w C:\Documents and Settings\Alan Caplan\Application Data\OfficeUpdate12
2008-04-26 21:57 --------- d-----w C:\Program Files\Microsoft Works
2008-04-26 21:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-04-26 21:50 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-26 21:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-04-26 21:29 --------- d-----w C:\Program Files\MSXML 4.0
2008-04-26 21:28 --------- d-----w C:\Program Files\Pinnacle
2008-04-26 21:03 --------- d-----w C:\Program Files\GNU
2008-04-26 20:57 --------- d-----w C:\Program Files\Google
2008-04-26 20:56 --------- d-----w C:\Documents and Settings\Alan Caplan\Application Data\GRETECH
2008-04-26 20:50 --------- d-----w C:\Program Files\VideoLAN
2008-04-26 20:49 --------- d-----w C:\Program Files\GRETECH
2008-04-26 20:12 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-26 20:02 57,344 ----a-w C:\WINDOWS\uneng.exe
2008-04-26 20:02 --------- d-----w C:\Program Files\Roxio
2008-04-26 20:02 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
2008-04-26 19:59 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-26 19:49 --------- d-----w C:\Program Files\HP
2008-04-26 19:46 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-04-26 19:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-26 19:08 --------- d-----w C:\Program Files\Symantec
2008-04-26 19:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-26 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-04-26 18:27 --------- d-----w C:\Program Files\Common Files\TiVo Shared
2008-04-26 18:26 --------- d-----w C:\Program Files\Sonic
2008-04-26 18:26 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-04-26 18:21 --------- d-----w C:\Program Files\Citrix
2008-04-26 18:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Citrix
2008-04-26 18:15 --------- d-----w C:\Documents and Settings\Alan Caplan\Application Data\Creative
2008-04-26 18:14 --------- d-----w C:\Program Files\Creative
2008-04-26 18:06 --------- d-----w C:\Program Files\ATI Technologies
2008-04-26 18:00 --------- d-----w C:\Program Files\Intel
2008-04-26 17:59 --------- d-----w C:\Program Files\Dell
2008-04-26 17:46 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-17 19:49 524,288 ----a-w C:\WINDOWS\opuc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B9928CA-2B38-43C8-BE19-A4A6386DE417}]
C:\WINDOWS\system32\cbXPfEtS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{473332C8-A056-4454-A9E7-309D909A71B3}]
C:\WINDOWS\system32\ljJyXRIB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5B7181D-9AF8-4E93-8BEC-5347715FC5AC}]
C:\WINDOWS\system32\efcCtsSK.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-03 12:12 68856]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 15:21 50528]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" [2005-11-15 19:44 1200128]
"Updates Scheduler"="C:\Program Files\Common Files\Lacerte Shared\update scheduler\updsched.exe" [2008-03-14 17:15 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00 45056]
"CTHelper"="CTHELPER.EXE" [2007-04-09 12:32 19456 C:\WINDOWS\system32\CtHelper.exe]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 20:31 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-10-06 17:56 161096]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 12:29 61440]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 11:40 188416]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 13:02 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-30 07:43 185896]
"e8a807cb"="C:\WINDOWS\system32\ulphucri.dll" [2008-05-27 09:03 94208]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoUserNameInStartMenu"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0B9928CA-2B38-43C8-BE19-A4A6386DE417}"= C:\WINDOWS\system32\cbXPfEtS.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXPfEtS]
cbXPfEtS.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll 2008-05-20 11:11 10536 C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.norun]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.norun
backup=C:\WINDOWS\pss\Service Manager.norunCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-10-02 17:41 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2005-03-16 05:33 127037 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMCLoader]
--a------ 2007-08-15 13:54 109640 C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMCRemote]
--------- 2007-08-07 08:03 257096 C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-30 07:43 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TSTimer]
--a------ 2006-06-15 18:28 2429992 C:\Program Files\TIMESLIPS\TSTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"e8a807cb"=rundll32.exe "C:\WINDOWS\system32\fjmrlqqt.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 TSScheduleBackup;TimeslipsBackup;C:\WINDOWS\system32\TSSchBkpService.exe [2006-06-15 18:17]
R3 OmniTV;Cx2388x AvStream Video Capture;C:\WINDOWS\system32\DRIVERS\OmniTV.sys [2007-08-06 15:53]
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe" Start=service []
S3 MSSQL$LACERTEDB;MSSQL$LACERTEDB;C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe [2002-12-17 17:26]
S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE [2002-12-17 17:23]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 17:21:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-05-27 17:22:55 - machine was rebooted [Alan Caplan]
ComboFix-quarantined-files.txt 2008-05-27 22:22:51

Pre-Run: 232,130,654,208 bytes free
Post-Run: 232,074,960,896 bytes free

308 --- E O F --- 2008-05-16 12:44:56

 

[shelf life]

hi alancaplan

thanks for the info. first we will use combofix then get a copy of malwarebytes to run.

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:

File::
C:\WINDOWS\system32\ircuhplu.ini
C:\WINDOWS\system32\ulphucri.dll
C:\WINDOWS\system32\gksaixwg.ini
C:\WINDOWS\system32\gwxiaskg.dll
C:\WINDOWS\system32\rjhwhydo.ini
C:\WINDOWS\system32\oyhlaeir.ini
C:\WINDOWS\system32\efcCtsSK.dll_old
C:\WINDOWS\system32\sbeifkap.ini
C:\WINDOWS\system32\tqqlrmjf.ini
C:\WINDOWS\exbk.exe
C:\WINDOWS\mdtgkswr.exe
C:\WINDOWS\system32\cbXPfEtS.dll
C:\WINDOWS\system32\ljJyXRIB.dll
C:\WINDOWS\system32\efcCtsSK.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B9928CA-2B38-43C8-BE19-A4A6386DE417}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{473332C8-A056-4454-A9E7-309D909A71B3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5B7181D-9AF8-4E93-8BEC-5347715FC5AC}]

Name the Notepad file CFScript.txt and Save it to your desktop.

now locate the file you just saved and the combofix icon, both on the desktop

using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
please post the new combofix log
-----------------------------------------------------
next:

Please download Malwarebytes' Anti-Malware to your desktop:

http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

please post the combofix log and the malwarebytes log.

 

[alancaplan]

i got it out

i played with the registry and was able to delete one of the enries.
i also went to the sys32 folder and while i couldn't delete the files i was able to rename it.

rebooted and then deleted the files. reran spybot and it came up clean.

thank you for all your help

 

[shelf life]

hi,

ok your welcome. post one final hjt log.