at wit's end and need help (Solved)

Re: at wit's end and need help
still won't install... it shows up in the Task Manager but isn't doing anything.

next?

Re: at wit's end and need help
wait... you said that it should open 2 cmd windows... it pops one open and closes it and the one that stays open is showing c:docs and settings\owner\desktop

that doesn't sound right

Re: at wit's end and need help
I bet it blocks this website too.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
D:\autorun.inf


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

Re: at wit's end and need help
you got it... blocked! is there anywhere else the file can be downloaded from? maybe a site that won't be recognized and blocked?

Re: at wit's end and need help
Thank you.
I know what's going on now though.
Uploaded to here:

http://www.sendspace.com/file/ul6425

Re: at wit's end and need help
hmmm.... the page loaded, but it's stuck on
Download Link: Please wait... link is loading...

Re: at wit's end and need help
refreshed and it came up

wish me luck

Re: at wit's end and need help
Looks like you're onto something here! The first bit of success I've had in trying to deal with this. Here's the log file:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSrvdc.sys
Driver disabled successfully.

Rootkit scan completed.


Error: file "D:\autorun.inf" not found!
Deletion of file "D:\autorun.inf" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

Re: at wit's end and need help
Hooray! Hooray!

The rootkit has been disabled.


  • Download combofix from here, use the top links - combofix.exe
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [screenshot]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select yes

    [screenshot]

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: at wit's end and need help
here's the report in parts.

ComboFix 08-12-12.05 - Owner 2008-12-13 15:18:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.507 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\TDSSkfkl.dll
c:\windows\system32\TDSSqrdn.log
c:\windows\system32\TDSSweat.dat
c:\windows\system32\TDSSxehr.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-13 to 2008-12-13 )))))))))))))))))))))))))))))))
.

2008-12-13 15:13 . 2008-12-13 15:14 d-------- C:\32788R22FWJFW
2008-12-12 22:01 . 2008-04-13 18:11 1,689,088 ---h---t- c:\windows\system32\e207c46.dll
2008-12-12 22:01 . 2008-04-13 18:11 1,689,088 ---h---t- c:\windows\system32\7dea562.dll
2008-12-12 22:01 . 2008-04-13 18:12 82,432 ---h---t- c:\windows\system32\d0c960a.dll
2008-12-12 22:01 . 2008-04-13 18:12 82,432 ---h---t- c:\windows\system32\175dfb5d.dll
2008-12-12 20:35 . 2008-12-12 20:35 d-------- c:\documents and settings\Owner\Application Data\InterMute
2008-12-11 21:38 . 2008-12-11 21:40 d-------- c:\documents and settings\Owner\Application Data\Uniblue
2008-12-11 21:37 . 2008-12-11 21:37 d-------- c:\program files\Uniblue
2008-12-11 19:09 . 2008-12-11 19:09 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-11 19:09 . 2008-12-11 19:09 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-11 19:09 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-11 19:09 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-11 19:07 . 2006-06-30 23:30 d-------- c:\documents and settings\Administrator.REDDWARF\WINDOWS
2008-12-11 19:07 . 2007-11-09 22:13 d-------- c:\documents and settings\Administrator.REDDWARF\Application Data\Symantec
2008-12-11 19:07 . 2007-11-20 16:50 d-------- c:\documents and settings\Administrator.REDDWARF\Application Data\Spare Backup
2008-12-11 19:07 . 2007-11-09 22:11 d-------- c:\documents and settings\Administrator.REDDWARF\Application Data\SampleView
2008-12-11 19:07 . 2008-05-17 16:17 d-------- c:\documents and settings\Administrator.REDDWARF\Application Data\Gtek
2008-12-11 19:07 . 2008-12-11 19:07 d-------- c:\documents and settings\Administrator.REDDWARF
2008-12-11 14:36 . 2007-07-03 11:53 24,576 --a------ c:\windows\system32\BAZLib.dll
2008-12-11 14:26 . 2008-12-11 14:26 d-------- c:\documents and settings\All Users\Application Data\Ascentive
2008-12-11 14:03 . 2008-12-11 19:50 d-------- c:\program files\Ascentive
2008-12-11 14:03 . 2008-05-16 10:41 208,896 --a------ c:\windows\system32\ConTest.dll
2008-12-11 14:03 . 2008-08-20 17:44 45,056 --a------ c:\windows\system32\CreateLog.dll
2008-12-11 14:03 . 2007-07-03 11:48 36,864 --a------ c:\windows\system32\ascbalon.dll
2008-12-11 14:03 . 2007-07-03 11:48 20,480 --a------ c:\windows\system32\SysRestore.dll
2008-12-05 20:22 . 2008-12-05 20:22 d-------- c:\program files\Symantec
2008-12-05 20:22 . 2008-12-05 20:22 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-05 20:22 . 2008-12-05 20:22 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-05 20:22 . 2008-12-05 20:22 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-12-05 20:22 . 2008-12-05 20:22 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-05 20:22 . 2008-12-05 20:22 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-05 20:21 . 2008-12-05 20:21 d-------- c:\windows\system32\drivers\NIS
2008-12-05 20:21 . 2008-12-05 20:21 d-------- c:\program files\Windows Sidebar
2008-12-05 20:21 . 2008-12-05 20:21 d-------- c:\program files\Norton Internet Security
2008-12-05 20:21 . 2008-12-05 20:22 d-------- c:\documents and settings\All Users\Application Data\Norton
2008-12-05 20:16 . 2008-12-05 20:21 d-------- c:\program files\NortonInstaller
2008-12-05 20:16 . 2008-12-05 20:16 d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-04 21:44 . 2008-12-04 22:00 d-------- c:\program files\Browser Hijack Recover
2008-12-04 21:44 . 2008-12-04 21:44 0 --a------ c:\windows\system32\8104297.jun
2008-12-04 21:05 . 2008-12-04 21:05 0 --a------ c:\windows\nsreg.dat
2008-12-03 14:39 . 2008-12-03 19:48 d-------- c:\program files\Windows Live Safety Center
2008-12-01 20:22 . 2008-12-01 20:22 d-------- c:\program files\Webroot
2008-12-01 20:22 . 2008-12-01 20:22 d-------- c:\documents and settings\Owner\Application Data\Webroot
2008-12-01 20:22 . 2008-12-01 20:22 d-------- c:\documents and settings\All Users\Application Data\Webroot
2008-12-01 20:22 . 2008-11-13 17:11 1,553,272 --a------ c:\windows\WRSetup.dll
2008-12-01 16:02 . 2008-12-01 16:02 d-------- c:\program files\Windows Defender
2008-12-01 08:37 . 2008-12-01 08:37 d-------- c:\program files\Microsoft Silverlight
2008-12-01 07:27 . 2008-12-01 07:27 d-------- c:\program files\Safer Networking
2008-12-01 07:23 . 2008-12-01 07:23 d-------- c:\program files\interMute
2008-12-01 07:23 . 2008-12-12 20:35 2,154 --a------ c:\windows\system32\ssmute.ini
2008-12-01 06:58 . 2008-12-01 06:58 d-------- c:\documents and settings\Owner\Application Data\AdwareAlert
2008-11-16 20:59 . 2008-11-16 20:59 d-------- C:\NVIDIA
2008-11-16 20:59 . 2008-10-07 13:33 201,157 --a------ c:\windows\system32\nvapps.nvb
2008-11-16 20:48 . 2008-11-16 20:48 d-------- c:\program files\SystemRequirementsLab
2008-11-16 15:40 . 2008-10-24 05:21 455,296 --a--c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-16 15:39 . 2008-09-04 11:15 1,106,944 --a--c--- c:\windows\system32\dllcache\msxml3.dll

Re: at wit's end and need help
and the rest:

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 19:39 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
2008-12-12 03:43 --------- d-----w c:\program files\Slingo Quest Hawaii
2008-12-12 03:43 --------- d-----w c:\program files\eBay
2008-12-12 01:50 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-12 00:49 --------- d-----w c:\documents and settings\Owner\Application Data\mIRC
2008-12-12 00:05 --------- d-----w c:\program files\mIRC
2008-12-10 03:13 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-06 02:24 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-06 02:23 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-04 02:23 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-01 14:12 --------- d-----w c:\program files\Google
2008-12-01 13:58 --------- d-----w c:\program files\Philips
2008-12-01 13:58 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-12 22:02 29,808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2008-11-12 22:02 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2008-11-12 22:02 170,608 ----a-w c:\windows\system32\drivers\ssidrv.sys
2008-11-10 06:12 --------- d-----w c:\program files\ICQ6
2008-11-04 23:17 --------- d-----w c:\program files\WinAce
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-06-04 21:30 0 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2007-11-10 04:36 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-06-06 50528]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SpySubtract.lnk - c:\program files\interMute\SpySubtract\SpySub.exe [2008-12-01 1187840]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= "c:\program files\interMute\SpySubtract\sshook.dll" [2008-12-01 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield Vietnam\\bfvietnam_w32ded.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Outspark\\Blackshot\\System\\BlackShot.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-11-12 29808]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1001000.021\SYMEFA.SYS [2008-12-05 309296]
R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NIS\1001000.021\BHDrvx86.sys [2008-12-05 255536]
R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\NIS\1001000.021\ccHPx86.sys [2008-12-05 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081210.002\IDSxpx86.sys [2008-12-13 274808]
R2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-05 99376]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\DRIVERS\el575nd5.sys [2006-06-30 69692]
S3 XDva207;XDva207;\??\c:\windows\system32\XDva207.sys []
S3 XDva208;XDva208;\??\c:\windows\system32\XDva208.sys []
S4 Viewpoint Manager Service;Viewpoint Manager Service; []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5229887d-8f3f-11dc-8e1c-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-12-13 c:\windows\Tasks\AdwareAlert Scheduled Scan.job
- c:\program files\AdwareAlert\AdwareAlert.exe []

2008-12-13 c:\windows\Tasks\AdwareAlert Scheduled Scan.job
- c:\program files\AdwareAlert []

2008-12-13 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 22:23]

2008-12-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-12-13 c:\windows\Tasks\Norton Internet Security - Owner - Full System Scan.job
- c:\program files\Norton Internet Security\Engine\16.1.0.33\Navw32.exe [2008-12-05 20:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mWindow Title =
uInternet Settings,ProxyOverride =

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd

c:\windows\Downloaded Program Files\OberonGameHost.dll - O16 -: {D0C0F75C-683A-4390-A791-1ACFD5599AB8}
hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
c:\windows\Downloaded Program Files\OberonGameHost_dbg.inf
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgi2uebm.default\
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-13 15:22:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2928)
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
.
**************************************************************************
.
Completion time: 2008-12-13 15:28:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-13 21:27:53

Pre-Run: 119,436,730,368 bytes free
Post-Run: 119,561,261,056 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

229 --- E O F --- 2008-12-12 19:51:59

Re: at wit's end and need help
Hello.

Press Start > Control Panel > open "Add/remove programs"
Allow the list to load and uninstall these items by selecting each one and pressing the "Remove" button to the right.

SpySubtract


Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
ssfs0bbc
Viewpoint Manager Service

File::
c:\windows\system32\DRIVERS\ssfs0bbc.sys
c:\windows\Tasks\AdwareAlert Scheduled Scan.job
c:\windows\Tasks\AdwareAlert Scheduled Scan.job
c:\windows\system32\e207c46.dll
c:\windows\system32\7dea562.dll
c:\windows\system32\d0c960a.dll
c:\windows\system32\175dfb5d.dll

Folder::
c:\documents and settings\Owner\Application Data\InterMute
c:\program files\interMute

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5229887d-8f3f-11dc-8e1c-806d6172696f}]


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[screenshot]

This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.
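To show what the CFScript above is reacting to, here is an added triage script (my example, not the thread's, ComboFix's or The Avenger's code) that scans a ComboFix-style log for the four indicator types this thread acted on: hidden, temporary, hex-named DLLs dropped into system32; Security Center override values; service entries that ComboFix printed with an empty [] because it found no file behind them; and a cached AutoRun command under MountPoints2. The sample log is constructed from lines of the shape posted above, and the column layout it parses (attribute field positions, the `start name;display;path [info]` service line) is inferred from that log rather than taken from any ComboFix documentation, so treat it as an assumption.

```python
"""Triage a ComboFix-style log for the indicators this thread acted on.

Added example; not part of the thread, of ComboFix or of The Avenger.
The column layout (attribute field positions, service-line format) is
inferred from the log posted above and is an assumption; the sample log
below is constructed from lines of that shape.
"""
import re
from typing import List, Tuple

# Constructed sample, modelled on the ComboFix output in this thread.
SAMPLE_LOG = r"""
2008-12-12 22:01 . 2008-04-13 18:11 1,689,088 ---h---t- c:\windows\system32\e207c46.dll
2008-12-11 19:09 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-11-12 29808]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S3 XDva207;XDva207;\??\c:\windows\system32\XDva207.sys []
S4 Viewpoint Manager Service;Viewpoint Manager Service; []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5229887d-8f3f-11dc-8e1c-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
"""

# "Files Created" entries: created . modified size attributes path
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d ([\d,]+) ([-a-z]{9}) (.+)$"
)
KEY_RE = re.compile(r"^\[-?(.+)\]$")            # registry key header; [-...] means delete
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')      # "name"=data
SERVICE_RE = re.compile(r"^([RS]\d) (.+?);(.*?);(.*?) \[(.*?)\]$")  # R0 name;display;path [info]
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,8}\.dll$", re.IGNORECASE)   # e207c46.dll, 175dfb5d.dll

Finding = Tuple[str, str]


def triage(log_text: str) -> List[Finding]:
    """Return (category, detail) pairs for log lines that merit a second look."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue

        m = FILE_RE.match(line)
        if m:
            _size, attrs, path = m.groups()
            name = path.rsplit("\\", 1)[-1]
            # Column 4 is the hidden bit and column 8 the temporary bit of the
            # 9-character attribute field (assumed from the thread's log). A hidden,
            # temporary, hex-named DLL sitting directly in system32 is the pattern
            # the TDSS cleanup above removed.
            if attrs[3] == "h" and attrs[7] == "t" and "\\system32\\" in path.lower() \
                    and HEX_NAME_RE.match(name):
                findings.append(("hidden-temp-dll", path))
            continue

        m = VALUE_RE.match(line)
        if m:
            name, data = m.groups()
            # Security Center overrides silence the "no antivirus" warnings; malware
            # and some third-party suites both set them, so a human has to decide.
            if "security center" in current_key and data.lower() == "dword:00000001" \
                    and name in ("AntiVirusOverride", "DisableMonitoring"):
                findings.append(("security-center-override", current_key + "\\" + name))
            continue

        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, path, info = m.groups()
            # ComboFix printed [] where it found no file behind the service entry:
            # an orphaned registration (XDva*, Viewpoint) or a path it could not read.
            if not info.strip():
                findings.append(("service-no-file-info", f"{start} {name} -> {path or '(no path)'}"))
            continue

        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in current_key:
            # A per-volume AutoRun command cached under MountPoints2 re-launches
            # whatever autorun.inf pointed at when the drive is opened in Explorer.
            findings.append(("mountpoints2-autorun", m.group(1)))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:28} {detail}")
```

Treat the output as review prompts, not a removal list: deciding which of these entries to script out is the judgement the helper made by hand above, and a legitimate product can produce the same lines (a third-party suite registering with Security Center looks identical to malware doing it).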

Re: at wit's end and need help
log part 1:

ComboFix 08-12-12.05 - Owner 2008-12-13 18:05:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.489 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\InHere\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\InHere\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\175dfb5d.dll
c:\windows\system32\7dea562.dll
c:\windows\system32\d0c960a.dll
c:\windows\system32\DRIVERS\ssfs0bbc.sys
c:\windows\system32\e207c46.dll
c:\windows\Tasks\AdwareAlert Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\InterMute
c:\documents and settings\Owner\Application Data\InterMute\SpySubtract\tmp\3
c:\documents and settings\Owner\Application Data\InterMute\SpySubtract\tmp\3.ldb
c:\program files\interMute
c:\program files\interMute\SpySubtract\CWShredder.exe
c:\program files\interMute\SpySubtract\CWSInstall.exe
c:\program files\interMute\SpySubtract\en-us.dll
c:\program files\interMute\SpySubtract\Help\en-us.chm
c:\program files\interMute\SpySubtract\IMReport.exe
c:\program files\interMute\SpySubtract\Install.log
c:\program files\interMute\SpySubtract\readme.txt
c:\program files\interMute\SpySubtract\Sounds\Pinball\cl2.wav
c:\program files\interMute\SpySubtract\Sounds\Pinball\cl3.wav
c:\program files\interMute\SpySubtract\Sounds\Pinball\cl4.wav
c:\program files\interMute\SpySubtract\Sounds\Pinball\cld.wav
c:\program files\interMute\SpySubtract\Sounds\Pinball\sc1.wav
c:\program files\interMute\SpySubtract\Sounds\Pinball\sc11.wav
c:\program files\interMute\SpySubtract\Sounds\Pinball\sc2.wav
c:\program files\interMute\SpySubtract\Sounds\Pinball\sc3.wav
c:\program files\interMute\SpySubtract\Sounds\Pinball\sc4.wav
c:\program files\interMute\SpySubtract\Sounds\Pinball\sc5.wav
c:\program files\interMute\SpySubtract\Sounds\Pinball\sc6.wav
c:\program files\interMute\SpySubtract\Sounds\Pinball\scd.wav
c:\program files\interMute\SpySubtract\Sounds\Tomcat\cl2.wav
c:\program files\interMute\SpySubtract\Sounds\Tomcat\cl3.wav
c:\program files\interMute\SpySubtract\Sounds\Tomcat\cl4.wav
c:\program files\interMute\SpySubtract\Sounds\Tomcat\cld.wav
c:\program files\interMute\SpySubtract\Sounds\Tomcat\sc1.wav
c:\program files\interMute\SpySubtract\Sounds\Tomcat\sc10.wav
c:\program files\interMute\SpySubtract\Sounds\Tomcat\sc11.wav
c:\program files\interMute\SpySubtract\Sounds\Tomcat\sc12.wav
c:\program files\interMute\SpySubtract\Sounds\Tomcat\sc3.wav
c:\program files\interMute\SpySubtract\Sounds\Tomcat\sc4.wav
c:\program files\interMute\SpySubtract\Sounds\Tomcat\sc6.wav
c:\program files\interMute\SpySubtract\Sounds\Tomcat\sc7.wav
c:\program files\interMute\SpySubtract\Sounds\Tomcat\sc8.wav
c:\program files\interMute\SpySubtract\Sounds\Tomcat\scd.wav
c:\program files\interMute\SpySubtract\SpUninst.exe
c:\program files\interMute\SpySubtract\SpySub.exe
c:\program files\interMute\SpySubtract\SpySubtract.log
c:\program files\interMute\SpySubtract\spyware.dat
c:\program files\interMute\SpySubtract\ssengine.dll
c:\program files\interMute\SpySubtract\sshook.dll
c:\program files\interMute\SpySubtract\Themes\Default\bg_common.bmp
c:\program files\interMute\SpySubtract\Themes\Default\bg_main.bmp
c:\program files\interMute\SpySubtract\Themes\Default\bg_messagedlg.bmp
c:\program files\interMute\SpySubtract\Themes\Default\btn_activate.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_add.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_allow.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_bigdelete.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_bighelp.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_bigupdates.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_buy.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_cancel.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_clean.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_cleanprivacy.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_clear.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_config.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_cws.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_dbupdate.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_deny.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_details.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_feedback.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_help.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_home.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_ok.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_options.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_remove.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_restore.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_save.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_scan.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_selecttoggle.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_start.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_stop.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_updates.ico
c:\program files\interMute\SpySubtract\Themes\Default\btn_viewlog.ico
c:\program files\interMute\SpySubtract\Themes\Default\copyright.bmp
c:\program files\interMute\SpySubtract\Themes\Default\DetailsTemplate.htm
c:\program files\interMute\SpySubtract\Themes\Default\icon_check_blank.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_check_finished.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_check_off.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_check_on.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_check_working.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_config_adv_scanners.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_config_cleaning.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_config_general.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_config_scanner.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_config_scanners.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_config_scheduling.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_config_sounds.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_msg_bad.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_msg_error.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_msg_good.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_msg_info.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_msg_question.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_msg_uncertain.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_msg_verybad.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_msg_warning.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_scanner_cookie.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_scanner_folder.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_scanner_none.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_scanner_process.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_scanner_regykey.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_scanner_regyval.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_scanner_shortcutlink.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_scanner_suspect.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_scanner_winfile.bmp
c:\program files\interMute\SpySubtract\Themes\Default\icon_threat_3.bmp
c:\program files\interMute\SpySubtract\Themes\Default\ProductLogo.bmp
c:\program files\interMute\SpySubtract\Themes\Default\splash.bmp
c:\program files\interMute\SpySubtract\Themes\Default\SplashBASIC.bmp
c:\program files\interMute\SpySubtract\Themes\Default\SplashPRO.bmp
c:\program files\interMute\SpySubtract\Themes\Default\theme.ini
c:\program files\interMute\SpySubtract\usrwl.dat
c:\program files\interMute\SpySubtract\WebRegister.exe
c:\windows\system32\175dfb5d.dll
c:\windows\system32\7dea562.dll
c:\windows\system32\d0c960a.dll
c:\windows\system32\DRIVERS\ssfs0bbc.sys
c:\windows\system32\e207c46.dll
c:\windows\Tasks\AdwareAlert Scheduled Scan.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSFS0BBC
-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_ssfs0bbc
-------\Service_Viewpoint Manager Service

Re: at wit's end and need help
and part 2:

((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.

2008-12-13 18:04 . 2008-12-13 18:13 d-------- C:\ComboFix
2008-12-13 18:02 . 2008-12-13 18:02 d--hs---- C:\RECYCLER
2008-12-13 16:36 . 2008-12-13 16:36 d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-12-13 15:16 . 2008-12-13 15:16 drahs---- C:\cmdcons
2008-12-13 15:14 . 2008-12-13 18:10 d-------- C:\Qoobox
2008-12-13 14:54 . 2008-12-13 14:55 d-------- C:\Avenger
2008-12-12 21:11 . 939,053,056 C:\hiberfil.sys
2008-12-11 21:38 . 2008-12-11 21:40 d-------- c:\documents and settings\Owner\Application Data\Uniblue
2008-12-11 21:37 . 2008-12-11 21:37 d-------- c:\program files\Uniblue
2008-12-11 19:09 . 2008-12-11 19:09 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-11 19:09 . 2008-12-11 19:09 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-11 19:09 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-11 19:09 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-11 19:07 . 2006-06-30 23:30 d-------- c:\documents and settings\Administrator.REDDWARF\WINDOWS
2008-12-11 19:07 . 2007-11-09 22:13 d-------- c:\documents and settings\Administrator.REDDWARF\Application Data\Symantec
2008-12-11 19:07 . 2007-11-20 16:50 d-------- c:\documents and settings\Administrator.REDDWARF\Application Data\Spare Backup
2008-12-11 19:07 . 2007-11-09 22:11 d-------- c:\documents and settings\Administrator.REDDWARF\Application Data\SampleView
2008-12-11 19:07 . 2008-05-17 16:17 d-------- c:\documents and settings\Administrator.REDDWARF\Application Data\Gtek
2008-12-11 19:07 . 2008-12-11 19:07 d-------- c:\documents and settings\Administrator.REDDWARF
2008-12-11 14:36 . 2007-07-03 11:53 24,576 --a------ c:\windows\system32\BAZLib.dll
2008-12-11 14:26 . 2008-12-11 14:26 d-------- c:\documents and settings\All Users\Application Data\Ascentive
2008-12-11 14:03 . 2008-12-11 19:50 d-------- c:\program files\Ascentive
2008-12-11 14:03 . 2008-05-16 10:41 208,896 --a------ c:\windows\system32\ConTest.dll
2008-12-11 14:03 . 2008-08-20 17:44 45,056 --a------ c:\windows\system32\CreateLog.dll
2008-12-11 14:03 . 2007-07-03 11:48 36,864 --a------ c:\windows\system32\ascbalon.dll
2008-12-11 14:03 . 2007-07-03 11:48 20,480 --a------ c:\windows\system32\SysRestore.dll
2008-12-05 20:22 . 2008-12-05 20:22 d-------- c:\program files\Symantec
2008-12-05 20:22 . 2008-12-05 20:22 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-05 20:22 . 2008-12-05 20:22 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-05 20:22 . 2008-12-05 20:22 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-12-05 20:22 . 2008-12-05 20:22 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-05 20:22 . 2008-12-05 20:22 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-05 20:21 . 2008-12-05 20:21 d-------- c:\windows\system32\drivers\NIS
2008-12-05 20:21 . 2008-12-05 20:21 d-------- c:\program files\Windows Sidebar
2008-12-05 20:21 . 2008-12-05 20:21 d-------- c:\program files\Norton Internet Security
2008-12-05 20:21 . 2008-12-05 20:22 d-------- c:\documents and settings\All Users\Application Data\Norton
2008-12-05 20:16 . 2008-12-05 20:21 d-------- c:\program files\NortonInstaller
2008-12-05 20:16 . 2008-12-05 20:16 d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-04 21:44 . 2008-12-04 22:00 d-------- c:\program files\Browser Hijack Recover
2008-12-04 21:44 . 2008-12-04 21:44 0 --a------ c:\windows\system32\8104297.jun
2008-12-04 21:05 . 2008-12-04 21:05 0 --a------ c:\windows\nsreg.dat
2008-12-03 19:49 . 2008-12-11 19:52 d--h----- C:\Config.Msi
2008-12-03 14:39 . 2008-12-03 19:48 d-------- c:\program files\Windows Live Safety Center
2008-12-01 20:22 . 2008-12-01 20:22 d-------- c:\program files\Webroot
2008-12-01 20:22 . 2008-12-01 20:22 d-------- c:\documents and settings\Owner\Application Data\Webroot
2008-12-01 20:22 . 2008-12-01 20:22 d-------- c:\documents and settings\All Users\Application Data\Webroot
2008-12-01 20:22 . 2008-11-13 17:11 1,553,272 --a------ c:\windows\WRSetup.dll
2008-12-01 16:02 . 2008-12-01 16:02 d-------- c:\program files\Windows Defender
2008-12-01 08:37 . 2008-12-01 08:37 d-------- c:\program files\Microsoft Silverlight
2008-12-01 07:27 . 2008-12-01 07:27 d-------- c:\program files\Safer Networking
2008-12-01 07:23 . 2008-12-12 20:35 2,154 --a------ c:\windows\system32\ssmute.ini
2008-12-01 06:58 . 2008-12-01 06:58 d-------- c:\documents and settings\Owner\Application Data\AdwareAlert
2008-11-16 20:59 . 2008-11-16 20:59 d-------- C:\NVIDIA
2008-11-16 20:59 . 2008-11-16 20:59 d-------- C:\NVIDIA
2008-11-16 20:59 . 2008-10-07 13:33 201,157 --a------ c:\windows\system32\nvapps.nvb
2008-11-16 20:48 . 2008-11-16 20:48 d-------- c:\program files\SystemRequirementsLab
2008-11-16 15:40 . 2008-10-24 05:21 455,296 --a--c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-16 15:39 . 2008-09-04 11:15 1,106,944 --a--c--- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 19:39 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
2008-12-12 03:43 --------- d-----w c:\program files\Slingo Quest Hawaii
2008-12-12 03:43 --------- d-----w c:\program files\eBay
2008-12-12 01:50 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-12 00:49 --------- d-----w c:\documents and settings\Owner\Application Data\mIRC
2008-12-12 00:05 --------- d-----w c:\program files\mIRC
2008-12-10 03:13 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-06 02:24 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-06 02:23 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-04 02:23 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-01 14:12 --------- d-----w c:\program files\Google
2008-12-01 13:58 --------- d-----w c:\program files\Philips
2008-12-01 13:58 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-12 22:02 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2008-11-12 22:02 170,608 ----a-w c:\windows\system32\drivers\ssidrv.sys
2008-11-10 06:12 --------- d-----w c:\program files\ICQ6
2008-11-04 23:17 --------- d-----w c:\program files\WinAce
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-02 16:07 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-06-04 21:30 0 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2007-11-10 04:36 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-13_15.27.24.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-14 00:12:01 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_224.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-06-06 50528]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield Vietnam\\bfvietnam_w32ded.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Outspark\\Blackshot\\System\\BlackShot.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1001000.021\SYMEFA.SYS [2008-12-05 309296]
R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NIS\1001000.021\BHDrvx86.sys [2008-12-05 255536]
R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\NIS\1001000.021\ccHPx86.sys [2008-12-05 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081210.002\IDSxpx86.sys [2008-12-13 274808]
R2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-05 99376]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\DRIVERS\el575nd5.sys [2006-06-30 69692]
S3 XDva207;XDva207;\??\c:\windows\system32\XDva207.sys []
S3 XDva208;XDva208;\??\c:\windows\system32\XDva208.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-12-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-12-13 c:\windows\Tasks\Norton Internet Security - Owner - Full System Scan.job
- c:\program files\Norton Internet Security\Engine\16.1.0.33\Navw32.exe [2008-12-05 20:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mWindow Title =
uInternet Settings,ProxyOverride =

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd

c:\windows\Downloaded Program Files\OberonGameHost.dll - O16 -: {D0C0F75C-683A-4390-A791-1ACFD5599AB8}
hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
c:\windows\Downloaded Program Files\OberonGameHost_dbg.inf
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgi2uebm.default\
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-13 18:10:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
.
**************************************************************************
.
Completion time: 2008-12-13 18:15:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-14 00:15:42
ComboFix2.txt 2008-12-13 21:28:04

Pre-Run: 119,532,777,472 bytes free
Post-Run: 119,496,990,720 bytes free

353 --- E O F --- 2008-12-12 19:51:59
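The two posts above are the poster's ComboFix log, split in half. The script below is an added example (editor's code, not ComboFix's, not the poster's, and not part of the original thread) that runs over a constructed excerpt modelled on that log: the REGEDIT4 "Reg Loading Points" block, the R/S driver-service list, and the bare file paths from the deletion list. It pulls out the three things a responder reads first here: Security Center monitoring switched off (AntiVirusOverride / DisableMonitoring set to 1), services whose image line ends in an empty `[]` (the XDva207/XDva208 entries), and hex-named DLLs in system32. The heuristics, including the reading of a trailing `[]` as "no date/size recorded", are the editor's assumptions, not rules from the tool, and the Security Center check needs a caveat: a legitimately installed suite such as Norton sets DisableMonitoring under its own subkey, so those are review items, not verdicts.

```python
"""Triage a ComboFix-style log: parse the 'Reg Loading Points' REGEDIT4 block,
the R/S driver-service list and bare file paths, then flag what a responder
reads first. Added example for this thread; not ComboFix's or the poster's
code. The heuristics are the editor's assumptions, not rules from the tool."""
import re
from typing import Dict, List, Optional

# Constructed excerpt modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
c:\windows\system32\175dfb5d.dll
c:\windows\system32\7dea562.dll
c:\windows\system32\DRIVERS\ssfs0bbc.sys
c:\windows\Tasks\AdwareAlert Scheduled Scan.job

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton Internet Security" []
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\DRIVERS\el575nd5.sys [2006-06-30 69692]
S3 XDva207;XDva207;\??\c:\windows\system32\XDva207.sys []
S3 XDva208;XDva208;\??\c:\windows\system32\XDva208.sys []
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
_SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# Short all-hex basename directly under system32 (175dfb5d.dll style).
_HEX_DLL_RE = re.compile(r"\\system32\\[0-9a-f]{6,8}\.dll$", re.IGNORECASE)


def parse_reg_blocks(text: str) -> Dict[str, Dict[str, str]]:
    """REGEDIT4 section -> {key_path: {value_name: raw_value}}.
    Values stay raw: 'dword:00000001' or '"path" [date size]'."""
    blocks: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        line = line.strip()
        key = _KEY_RE.match(line)
        if key:
            current = blocks.setdefault(key.group("key"), {})
            continue
        value = _VALUE_RE.match(line)
        if value and current is not None:
            current[value.group("name")] = value.group("value")
    return blocks


def security_center_overrides(blocks: Dict[str, Dict[str, str]]) -> List[str]:
    """Security Center values that silence AV/firewall status reporting.
    Caveat: a real third-party suite sets DisableMonitoring under its own
    product subkey, so these are review items, not a verdict on their own."""
    hits = []
    for key, values in blocks.items():
        if "security center" not in key.lower():
            continue
        for name in ("AntiVirusOverride", "FirewallOverride", "DisableMonitoring"):
            if values.get(name, "").lower() == "dword:00000001":
                hits.append(f"{key}\\{name}")
    return sorted(hits)


def services_without_file(text: str) -> List[str]:
    """Service/driver names whose line ends in a bare '[]', i.e. no date/size
    was recorded for the image. Quoted command lines (ccSvcHst.exe with
    arguments) also end in '[]' because the tool cannot stat them; those are
    skipped, since that is not evidence the file is missing."""
    hits = []
    for line in text.splitlines():
        svc = _SERVICE_RE.match(line.strip())
        if not svc or not svc.group("rest").endswith("[]"):
            continue
        if svc.group("rest").startswith('"'):
            continue
        hits.append(svc.group("name"))
    return hits


def hex_named_dlls(text: str) -> List[str]:
    """Bare system32 paths whose basename is a generated-looking hex string."""
    return [line.strip() for line in text.splitlines() if _HEX_DLL_RE.search(line.strip())]


def triage(text: str) -> Dict[str, List[str]]:
    """One pass over the log text; each list is a review queue for the responder."""
    blocks = parse_reg_blocks(text)
    return {
        "security_center": security_center_overrides(blocks),
        "services_no_file": services_without_file(text),
        "hex_dlls": hex_named_dlls(text),
        "run_keys": sorted(k for k in blocks if k.lower().endswith("\\run")),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

To use it on a real case, read the saved log text and pass it to `triage()`; the Run-key block it returns is the list to walk entry by entry, since the flagged Security Center values say only that status reporting was turned off, not by whom.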

Re: at wit's end and need help
As you can see by the log, I missed the part about removing SpySubtract first... seems that it was taken care of anyway.
