Hi, your instructions said: Rename the file "CFScript.txt" (including the quotes), but of course you cannot use quotes in a file name.
ComboFix 07-11-08.3 - makem 2007-11-17 1:30:52.2 - NTFSx86
Running from: F:\Documents and Settings\makem.HAL\Desktop\ComboFix.exe
Command switches used :: F:\Documents and Settings\makem.HAL\Desktop\CFScript.txt
* Created a new restore point
FILE
F:\WINDOWS\system32\aockpxva.dll
F:\WINDOWS\system32\ddcyv.dll
F:\WINDOWS\system32\etkmtkbl.dll
F:\WINDOWS\system32\kieqmjqa.dll
F:\WINDOWS\system32\kmdsregl.exe
F:\WINDOWS\system32\qbkhisue.dll
F:\WINDOWS\system32\qfqquhsw.dll
F:\WINDOWS\system32\quygnenq.dll
F:\WINDOWS\system32\xpgvbhly.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
F:\WINDOWS\system32\etkmtkbl.dll
F:\WINDOWS\system32\kieqmjqa.dll
F:\WINDOWS\system32\kmdsregl.exe
F:\WINDOWS\system32\quygnenq.dll
.
((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.
2007-11-15 23:29 51,200 --a------ F:\WINDOWS\NirCmd.exe
2007-11-13 13:10 <DIR> d-------- F:\Program Files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 01:35 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\MailWasherPro
2007-11-15 14:52 --------- d-----w F:\Program Files\Steam
2007-10-23 13:32 --------- d-----w F:\Program Files\FlashFXP.v3.3.5.1110.BETA5
2007-10-16 11:24 --------- d-----w F:\Program Files\FlashGet
2007-10-16 11:02 1,422 ----a-w F:\Documents and Settings\makem.HAL\clean.reg
2007-10-16 10:24 --------- d-----w F:\Program Files\Executive Software
2007-10-16 10:24 --------- d-----w F:\Program Files\Diskeeper Corporation
2007-10-16 10:24 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\Leadertech
2007-10-16 10:19 --------- d-----w F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-15 23:45 --------- d-----w F:\Program Files\Dealio
2007-10-15 23:42 --------- d-----w F:\Program Files\Common Files\SWF Studio
2007-10-15 23:33 512,096 ----a-w F:\WINDOWS\system32\drivers\amon.sys
2007-10-15 23:33 15,424 ----a-w F:\WINDOWS\system32\drivers\nod32drv.sys
2007-10-15 22:57 --------- d-----w F:\Documents and Settings\All Users\Application Data\Avg7
2007-10-15 22:55 --------- d-----w F:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-05 20:45 --------- d-----w F:\Program Files\Microsoft Works
2007-10-04 22:10 --------- d-----w F:\Program Files\tz_mIRC
2007-10-04 22:10 --------- d-----w F:\Program Files\geordies_mIRC
2007-10-04 21:36 --------- d-----w F:\Program Files\GuildFTPd
2007-09-29 20:43 --------- d-----w F:\Program Files\Common Files\L&H
2007-09-27 09:07 --------- d-----w F:\Program Files\DigiGuide TV Guide
2007-09-27 09:00 --------- d-----w F:\Program Files\zone_mIRC
2007-09-25 21:19 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\Lavasoft
2007-09-24 16:53 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\FlashFXP
2007-09-23 10:53 --------- d-----w F:\Program Files\tbsg_mIRC
2007-09-23 10:51 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\mIRC
2007-09-23 10:49 --------- d-----w F:\Program Files\new_zone_mIRC
2007-09-21 18:01 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\ACD Systems
2007-09-21 14:07 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\.BitTornado
2006-03-11 17:55 457 ----a-w F:\Program Files\INSTALL.LOG
2001-11-23 12:08 712,704 ----a-w F:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.
((((((((((((((((((((((((((((( snapshot@2007-11-15_23.38.16.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-16 02:03:17 593,920 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2007-11-17 01:29:26 593,920 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2007-10-16 02:03:17 12,288 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-11-17 01:29:26 12,288 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-10-16 02:03:17 86,016 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-11-17 01:29:26 86,016 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2007-10-16 02:03:17 135,168 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-11-17 01:29:25 135,168 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-10-16 02:03:17 11,264 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-11-17 01:29:26 11,264 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-10-16 02:03:17 27,136 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-11-17 01:29:26 27,136 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-10-16 02:03:17 4,096 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2007-11-17 01:29:26 4,096 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-10-16 02:03:18 794,624 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-11-17 01:29:27 794,624 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-10-16 02:03:17 249,856 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-11-17 01:29:26 249,856 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-10-16 02:03:17 61,440 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2007-11-17 01:29:25 61,440 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-10-16 02:03:18 23,040 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-11-17 01:29:27 23,040 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-10-16 02:03:17 286,720 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-11-17 01:29:25 286,720 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2007-10-16 02:03:16 409,600 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-11-17 01:29:25 409,600 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2006-12-19 21:52:18 8,453,632 -c----w F:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 -c--a-w F:\WINDOWS\system32\dllcache\shell32.dll
- 2007-09-27 21:19:40 18,089,592 ----a-w F:\WINDOWS\system32\MRT.exe
+ 2007-11-02 07:12:57 18,238,072 ----a-w F:\WINDOWS\system32\MRT.exe
- 2006-12-19 21:52:18 8,453,632 ----a-w F:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 ----a-w F:\WINDOWS\system32\shell32.dll
- 2005-10-12 23:12:25 14,048 ----a-w F:\WINDOWS\system32\spmsg.dll
+ 2007-03-06 01:22:33 14,048 ------w F:\WINDOWS\system32\spmsg.dll
- 2007-08-21 10:13:33 350,720 ----a-w F:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:04:03 350,720 ----a-w F:\WINDOWS\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="-cmicnfg.cpl" []
"NeroFilterCheck"="-F:\WINDOWS\System32\NeroCheck.exe" []
"IMEKRMIG6.1"="-F:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" []
"SoundMan"="-SOUNDMAN.EXE" []
"QuickTime Task"="-F:\Program Files\QuickTime\qttask.exe" []
"!AVG Anti-Spyware"="-F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" []
"nod32kui"="F:\Program Files\Eset\nod32kui.exe" [2007-10-15 23:33]
"DiskeeperSystray"="F:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 16:38]
"ICQ Lite"="-F:\Program Files\ICQLite\ICQLite.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"msnmsgr"="-F:\Program Files\MSN Messenger\msnmsgr.exe" []
"MailWasher"="F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE" [2003-11-10 13:25]
F:\Documents and Settings\makem\Start Menu\Programs\Startup\
DigiGuide.lnk - F:\Program Files\DigiGuide TV Guide\Client.exe [2005-10-30 22:55:56]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"Norun"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"DisableReistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli scecli
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Acronis Scheduler2 Service"="F:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
"SunJavaUpdateSched"=F:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
R2 AsProbe;AsProbe;\??\F:\WINDOWS\System32\drivers\AsProbe.sys
R2 UxTuneUp;TuneUp Design Expansion;F:\WINDOWS\System32\svchost.exe -k netsvcs
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;F:\WINDOWS\system32\DRIVERS\AN983.sys
R3 HCW848NT;Hauppauge Win/TV;F:\WINDOWS\system32\DRIVERS\hcw848nt.sys
S3 AvFlt;Antivirus Filter Driver;F:\WINDOWS\system32\drivers\av5flt.sys
S3 HWACCESS;HWACCESS;\??\F:\WINDOWS\system32\HWACCESS.SYS
S3 LMImirr;LMImirr;F:\WINDOWS\system32\DRIVERS\LMImirr.sys
S3 mirrorv3;mirrorv3;F:\WINDOWS\system32\DRIVERS\rminiv3.sys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
"2007-10-26 16:15:00 F:\WINDOWS\Tasks\1-Click Maintenance.job"
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-11-17 01:35:30
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MailWasher = F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-17 1:36:10 - machine was rebooted
F:\ComboFix2.txt ... 2007-11-15 23:41
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:38:57, on 17/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Eset\nod32krn.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\logonui.exe
F:\WINDOWS\system32\rdpclip.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Eset\nod32kui.exe
F:\WINDOWS\system32\ctfmon.exe
F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
F:\WINDOWS\system32\notepad.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\iseeu.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - F:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - F:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - F:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [Cmaudio] -RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] -F:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] -F:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SoundMan] -SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] -"F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] -"F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ICQ Lite] -"F:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] -"F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MailWasher] F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - F:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - F:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - F:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0175246499
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0177533779
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: Adobe LM Service - Unknown owner - -"F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - -F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"F:\Program Files\MSN Messenger\usnsvc.exe" (file missing)
--
End of file - 6525 bytes