[greyknight17]

Did you remove Combofix as mentioned in Post #43? If not, please do so now. Restart the computer and then download Combofix and run a new scan. Post the log here.

[Advertisements]

Yes. I removed the old combofix. I did Go to Start->Run, copy/paste in combofix /u and hit OK to remove it. Then download a fresh copy again but before you save it, rename it to CFkevin777.exe instead and then save it to your desktop. Then I ran Combofix exactly as you instructed. I apologize for not being clear.

Step 1. rename it to CFkevin777.exe instead and then save it to your desktop. Double click on it and run the scan. Post the log here. log.txt is the log in my previous response for this step.

Step 2. Copy the text from the quotebox below into Notepad. Save this as CFScript.txt in the same location as the ComboFix.exe tool. Drag the CFScript.txt into ComboFix.exe. log2.txt is the log in my previous response to that step.

Are you able to review these logs?

thank you

Edited by kevin777, 08 August 2008 - 08:03 AM.

[kevin777]

Yes. I removed the old combofix. I did Go to Start->Run, copy/paste in combofix /u and hit OK to remove it. Then download a fresh copy again but before you save it, rename it to CFkevin777.exe instead and then save it to your desktop. Then I ran Combofix exactly as you instructed. I apologize for not being clear.

Step 1. rename it to CFkevin777.exe instead and then save it to your desktop. Double click on it and run the scan. Post the log here. log.txt is the log in my previous response for this step.

Step 2. Copy the text from the quotebox below into Notepad. Save this as CFScript.txt in the same location as the ComboFix.exe tool. Drag the CFScript.txt into ComboFix.exe. log2.txt is the log in my previous response to that step.

Are you able to review these logs?

thank you

Edited by kevin777, 08 August 2008 - 08:03 AM.

[greyknight17]

Got the logs. Please try to run it once only and post the current log...No need to have more logs than needed.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

NoOrphans::
File::
C:\WINDOWS\system32\avwavp.dll
C:\WINDOWS\system32\DX8VBe.dll
C:\WINDOWS\system32\drivers\cgldeduc.dat
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{256A9C1F-F38D-4E22-BA27-D943236786EC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96147EDE-CE4F-4172-A719-80F811DF98CB}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lznytwib]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cgldeduc]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

[greyknight17]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

[greyknight17]

Topic reopened per user's request.

kevin777: Please don't post the logs via PM. I'm pasting the log you gave me to this post:


ComboFix 08-08-04.09 - Kevin Mayer 2008-08-13 19:23:38.12 - NTFSx86

Running from: C:\Documents and Settings\Kevin Mayer\Desktop\CFkevin777.exe
Command switches used :: C:\Documents and Settings\Kevin Mayer\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\system32\avwavp.dll
C:\WINDOWS\system32\drivers\cgldeduc.dat
C:\WINDOWS\system32\DX8VBe.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\cgldeduc.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_cgldeduc
-------\Service_cgldeduc


((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.

2008-07-27 20:09 . 2008-07-27 20:09 <DIR> d-------- C:\Program Files\Registrar Registry Manager
2008-07-27 20:09 . 2008-02-09 11:20 31,280 --a------ C:\WINDOWS\SYSTEM32\rrMon.sys
2008-07-27 20:06 . 2008-07-27 20:06 63,998,004 --a------ C:\registry072708.reg
2008-07-27 18:46 . 2008-07-27 18:46 2,631,824 --a------ C:\reglite.exe
2008-07-24 21:47 . 2008-07-24 21:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2008-07-20 21:32 . 2008-07-20 21:32 64,094,354 --a------ C:\registry072008.reg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-14 00:54 --------- d-----w C:\Program Files\CallWave
2008-08-14 00:54 --------- d-----w C:\Documents and Settings\Kevin Mayer\Application Data\OpenOffice.org2
2008-07-14 00:50 64,007,236 ----a-w C:\registry071308.reg
2008-07-05 15:45 63,995,208 ----a-w C:\registry070508.reg
2008-03-01 01:24 0 ----a-w C:\Documents and Settings\Kevin Mayer\INDEX.DAT
2007-08-29 16:28 11,390,509 ----a-w C:\Program Files\apache-ant-1.7.0-bin.zip
.

((((((((((((((((((((((((((((( snapshot@2008-08-05_20.59.57.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 02:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 06:51 306688]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-04-24 20:09 3334144]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12 221184]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01 110592]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 07:50 131072]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 07:50 53248]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2005-03-02 19:19 143360]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 19:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 15:26 212992]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-04-12 01:25 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05 127035]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2005-03-18 20:28 196608]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-04-05 14:41 950272]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"Bart Station"="C:\Program Files\PeoplePC\ISP6630\BIN\PPCOLink.exe" [2007-08-07 16:15 25944]

C:\Documents and Settings\Kevin Mayer\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 23:57:56 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-04-12 01:25:06 156784]
CallWave.lnk - C:\Program Files\CallWave\IAM.exe [2005-06-02 22:07:30 1590352]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2005-04-16 15:26:41 118784]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-09-19 11:36:08 960032]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\CallWave\\IAM.exe"=

.
Contents of the 'Scheduled Tasks' folder

2007-11-08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 18:13]

2005-04-16 C:\WINDOWS\Tasks\ISP signup reminder 1.job
- C:\WINDOWS\system32\OOBE\OOBEBALN.EXE [2004-08-04 04:00]

2008-08-14 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DDR93871-Kevin Mayer).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2005-03-02 19:19]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 19:28:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\IMAPI.EXE
C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe
C:\Program Files\PeoplePC\ISP6630\Browser\BartShel.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\PeoplePC\ISP6630\Browser\PPShared.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
.
**************************************************************************
.
Completion time: 2008-08-13 19:33:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-14 01:33:37
ComboFix2.txt 2008-08-06 03:53:31
ComboFix3.txt 2008-08-06 03:00:39
ComboFix4.txt 2008-07-09 04:13:20

Pre-Run: 66,654,076,928 bytes free
Post-Run: 66,647,576,576 bytes free

136

[greyknight17]

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.

[kevin777]

WOW! That is amazing. I checked the registry and the directories again. They do look clean. That was a lot of work. How much time do you estimate you spent on this?

The computer is working well. I do not get any unwanted popup applications except for a PeoplePC automated dialer. That started after one of the steps where we had to remove peoplepc and then replace it with a newer version. As far as the other applications we tried(VundiFix, OTMOveIT, avenger, Smitfraud), can I remove them?

[greyknight17]

How much time spent? More than I had anticipated, but I'm glad we are finally finished here

Remove combofix by following the instructions in my last reply. That should get rid of most of those backup files. After that, whatever is remaining, you may remove them by simply deleting them (all those you mentioned).

If there's no further issues, I shall mark this topic as solved.

[greyknight17]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.