Thread: Help Please..

  1. #1
    Join Date
    May 2008
    Posts
    19
    My Link is now active, I had to clear the cache in my ftp and purge it on site. I just wanted you to see that I can post on other sites.

    I just posted and now it appears that it's not the PC why I can't post, as I just tried to post logs on a different PC in my house.
    Last edited by ou8it; 05-20-2008 at 06:20 PM. Reason: Can't post to site from any pc in the house

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    JH, I ran Combo fix script you sent and it did not reboot automatically. In fact the desktop icons went away and did not return. I had to reboot myself. I did give it ample time to do so. Also I am still getting the imt.damit.dll error on startup.
    Above is from your post on your link. Do not be concerned about the desktop disappearing, this is normal with combofix and if you will check I noted that in the instructions. Same goes for computer not rebooting at the end, this also happens sometimes.
    Please bear with me while I work on the logs. I WILL get back ASAP.

  3. #3
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Well combofix removed some of what we wanted out of there, but not all of it.

    First of all let's get rid of some of these things manually;
    You will have to navigate to these folders manually and remove the items noted in RED. Don't remove the entire folder, just those single entries I note in RED;

    C:\Documents and Settings\All Users\Application Data\WildTangent
    C:\Documents and Settings\All Users\Application Data\kgvsrrma
    C:\Documents and Settings\All Users\Application Data\uzkiodzh
    C:\Documents and Settings\All Users\Application Data\odavibsv

    I also noted that you did install Spy Hunter, sorry cauzomb, this isn't a program I can recommend. It USED to be listed on the Spyware Warrior Rogue/Suspect-Anti-spyware list and while it is no longer listed on THAT list it is still a program that they do not recommend for the reasons quoted below, and I have to say I agree;
    Note on Enigma SpyHunter: Enigma's SpyHunter anti-spyware application was listed on this page primarily because of the company's history of employing aggressive, deceptive advertising. The company was also known for exploiting the name "spybot" in its domain names and online advertising. These objectionable business practices were employed primarily from late-2002 to mid-2004.

    Sometime during summer of 2004 the company halted the most obnoxious and objectionable aspects of its online advertising. It also unloaded all the "spybot" domains (which were promptly picked up by Paretologic for its XoftSpy anti-spyware application).

    While there are still unresolved allegations that SpyHunter transmits the Windows Product ID from users' PCs (1), we can no longer classify this application as "rogue/suspect." Nonetheless, SpyHunter -- at least in its current state -- cannot be recommended because of its mediocre performance as an anti-spyware scanner. Testing indicates that it does not recognize some well-known spyware installations and has difficulty removing critical spyware/adware files even from those it does recognize (1). Given the many excellent competing anti-spyware applications that are available (some for free), users would do better looking elsewhere for trustworthy anti-spyware protection.
    All that taken into consideration I would recommend that you now UNINSTALL that program via Add/Remove. I am sorry I didn't mention this sooner as SpyHunter isn't free - if it were to actually detect something, users then have to pay $30 for removal. Tests of the product indicate its spyware detection is extremely limited, capable of detecting only a tiny percent of spyware.
    Once you have done all of the above then next let's clean up the HJT log and then we will try again to get rid of the remaining entries in the registry after that.
    Run HJT again and place checkmarks in the following entries if they still remain;
    O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll (file missing)
    O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll (file missing)

    O4 - HKLM\..\Run: [ece3c94e] rundll32.exe "C:\WINDOWS\system32\imtdamet.dll",b

    O4 - HKCU\..\Run: [sqrjigmy] C:\WINDOWS\system32\alabqbkn.exe

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    O20 - Winlogon Notify: ddcBSIbb - ddcBSIbb.dll (file missing)

    Once you have placed the checkmarks then click the Fix Checked button.
    Exit HJT.
    Reboot the computer.
    Then run combofix again following my original instructions, and also run HJT again. Post back here with both new logs.
    Judy

  4. #4
    Join Date
    May 2008
    Posts
    19

    Here are the logs after the above changes

    Here are the logs:
    The imt.damit.dll error was fixed after reboot.

    Combo Fix:

    ComboFix 08-05-19.4 - Robert 2008-05-21 14:15:27.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.38 [GMT -4:00]
    Running from: C:\Documents and Settings\Robert\Desktop\ComboFix.exe
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
    .

    2008-05-19 06:05 . 2008-05-19 19:58 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-05-19 05:48 . 2008-05-19 06:05 <DIR> d-------- C:\Program Files\Internet Spy Hunter
    2008-05-18 18:15 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-05-18 18:14 . 2008-05-18 18:14 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-05-18 16:13 . 2008-05-18 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
    2008-05-18 06:54 . 2008-05-18 06:54 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-18 06:54 . 2008-05-18 06:54 <DIR> d-------- C:\Documents and Settings\Robert\Application Data\Malwarebytes
    2008-05-18 06:54 . 2008-05-18 06:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-05-18 06:54 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-05-18 06:54 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-05-17 19:18 . 2008-05-21 14:09 <DIR> d-------- C:\Hi Jack This
    2008-05-17 19:18 . 2005-02-16 11:06 218,112 --a------ C:\Program Files\HijackThis.exe
    2008-05-14 17:44 . 2008-05-14 17:44 <DIR> d-------- C:\ie-spyad_zo
    2008-05-14 17:38 . 2008-05-14 17:39 <DIR> d-------- C:\Program Files\Dell Games
    2008-05-14 17:30 . 2008-05-14 22:01 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-05-14 17:30 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
    2008-05-14 16:53 . 2008-05-14 16:53 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
    2008-05-13 21:02 . 2008-05-13 21:05 202 --a------ C:\WINDOWS\wininit.ini
    2008-05-13 19:55 . 2008-05-13 19:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-05-13 19:55 . 2008-05-13 21:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-05-13 19:49 . 2008-05-13 19:49 <DIR> d-------- C:\Program Files\CCleaner
    2008-05-13 19:23 . 2008-05-13 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-05-13 19:22 . 2008-05-13 19:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-05-13 19:22 . 2008-05-13 19:22 <DIR> d-------- C:\Documents and Settings\Robert\Application Data\SUPERAntiSpyware.com
    2008-05-13 17:43 . 2008-05-13 19:19 <DIR> d-------- C:\Documents and Settings\Robert\.housecall6.6
    2008-05-13 17:05 . 2007-12-27 21:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
    2008-05-13 17:05 . 2008-05-13 17:05 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-05-13 17:05 . 2008-05-21 06:19 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
    2008-05-04 12:29 . 2008-05-04 12:29 <DIR> d-------- C:\Documents and Settings\Robert\Application Data\McAfee

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-19 00:21 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-05-18 22:15 --------- d-----w C:\Program Files\Java
    2008-05-18 16:53 --------- d-----w C:\Program Files\Dl_cats
    2008-05-15 21:31 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-05-15 21:29 --------- d-----w C:\Documents and Settings\Robert\Application Data\AdobeUM
    2008-05-15 02:06 --------- d-----w C:\Program Files\Microsoft Picture It! PhotoPub
    2008-05-14 19:56 --------- d-----w C:\Program Files\Trend Micro
    2008-05-14 09:39 --------- d-----w C:\Program Files\FinePixViewer
    2008-05-13 23:21 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-22 23:32 --------- d-----w C:\Program Files\McAfee
    2008-04-01 18:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
    .

    ((((((((((((((((((((((((((((( snapshot_2008-05-20_ 6.09.29.78 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-05-20 23:09:58 19,590 ----a-w C:\WINDOWS\.jagex_cache_32\runescape\game_unpacker.dat
    - 2008-05-19 20:40:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-05-21 18:12:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-05-21 18:12:33 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_258.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 21:42 1404928]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
    "DLCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 08:38 69632]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 12:44 249856]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "tE19RMf3nt"= C:\Documents and Settings\All Users\Application Data\odavibsv\idenurst.exe

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
    backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
    backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
    --a------ 2007-05-23 11:41 1798656 C:\Program Files\Advanced Registry Optimizer\aro.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cafw]
    C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\capfasem]
    C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\capfupgrade]
    C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cctray]
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
    --a------ 2006-02-09 18:34 106496 C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    --a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLCCCATS]
    --a------ 2005-06-07 08:38 69632 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlccmon.exe]
    --a------ 2005-07-22 09:03 425984 C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
    --a------ 2005-01-27 03:02 86016 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
    --a------ 2007-03-15 19:16 454784 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    C:\Program Files\Common Files\AOL\1170429915\ee\AOLSoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    --a------ 2003-09-03 22:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    --a------ 2005-06-10 12:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    --a------ 2005-06-10 12:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2005-05-04 18:21 278528 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
    --a------ 2005-09-08 21:20 8192 C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
    --a------ 2005-09-08 21:20 110592 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QOELOADER]
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2006-12-27 22:08 98304 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    --a------ 2005-11-29 23:04 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
    --------- 2002-02-04 23:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    -rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    --a------ 2008-05-13 12:43 1510640 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    -ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=


    .
    Contents of the 'Scheduled Tasks' folder
    "2008-05-15 05:10:57 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    "2008-05-01 05:00:25 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-21 14:19:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-05-21 14:23:58
    ComboFix-quarantined-files.txt 2008-05-21 18:23:48
    ComboFix2.txt 2008-05-20 10:09:55
    ComboFix3.txt 2008-05-19 19:41:32

    Pre-Run: 63,535,562,752 bytes free
    Post-Run: 63,548,280,832 bytes free

    191 --- E O F --- 2008-05-16 07:02:20


    Hijack This:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:25:40 PM, on 5/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\PROGRA~1\McAfee\MPS\mps.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\McAfee\MPS\mpsevh.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\CF18075.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\regedit.exe
    C:\Hi Jack This\hi jack analizer.exe.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

    Thanks again for all the help Judy,
    Frank
    Last edited by ou8it; 05-21-2008 at 01:23 PM. Reason: Forgot to mention dll error fixed
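
The fix list in post #3 is meant to be checked against the next HijackThis scan ("if they still remain"). The following added example, which is not part of the thread or of HijackThis itself, parses HijackThis entry lines and reports which fix-list entries still appear in a follow-up log and which entries point at missing files. The function names and the whitespace-insensitive matching are assumptions of this example; the fix list and the log excerpt are copied from the posts above, and `PARTIAL_LOG` is constructed.

```python
import re

# A HijackThis entry is "<section code> - <description>",
# e.g. "O4 - HKLM\..\Run: [name] command". Header and process lines do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
MISSING = "(file missing)"

# Entries the helper asked to have fixed (post #3).
FIX_LIST = r"""
O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll (file missing)
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll (file missing)
O4 - HKLM\..\Run: [ece3c94e] rundll32.exe "C:\WINDOWS\system32\imtdamet.dll",b
O4 - HKCU\..\Run: [sqrjigmy] C:\WINDOWS\system32\alabqbkn.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: ddcBSIbb - ddcBSIbb.dll (file missing)
"""

# Excerpt of the follow-up log (post #4).
FOLLOWUP_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
"""

# Constructed log in which two fix-list entries survived; one path carries a
# stray space of the kind forum software inserts into long strings.
PARTIAL_LOG = r"""
O4 - HKCU\..\Run: [sqrjigmy] C:\WINDOWS\system32\alabq bkn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ddcBSIbb - ddcBSIbb.dll (file missing)
"""


def _key(code, body):
    # Compare with whitespace removed and case folded, so a pasted log with
    # stray spaces or different casing still matches the same entry.
    return code + "|" + re.sub(r"\s+", "", body).lower()


def parse_entries(text):
    """Return one dict per HijackThis entry line; all other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        missing = body.endswith(MISSING)
        if missing:
            # The suffix can appear or vanish between scans; keep it out of the key.
            body = body[: -len(MISSING)].rstrip()
        entries.append({"code": code, "body": body,
                        "missing": missing, "key": _key(code, body)})
    return entries


def still_present(fix_list, new_log):
    """Fix-list entries that still appear in the follow-up log, in fix-list order."""
    seen = {e["key"] for e in parse_entries(new_log)}
    return [e for e in parse_entries(fix_list) if e["key"] in seen]


def dangling(log):
    """Entries whose target HijackThis reported as '(file missing)'."""
    return [e for e in parse_entries(log) if e["missing"]]


if __name__ == "__main__":
    for label, log in (("follow-up", FOLLOWUP_LOG), ("partial", PARTIAL_LOG)):
        left = still_present(FIX_LIST, log)
        print(f"{label}: {len(left)} fix-list entries remain, "
              f"{len(dangling(log))} dangling")
        for e in left:
            print("  ", e["code"], "-", e["body"])
```
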

  5. #5
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Did you uninstall that Spy Hunter program?

  6. #6
    Join Date
    May 2008
    Posts
    19
    Yes I uninstalled it right after I found out you needed to buy it. It did pick up zlob infection about 12 counts.

  7. #7
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    See it may have found them....but you would have had to buy it to use it. What programs found and removed them...the FREE MalwareBytes’ Anti-Malware program, which found and fixed a total of 31 infected files, the FREE combofix found and fixed 35 infected files. This is what we really try to stress here that there are numerous FREE programs that do a superior job to the paid ones.
    Your logs look good to me. You need to set a new and now clean System Restore point. Right click My Computer, choose Properties, When that opens click the System Restore tab. Put a checkmark in Turn off System Restore. You will get a warning you are turning it off, very normal, say ok if you have to. It will turn off. Wait a minute and then go back in the same way and remove the checkmark. System Restore will come back on.
    Keep your anti-virus and SpywareBlaster and your anti-spyware programs up to date. Scan weekly at least with the anti-spy and anti-virus programs and you should be good.
    Judy

  8. #8
    Join Date
    Aug 2006
    Posts
    2,763
    Sorry about the spyhunter program, I didn't know that the spyhunter "free" program was just a scanner, that needed a purchased license to do work, or about its history. It was the only thing I found that mentioned being able to remove the zlob variants... EDIT, perhaps it might be useful as a scanner to find the zlob issues, make note of their location/file names, then dump the scanner?

  9. #9
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    No, it isn't recommended for anything. It is one of those programs that will often times pop up with a "malware on the computer" warning then "click here to remove". Also doesn't find every instance either, as noted in this thread.
    There are several programs which remove zlob and vundo, MalwareBytes being one of the best at this time.

  10. #10
    Join Date
    Aug 2006
    Posts
    2,763
    Quote Originally Posted by jholland1964
    No, it isn't recommended for anything. It is one of those programs that will often times pop up with a "malware on the computer" warning then "click here to remove". Also doesn't find every instance either, as noted in this thread.
    There are several programs which remove zlob and vundo, MalwareBytes being one of the best at this time.
    OK. sorry again I'll check out the malwarebytes proggy for future stuff.
