b5.tmp.exe removal

[dburns]

I need help removing malious files in my computer. I have the file/txt documents you described in the instructions to read before posting.Please be patient with me I am a computer dummy for the most part. Your help is greatly appreciated.



DDS (Version 1.0) - NTFSx86
Run by David Burns at 21:20:45.28 on Tue 12/02/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.654 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\aol\1132229713\ee\aolsoftware.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\DOCUME~1\DAVIDB~1\LOCALS~1\Temp\B5.tmp.exe
C:\Program Files\AOL 9.1a\waol.exe
C:\Program Files\AOL 9.1a\shellmon.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\David Burns\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uDefault_Page_URL = hxxp://www.dellnet.com
uLocal Page = \blank.htm
uInternet Settings,ProxyOverride = hxxp://localhost;
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - c:\progra~1\blstoo~1\BLSTOO~1.DLL
BHO: {500BCA15-57A7-4eaf-8143-8C619470B13D} - c:\windows\system32\msxml71.dll
BHO: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {971F630E-AD68-4d6e-B0C3-1C627AAC80F1} - c:\program files\gamingsquared\gaming2\G2IE_v1042.dll
TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - c:\progra~1\blstoo~1\BLSTOO~1.DLL
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - c:\progra~1\blstoo~1\BLSTOO~1.DLL
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [AOL Fast Start] "c:\program files\aol 9.1a\AOL.EXE" -b
uRun: [Cognac] c:\docume~1\davidb~1\locals~1\temp\B5.tmp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [HelpCenter] c:\program files\bellsouth\helpcenter\bin\sprtcmd.exe /P HelpCenter
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-12-15 207656]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-12-15 358736]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-12-15 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-12-15 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-12-15 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-12-15 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-12-15 40488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-12-15 34152]

=============== Created Last 30 ================

2008-12-02 20:53 250 a------- c:\windows\gmer.ini
2008-11-30 19:52 52,168 a------- C:\VETlog.dmp
2008-11-25 20:23 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-11-25 19:43 <DIR> --d----- c:\program files\NoAdware
2008-11-10 18:10 <DIR> --d----- c:\program files\Microsoft MapPoint
2008-11-10 18:10 <DIR> --d----- c:\program files\Microsoft Location Finder
2008-11-06 17:31 <DIR> --d----- c:\program files\Signal Communications

==================== Find3M ====================

2008-11-25 20:24 <DIR> --d----- c:\program files\Lavasoft
2008-11-20 17:21 105,476 a------- c:\windows\system32\msxml71.dll
2008-11-18 20:37 <DIR> --d----- c:\program files\QUICKENW
2008-11-18 17:09 <DIR> --d----- c:\program files\common files\Palo Alto Software
2008-11-14 19:28 <DIR> --d----- c:\program files\McAfee
2008-06-18 21:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2008-06-10 06:17 <DIR> --d----- c:\docume~1\davidb~1\applic~1\Symantec
2008-06-10 04:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-05-30 08:39 <DIR> --d----- c:\docume~1\davidb~1\applic~1\AOL
2008-05-03 21:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\GamingSquared
2008-01-26 13:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Raize
2008-01-25 19:45 <DIR> --d----- c:\docume~1\davidb~1\applic~1\TaxCut
2008-01-25 19:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TaxCut
2007-12-15 08:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McAfee.com
2007-05-16 16:05 <DIR> --d----- c:\docume~1\davidb~1\applic~1\MySpace
2007-02-02 15:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\pdf995
2006-11-13 20:42 <DIR> --d----- c:\docume~1\davidb~1\applic~1\ICAClient
2006-06-26 16:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MotiveSysIDs
2006-03-11 20:28 <DIR> --d----- c:\docume~1\davidb~1\applic~1\Intuit
2006-03-11 20:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2004-12-19 13:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Pure Networks
2004-12-19 13:38 <DIR> --d----- c:\docume~1\davidb~1\applic~1\You've Got Pictures Screensaver
2004-08-31 20:26 <DIR> --d----- c:\docume~1\davidb~1\applic~1\Ulead Systems
2003-12-03 05:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2003-09-05 04:58 <DIR> --d----- c:\docume~1\davidb~1\applic~1\McAfee.com Personal Firewall
2003-06-08 12:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI
2005-07-14 12:31 27,648 a--shr-- c:\windows\system32\AVSredirect.dll
2005-06-26 15:32 616,448 a--shr-- c:\windows\system32\cygwin1.dll
2005-06-21 22:37 45,568 a--shr-- c:\windows\system32\cygz.dll
2005-02-28 13:16 240,128 a--shr-- c:\windows\system32\x.264.exe

============= FINISH: 21:21:45.26 ===============

[tetonbob]

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

[dburns]

Thanks tetonbob for the responce. I have followed the instructions to the best of my ability. attached is the combofix log you requested. Thank You in advance for your kind attention to this matter.


ComboFix 08-12-05.02 - David Burns 2008-12-05 20:10:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.645 [GMT -6:00]
Running from: c:\documents and settings\David Burns\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Barbara Burns\Application Data\ShoppingReport
c:\documents and settings\Barbara Burns\Application Data\ShoppingReport\cs\Config.xml
c:\documents and settings\Barbara Burns\Application Data\ShoppingReport\cs\db\Aliases.dbs
c:\documents and settings\Barbara Burns\Application Data\ShoppingReport\cs\db\Sites.dbs
c:\documents and settings\Barbara Burns\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
c:\documents and settings\Barbara Burns\Application Data\ShoppingReport\cs\report\aggr_storage.xml
c:\documents and settings\Barbara Burns\Application Data\ShoppingReport\cs\report\send_storage.xml
c:\documents and settings\Barbara Burns\Application Data\ShoppingReport\cs\res2\WhiteList.dbs
c:\program files\INSTALL.LOG
c:\windows\system32\drivers\fad.sys

.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-05 17:19 . 2008-12-05 17:19 118,276 --a------ c:\windows\SYSTEM32\msxml71.dll.upd
2008-12-02 20:53 . 2008-12-02 20:53 250 --a------ c:\windows\gmer.ini
2008-11-30 19:52 . 2008-12-05 19:55 52,168 --a------ C:\VETlog.dmp
2008-11-25 20:24 . 2008-11-25 20:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-25 20:23 . 2008-11-25 20:23 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-25 19:43 . 2008-11-25 20:09 <DIR> d-------- c:\program files\NoAdware
2008-11-10 18:10 . 2008-11-10 18:12 <DIR> d-------- c:\program files\Microsoft MapPoint
2008-11-10 18:10 . 2008-11-10 18:12 <DIR> d-------- c:\program files\Microsoft Location Finder
2008-11-06 17:31 . 2008-11-06 17:31 <DIR> d-------- c:\program files\Signal Communications

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 02:24 --------- d-----w c:\program files\Lavasoft
2008-11-24 23:57 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-19 02:37 --------- d-----w c:\program files\QUICKENW
2008-11-18 23:09 --------- d-----w c:\program files\Common Files\Palo Alto Software
2008-11-15 01:28 --------- d-----w c:\program files\McAfee
2008-10-22 23:04 --------- d-----w c:\documents and settings\David Burns\Application Data\AdobeUM
2007-04-22 01:42 6,980,738 ----a-w c:\documents and settings\David Burns\HC4Installer.exe
2005-07-14 18:31 27,648 --sha-r c:\windows\SYSTEM32\AVSredirect.dll
2005-06-26 21:32 616,448 --sha-r c:\windows\SYSTEM32\cygwin1.dll
2005-06-22 04:37 45,568 --sha-r c:\windows\SYSTEM32\cygz.dll
2005-02-28 19:16 240,128 --sha-r c:\windows\SYSTEM32\x.264.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{971F630E-AD68-4d6e-B0C3-1C627AAC80F1}]
2008-03-03 17:26 635392 --a------ c:\program files\GamingSquared\Gaming2\G2IE_v1042.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"U"="copy" [X]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"AOL Fast Start"="c:\program files\AOL 9.1a\AOL.EXE" [2008-03-06 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-12-19 98304]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-01-13 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-01-13 114688]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"HelpCenter"="c:\program files\Bellsouth\HelpCenter\bin\sprtcmd.exe" [2006-10-30 192512]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-26 185896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-06-08 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JPEG"= JPEGCODE.DLL
"VIDC.MJPG"= JPEGCODE.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
backup=c:\windows\pss\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-12-17 11:28 684032 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--------- 2006-10-23 06:50 71216 c:\program files\Common Files\aol\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\G2]
--a------ 2008-03-03 17:26 1215664 c:\program files\GamingSquared\Gaming2\G2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-20 22:36 1207080 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2007-10-08 15:50 41824 c:\program files\Common Files\aol\1132229713\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector]
--a------ 2003-10-23 05:36 45056 c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0c\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\1132229713\\ee\\aolsoftware.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AOL 9.1a\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\1132229713\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26afe103-36db-11dd-827e-00038a000015}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2007-12-15 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uLocal Page = \blank.htm
uInternet Settings,ProxyOverride = hxxp://localhost;
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 20:14:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-05 20:16:38
ComboFix-quarantined-files.txt 2008-12-06 02:16:24

Pre-Run: 59,257,073,664 bytes free
Post-Run: 59,458,002,944 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

163 --- E O F --- 2008-05-17 04:10:03

[tetonbob]

Please go to: VirusTotal

• On the page you'll find a "Browse" button.
  
• Next to the browse button you'll see a box to enter text.
• Please copy/paste the following:
  
  c:\windows\SYSTEM32\msxml71.dll.upd
  
  
• Then click the "Send File " button just below.
• This will scan the file. Please be patient.
• Once scanned, copy and paste the results in your next reply.

[dburns]

tetonbob the responce of the brouse is "file not found". Ilocked in my computer-c. for c:\windows\SYSTEM32\msxml71.dll.upd Do you have any suggestions? Thanks-Dave

[dburns]

pardon the spelling

[tetonbob]

Hi dburns -

File not found....or a 0 byte return? Were you using Firefox, or Internet Explorer?


Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c Vfind -ltf "%systemdrive%\msxml71.*" >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.

[tetonbob]

Still with me, dburns?

I generally unsubscribe from threads after 7 days of inactivity. If I don't receive a reply from you within 3 days of this post, this topic will be closed.

[dburns]

tetonbob Thanks for staying with me, I am using internet explorer. when I went to run and copy and paste the one line, the c prompt came up. eventually notepad log came up with nothing in it. What should I do now? I did not copy/paste in the virustotal site the same line as in your last reply.

[tetonbob]

I guess the file doesn't exist any longer then.

Go here to run an online scannner from ESET.

• Note: You will need to use Internet explorer for this scan
• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
• Click Scan
• Wait for the scan to finish
• Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
• Copy and paste that log as a reply to this topic and also let me know how things are now.

[dburns]

tetonbob it took me while to get this right. I hope this is of some assistance. and THANKS for yours.

[tetonbob]

Hi Dave -

Just right...

That item found is in a System Restore point, and will be addressed by uninstalling ComboFix as instructed below.

Other than that....

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

• Microsoft Windows Update - http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• Winpatrol
  
  Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.
  
  You can get a free copy of Winpatrol or use the Plus version for more features.
  
  You can read Winpatrol's FAQ if you run into problems.
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    
  • Once updated you should see another prompt that the task was completed.
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  
  Do not install more than one AntiVirus program because they will conflict with each other.
  
  
• Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
  
• http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• How did I get infected in the first place?
• PC Safety and Security--What Do I Need?

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[dburns]

Thank You so much will donate to this site. Thanks Again!

[tetonbob]

Glad to have helped, and thanks for thinking of supporting the forums.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.