Iexplore.exe virus....please help!!!
  #21  
Old 22nd Sep 2008, 17:48
New Member Group
 
s
  #22  
Old 22nd Sep 2008, 17:49
New Member Group
 
Double post
  #23  
Old 22nd Sep 2008, 17:59
Moderator Group
 
Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

File::
C:\WINDOWS\msdownld.tmp
C:\WINDOWS\TEMP\x0pf4t4p.TMP

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
__________________

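Before dropping a CFScript onto ComboFix it is worth reading back exactly what it will do, because a typo in a File:: or Registry:: line deletes whatever the typo names. The following dry-run parser is an added example, not ComboFix's own code: it reads the script posted above (reproduced as the sample input) and lists the planned actions. The handling of KillAll::, File:: and Registry:: with the REGEDIT4 `[-KEY]` delete form follows the script above; the Folder:: directive and the `"name"=-` value-deletion form are assumed from the same format conventions, and the list of directories that trigger a warning is the author's choice.

```python
"""Dry-run parser for a ComboFix CFScript (added example, not ComboFix code).

A CFScript is plain text made of "Directive::" headers, each followed by the
lines it applies to until the next header. The thread uses KillAll:: (stop
running processes first), File:: (delete these files) and Registry:: (apply
these REGEDIT4-style entries). Folder:: and the "name"=- value-deletion form
are assumed from the same conventions.
"""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^([A-Za-z]+)::\s*$")
REG_KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$", re.IGNORECASE)
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Assumption: deletions under these directories deserve a second look, because a
# wrong entry here removes a legitimate system component rather than a temp file.
SENSITIVE_DIRS = ("\\windows\\system32\\", "\\program files\\common files\\")

# The script posted in the thread, reproduced here as the sample input.
SAMPLE_SCRIPT = r"""KillAll::

File::
C:\WINDOWS\msdownld.tmp
C:\WINDOWS\TEMP\x0pf4t4p.TMP

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"""


@dataclass
class Plan:
    kill_all: bool = False
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    reg_delete_keys: list = field(default_factory=list)
    reg_delete_values: list = field(default_factory=list)   # (key, value name)
    reg_set_values: list = field(default_factory=list)      # (key, value name, raw data)
    warnings: list = field(default_factory=list)


def _check_path(plan, path, lineno):
    """Flag entries that look like typos or have a large blast radius."""
    low = path.lower()
    if not ABS_PATH_RE.match(path):
        plan.warnings.append(f"line {lineno}: not an absolute drive path: {path!r}")
    if any(d in low for d in SENSITIVE_DIRS):
        plan.warnings.append(f"line {lineno}: targets a system directory, confirm it is not a legitimate component: {path!r}")
    if "*" in path or "?" in path:
        plan.warnings.append(f"line {lineno}: wildcard pattern, check its scope before running: {path!r}")


def parse_cfscript(text):
    plan = Plan()
    section = None
    current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            section = header.group(1).lower()
            current_key = None
            if section == "killall":
                plan.kill_all = True
            continue
        if section == "file":
            plan.files.append(line)
            _check_path(plan, line, lineno)
        elif section == "folder":
            plan.folders.append(line)
            _check_path(plan, line, lineno)
        elif section == "registry":
            key = REG_KEY_RE.match(line)
            value = REG_VALUE_RE.match(line)
            if key:
                current_key = key.group(2)
                if key.group(1) == "-":          # [-KEY] deletes the whole key
                    plan.reg_delete_keys.append(current_key)
            elif value and current_key:
                name, data = value.groups()
                if data == "-":                   # "name"=- deletes one value
                    plan.reg_delete_values.append((current_key, name))
                else:
                    plan.reg_set_values.append((current_key, name, data))
            elif line.upper() != "REGEDIT4":
                plan.warnings.append(f"line {lineno}: unrecognised Registry:: entry: {line!r}")
        elif section is None:
            plan.warnings.append(f"line {lineno}: text before the first directive: {line!r}")
        else:
            plan.warnings.append(f"line {lineno}: directive {section}:: is not handled by this dry run: {line!r}")
    return plan


def describe(plan):
    """Human-readable list of what the script would do, for review before running it."""
    out = []
    if plan.kill_all:
        out.append("stop running processes before acting (KillAll::)")
    out += [f"delete file   {p}" for p in plan.files]
    out += [f"delete folder {p}" for p in plan.folders]
    out += [f"delete key    {k}" for k in plan.reg_delete_keys]
    out += [f"delete value  {k} -> {n}" for k, n in plan.reg_delete_values]
    out += [f"set value     {k} -> {n} = {d}" for k, n, d in plan.reg_set_values]
    out += [f"WARNING: {w}" for w in plan.warnings]
    return out


if __name__ == "__main__":
    print("\n".join(describe(parse_cfscript(SAMPLE_SCRIPT))))
```

Run it against any CFScript before handing the script to ComboFix; an empty warnings list and a plan that matches what the helper intended is the check. ComboFix's own interpreter remains the authority on how a directive is executed.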
  #24  
Old 22nd Sep 2008, 18:21
New Member Group
 
ComboFix 08-09-20.05 - Zachary 2008-09-22 21:06:58.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.181 [GMT -4:00]
Running from: C:\Documents and Settings\Zachary \Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Zachary \Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\msdownld.tmp
C:\WINDOWS\TEMP\x0pf4t4p.TMP
.

((((((((((((((((((((((((( Files Created from 2008-08-23 to 2008-09-23 )))))))))))))))))))))))))))))))
.

2008-09-22 21:01 . 2008-09-22 21:01 <DIR> d-------- C:\Documents and Settings\Zachary \Application Data\Move Networks
2008-09-21 22:41 . 2008-09-21 23:13 <DIR> d-------- C:\Documents and Settings\Zachary \DoctorWeb
2008-09-21 18:11 . 2008-09-21 18:11 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Verizon
2008-09-20 18:52 . 2008-09-20 18:52 <DIR> d-------- C:\Program Files\CCleaner
2008-09-20 18:48 . 2008-09-20 18:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-09-20 17:57 . 2008-09-20 17:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-20 17:57 . 2008-09-20 17:57 <DIR> d-------- C:\Documents and Settings\Zachary \Application Data\Malwarebytes
2008-09-20 17:57 . 2008-09-20 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-20 17:57 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-20 17:57 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-20 15:24 . 2008-09-20 15:24 <DIR> d-------- C:\Program Files\Common Files\Authentium
2008-09-20 00:05 . 2008-09-20 00:05 <DIR> d-------- C:\Program Files\AVG
2008-09-20 00:05 . 2008-09-20 15:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-19 22:46 . 2008-09-19 22:46 <DIR> d-------- C:\Program Files\Windows Defender
2008-09-19 22:31 . 2008-09-19 22:31 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2008-09-19 22:31 . 2008-09-20 18:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-09-19 22:30 . 2008-09-19 22:30 <DIR> d-------- C:\Documents and Settings\Zachary \Application Data\DivX
2008-09-19 22:29 . 2008-09-19 22:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-19 22:27 . 2008-09-19 22:27 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-09-19 22:27 . 2008-09-19 22:27 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-09-19 22:27 . 2008-09-19 22:27 <DIR> d-------- C:\WINDOWS\bin
2008-09-19 22:27 . 2008-09-19 22:27 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-09-19 22:27 . 2008-09-19 22:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-09-19 22:26 . 2008-09-20 00:15 <DIR> d-------- C:\WINDOWS\wt
2008-09-19 22:26 . 2008-09-19 22:26 <DIR> d-------- C:\Documents and Settings\Zachary \Application Data\AdobeUM
2008-09-19 05:32 . 2008-09-19 22:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-19 05:32 . 2008-09-20 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-19 04:50 . 2008-09-19 22:29 <DIR> d-------- C:\Program Files\iPod(3)
2008-09-19 04:21 . 2008-09-19 04:21 <DIR> d-------- C:\Program Files\GiPo@Utilities
2008-09-19 03:35 . 2008-09-19 03:30 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-19 03:30 . 2008-09-19 22:31 <DIR> d-------- C:\Documents and Settings\Zachary \.housecall6.6
2008-09-19 01:24 . 2008-09-19 01:24 <DIR> d-------- C:\Documents and Settings\Zachary \Application Data\Webroot
2008-09-18 20:06 . 2008-07-23 12:50 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-09-18 20:06 . 2008-07-23 12:50 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-09-18 20:06 . 2008-07-23 12:50 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-09-18 20:05 . 2008-09-19 22:30 <DIR> d-------- C:\Program Files\DivX
2008-09-18 09:51 . 2008-09-19 22:30 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-09-18 01:40 . 2008-09-19 22:29 <DIR> d-------- C:\Program Files\iPod
2008-09-18 01:38 . 2008-09-19 22:29 <DIR> d-------- C:\Program Files\Bonjour
2008-09-18 01:34 . 2008-09-19 22:29 <DIR> d-------- C:\Program Files\Apple Software Update
2008-09-18 00:31 . 2008-09-18 00:31 <DIR> d-------- C:\Documents and Settings\Zachary \Application Data\acccore
2008-09-18 00:29 . 2008-09-18 00:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-09-18 00:27 . 2008-09-19 22:28 <DIR> d-------- C:\Program Files\AIM6
2008-09-18 00:27 . 2008-09-20 17:58 995 --ah----- C:\IPH.PH
2008-09-18 00:12 . 2008-09-18 00:12 <DIR> d--hs---- C:\Documents and Settings\Zachary \PrivacIE
2008-09-18 00:05 . 2008-09-19 22:28 <DIR> d--h-c--- C:\WINDOWS\ie8
2008-09-17 22:35 . 2008-09-19 23:13 <DIR> d-------- C:\Documents and Settings\Zachary \Application Data\uTorrent
2008-09-17 22:15 . 2008-09-22 00:33 <DIR> d-------- C:\Documents and Settings\Zachary \Application Data\LimeWire
2008-09-17 21:33 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-09-17 21:33 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-09-17 21:21 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-17 21:21 . 2008-07-18 22:07 210,976 --a------ C:\WINDOWS\system32\muweb.dll
2008-09-17 21:21 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-17 20:50 . 2008-09-19 22:27 <DIR> d-------- C:\Documents and Settings\Zachary \Contacts
2008-09-17 20:19 . 2008-09-22 10:26 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-09-17 20:19 . 2008-09-17 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-09-17 19:43 . 2008-09-22 19:17 <DIR> d-------- C:\WINDOWS\DSL
2008-09-17 19:43 . 2008-09-17 19:43 <DIR> d-------- C:\Documents and Settings\Zachary \Application Data\Motive
2008-09-17 19:24 . 2008-09-17 19:24 <DIR> d-------- C:\Documents and Settings\Zachary \Application Data\Verizon
2008-09-17 19:24 . 2008-09-20 07:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Verizon
2008-09-17 19:12 . 2008-09-20 15:24 <DIR> d-------- C:\Program Files\Verizon
2008-09-17 18:51 . 2008-09-17 18:51 61,224 --a------ C:\Documents and Settings\Zachary \GoToAssistDownloadHelper.exe
2008-09-16 18:18 . 2008-09-18 00:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-16 18:18 . 2008-09-16 18:18 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-16 16:58 . 2008-09-16 19:12 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Apple Computer
2008-09-16 15:41 . 2008-09-16 16:46 <DIR> d-------- C:\Documents and Settings\Zachary \Application Data\Apple Computer
2008-09-16 15:25 . 2006-05-26 23:56 <DIR> d-------- C:\Documents and Settings\Zachary \WINDOWS
2008-09-16 15:25 . 2006-05-26 23:57 <DIR> d-------- C:\Documents and Settings\Zachary \Application Data\Intuit
2008-09-16 15:25 . 2008-09-21 22:41 <DIR> d-------- C:\Documents and Settings\Zachary
2008-09-16 13:36 . 2008-09-19 22:27 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2008-09-14 01:51 . 2008-02-24 19:59 1,872,666 --a------ C:\WINDOWS\system32\cygwin1.dll
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-08-29 10:18 . 2008-08-29 10:18 87,336 --a------ C:\WINDOWS\system32\dns-sd.exe
2008-08-29 09:53 . 2008-08-29 09:53 61,440 --a------ C:\WINDOWS\system32\dnssd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 04:50 --------- d-----w C:\Program Files\music_now
2008-09-20 22:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-20 22:35 --------- d-----w C:\Program Files\Viewpoint
2008-09-20 22:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-09-20 20:54 --------- d-----w C:\Program Files\Common Files\Scanner
2008-09-20 19:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-20 02:30 --------- d-----w C:\Program Files\LimeWire
2008-09-20 02:30 --------- d-----w C:\Program Files\iTunes
2008-09-20 02:29 --------- d-----w C:\Program Files\QuickTime
2008-09-20 02:28 --------- d-----w C:\Program Files\PeoplePC
2008-09-20 02:27 --------- d-----w C:\Program Files\MSN Messenger
2008-09-18 05:37 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-18 04:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-09-16 19:56 --------- d-----w C:\Program Files\aircrack-ng-0.9.3-win
2008-08-22 16:44 --------- d-----w C:\Documents and Settings\Phillip\Application Data\Sonic
2008-08-22 16:43 --------- d-----w C:\Documents and Settings\Phillip\Application Data\Leadertech
2008-08-19 02:22 --------- d-----w C:\Documents and Settings\Phillip\Application Data\SodaBush
2008-08-14 02:36 --------- d-----w C:\Program Files\Yahoo!
2008-08-14 02:35 --------- d-----w C:\Documents and Settings\Phillip\Application Data\Yahoo!
2008-08-14 02:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-08-14 02:23 --------- d-----w C:\Documents and Settings\Phillip\Application Data\LimeWire
2008-08-13 20:07 --------- d-----w C:\Program Files\CommViewWiFi
2008-08-12 03:16 --------- d-----w C:\Program Files\Makayama Interactive
2008-08-04 22:21 --------- d-----w C:\Documents and Settings\Phillip\Application Data\HPQ
2008-07-31 16:23 --------- d-----w C:\Documents and Settings\Phillip\Application Data\PlayFirst
2008-07-29 16:50 344 ----a-w C:\Documents and Settings\Phillip\Application Data\wklnhst.dat
2008-07-23 16:50 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-08-19 01:24 1,072 ----a-w C:\Documents and Settings\Compaq_Owner.ZACH\Application Data\wklnhst.dat
2007-01-09 19:36 5,971,432 ----a-w C:\Program Files\Firefox Setup 2.0.0.1.exe
2006-10-12 02:53 3,496,097 -c--a-w C:\Program Files\AVICodecPackPlus21.exe
2006-08-21 13:36 31,749,253 -c--a-w C:\Program Files\FinNPWin2k6.exe
.

------- Sigcheck -------

2008-04-13 20:12 111104 ed7262e52c31cf1625b65039102bc16c C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\wuauclt.exe
2008-07-18 22:10 53448 d316e28958873859b88d72cf47ad1ea5 C:\WINDOWS\system32\wuauclt.exe
2008-07-18 22:10 53448 d316e28958873859b88d72cf47ad1ea5 C:\WINDOWS\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-08-06 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Phillip^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Phillip\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-08-06 11:21 50472 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]
--a------ 2007-01-25 17:34 8784 C:\Program Files\Common Files\AOL\1177132967\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 20:52 50736 C:\Program Files\Common Files\AOL\1177132967\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 00:11 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2006-02-16 01:34 249856 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 17:40 289576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2005-07-23 01:14 237568 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2005-07-06 16:16 2972672 C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sscRun]
--a------ 2007-01-25 17:34 153168 C:\Program Files\Common Files\AOL\1177132967\ee\sscRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-12-15 04:23 75520 C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-03-08 07:54 16010240 C:\WINDOWS\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\AOL\\1177132967\\ee\\aolsoftware.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17298:TCP"= 17298:TCP:BitComet 17298 TCP
"17298:UDP"= 17298:UDP:BitComet 17298 UDP
"15158:TCP"= 15158:TCP:PORT_15158

R3 Belkin700F;Belkin Wireless G Desktop Card Service v7;C:\WINDOWS\system32\DRIVERS\BLKWGDv7.sys [2006-10-18 303616]
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 21:12:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-22 21:20:00 - machine was rebooted [Zachary ]
ComboFix-quarantined-files.txt 2008-09-23 01:19:56
ComboFix2.txt 2008-09-23 00:45:02

Pre-Run: 86,898,454,528 bytes free
Post-Run: 86,885,249,024 bytes free

249 --- E O F --- 2008-09-18 13:53:59
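A ComboFix log is long, and the parts a responder reads first are small: the Sigcheck section (does the system32 copy of a Windows file still match its dllcache backup?), the Security Center values (has anything told Windows to stop warning about or monitoring a security product?), and the firewall exception list. The following triage script is an added example, not ComboFix tooling; it runs over an excerpt of the log posted above, with the paths re-joined where the forum wrapped them. The interpretation of the Security Center values follows the documented meaning of the `*DisableNotify` and `DisableMonitoring` keys; the decision to treat a system32/dllcache hash difference as the alert and any other differing copy as informational is the author's.

```python
"""Triage of a ComboFix log for the items a responder checks first (added example).

Not ComboFix's own tooling: it reads the log text and pulls out (1) the Sigcheck
section, comparing each system32 file's hash against its dllcache copy,
(2) Security Center values that silence or stop monitoring of a security
product, and (3) the Windows Firewall application exceptions and open ports.
"""
import re
from collections import defaultdict

SIGCHECK_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) ([0-9a-fA-F]{32}) (.+)$")
REG_KEY_RE = re.compile(r"^\[([^\]]+)\]$")
REG_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
FW_APP_RE = re.compile(r'^"([^"]+)"=\s*$')
FW_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*(.*)$')

# Excerpt of the log posted in the thread (paths joined where the forum wrapped them).
SAMPLE_LOG = r"""
------- Sigcheck -------

2008-04-13 20:12 111104 ed7262e52c31cf1625b65039102bc16c C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\wuauclt.exe
2008-07-18 22:10 53448 d316e28958873859b88d72cf47ad1ea5 C:\WINDOWS\system32\wuauclt.exe
2008-07-18 22:10 53448 d316e28958873859b88d72cf47ad1ea5 C:\WINDOWS\system32\dllcache\wuauclt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17298:TCP"= 17298:TCP:BitComet 17298 TCP
"17298:UDP"= 17298:UDP:BitComet 17298 UDP
"15158:TCP"= 15158:TCP:PORT_15158
"""


def triage(log_text):
    f = {"sigcheck_mismatch": [], "sigcheck_info": [], "security_center": [],
         "firewall_apps": [], "open_ports": []}
    copies = defaultdict(list)          # file name -> [(path, md5)]
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sc = SIGCHECK_RE.match(line)
        if sc:
            _, _, md5, path = sc.groups()
            copies[path.rsplit("\\", 1)[-1].lower()].append((path, md5.lower()))
            continue
        key = REG_KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        key_l = current_key.lower()
        if "security center" in key_l:
            dw = REG_DWORD_RE.match(line)
            # A non-zero *DisableNotify value suppresses the Security Center balloon for that
            # category; DisableMonitoring under Monitoring\<product> stops Security Center
            # tracking that product. Malware and some installers set these.
            if dw and "disable" in dw.group(1).lower() and int(dw.group(2), 16) != 0:
                f["security_center"].append((current_key, dw.group(1), int(dw.group(2), 16)))
        elif "authorizedapplications\\list" in key_l:
            app = FW_APP_RE.match(line)
            if app:
                f["firewall_apps"].append(app.group(1).replace("\\\\", "\\"))
        elif "globallyopenports\\list" in key_l:
            port = FW_PORT_RE.match(line)
            if port:
                f["open_ports"].append((int(port.group(1)), port.group(2), port.group(3).strip()))
    for name, entries in copies.items():
        live = next((h for p, h in entries if p.lower().endswith("\\system32\\" + name)), None)
        cache = next((h for p, h in entries if p.lower().endswith("\\system32\\dllcache\\" + name)), None)
        if live and cache and live != cache:
            f["sigcheck_mismatch"].append(f"{name}: system32 {live} != dllcache {cache}")
        for p, h in entries:                 # e.g. a pending update in SoftwareDistribution
            if live and h != live and h != cache:
                f["sigcheck_info"].append(f"{name}: another copy with a different hash at {p}")
    return f


def report(f):
    lines = [f"ALERT sigcheck: {s}" for s in f["sigcheck_mismatch"]]
    lines += [f"info  sigcheck: {s}" for s in f["sigcheck_info"]]
    lines += [f"ALERT security center: {n}={v} under {k}" for k, n, v in f["security_center"]]
    lines += [f"review firewall exception: {p}" for p in f["firewall_apps"]]
    lines += [f"review open port: {p}/{proto} ({desc})" for p, proto, desc in f["open_ports"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

On this log the system32 and dllcache copies of wuauclt.exe agree, and the third copy under SoftwareDistribution\Download is the older build the update cache still holds, so the Sigcheck section is clean. The two Security Center values and the P2P clients in the firewall exception list are what the reader should weigh next.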
  #25  
Old 22nd Sep 2008, 18:27
Moderator Group
 
  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.

  • The above procedure will:
  • Delete the following:
  • ComboFix and its associated files and folders.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.

----------

Run CCleaner.

----------

Run this online scan. It requires Internet Explorer.

Use the ESET Nod32 Online Scanner

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications are check-marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply
__________________

  #26  
Old 24th Sep 2008, 11:50
New Member Group
 
I accidentally closed the window without copying and pasting the log! I'm sorry! From what I can remember, it seemed that most of the infected files were in the Spybot - Search & Destroy folder. I had 14 infected files... I am running the scan again. Sorry.
  #27  
Old 24th Sep 2008, 11:53
New Member Group
 
Never mind... I just read your instructions again... Here it is:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3461 (20080922)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=7bb2fd5da61c7a428b5e54c3e2a4dac9
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-09-23 03:43:19
# local_time=2008-09-22 11:43:19 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=563298
# found=14
# scan_time=7097
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch90.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch92.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent100.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent109.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent128.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent18.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent48.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent8.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinWebdirb2.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinWebdirb4.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinWebdirb5.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\AVICodecPackPlus21.exe a variant of Win32/Adware.Webdir application (deleted) 00000000000000000000000000000000
C:\Program Files\AVICodecPackPlus21.exe »NSIS »VirtualDNS.dll a variant of Win32/Adware.Webdir application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
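Twelve of the fourteen hits in the ESET log above are .zip files inside Spybot's own Recovery folder, that is, backups Spybot made of things it had already removed, and the last line is a DLL packed inside an NSIS installer rather than a file on disk in its own right. Reading that out of a fourteen-line log by eye is error-prone, so the following parser is an added example (not ESET code) that turns the log into records and separates stored copies from objects that were actually live. The line layout (path, threat description, action in parentheses, 32-hex object id, `»` for archive members) is taken from the log above; the list of folders treated as "stored copy" locations is an assumption, and the sample is a constructed excerpt with four of the fourteen lines and the header's found count set to match.

```python
"""Parser and triage for an ESET Online Scanner log.txt (added example, not ESET code).

The log has a '# key=value' header followed by one line per finding:
<object path> <threat description> (<action taken>) <32-hex object id>.
Archive members are written as 'outer.exe »NSIS »inner.dll'. The triage marks
findings that sit in another tool's quarantine or backup folder, since those
are stored copies rather than files that were active on the machine.
"""
import re
from collections import Counter

LINE_RE = re.compile(r"^(?P<body>.+?) \((?P<action>[^()]*)\) (?P<hash>[0-9a-fA-F]{32})\s*$")
# The threat description starts at the first Family/Name token, optionally prefixed by
# ESET's "probably " / "a variant of " qualifiers; everything before it is the path.
THREAT_RE = re.compile(r"^(?P<path>.+?) (?P<threat>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+.*)$")
# Assumption: hits under these folders are stored copies (quarantine, backups, restore points).
INACTIVE_MARKERS = ("\\spybot - search & destroy\\recovery\\", "\\quarantine\\",
                    "\\system volume information\\")

# Constructed excerpt: header fields from the log above with four of its fourteen lines.
SAMPLE_LOG = r"""# version=4
# vers_standard_module=3461 (20080922)
# remove_checked=true
# unwanted_checked=true
# osver=5.1.2600 NT Service Pack 2
# scanned=563298
# found=4
# scan_time=7097
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent100.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\AVICodecPackPlus21.exe a variant of Win32/Adware.Webdir application (deleted) 00000000000000000000000000000000
C:\Program Files\AVICodecPackPlus21.exe »NSIS »VirtualDNS.dll a variant of Win32/Adware.Webdir application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
"""


def parse_eset_log(text):
    header, detections, unparsed = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            value = value.strip()
            header[key.strip()] = int(value) if value.isdigit() else value
            continue
        m = LINE_RE.match(line)
        t = THREAT_RE.match(m.group("body")) if m else None
        if not t:
            unparsed.append(line)
            continue
        path = t.group("path")
        detections.append({
            "path": path,
            "threat": t.group("threat"),
            "action": m.group("action"),
            "object_id": m.group("hash"),
            "archive_member": "»" in path,
            "inactive_copy": any(mk in path.lower() for mk in INACTIVE_MARKERS),
        })
    return {"header": header, "detections": detections, "unparsed": unparsed}


def summarize(parsed):
    """The counts a responder wants before deciding whether anything is still live."""
    dets = parsed["detections"]
    claimed = parsed["header"].get("found")
    return {
        "found_claimed": claimed,
        "found_parsed": len(dets),
        "header_matches": claimed == len(dets) and not parsed["unparsed"],
        "by_threat": Counter(d["threat"] for d in dets),
        "by_action": Counter(d["action"] for d in dets),
        "inactive_copies": sum(d["inactive_copy"] for d in dets),
        "live_objects": [d["path"] for d in dets if not d["inactive_copy"]],
        "needs_follow_up": [d["path"] for d in dets if "deleted" not in d["action"]],
    }


if __name__ == "__main__":
    for k, v in summarize(parse_eset_log(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

`header_matches` is the sanity check that every line the scanner counted was parsed; `live_objects` and `needs_follow_up` are the two lists worth reading, since a hit in a quarantine or backup folder means an earlier tool already dealt with that file.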
  #28  
Old 24th Sep 2008, 11:56
Moderator Group
 
Your Java is out of date.

Older versions have vulnerabilities that malicious sites can use to infect your system.

First install the new Sun Java Runtime Environment

Be sure to close all browser windows before beginning the install.

Remove the old version(s)
  • Download JavaRa and unzip the file to your Desktop.
  • Open JavaRA.exe and choose Remove Older Versions
  • Once complete exit JavaRA and delete the program.
  • Run CCleaner.

----------

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
  • Go to Start > Programs > Accessories > System Tools and click System Restore
  • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
  • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Next go to Start > Run and type Cleanmgr
  • Click OK
  • Click the More Options Tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide

----------

Use the Secunia Software Inspector to check for out of date software.
Out of date software has security vulnerabilities that malware can exploit.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.
----------


How is everything now?
__________________

  #29  
Old 24th Sep 2008, 18:30
New Member Group
 
When I type in cleanmgr and press Enter, all I get is the disk cleaner and a choice between cleaning C or D. I don't see any tabs. I'm running XP.
  #30  
Old 24th Sep 2008, 21:57
Moderator Group
 
Do this instead.

Disable the System Restore Utility to prevent re-infection from an old one

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Put a check mark next to Turn off System Restore on All Drives
4) Click the OK button.
5) You will be prompted to restart the computer. Click the Yes button.

Now re-enable System Restore

To re-enable the System Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Remove the check mark next to Turn off System Restore on All Drives
4) Click the OK button.
__________________

Copyright ©2006 - 2009 Computer Juice.
