AntiSpyware Master pop ups [RESOLVED]



#16 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello coldwars,

However, the file C:\Documents and Settings\joal\My Documents\Albums\Lil Wayne - Tha Carter III Special Edition [2008] [RAP]\Lil Wayne - Tha Carter III.zip is still in there. When I view the contents of the folder as a list it says the file is an application, and in its name there is a long space in between the .zip and the .exe.


It was at the same time as this arrived that Vundo started to become a file infector.

We want to get rid of it to be sure your problem doesn't come back.

It's a pesky fellow though; as you say, our attempts so far have not succeeded. We won't be beaten though; there are other ways if necessary.

Meantime, we will try ComboFix again, but in a slightly different format.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

RenV::
----a-w				   100,189,297 2008-06-02 17:34:44 C:\Documents and Settings\joal\My Documents\Albums\Lil Wayne - Tha Carter III Special Edition [2008] [RAP]\Lil Wayne - Tha Carter III.zip												   .exe

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: dragging CFScript.txt onto ComboFix.exe]

5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

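The file name emeraldnzl describes above, a decoy .zip extension followed by a long run of spaces and then .exe so that the real extension sits far to the right of what Explorer shows, is a common way of passing an executable off as an archive. The Python script below is an added example for this thread, not part of the thread or of ComboFix; it flags such names in a directory listing and cross-checks a claimed extension against the first bytes of the file. The listing and the file headers it scans are constructed here for illustration (the first name mirrors the pattern from the thread; the 40-character padding is an assumption).

```python
import os
import re
from typing import Dict, List

# Extensions Windows launches directly when double-clicked (PE images and script hosts).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Leading bytes a file must start with to really be the type its extension claims.
MAGIC = {
    ".zip": b"PK\x03\x04",  # local file header of a ZIP archive
    ".exe": b"MZ",          # DOS stub that starts every PE executable
}

# A short "decoy" extension, two or more spaces/tabs/NBSPs, then the final extension.
_PADDED = re.compile(r"(\.[A-Za-z0-9]{1,4})([ \t\u00a0]{2,})(\.[A-Za-z0-9]{1,4})$")


def classify_name(name: str) -> Dict[str, object]:
    """Describe what a file name appears to be versus what Windows will actually run."""
    m = _PADDED.search(name)
    if m is None:
        return {"name": name, "decoy_ext": None,
                "real_ext": os.path.splitext(name)[1].lower(),
                "padding": 0, "suspicious": False}
    decoy_ext, padding, real_ext = m.group(1).lower(), m.group(2), m.group(3).lower()
    return {"name": name, "decoy_ext": decoy_ext, "real_ext": real_ext,
            "padding": len(padding),
            # Only padded names that end in an executable extension are a threat.
            "suspicious": real_ext in EXECUTABLE_EXTS}


def header_matches_ext(ext: str, head: bytes) -> bool:
    """True when the first bytes of a file agree with the extension it claims."""
    magic = MAGIC.get(ext.lower())
    return magic is not None and head.startswith(magic)


def scan_listing(names: List[str]) -> List[Dict[str, object]]:
    """Return only the entries of a directory listing that use the padded-extension trick."""
    return [c for c in map(classify_name, names) if c["suspicious"]]


# Constructed sample listing (assumption: 40 spaces of padding; the first name mirrors
# the pattern seen in the thread).
SAMPLE_LISTING = [
    "Lil Wayne - Tha Carter III.zip" + " " * 40 + ".exe",
    "Lil Wayne - Tha Carter III.zip",   # a genuine archive with the same stem
    "cover.jpg",
    "readme.txt  .bak",                 # padded, but the real extension is harmless
]

# Constructed file headers standing in for the first bytes read from disk.
SAMPLE_HEADERS = {
    "genuine archive": b"PK\x03\x04\x14\x00\x00\x00",
    "disguised executable": b"MZ\x90\x00\x03\x00\x00\x00",
}


if __name__ == "__main__":
    for hit in scan_listing(SAMPLE_LISTING):
        print(f"SUSPICIOUS: {hit['name']!r} looks like {hit['decoy_ext']} "
              f"but runs as {hit['real_ext']} ({hit['padding']} pad characters)")
    for label, head in SAMPLE_HEADERS.items():
        ok = header_matches_ext(".zip", head)
        print(f"{label}: header {'matches' if ok else 'does NOT match'} .zip")
```

The name check on its own is a heuristic: a single space or a decoy extension longer than four characters would slip past the regex, which is why the header check is there as a second signal. Explorer decides the "Type" column by whatever follows the last dot, so an entry reported as an application next to a name that appears to end in .zip is exactly the symptom emeraldnzl points out.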

#17 coldwars (Topic Starter, Member, 28 posts)
The file, unfortunately, is still there.

ComboFix report:
ComboFix 08-07-20.4 - joal 2008-07-22 17:10:32.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1655 [GMT -4:00]
Running from: C:\Documents and Settings\joal\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\joal\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-06-22 to 2008-07-22 )))))))))))))))))))))))))))))))
.

2008-07-22 01:58 . 2008-07-22 01:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-22 01:58 . 2008-07-22 01:58 <DIR> d-------- C:\Documents and Settings\joal\Application Data\Malwarebytes
2008-07-22 01:58 . 2008-07-22 01:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-22 01:58 . 2008-07-20 20:21 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-22 01:58 . 2008-07-20 20:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-21 12:46 . 2008-07-21 12:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-21 12:46 . 2008-07-21 12:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-20 13:09 . 2008-07-20 13:09 <DIR> d-------- C:\_OTMoveIt
2008-07-19 14:20 . 2008-07-19 14:20 <DIR> d-------- C:\Deckard
2008-07-18 22:45 . 2008-07-19 13:08 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-18 20:32 . 2008-07-18 20:32 3,568 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-18 17:57 . 2008-07-19 14:13 <DIR> d-------- C:\VundoFix Backups
2008-07-13 18:56 . 2008-07-16 00:29 <DIR> d-------- C:\Program Files\iTunes
2008-07-13 18:56 . 2008-07-13 18:56 <DIR> d-------- C:\Program Files\iPod
2008-07-13 18:55 . 2008-07-13 18:55 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-05 18:24 . 2008-07-05 18:27 <DIR> d-------- C:\Program Files\Windows Live Safety Center

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-22 21:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-22 20:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-19 04:41 --------- d-----w C:\Program Files\Bonjour
2008-07-18 23:14 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-17 01:14 --------- d-----w C:\Documents and Settings\joal\Application Data\LimeWire
2008-07-16 04:29 --------- d-----w C:\Program Files\Last.fm
2008-07-13 15:37 --------- d-----w C:\Program Files\Creative
2008-07-09 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-02 04:48 --------- d-----w C:\Program Files\ZillaTube
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 04:47 --------- d-----w C:\Documents and Settings\joal\Application Data\IceChat
2008-06-15 03:05 --------- d-----w C:\Program Files\QuickTime
2008-06-14 16:53 --------- d-----w C:\Program Files\Java
2008-06-14 16:52 --------- d-----w C:\Program Files\Common Files\Java
2008-06-14 16:47 --------- d-----w C:\Program Files\Viewpoint
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 22:22 --------- d-----w C:\Documents and Settings\joal\Application Data\U3
2008-06-12 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-12 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-12 03:26 --------- d-----w C:\Program Files\DivX
2008-06-07 04:39 --------- d-----w C:\Documents and Settings\joal\Application Data\DivX
2008-05-31 02:58 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-31 02:58 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-31 02:58 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-31 02:58 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-31 02:58 --------- d-----w C:\Program Files\Symantec
2008-05-22 22:22 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-05-22 22:22 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-05-22 22:22 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-11 02:00 70,072 ----a-w C:\Documents and Settings\joal\Application Data\GDIPFONTCACHEV1.DAT
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
.
----a-w	   100,189,297 2008-06-02 17:34:44  C:\Documents and Settings\joal\My Documents\Albums\Lil Wayne - Tha Carter III Special Edition [2008] [RAP]\Lil Wayne - Tha Carter III.zip																													   .exe


((((((((((((((((((((((((((((( snapshot@2008-07-21_ 2.53.50.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-04-29 20:52:52 40,836 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-21 06:57:42 40,836 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-29 20:52:52 314,508 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-21 06:57:42 314,508 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 16:35 67112]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 11:37 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 02:59 115816]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 02:12 488984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 02:13 774168]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 18:20 339968 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\joal\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-01-06 13:24:21 106496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\IceChat7\\IceChat7.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-18 00:15:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 17:13:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-22 17:19:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-22 21:19:37
ComboFix2.txt 2008-07-22 05:50:58
ComboFix3.txt 2008-07-21 16:41:53
ComboFix4.txt 2008-07-21 06:54:14
ComboFix5.txt 2008-07-22 21:10:13

Pre-Run: 95,253,688,320 bytes free
Post-Run: 95,540,400,128 bytes free

157 --- E O F --- 2008-07-13 15:40:07




HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:21:44, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\joal\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6557 bytes

#18 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Before we move to other methods, let's try this once more with ComboFix, but again slightly differently.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

----a-w				   100,189,297 2008-06-02 17:34:44 C:\Documents and Settings\joal\My Documents\Albums\Lil Wayne - Tha Carter III Special Edition [2008] [RAP]\Lil Wayne - Tha Carter III.zip												   .exe

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: dragging CFScript.txt onto ComboFix.exe]

5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#19 coldwars (Topic Starter, Member, 28 posts)
The file is still there. However, when I ran ComboFix it said something about "vfind bad option" and "find matching filenames in directory tree", but then it continued to complete the stages. Then, when it was preparing the log file, it said "temp07The system cannot find the file specified." Then it went to the "almost done.. ComboFix log shall be located at C:\ComboFix.txt" screen.

ComboFix Log:

ComboFix 08-07-20.4 - joal 2008-07-22 21:21:01.11 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1586 [GMT -4:00]
Running from: C:\Documents and Settings\joal\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\joal\Desktop\CFScript.txt
* Created a new restore point

FILE ::
----a-w 100,189,297 2008-06-02 17:34:44 C:\Documents and Settings\joal\My Documents\Albums\Lil Wayne - Tha Carter III Special Edition [2008] [RAP]\Lil Wayne - Tha Carter III.zip .exe
.

((((((((((((((((((((((((( Files Created from 2008-06-23 to 2008-07-23 )))))))))))))))))))))))))))))))
.

2008-07-22 01:58 . 2008-07-22 01:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-22 01:58 . 2008-07-22 01:58 <DIR> d-------- C:\Documents and Settings\joal\Application Data\Malwarebytes
2008-07-22 01:58 . 2008-07-22 01:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-22 01:58 . 2008-07-20 20:21 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-22 01:58 . 2008-07-20 20:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-21 12:46 . 2008-07-21 12:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-21 12:46 . 2008-07-21 12:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-20 13:09 . 2008-07-20 13:09 <DIR> d-------- C:\_OTMoveIt
2008-07-19 14:20 . 2008-07-19 14:20 <DIR> d-------- C:\Deckard
2008-07-18 22:45 . 2008-07-19 13:08 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-18 20:32 . 2008-07-18 20:32 3,568 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-18 17:57 . 2008-07-19 14:13 <DIR> d-------- C:\VundoFix Backups
2008-07-13 18:56 . 2008-07-16 00:29 <DIR> d-------- C:\Program Files\iTunes
2008-07-13 18:56 . 2008-07-13 18:56 <DIR> d-------- C:\Program Files\iPod
2008-07-13 18:55 . 2008-07-13 18:55 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-05 18:24 . 2008-07-05 18:27 <DIR> d-------- C:\Program Files\Windows Live Safety Center

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 01:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-22 22:53 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-19 04:41 --------- d-----w C:\Program Files\Bonjour
2008-07-18 23:14 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-17 01:14 --------- d-----w C:\Documents and Settings\joal\Application Data\LimeWire
2008-07-16 04:29 --------- d-----w C:\Program Files\Last.fm
2008-07-13 15:37 --------- d-----w C:\Program Files\Creative
2008-07-09 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-02 04:48 --------- d-----w C:\Program Files\ZillaTube
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 04:47 --------- d-----w C:\Documents and Settings\joal\Application Data\IceChat
2008-06-15 03:05 --------- d-----w C:\Program Files\QuickTime
2008-06-14 16:53 --------- d-----w C:\Program Files\Java
2008-06-14 16:52 --------- d-----w C:\Program Files\Common Files\Java
2008-06-14 16:47 --------- d-----w C:\Program Files\Viewpoint
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 22:22 --------- d-----w C:\Documents and Settings\joal\Application Data\U3
2008-06-12 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-12 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-12 03:26 --------- d-----w C:\Program Files\DivX
2008-06-07 04:39 --------- d-----w C:\Documents and Settings\joal\Application Data\DivX
2008-05-31 02:58 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-31 02:58 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-31 02:58 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-31 02:58 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-31 02:58 --------- d-----w C:\Program Files\Symantec
2008-05-22 22:22 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-05-22 22:22 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-05-22 22:22 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-11 02:00 70,072 ----a-w C:\Documents and Settings\joal\Application Data\GDIPFONTCACHEV1.DAT
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
.
----a-w	   100,189,297 2008-06-02 17:34:44  C:\Documents and Settings\joal\My Documents\Albums\Lil Wayne - Tha Carter III Special Edition [2008] [RAP]\Lil Wayne - Tha Carter III.zip																													   .exe


((((((((((((((((((((((((((((( snapshot@2008-07-21_ 2.53.50.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-04-29 20:52:52 40,836 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-21 06:57:42 40,836 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-29 20:52:52 314,508 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-21 06:57:42 314,508 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 16:35 67112]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 11:37 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 02:59 115816]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 02:12 488984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 02:13 774168]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 18:20 339968 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\joal\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-01-06 13:24:21 106496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\IceChat7\\IceChat7.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-18 00:15:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 21:40:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-22 21:58:59
ComboFix-quarantined-files.txt 2008-07-23 01:57:27
ComboFix2.txt 2008-07-22 22:59:19
ComboFix3.txt 2008-07-22 21:19:41
ComboFix4.txt 2008-07-22 05:50:58
ComboFix5.txt 2008-07-23 01:20:43

Pre-Run: 95,447,855,104 bytes free
Post-Run: 95,479,263,232 bytes free

148 --- E O F --- 2008-07-13 15:40:07


HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:06:17, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\joal\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6695 bytes
  • 0

#20
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Thanks coldwars, I will get back to you on this one.

May not be until tomorrow.

Regards
emeraldnzl
  • 0

#21
coldwars

coldwars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Thanks again.
  • 0

#22
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello coldwars,

Sorry about the delay there. I was consulting the moderators on this.

There are several options we can try.

The first is simple but it just might work.

Now

close all windows then boot into Safe Mode:

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\Documents and Settings\joal\My Documents\Albums\Lil Wayne - Tha Carter III Special Edition [2008] [RAP]\Lil Wayne - Tha Carter III.zip .exe

After that Reboot and have a look to see whether it is gone.

Second option

If the foregoing doesn't work, you could try moving everything but that file out of the Albums folder and removing the whole folder. Same procedure as above.

Let me know how you get on. :)
  • 0
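The file name the post above asks to delete hides its real extension by padding: Windows honours only the last extension, and the run of spaces pushes `.exe` out of the visible part of Explorer's name column (with "Hide extensions for known file types" on, a plain `song.mp3.exe` is shown as `song.mp3` as well). As an added example that is not part of the original thread, the Python below flags such names; the executable and data extension lists and the sample names are constructed for the example.

```python
import os

# Extensions Windows launches as programs when double-clicked (assumed subset for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Extensions a user reads as harmless content (assumed subset for this example).
DATA_EXTS = {".zip", ".rar", ".mp3", ".jpg", ".pdf", ".doc", ".txt"}
# Whitespace used to push the real extension out of view in Explorer's name column.
PAD_CHARS = " \t\u00a0"


def inspect_filename(path):
    """Classify one file name.

    Returns the extension Windows actually honours (the last one), the decoy
    extension a user would read, the number of padding characters between them,
    and a list of reasons the name is suspicious (empty if the name looks clean).
    """
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    stem, real_ext = os.path.splitext(base)
    real_ext = real_ext.lower()
    trimmed = stem.rstrip(PAD_CHARS)
    padding = len(stem) - len(trimmed)
    decoy_ext = os.path.splitext(trimmed)[1].lower()

    reasons = []
    if real_ext in EXECUTABLE_EXTS:
        if decoy_ext in DATA_EXTS:
            # "cover.jpg.exe" is shown as "cover.jpg" when known extensions are hidden.
            reasons.append(f"executable {real_ext} presented as {decoy_ext}")
        if padding >= 2:
            reasons.append(f"{padding} padding characters before {real_ext}")
    return {"path": path, "real_ext": real_ext, "decoy_ext": decoy_ext,
            "padding": padding, "reasons": reasons}


def find_disguised(paths):
    """Return the findings for every path whose name looks disguised."""
    return [f for f in (inspect_filename(p) for p in paths) if f["reasons"]]


def scan_tree(root):
    """Walk a directory tree on disk and report disguised names found there."""
    paths = [os.path.join(d, name) for d, _, files in os.walk(root) for name in files]
    return find_disguised(paths)


# Constructed sample names, modelled on the one in this thread (not real files).
SAMPLE_NAMES = [
    r"C:\Docs\Albums\Lil Wayne - Tha Carter III.zip" + " " * 16 + ".exe",
    r"C:\Docs\Albums\track01.mp3",
    r"C:\Docs\Albums\cover.jpg.exe",
    r"C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe",
    r"C:\Docs\notes.txt",
]

if __name__ == "__main__":
    for finding in find_disguised(SAMPLE_NAMES):
        print(finding["path"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

Running `scan_tree` over a user's download or music folder gives the same report for real files; the padding count is what separates the deliberately disguised name from an ordinary double extension.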

#23
coldwars

coldwars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
I removed the folder and then deleted it from the recycle bin. It's no longer there. However, the clock settings still haven't changed and I can't turn on Auto-Protect on Norton 360. When I went to Windows Security Center it said the Firewall is on; however, when I went to manage the security settings for Windows Firewall it said it was off and I had to change it back.
  • 0

#24
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello coldwars,

Well done that man. :)

The clock etc. will be dealt with in our clean up which I think is close now. In fact I think your machine is probably clean but just to make sure nothing has respawned while we were getting rid of that "maggoty" file we should make a last run with Kaspersky.

You know the drill

Kaspersky only works if you are using Internet Explorer.

Please do an online scan with Kaspersky WebScanner.

Click on the Kaspersky Online Scanner button. A box will come up, click Accept, this will allow it to install an ActiveX component and download its latest anti-virus database. (Note: It may take a couple of minutes)

  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    * Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    * Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    * Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information in your next post.
  • 0

#25
coldwars

coldwars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Here's the Kaspersky Report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, July 24, 2008 19:01:24
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/07/2008
Kaspersky Anti-Virus database records: 1004367
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 63506
Number of viruses found: 8
Number of infected objects: 74
Number of suspicious objects: 0
Duration of the scan process: 00:50:01

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\joal\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\joal\Desktop\backups\backup-20080614-123232-993.dll Infected: Trojan.Win32.Monder.qf skipped
C:\Documents and Settings\joal\Desktop\backups\backup-20080720-130346-338.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\Documents and Settings\joal\Desktop\backups\backup-20080720-130346-446.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\Documents and Settings\joal\Desktop\backups\backup-20080720-130346-524.dll Infected: Rootkit.Win32.Podnuha.zn skipped
C:\Documents and Settings\joal\Desktop\backups\backup-20080720-130346-936.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\Documents and Settings\joal\Desktop\backups\backup-20080720-130346-978.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\Documents and Settings\joal\Desktop\backups\backup-20080721-015408-814.dll Infected: Rootkit.Win32.Podnuha.zn skipped
C:\Documents and Settings\joal\Desktop\SmitfraudFix\IEDFix.C.exe Infected: Hoax.Win32.Renos.vaoz skipped
C:\Documents and Settings\joal\Desktop\SmitfraudFix\IEDFix.exe Infected: Hoax.Win32.Renos.vaoz skipped
C:\Documents and Settings\joal\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\joal\Desktop\SmitfraudFix.exe/SmitfraudFix/IEDFix.C.exe Infected: Hoax.Win32.Renos.vaoz skipped
C:\Documents and Settings\joal\Desktop\SmitfraudFix.exe/SmitfraudFix/IEDFix.exe Infected: Hoax.Win32.Renos.vaoz skipped
C:\Documents and Settings\joal\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\joal\Desktop\SmitfraudFix.exe RAR: infected - 3 skipped
C:\Documents and Settings\joal\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\joal\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\joal\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\joal\Local Settings\Temporary Internet Files\Content.IE5\27GHQD8J\UserStatusChange[3].html Object is locked skipped
C:\Documents and Settings\joal\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\joal\My Documents\My Music\iTunes\iTunes Music\Lil Wayne - Tha Carter III Special Edition [2008] [RAP].zip/Lil Wayne - Tha Carter III Special Edition [2008] [RAP]/Lil Wayne - Tha Carter III.zip .exe/data0002 Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\joal\My Documents\My Music\iTunes\iTunes Music\Lil Wayne - Tha Carter III Special Edition [2008] [RAP].zip/Lil Wayne - Tha Carter III Special Edition [2008] [RAP]/Lil Wayne - Tha Carter III.zip .exe Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\joal\My Documents\My Music\iTunes\iTunes Music\Lil Wayne - Tha Carter III Special Edition [2008] [RAP].zip ZIP: infected - 2 skipped
C:\Documents and Settings\joal\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\joal\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GFSHYRUV\index[4].htm Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GFSHYRUV\index[5].htm Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAD.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWADMT.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.ldb Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped
C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped
C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped
C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped
C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped
C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAWeakPasswords.log Object is locked skipped
C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\arllpxyn.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bewnlmnx.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcBUkhf.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ekxkimkh.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fpktnwed.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\frygbdce.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\iljpfz.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ipxiaygs.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jwkrrwka.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kcetywfo.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mixxpwji.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nnnlKaba.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ppfkprgh.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ukrfmurr.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\uvturksg.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vrccofvv.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wcomqwqo.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ypsgqyfs.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP196\A0125811.exe Infected: Trojan.Win32.Obfuscated.muy skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP197\A0126782.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP197\A0126783.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP197\A0126784.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP197\A0126785.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP200\A0127979.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP200\A0127998.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP200\A0127999.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP201\A0128070.exe/SmitfraudFix/IEDFix.C.exe Infected: Hoax.Win32.Renos.vaoz skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP201\A0128070.exe/SmitfraudFix/IEDFix.exe Infected: Hoax.Win32.Renos.vaoz skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP201\A0128070.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP201\A0128070.exe RAR: infected - 3 skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128111.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128112.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128113.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128114.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128115.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128116.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128117.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128118.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128119.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128120.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128121.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128122.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128123.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128124.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128125.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128126.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128127.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128128.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP210\change.log Object is locked skipped
C:\VundoFix Backups\fjyjgyvy.dll.bad Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\VundoFix Backups\pxjpsjvu.dll.bad Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\VundoFix Backups\rwdpslop.dll.bad Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\VundoFix Backups\svdurfms.dll.bad Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{87261782-2419-4746-BC64-56E41328D577}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\JET85DC.tmp Object is locked skipped
C:\WINDOWS\temp\JET861A.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\07202008_130901\WINDOWS\system32\avkapveq.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\_OTMoveIt\MovedFiles\07202008_130901\WINDOWS\system32\qhtrti.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\_OTMoveIt\MovedFiles\07202008_130901\WINDOWS\system32\qoMeETLD.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\_OTMoveIt\MovedFiles\07202008_130901\WINDOWS\system32\xptjkrur.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\_OTMoveIt\MovedFiles\07202008_130901\WINDOWS\system32\xxyxxwWo.dll Infected: Trojan.Win32.Monderc.gen skipped

Scan process completed.
  • 0
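Most of the 74 hits in the report above sit in the quarantine and backup folders of the tools used earlier in this thread (QooBox, VundoFix Backups, _OTMoveIt, the Desktop backups folder) or in System Restore points; sorting the hits by location shows which ones are still live. As an added example that is not part of the original thread, the Python below parses a Kaspersky Online Scanner report in this format and buckets each detection; the holding-area folder list is an assumption taken from the paths in this thread, and the embedded report is a short excerpt of the one above, not the full log.

```python
import re
from collections import Counter, defaultdict

# One report line is "<path> <status>". Paths contain spaces, so anchor on the
# status at the end of the line and treat everything before it as the path.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<fmt>[A-Z]+): infected - (?P<count>\d+) skipped$")

# Location decides whether a hit is still a threat. These are the quarantine and
# backup folders of the tools used in this thread (assumed list; extend as needed).
HOLDING_AREAS = {
    "quarantine/backup": (r"\QooBox\Quarantine", r"\VundoFix Backups",
                          r"\_OTMoveIt\MovedFiles", r"\Desktop\backups"),
    "system restore": (r"\System Volume Information\_restore",),
    "removal tool": (r"\SmitfraudFix",),   # components of a fix tool downloaded earlier
}


def classify(path):
    """Bucket a detection by where it sits; anything outside a holding area is 'live'."""
    lower = path.lower()
    for bucket, markers in HOLDING_AREAS.items():
        if any(marker.lower() in lower for marker in markers):
            return bucket
    return "live"


def parse_report(text):
    """Yield one dict per infected object; locked (unscanned) objects are not detections."""
    for line in text.splitlines():
        line = line.strip()
        if not line or LOCKED_RE.match(line):
            continue
        m = INFECTED_RE.match(line)
        if m:
            yield {"path": m["path"], "name": m["name"], "archive": 0,
                   "bucket": classify(m["path"])}
            continue
        m = ARCHIVE_RE.match(line)
        if m:   # the container itself, which Kaspersky counts once more
            yield {"path": m["path"], "name": None, "archive": int(m["count"]),
                   "bucket": classify(m["path"])}


def triage(text):
    """Per-bucket object counts, distinct detection names per bucket, and the live hits."""
    counts = Counter()
    names = defaultdict(set)
    live = []
    for hit in parse_report(text):
        counts[hit["bucket"]] += 1
        if hit["name"]:
            names[hit["bucket"]].add(hit["name"])
        if hit["bucket"] == "live":
            live.append(hit)
    return {"counts": dict(counts),
            "names": {b: sorted(n) for b, n in names.items()},
            "live": live}


# Constructed excerpt of the report posted above (a handful of its lines, not the full log).
SAMPLE_REPORT = r"""
C:\Documents and Settings\joal\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\joal\Desktop\backups\backup-20080720-130346-524.dll Infected: Rootkit.Win32.Podnuha.zn skipped
C:\Documents and Settings\joal\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\joal\Desktop\SmitfraudFix.exe RAR: infected - 3 skipped
C:\Documents and Settings\joal\My Documents\My Music\iTunes\iTunes Music\Lil Wayne - Tha Carter III Special Edition [2008] [RAP].zip/Lil Wayne - Tha Carter III Special Edition [2008] [RAP]/Lil Wayne - Tha Carter III.zip .exe Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\joal\My Documents\My Music\iTunes\iTunes Music\Lil Wayne - Tha Carter III Special Edition [2008] [RAP].zip ZIP: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\arllpxyn.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP196\A0125811.exe Infected: Trojan.Win32.Obfuscated.muy skipped
C:\VundoFix Backups\fjyjgyvy.dll.bad Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\_OTMoveIt\MovedFiles\07202008_130901\WINDOWS\system32\avkapveq.dll Infected: Trojan.Win32.Monderc.gen skipped
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("objects per bucket:", result["counts"])
    for hit in result["live"]:
        label = hit["name"] or f"archive holding {hit['archive']} infected objects"
        print("LIVE:", label, "->", hit["path"])
```

Fed the complete report, the same functions give the per-bucket totals for all 74 objects; on the excerpt the only live bucket is the second copy of the padded-name file inside the iTunes Music zip.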

#26
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello again coldwars,

Well Kaspersky shows we still have a bit of a problem. :)

Another approach coming up.

  • Download RenV.exe by sUBs to your desktop
  • Double click on it to run it
  • It will search your system drive looking for any modified .exe file and will produce a log for you.
  • Please drag this log into RenV.exe and let it run. Post the log it produces

  • 0

#27
coldwars

coldwars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
I think the link is broken because it cannot be saved.
  • 0

#28
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hmm, maybe the site is down. In any event I will get back to you.
  • 0

#29
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello coldwars,

Well, seeing that the link, as you say, seems to be broken, let's try running ComboFix again, but this time attach the file in your reply.

Do not paste it in the thread.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

-----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please upload here as an attachment.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#30
coldwars

coldwars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Here is the ComboFix log attached.

Attached Files

  • Attached File  log.txt   12.81KB   218 downloads

  • 0