WiredWX Christian Hobby Weather Tools
Re: spyware. Ispynow
Okay, I hope that did it!


ComboFix 08-12-01.03 - Kim 2008-12-02 13:26:45.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.270 [GMT -8:00]
Running from: c:\documents and settings\Kim\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-11-28 23:36 . 2004-07-29 20:20 d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-11-28 23:36 . 2004-07-29 20:17 d-------- c:\documents and settings\Administrator\Application Data\Sonic
2008-11-28 23:36 . 2004-07-29 20:19 d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2008-11-28 23:36 . 2008-11-28 23:59 d-------- c:\documents and settings\Administrator
2008-11-12 03:19 . 2008-09-04 09:15 1,106,944 --------- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
2008-11-12 03:19 . 2008-10-24 03:21 455,296 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 21:24 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-02 20:55 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-01 07:48 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-29 06:45 295,424 ----a-w c:\windows\SYSTEM32\termsrv.dll
2008-11-26 06:52 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 22:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\SYSTEM32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\SYSTEM32\muweb.dll
2008-10-15 16:34 337,408 ------w c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-13 02:12 --------- d-----w c:\documents and settings\Kim\Application Data\PlayFirst
2008-10-13 02:11 --------- d-----w c:\documents and settings\All Users\Application Data\NeoEdge Networks
2008-10-12 03:27 --------- d-----w c:\documents and settings\Kim\Application Data\Apple Computer
2008-10-08 05:20 --------- d-----w c:\documents and settings\Kim\Application Data\uTorrent
2008-10-01 00:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\SYSTEM32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\SYSTEM32\DLLCACHE\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\SYSTEM32\msxml3.dll
2006-07-22 06:52 374 ----a-w c:\documents and settings\Kim\USAUser.Dat
2004-12-04 07:16 2,257,633 --sh--w c:\windows\INF\niamteni.bak2
2004-12-04 07:14 2,257,633 --sha-w c:\windows\INF\niamteni.bak1
2004-11-08 21:40 16,706,160 ----a-w c:\program files\AdbeRdr60_enu_full.exe
2004-11-20 04:23 31,720 --sh--w c:\windows\Config\rbalru.bak2
2004-12-04 07:14 2,257,633 --sha-w c:\windows\INF\niamteni.bak1
2004-12-04 07:16 2,257,633 --sh--w c:\windows\INF\niamteni.bak2
2004-11-23 16:45 440,565 --sh--w c:\windows\REPAIR\cvsmnib.bak2
2006-07-05 09:06 848 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 71280]
"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2003-12-11 70800]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-19 286720]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 50688]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a------ 2004-02-19 05:23 61440 c:\dell\BLDBUBG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 08:32 77824 c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 08:35 94208 c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 19:16 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 14:48 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WmdmPmSN"=3 (0x3)
"UPS"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=3 (0x3)
"SCardSvr"=3 (0x3)
"SCardDrv"=3 (0x3)
"NetDDEdsdm"=3 (0x3)
"NetDDE"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Fax"=2 (0x2)
"CiSvc"=3 (0x3)
"ALG"=3 (0x3)
"Alerter"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S0 gjynm;gjynm;c:\windows\system32\drivers\rhhy.sys []
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" []
.
Contents of the 'Scheduled Tasks' folder

2004-08-05 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 16:12]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Kim\Application Data\Mozilla\Firefox\Profiles\r43fy9ju.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\documents and settings\Kim\Application Data\Mozilla\Firefox\Profiles\r43fy9ju.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 13:29:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-02 13:31:31
ComboFix-quarantined-files.txt 2008-12-02 21:30:24
ComboFix2.txt 2008-12-02 20:54:05
ComboFix3.txt 2008-12-02 20:35:57
ComboFix4.txt 2008-12-02 19:41:13

Pre-Run: 45,460,525,056 bytes free
Post-Run: 45,445,476,352 bytes free

156 --- E O F --- 2008-11-13 11:03:15

Re: spyware. Ispynow
Hello.
No, sorry, that isn't it.
The log normally displays Command switches used:: if we used a special way of running combofix.
After you made the CFScript file, did you drag it and drop it on ComboFix? It looks like you made the txt file, but then just double-clicked it to run it.

Re: spyware. Ispynow
Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.
