WiredWX Christian Hobby Weather Tools
Re: spyware. Ispynow
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

Avenger file log....I hope this helps!


*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:


Error: "C:\WINDOWS\SYSTEM32\" is a folder, not a file!
Deletion of file "C:\WINDOWS\SYSTEM32\" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Completed script processing.

*******************

Finished! Terminate.



Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Re: spyware. Ispynow
Did you untick "Scan for rootkits"? Please let me know if you did.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: spyware. Ispynow
I believe I did, but I can do what you asked again, if that helps.

Re: spyware. Ispynow
Hello.
I need you to create a dummy file on your C drive.
Press Start > open "My Computer", then open the C drive.
Right click anywhere in the C drive window and open the "New" menu.
Make a new Text Document, and save it as test.txt.
Now we will have The Avenger delete the dummy file, but it will also show if the TDSSserv rootkit is present.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\test.txt


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Don't tick the box below.
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

............................................................................................

Site Admin / Security Administrator

Re: spyware. Ispynow
Okay, I am 100% sure I did everything right. Thanks again.
Here is the avenger text:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSpqlt.sys
Start Type: 1 (System)

Rootkit scan completed.


Error: file "C:/test.txt" not found!
Deletion of file "C:/test.txt" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Re: spyware. Ispynow
Thanks, that found it; now let's kill it.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to disable:
TDSSserv.sys

Drivers to delete:
TDSSserv.sys

Files to delete:
C:\windows\system32\drivers\TDSSpqlt.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Don't tick the box below.
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

............................................................................................

Site Admin / Security Administrator
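As an added example (not part of this thread, and not code from The Avenger's author), the small Python parser below reads the Avenger log format shown in the posts above and turns it into something a helper can check mechanically: the hidden drivers the rootkit scan reports, with their ImagePath and Start Type, and the per-item outcome of the script (disabled/deleted/failed, plus the NTSTATUS name on a failure). The sample log is constructed to mirror the two runs in this thread, and the line formats the regexes expect are taken from those logs; treating them as the only record shapes Avenger emits is an assumption.

```python
import re

# Record shapes below are copied from the Avenger 2.0 logs posted in this thread.
# Assumption: other Avenger output uses the same wording; anything else is ignored.
HIDDEN_RE = re.compile(r'^Hidden driver "(?P<name>[^"]+)" found!$')
IMAGE_RE = re.compile(r'^ImagePath: (?P<path>.+)$')
START_RE = re.compile(r'^Start Type: (?P<code>\d+) \((?P<label>[^)]*)\)$')
OK_RE = re.compile(r'^(?P<kind>Driver|File|Folder) "(?P<target>[^"]+)" (?P<verb>disabled|deleted) successfully\.$')
FAIL_RE = re.compile(r'^Deletion of (?P<kind>driver|file|folder) "(?P<target>[^"]+)" failed!$')
STATUS_RE = re.compile(r'^Status: (?P<code>0x[0-9a-fA-F]+) \((?P<name>[A-Z0-9_]+)\)$')

# Constructed sample: the rootkit-scan block and the script results from the
# two runs in this thread, merged into one log so every record type appears.
SAMPLE_LOG = r"""Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSpqlt.sys
Start Type: 1 (System)

Rootkit scan completed.


Error: file "C:/test.txt" not found!
Deletion of file "C:/test.txt" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "TDSSserv.sys" disabled successfully.
Driver "TDSSserv.sys" deleted successfully.
File "C:\windows\system32\drivers\TDSSpqlt.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
"""


def parse_avenger_log(text):
    """Return {"hidden_drivers": [...], "actions": [...]} for one Avenger log."""
    hidden, actions = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HIDDEN_RE.match(line):
            hidden.append({"name": m["name"], "image_path": None,
                           "start_type": None, "start_label": None})
        elif (m := IMAGE_RE.match(line)) and hidden:
            # ImagePath / Start Type lines describe the most recent hidden driver
            hidden[-1]["image_path"] = m["path"].strip()
        elif (m := START_RE.match(line)) and hidden:
            hidden[-1]["start_type"] = int(m["code"])
            hidden[-1]["start_label"] = m["label"]
        elif m := OK_RE.match(line):
            actions.append({"kind": m["kind"].lower(), "target": m["target"],
                            "verb": m["verb"], "ok": True, "status": None})
        elif m := FAIL_RE.match(line):
            actions.append({"kind": m["kind"], "target": m["target"],
                            "verb": "deleted", "ok": False, "status": None})
        elif (m := STATUS_RE.match(line)) and actions and not actions[-1]["ok"]:
            # The Status: line after a failure carries the NTSTATUS name
            actions[-1]["status"] = m["name"]
    return {"hidden_drivers": hidden, "actions": actions}


def active_hidden_drivers(parsed):
    """Names of hidden drivers whose start type is not 4 (SERVICE_DISABLED)."""
    return [d["name"] for d in parsed["hidden_drivers"] if d["start_type"] != 4]


def failed_actions(parsed):
    """(target, NTSTATUS name) for every script item that did not succeed."""
    return [(a["target"], a["status"]) for a in parsed["actions"] if not a["ok"]]


if __name__ == "__main__":
    result = parse_avenger_log(SAMPLE_LOG)
    for d in result["hidden_drivers"]:
        print(f'hidden driver {d["name"]} -> {d["image_path"]} '
              f'(start type {d["start_type"]}, {d["start_label"]})')
    print("still active:", active_hidden_drivers(result))
    print("failed items:", failed_actions(result))
```

Run against a real C:\avenger.txt, the two helper functions give the same two answers the helper in this thread reads off by eye: a hidden driver still listed with Start Type 1 (System) means the "Drivers to disable:" step has not taken effect yet, while Start Type 4 (Disabled) matches the second log posted below; and a failed item carrying STATUS_OBJECT_NAME_NOT_FOUND on the dummy file (as in the first run) means the test file was never created at that path, not that Avenger itself failed.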

Re: spyware. Ispynow

Here is the fresh Avenger log file!

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSpqlt.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "TDSSserv.sys" disabled successfully.
Driver "TDSSserv.sys" deleted successfully.
File "C:\windows\system32\drivers\TDSSpqlt.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: spyware. Ispynow
Hello.
The rootkit is gone, so you should be able to get ComboFix going now.

http://www.geekpolice.net/malware-removal-support-hijackthis-logs-f11/spyware-ispynow-t4424.htm#22009

............................................................................................

Site Admin / Security Administrator

Combofix log
ComboFix 08-12-01.03 - Kim 2008-12-02 11:33:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.270 [GMT -8:00]
Running from: c:\documents and settings\Kim\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kim\nah_lman.exe
c:\documents and settings\Kim\nah_log.dat
c:\windows\system32\au3305arc.dll
c:\windows\system32\TDSShrxx.dll
c:\windows\system32\TDSSkkai.log
c:\windows\system32\TDSSlxcp.dll
c:\windows\system32\TDSSmtvd.dat
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSvkql.dll
c:\windows\system32\TDSSxfmm.dll

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NETBIOS_HELPER_SERVICE
-------\Legacy_NETDDEC
-------\Legacy_TDSSSERV.SYS
-------\Service_Netbios Helper Service


((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-11-30 19:33 . 2008-11-30 19:33 d-------- c:\program files\alkjdkljdkljeklje789
2008-11-30 19:20 . 2008-12-01 16:06 d-------- c:\program files\akjsalkjdjd456
2008-11-30 19:19 . 2008-11-30 19:19 d-------- c:\program files\aksdjfl;kadsjlksjdfasdfdd123
2008-11-30 18:07 . 2008-10-22 16:10 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-11-30 18:07 . 2008-10-22 16:10 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-11-28 23:36 . 2004-07-29 20:20 d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-11-28 23:36 . 2004-07-29 20:17 d-------- c:\documents and settings\Administrator\Application Data\Sonic
2008-11-28 23:36 . 2004-07-29 20:19 d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2008-11-28 23:36 . 2008-11-28 23:59 d-------- c:\documents and settings\Administrator
2008-11-12 03:19 . 2008-09-04 09:15 1,106,944 --------- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
2008-11-12 03:19 . 2008-10-24 03:21 455,296 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 19:38 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-01 07:48 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-01 02:01 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-26 06:52 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-13 02:12 --------- d-----w c:\documents and settings\Kim\Application Data\PlayFirst
2008-10-13 02:11 --------- d-----w c:\documents and settings\All Users\Application Data\NeoEdge Networks
2008-10-12 03:27 --------- d-----w c:\documents and settings\Kim\Application Data\Apple Computer
2008-10-08 05:20 --------- d-----w c:\documents and settings\Kim\Application Data\uTorrent
2006-07-22 06:52 374 ----a-w c:\documents and settings\Kim\USAUser.Dat
2004-11-08 21:40 16,706,160 ----a-w c:\program files\AdbeRdr60_enu_full.exe
2004-11-20 04:23 31,720 --sh--w c:\windows\Config\rbalru.bak2
2004-12-04 07:14 2,257,633 --sha-w c:\windows\INF\niamteni.bak1
2004-12-04 07:16 2,257,633 --sh--w c:\windows\INF\niamteni.bak2
2004-11-23 16:45 440,565 --sh--w c:\windows\REPAIR\cvsmnib.bak2
2006-07-05 09:06 848 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 71280]
"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2003-12-11 70800]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-19 286720]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 50688]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a------ 2004-02-19 05:23 61440 c:\dell\BLDBUBG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 08:32 77824 c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 08:35 94208 c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 19:16 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 14:48 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WmdmPmSN"=3 (0x3)
"UPS"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=3 (0x3)
"SCardSvr"=3 (0x3)
"SCardDrv"=3 (0x3)
"NetDDEdsdm"=3 (0x3)
"NetDDE"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Fax"=2 (0x2)
"CiSvc"=3 (0x3)
"ALG"=3 (0x3)
"Alerter"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S0 gjynm;gjynm;c:\windows\system32\drivers\rhhy.sys []
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" []
.
Contents of the 'Scheduled Tasks' folder

2004-08-05 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 16:12]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-LDM - c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\documents and settings\Kim\Desktop\jkakjlsdakljdsfkljsdfkljsfdnew\mbam.exe
MSConfigStartUp-IntelMeM - c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
MSConfigStartUp-mmtask - c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe
MSConfigStartUp-MMTray - c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe
MSConfigStartUp-Symantec NetDriver Monitor - c:\progra~1\SYMNET~1\SNDMon.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Kim\Application Data\Mozilla\Firefox\Profiles\r43fy9ju.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\documents and settings\Kim\Application Data\Mozilla\Firefox\Profiles\r43fy9ju.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 11:37:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Symantec Shared\CCPROXY.EXE
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\windows\wanmpsvc.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe
.
**************************************************************************
.
Completion time: 2008-12-02 11:41:12 - machine was rebooted [Kim]
ComboFix-quarantined-files.txt 2008-12-02 19:41:09

Pre-Run: 45,409,820,672 bytes free
Post-Run: 45,412,864,000 bytes free

177 --- E O F --- 2008-11-13 11:03:15

Re: spyware. Ispynow

Hello.
Just two leftover services to get rid of.

Now open a new notepad file.
Input this into the notepad file:

Driver::
gjynm
Viewpoint Manager Service

DirLook::
c:\program files\alkjdkljdkljeklje789
c:\program files\akjsalkjdjd456
c:\program files\aksdjfl;kadsjlksjdfasdfdd123


Save this as CFScript.txt; save it to your desktop also.
Then drag and drop CFScript.txt onto ComboFix.

This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.

............................................................................................

Site Admin / Security Administrator

Re: spyware. Ispynow
Okay, I hope that did it!


ComboFix 08-12-01.03 - Kim 2008-12-02 13:26:45.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.270 [GMT -8:00]
Running from: c:\documents and settings\Kim\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-11-28 23:36 . 2004-07-29 20:20 d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-11-28 23:36 . 2004-07-29 20:17 d-------- c:\documents and settings\Administrator\Application Data\Sonic
2008-11-28 23:36 . 2004-07-29 20:19 d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2008-11-28 23:36 . 2008-11-28 23:59 d-------- c:\documents and settings\Administrator
2008-11-12 03:19 . 2008-09-04 09:15 1,106,944 --------- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
2008-11-12 03:19 . 2008-10-24 03:21 455,296 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 21:24 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-02 20:55 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-01 07:48 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-29 06:45 295,424 ----a-w c:\windows\SYSTEM32\termsrv.dll
2008-11-26 06:52 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 22:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\SYSTEM32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\SYSTEM32\muweb.dll
2008-10-15 16:34 337,408 ------w c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-13 02:12 --------- d-----w c:\documents and settings\Kim\Application Data\PlayFirst
2008-10-13 02:11 --------- d-----w c:\documents and settings\All Users\Application Data\NeoEdge Networks
2008-10-12 03:27 --------- d-----w c:\documents and settings\Kim\Application Data\Apple Computer
2008-10-08 05:20 --------- d-----w c:\documents and settings\Kim\Application Data\uTorrent
2008-10-01 00:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\SYSTEM32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\SYSTEM32\DLLCACHE\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\SYSTEM32\msxml3.dll
2006-07-22 06:52 374 ----a-w c:\documents and settings\Kim\USAUser.Dat
2004-12-04 07:16 2,257,633 --sh--w c:\windows\INF\niamteni.bak2
2004-12-04 07:14 2,257,633 --sha-w c:\windows\INF\niamteni.bak1
2004-11-08 21:40 16,706,160 ----a-w c:\program files\AdbeRdr60_enu_full.exe
2004-11-20 04:23 31,720 --sh--w c:\windows\Config\rbalru.bak2
2004-12-04 07:14 2,257,633 --sha-w c:\windows\INF\niamteni.bak1
2004-12-04 07:16 2,257,633 --sh--w c:\windows\INF\niamteni.bak2
2004-11-23 16:45 440,565 --sh--w c:\windows\REPAIR\cvsmnib.bak2
2006-07-05 09:06 848 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 71280]
"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2003-12-11 70800]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-19 286720]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 50688]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a------ 2004-02-19 05:23 61440 c:\dell\BLDBUBG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 08:32 77824 c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 08:35 94208 c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 19:16 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 14:48 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WmdmPmSN"=3 (0x3)
"UPS"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=3 (0x3)
"SCardSvr"=3 (0x3)
"SCardDrv"=3 (0x3)
"NetDDEdsdm"=3 (0x3)
"NetDDE"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Fax"=2 (0x2)
"CiSvc"=3 (0x3)
"ALG"=3 (0x3)
"Alerter"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S0 gjynm;gjynm;c:\windows\system32\drivers\rhhy.sys []
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" []
.
Contents of the 'Scheduled Tasks' folder

2004-08-05 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 16:12]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Kim\Application Data\Mozilla\Firefox\Profiles\r43fy9ju.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\documents and settings\Kim\Application Data\Mozilla\Firefox\Profiles\r43fy9ju.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 13:29:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-02 13:31:31
ComboFix-quarantined-files.txt 2008-12-02 21:30:24
ComboFix2.txt 2008-12-02 20:54:05
ComboFix3.txt 2008-12-02 20:35:57
ComboFix4.txt 2008-12-02 19:41:13

Pre-Run: 45,460,525,056 bytes free
Post-Run: 45,445,476,352 bytes free

156 --- E O F --- 2008-11-13 11:03:15

Re: spyware. Ispynow

Hello.
No, sorry, that isn't it.
The log normally displays "Command switches used::" if we used a special way of running ComboFix.
After you made the CFScript file, did you drag it and drop it onto ComboFix? It looks like you made the txt file but then just double-clicked it to run it.

............................................................................................

Site Admin / Security Administrator

Re: spyware. Ispynow
Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.
