Deleting ComboFix

[Jade_Dragon]

Hello

New to the forums. Need help removing combofix.

I was getting help on "that computer guy forums" and had some family issues and couldn't get on for a week. Now it seems they are possibly shutting down the forums and I cannot access the last step of my help. I only needed to perform the last step of removing some items and combofix was one of them. Can anyone help me with that?

Thanks In Advance,
JD

[Ried]

Hello Jade_Dragon and welcome,

I'm not crazy about working blindly here. I'd like to get an idea of what has been done, and what remains.

Please post the C:\ComboFix.txt for review

[Jade_Dragon]

Here you go:

ComboFix 08-11-13.01 - Jordan 2008-11-15 13:17:07.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.176 [GMT -6:00]
Running from: c:\documents and settings\Jordan\Desktop\ComboFix.exe
Command switches used :: f:\tammy\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\bepimobaz.dll
c:\documents and settings\All Users\Application Data\pobysamu.bat
c:\documents and settings\All Users\Application Data\ytew.dll
c:\documents and settings\All Users\Application Data\zofaqeqa.bat
c:\documents and settings\Jordan\Application Data\faniga.exe
c:\documents and settings\Jordan\Application Data\GetModule
c:\documents and settings\Jordan\Application Data\GetModule\dicik.gz
c:\documents and settings\Jordan\Application Data\GetModule\ofadik.gz
c:\documents and settings\Jordan\Application Data\medabolevo.exe
c:\documents and settings\Jordan\Application Data\ribe.reg
c:\documents and settings\Jordan\Application Data\yjuxako.scr
c:\program files\Common Files\ifuze.dll
c:\program files\Common Files\inohiha.reg
c:\program files\Common Files\vidygubale.bin
c:\program files\Common Files\vofyluhixo.reg
c:\program files\Common Files\yfycag.exe
c:\windows\arek.dat
c:\windows\cibivaka.bat
c:\windows\gyjyxa._dl
c:\windows\icekyro.pif
c:\windows\junugaj.bat
c:\windows\mqkm
c:\windows\mqkm\mqkm.dat
c:\windows\mqkm\wu
c:\windows\pyjypilut.dll
c:\windows\qidubo.vbs
c:\windows\Sm9yZGFuIE1vbnRnb21lcnk
c:\windows\synevu.db
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\voqylyqati.pif
c:\windows\ykila.sys

.
((((((((((((((((((((((((( Files Created from 2008-10-15 to 2008-11-15 )))))))))))))))))))))))))))))))
.

2008-11-15 10:18 . 2008-11-15 10:18 <DIR> d-------- c:\windows\LastGood
2008-11-13 09:57 . 2008-11-13 09:57 <DIR> d-------- C:\_OTMoveIt
2008-11-12 22:02 . 2008-11-12 22:16 <DIR> d-------- C:\Lop SD
2008-11-12 17:05 . 2008-11-12 17:05 664 --a------ c:\windows\system32\d3d9caps.dat
2008-11-11 18:18 . 2008-11-11 18:20 <DIR> d-------- c:\program files\SuperAdBlocker.com
2008-11-11 18:18 . 2008-11-11 18:18 <DIR> d-------- c:\documents and settings\Jordan\Application Data\SuperAdBlocker.com
2008-11-11 18:11 . 2008-11-11 18:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-11 18:10 . 2008-11-11 18:15 <DIR> d-------- c:\program files\CCleaner
2008-11-11 18:00 . 2008-11-11 18:00 <DIR> dr-h----- C:\$VAULT$.AVG
2008-11-11 13:23 . 2008-11-11 13:23 <DIR> d-------- c:\documents and settings\LocalService\Application Data\AVG7
2008-11-11 13:23 . 2008-11-15 09:51 <DIR> d-------- c:\documents and settings\Jordan\Application Data\AVG7
2008-11-11 13:23 . 2008-11-11 13:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Grisoft
2008-11-11 13:23 . 2008-11-11 13:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg7
2008-11-11 13:07 . 2008-11-11 13:07 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Lavasoft
2008-11-11 12:23 . 2008-11-11 12:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3
2008-11-11 12:03 . 2008-11-11 13:23 <DIR> d-------- c:\documents and settings\Administrator
2008-11-10 22:33 . 2008-11-10 22:33 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-10 22:33 . 2008-11-10 22:33 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-10 22:33 . 2008-11-10 22:33 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-10 22:33 . 2008-11-10 22:33 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-10 20:14 . 2008-11-10 20:14 <DIR> d-------- c:\documents and settings\Jordan\Application Data\Malwarebytes
2008-11-10 20:13 . 2008-11-10 20:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-24 06:29 . 2008-10-15 10:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 23:19 . 2008-09-08 04:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-15 23:18 . 2008-08-14 04:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 23:18 . 2008-08-14 04:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 23:18 . 2008-08-14 03:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 23:18 . 2008-08-14 03:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-15 23:18 . 2008-09-15 06:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-12 18:02 --------- d-----w c:\documents and settings\Jordan\Application Data\U3
2008-11-12 00:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-12 00:10 --------- d-----w c:\program files\Yahoo!
2008-11-11 14:48 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-11 14:48 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-07 02:58 --------- d-----w c:\program files\DivX
2008-11-06 03:32 19,936 ----a-w c:\program files\Common Files\povof.ban
2008-10-12 20:00 --------- d-----w c:\program files\Photo Toolkit
2008-10-07 20:49 --------- d-----w c:\program files\Java
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-08-27 08:24 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-05-26 01:44 0 ----a-w c:\documents and settings\Jordan\Application Data\internaldb6334.dat
2007-08-07 19:09 18,432 ----a-w c:\documents and settings\Jordan\Application Data\internaldb41.dat
2007-08-07 18:42 556 ----a-w c:\documents and settings\Jordan\Application Data\internaldb8467.dat
2006-12-24 17:28 24,192 ----a-w c:\documents and settings\Jordan\usbsermptxp.sys
2006-12-24 17:28 22,768 ----a-w c:\documents and settings\Jordan\usbsermpt.sys
2006-06-15 21:03 56 --sh--r c:\windows\system32\3F8AEB7D4E.sys
2007-12-18 03:29 168 --sh--r c:\windows\system32\4E7DEB8A3F.sys
2007-12-18 03:29 9,188 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-11-15_10.21.01.28 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-14 1576176]
"I&F Viewer toolbar"="c:\program files\Photo Toolkit\ivbar\phototoolkitmem.exe" [2006-10-27 65536]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SuperAdBlocker"="c:\program files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe" [2007-08-01 1564672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-12-19 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-10 270648]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-04-29 158624]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-11-11 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-11-11 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-19 24576]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-06-21 282624]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-07-10 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= "c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL" [2006-11-07 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
2007-08-01 09:28 176128 c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-09-14 17:11 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135549269\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135549269\\ee\\aim6.exe"=
"c:\\Program Files\\Infogrames\\Tactical Ops\\System\\TacticalOps.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R1 SABKUTIL;SABKUTIL;c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [2007-02-20 32256]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 zumbus;Zune Bus Enumerator Driver;c:\windows\system32\DRIVERS\zumbus.sys [2008-04-29 40704]
S1 SABDIFSV;SABDIFSV;c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABDIFSV.SYS [2005-09-21 5632]
.
Contents of the 'Scheduled Tasks' folder

2008-11-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]

2008-10-24 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-15 13:20:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-11-15 13:25:41
ComboFix-quarantined-files.txt 2008-11-15 19:24:37
ComboFix2.txt 2008-11-15 16:21:52

Pre-Run: 53,361,868,800 bytes free
Post-Run: 53,336,608,768 bytes free

196 --- E O F --- 2008-10-24 13:47:50

[Ried]

Thank you.

Has an online scan been performed to search for any remnants that may be lurking about?

[Jade_Dragon]

Yes, Kaspersky from 11-16-08 and I did another on 12-04-08 which still shows stuff.

KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, November 16, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, November 15, 2008 22:50:37
Records in database: 1386277
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 73681
Threat name: 19
Infected objects: 33
Suspicious objects: 0
Duration of the scan: 01:48:38


File name / Threat name / Threats count
C:\Documents and Settings\Jordan\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Jordan\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Jordan\Incomplete\T-3877629-kanye west - love locked down (1).mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
C:\Documents and Settings\Jordan\Shared\kanye west - love locked down .mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
C:\Qoobox\Quarantine\C\Documents and Settings\Jordan\Application Data\gadcom\gadcom.exe.vir Infected: Trojan.Win32.Agent.amus 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ajkgdmsd.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.esw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\atrxcepb.dll.vir Infected: Trojan.Win32.Monder.yis 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\av.dat.vir Infected: Hoax.Win32.Renos.vavf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\axomfn.dll.vir Infected: Trojan.Win32.Monder.yis 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bxlhjcdd.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.esp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dradjx.dll.vir Infected: Trojan.Win32.Monder.xwb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSmaxt.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\egvfhs.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.esp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\grtfywpr.dll.vir Infected: Trojan.Win32.Monder.yis 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hnfqhu.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.etl 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kucgwxeo.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.etl 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kuyuzf.dll.vir Infected: Trojan.Win32.Monder.xwb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mtvxes.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.esn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pcyksu.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.esw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rpcseblj.dll.vir Infected: Trojan.Win32.Monder.xys 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rqutbmtu.dll.vir Infected: Trojan.Win32.Monder.ybf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSbrsr.dll.vir Infected: Rootkit.Win32.Clbd.lb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSofxh.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoiqh.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSosvd.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\telkijvq.dll.vir Infected: Trojan.Win32.Monder.xwb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tfijcmps.dll.vir Infected: Trojan.Win32.Pakes.lpo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\uoauyb.dll.vir Infected: Trojan.Win32.Monder.xys 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\uulksd.dll.vir Infected: Trojan.Win32.Monder.yis 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vstefy.dll.vir Infected: Trojan.Win32.Monder.ybf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vupfkpvx.dll.vir Infected: Trojan.Win32.Pakes.lpo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\WinNB55.dll.vir Infected: not-a-virus:AdWare.Win32.Mirar.ai 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\xvwgyifw.dll.vir Infected: Trojan.Win32.Monder.xwb 1

The selected area was scanned.



12-04-08


KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, December 4, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, December 04, 2008 20:42:50
Records in database: 1436944
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 74689
Threat name: 10
Infected objects: 16
Suspicious objects: 0
Duration of the scan: 02:13:07


File name / Threat name / Threats count
C:\Documents and Settings\Jordan\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Jordan\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Jordan\Incomplete\T-460090-what would you do city high sexy girl has shaking orgasm during sex.mp3 Infected: Trojan-Downloader.WMA.Wimad.o 1
C:\Documents and Settings\Jordan\Shared\extacy techno.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Jordan\Shared\when im gone rockell.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ajkgdmsd.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.esw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bxlhjcdd.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.esp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\egvfhs.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.esp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pcyksu.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.esw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSbrsr.dll.vir Infected: Rootkit.Win32.Clbd.lb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tfijcmps.dll.vir Infected: Trojan.Win32.Pakes.lpo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vupfkpvx.dll.vir Infected: Trojan.Win32.Pakes.lpo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\WinNB55.dll.vir Infected: not-a-virus:AdWare.Win32.Mirar.ai 1
C:\WINDOWS\system32\scui.cpl Infected: not-a-virus:FraudTool.Win32.XPAntivirus.oj 1
C:\_OTMoveIt\MovedFiles\11172008_014621\Documents and Settings\Jordan\Incomplete\T-3877629-kanye west - love locked down (1).mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
C:\_OTMoveIt\MovedFiles\11172008_014621\Documents and Settings\Jordan\Shared\kanye west - love locked down .mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1

The selected area was scanned.

[Ried]

Hello Jade_Dragon,

Take a look at the files that are infected. The file sharing that is going on is the source of the rootkit you previously sustained as well as the latest infections as shown by Kaspersky.

I urge you to read our sticky topic Perils of P2P file sharing

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:

File::
C:\Documents and Settings\Jordan\Incomplete\T-3877629-kanye west - love locked down (1).mp3
C:\Documents and Settings\Jordan\Incomplete\T-460090-what would you do city high sexy girl has shaking orgasm during sex.mp3
C:\Documents and Settings\Jordan\Shared\extacy techno.mp3
C:\Documents and Settings\Jordan\Shared\when im gone rockell.mp3
C:\WINDOWS\system32\scui.cpl

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\StubInstaller.exe"=-

Save this as CFScript.txt, in the same location as ComboFix.exe



Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Please return with the C:\ComboFix.txt for further review.

[Jade_Dragon]

ComboFix 08-12-09.02 - Jordan 2008-12-10 8:48:32.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.235 [GMT -6:00]
Running from: c:\documents and settings\Jordan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jordan\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\Jordan\Incomplete\T-3877629-kanye west - love locked down (1).mp3
c:\documents and settings\Jordan\Incomplete\T-460090-what would you do city high sexy girl has shaking orgasm during sex.mp3
c:\documents and settings\Jordan\Shared\extacy techno.mp3
c:\documents and settings\Jordan\Shared\when im gone rockell.mp3
c:\windows\system32\scui.cpl
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Jordan\Incomplete\T-460090-what would you do city high sexy girl has shaking orgasm during sex.mp3
c:\documents and settings\Jordan\Shared\extacy techno.mp3
c:\documents and settings\Jordan\Shared\when im gone rockell.mp3
c:\windows\system32\CMMGR32.EXE
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.

2008-12-10 07:13 . 2008-12-10 07:13 118 --a------ c:\windows\system32\MRT.INI
2008-12-03 18:16 . 2008-12-03 18:16 <DIR> d-------- c:\program files\Infogrames
2008-12-02 21:48 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-12-01 07:15 . 2008-12-01 07:15 0 --ah----- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2008-12-01 07:15 . 2008-12-01 07:15 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2008-12-01 07:12 . 2008-12-01 07:12 0 --ah----- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2008-11-27 15:47 . 2008-05-02 07:25 465,920 --------- c:\windows\system32\imapi2fs.dll
2008-11-27 15:47 . 2008-05-02 07:25 465,920 --------- c:\windows\system32\dllcache\imapi2fs.dll
2008-11-27 15:47 . 2008-05-02 07:25 317,952 --------- c:\windows\system32\imapi2.dll
2008-11-27 15:47 . 2008-05-02 07:25 317,952 --------- c:\windows\system32\dllcache\imapi2.dll
2008-11-27 15:47 . 2008-05-02 04:49 62,976 --------- c:\windows\system32\dllcache\cdrom.sys
2008-11-16 03:01 . 2008-12-10 07:15 1,393 --a------ c:\windows\imsins.BAK
2008-11-15 22:08 . 2008-11-15 22:08 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-15 22:08 . 2008-10-22 16:28 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-15 22:08 . 2008-10-22 16:28 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-15 10:19 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-15 10:17 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 09:57 . 2008-11-13 09:57 <DIR> d-------- C:\_OTMoveIt
2008-11-12 22:02 . 2008-11-12 22:16 <DIR> d-------- C:\Lop SD
2008-11-12 17:05 . 2008-11-12 17:05 664 --a------ c:\windows\system32\d3d9caps.dat
2008-11-11 18:18 . 2008-11-11 18:20 <DIR> d-------- c:\program files\SuperAdBlocker.com
2008-11-11 18:18 . 2008-11-11 18:18 <DIR> d-------- c:\documents and settings\Jordan\Application Data\SuperAdBlocker.com
2008-11-11 18:11 . 2008-11-11 18:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-11 18:10 . 2008-11-11 18:15 <DIR> d-------- c:\program files\CCleaner
2008-11-11 18:00 . 2008-12-03 09:04 <DIR> dr-h----- C:\$VAULT$.AVG
2008-11-11 13:23 . 2008-11-11 13:23 <DIR> d-------- c:\documents and settings\LocalService\Application Data\AVG7
2008-11-11 13:23 . 2008-12-10 08:23 <DIR> d-------- c:\documents and settings\Jordan\Application Data\AVG7
2008-11-11 13:23 . 2008-11-11 13:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Grisoft
2008-11-11 13:23 . 2008-11-20 18:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg7
2008-11-11 13:07 . 2008-11-11 13:07 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Lavasoft
2008-11-11 12:23 . 2008-11-11 12:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3
2008-11-11 12:03 . 2008-11-11 13:23 <DIR> d-------- c:\documents and settings\Administrator
2008-11-10 22:33 . 2008-11-10 22:33 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-10 22:33 . 2008-11-10 22:33 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-10 22:33 . 2008-11-10 22:33 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-10 22:33 . 2008-11-10 22:33 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-10 20:14 . 2008-11-10 20:14 <DIR> d-------- c:\documents and settings\Jordan\Application Data\Malwarebytes
2008-11-10 20:13 . 2008-11-10 20:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-10 12:23 . 2008-11-10 12:23 243,840 --a------ c:\windows\system32\ZuneWlanCfgSvc.exe
2008-11-10 12:23 . 2008-11-10 12:23 60,032 --a------ c:\windows\system32\ZuneBusEnum.exe
2008-11-10 12:09 . 2008-11-10 12:09 310,272 --a------ c:\windows\system32\ZuneNetProxy.dll
2008-11-10 12:09 . 2008-11-10 12:09 57,344 --a------ c:\windows\system32\ZuneRegUtil.dll
2008-11-10 12:09 . 2008-11-10 12:09 18,944 --a------ c:\windows\system32\ZuneTcp2Udp.dll
2008-11-10 12:09 . 2008-11-10 12:09 12,800 --a------ c:\windows\system32\ZunePTDNS.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 01:36 --------- d-----w c:\documents and settings\Jordan\Application Data\SUPERAntiSpyware.com
2008-12-02 01:35 --------- d-----w c:\program files\SUPERAntiSpyware
2008-11-28 06:16 --------- d-----w c:\program files\Photo Toolkit
2008-11-27 22:16 --------- d-----w c:\program files\Zune
2008-11-18 02:10 --------- d-----w c:\program files\LimeWire
2008-11-12 18:02 --------- d-----w c:\documents and settings\Jordan\Application Data\U3
2008-11-12 00:10 --------- d-----w c:\program files\Yahoo!
2008-11-11 14:48 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-11 14:48 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-10 18:09 73,728 ----a-w c:\windows\system32\ZuneUsbTransport.dll
2008-11-10 18:09 40,832 ----a-w c:\windows\system32\drivers\zumbus.sys
2008-11-10 18:09 145,920 ----a-w c:\windows\system32\ZuneMTPZ.dll
2008-11-08 16:55 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\gadcom
2008-11-07 02:58 --------- d-----w c:\program files\DivX
2008-11-07 02:44 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\GetModule
2008-11-06 03:32 19,936 ----a-w c:\program files\Common Files\povof.ban
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-17 08:08 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ------w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-12 20:39 581,192 ----a-w c:\windows\system32\WinUSBCoInstaller.dll
2008-09-12 20:39 1,302,600 ----a-w c:\windows\system32\WUDFUpdate_01007.dll
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-05-26 01:44 0 ----a-w c:\documents and settings\Jordan\Application Data\internaldb6334.dat
2007-08-07 19:09 18,432 ----a-w c:\documents and settings\Jordan\Application Data\internaldb41.dat
2007-08-07 18:42 556 ----a-w c:\documents and settings\Jordan\Application Data\internaldb8467.dat
2006-12-24 17:28 24,192 ----a-w c:\documents and settings\Jordan\usbsermptxp.sys
2006-12-24 17:28 22,768 ----a-w c:\documents and settings\Jordan\usbsermpt.sys
2006-06-15 21:03 56 --sh--r c:\windows\system32\3F8AEB7D4E.sys
2007-12-18 03:29 168 --sh--r c:\windows\system32\4E7DEB8A3F.sys
2007-12-18 03:29 9,188 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"I&F Viewer toolbar"="c:\program files\Photo Toolkit\ivbar\phototoolkitmem.exe" [2006-10-27 65536]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-12-19 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-10 270648]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-11-20 590848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-11-11 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-19 24576]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-06-21 282624]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135549269\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135549269\\ee\\aim6.exe"=
"c:\\Program Files\\Infogrames\\Tactical Ops\\System\\TacticalOps.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-09-10 24652]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]

2008-12-05 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Jordan\Start Menu\Programs\IMVU\Run IMVU.lnk
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Jordan\Start Menu\Programs\IMVU\Run IMVU.lnk -

O16 -: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin.cab
c:\windows\Downloaded Program Files\imikimi.inf
FireFox -: Profile - c:\documents and settings\Jordan\Application Data\Mozilla\Firefox\Profiles\hzd74thp.default\
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - c:\program files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 08:51:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-10 8:53:28
ComboFix-quarantined-files.txt 2008-12-10 14:52:19
ComboFix2.txt 2008-11-15 19:25:42
ComboFix3.txt 2008-11-15 16:21:52

Pre-Run: 50,188,111,872 bytes free
Post-Run: 50,163,011,584 bytes free

230 --- E O F --- 2008-12-10 13:15:51

[Ried]

Hi JadeDragon,

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

• It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.

[Jade_Dragon]

Thank you very much for your help.

[Ried]

You're welcome.

Take care and surf safely.