
Thread: Problems with Virtumonde and CmdService


  1. #1 Junior Member (joined Aug 2007, 11 posts)

    Problems with Virtumonde and CmdService

    Last week, an unrequested download ran on my computer. I could not get rid of it. I turned to Spybot, which showed several issues. Earlier in the week, there were no issues. Now the system is slow and browser windows pop up every few minutes to advertisements.

    Spybot sidebar instructions for Virtumonde directed me to this forum for assistance. I have completed "Before you post" steps and hope they provide sufficient information to help get rid of these problems. Can someone please help?

    Here is the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:09:23 PM, on 8/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\Program Files\FolderSize\FolderSizeSvc.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\RoamMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Switching\User\RoamSvc.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\ClamWin\bin\ClamTray.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\plite731.exe
    C:\Program Files\Internet Explorer\niwo22011.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [bascstray] BascsTray.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
    O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
    O4 - HKLM\..\Run: [niwo] C:\Program Files\Internet Explorer\niwo22011.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\Greg\APPLIC~1\CROSOF~1.NET\ntvdm.exe" -vt yazb
    O4 - HKCU\..\Run: [Sue] "C:\Program Files\?ppPatch\l?ass.exe"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1125541547371
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173792747484
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remoteaccess.med.utah.edu/da...erSetupSP1.cab
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: OracleMTSRecoveryService - Unknown owner - C:\oracle\ora92\bin\omtsreco.exe (file missing)
    O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

    --
    End of file - 8245 bytes


    Next are the f-secure scan results logs (I have Kaspersky results also if needed but they made this initial post too long):

    f-secure on-line scan log --

    Scanning Report
    Saturday, August 18, 2007 21:44:36 - 10:39:48

    Computer name: LAPTOP1
    Scanning type: Scan system for viruses, rootkits, spyware
    Target: C:\
    Result: 45 malware found
    Tracking Cookie (spyware)

    * System (Disinfected)
    * System
    * System
    * System
    * System
    * System
    * System

    Trojan-Downloader.Win32.Agent.bls (virus)

    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091721.EXE (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091736.EXE (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091772.EXE (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091877.EXE (Renamed & Submitted)

    Trojan-Downloader.Win32.Delf.biu (virus)

    * C:\DOCUMENTS AND SETTINGS\GREG\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\L03R7IVF\MSIESETTINGS[1].EXE (Renamed & Submitted)

    Trojan-Downloader.Win32.Small.buy (virus)

    * C:\WINDOWS\SYSTEM32\TMPS2\MTIDOCS.EXE (Renamed & Submitted)

    Trojan-Downloader.Win32.Small.eqn (virus)

    * C:\WINDOWS\SYSTEM32\CHKFIG5\D0125.EXE (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091918.EXE (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091719.EXE (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091757.EXE (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091856.EXE (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091871.EXE (Renamed & Submitted)

    Trojan-Downloader.Win32.VB.awj (virus)

    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091919.EXE (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091920.EXE (Renamed & Submitted)

    Trojan-Proxy.Win32.VB.x (virus)

    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091922.EXE (Renamed & Submitted)

    Trojan.Win32.BHO.ab (virus)

    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091901.DLL (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091902.DLL (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091903.DLL (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091904.DLL (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091905.DLL (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091906.DLL (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091907.DLL (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091908.DLL (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091909.DLL (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091924.EXE (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091720.EXE (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091759.EXE (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091780.EXE (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091797.EXE (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091819.EXE (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091838.EXE (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091858.EXE (Renamed & Submitted)
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091873.EXE (Renamed & Submitted)

    W32/NetMon.C (virus)

    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091735.EXE (Submitted)

    W32/Vundo.dam (virus)

    * C:\WINDOWS\SYSTEM32\EFCDD.DLL
    * C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091843.DLL (Submitted)
    * C:\DOCUMENTS AND SETTINGS\GREG\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\VGADKYV0\CSS4[1] (Submitted)

    Win32.TrojanDownloader.Agent (spyware)

    * System (Disinfected)

    Statistics
    Scanned:

    * Files: 99022
    * System: 5088
    * Not scanned: 4

    Actions:

    * Disinfected: 2
    * Renamed: 33
    * Deleted: 0
    * None: 10
    * Submitted: 36

    Files not scanned:

    * C:\HIBERFIL.SYS
    * C:\PAGEFILE.SYS
    * C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
    * C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{1C3C7B8F-5448-46DC-A62E-76DF33E5295A}.BIN

    Options
    Scanning engines:

    * F-Secure AVP: 7.0.171, 2007-08-17
    * F-Secure Blacklight: 1.0.64
    * F-Secure Draco: 1.0.35, 0260-23-12
    * F-Secure Libra: 2.4.2, 2007-08-16
    * F-Secure Orion: 1.2.37, 2007-08-16
    * F-Secure Pegasus: 1.19.0, 2007-07-12

    Scanning options:

    * Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
    * Use Advanced heuristics


    I already tried the VundoFix.exe process and it could not remove several files. After a restart it did not seem to work either. Spybot had very similar results asking if it could run at the next restart.

    Thank you in advance for your time and I appreciate the clear instructions and service this forum provides. I've read through some of the other posts and they seem very thorough and professional.
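As a defender-side illustration (added here; it is not part of the thread and not code from HijackThis, Spybot or the forum), the following Python script parses the `O4 - HKLM\..\Run` and `O4 - HKCU\..\Run` lines in the format HijackThis prints above and flags the kinds of entries a helper looks for first: a `?` inside a path (HijackThis prints `?` for characters it cannot display), an executable sitting directly in the Windows root, a filename that nearly matches a Windows system binary (`svhost.exe` beside the real `svchost.exe`, `l?ass.exe` beside `lsass.exe`), and a long run of digits in a name. The sample lines are constructed from this thread's log; the heuristics, the 0.85 similarity threshold and the `SYSTEM_BINARIES` list are assumptions of the example, not rules from the forum, and a hit is a reason to look closer, not a verdict.

```python
"""Triage of HijackThis O4 (autorun) entries with simple defender heuristics."""
import ntpath
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import Dict, List

# Constructed sample modelled on the O4 lines in this thread's log; a real run
# would read the saved hijackthis.log instead of this string.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [niwo] C:\Program Files\Internet Explorer\niwo22011.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sue] "C:\Program Files\?ppPatch\l?ass.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
"""

# Only Run-key entries are triaged here; Global Startup (.lnk) lines are skipped.
O4_RUN = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Pull the executable path out of a command line, quoted or not, dropping arguments.
EXE_PATH = re.compile(
    r'^"?(?P<path>.+?\.(?:exe|dll|bat|cmd|scr|pif|com))"?(?:\s.*)?$', re.IGNORECASE)

# Assumed list of well-known Windows binaries that droppers like to imitate.
SYSTEM_BINARIES = ['svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe',
                   'services.exe', 'explorer.exe', 'ctfmon.exe', 'smss.exe',
                   'spoolsv.exe']
LOOKALIKE_THRESHOLD = 0.85  # assumption: tuned by eye on the names above


@dataclass
class Finding:
    hive: str
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)


def extract_path(cmd: str) -> str:
    """Return the program path from a Run-key value, without quotes or arguments."""
    m = EXE_PATH.match(cmd.strip())
    return m.group('path') if m else cmd.strip().strip('"')


def lookalike_of(filename: str):
    """Return the system binary this name nearly (but not exactly) matches, if any."""
    low = filename.lower()
    for real in SYSTEM_BINARIES:
        if low == real:
            return None  # the genuine name is not a lookalike of itself
        if SequenceMatcher(None, low, real).ratio() >= LOOKALIKE_THRESHOLD:
            return real
    return None


def assess(path: str) -> List[str]:
    """Apply the heuristics in a fixed order and return the reasons that fired."""
    reasons = []
    directory = ntpath.dirname(path)
    filename = ntpath.basename(path)
    if '?' in path:
        reasons.append('unprintable-char-in-path')
    if directory.lower().rstrip('\\').endswith(':\\windows'):
        reasons.append('exe-in-windows-root')
    real = lookalike_of(filename)
    if real:
        reasons.append(f'lookalike-of:{real}')
    if re.search(r'\d{3,}', filename):
        reasons.append('long-digit-run-in-name')  # weak signal on its own
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse every O4 Run-key line of a HijackThis log into a Finding."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        path = extract_path(m.group('cmd'))
        findings.append(Finding(m.group('hive'), m.group('name'), path, assess(path)))
    return findings


def suspicious(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged Run-key entry name to the reasons it was flagged."""
    return {f.name: f.reasons for f in triage(log_text) if f.reasons}


if __name__ == '__main__':
    for name, reasons in suspicious(SAMPLE_LOG).items():
        print(f'{name:12} {", ".join(reasons)}')
```

Run against the constructed sample, the script leaves `Apoint` and `ctfmon.exe` alone and reports `svhost` (Windows root, lookalike of `svchost.exe`), `plite731` (Windows root, digit run), `niwo` (digit run only, so the weakest hit) and `Sue` (undisplayable character, lookalike of `lsass.exe`), which is the same short list a helper would ask about from this log.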

  2. #2 Retired Security Volunteer (joined Dec 2006, 753 posts)

    Hi, welcome to Safer Networking!

    Look in your Control Panel's Add/Remove Programs for any of these and uninstall them:

    Oin
    Yazzle by Oin
    Purityscan by Oin
    Snowballwars by Oin
    or anything similar with Oin or Outerinfo in it.
    Zolero
    Tizzletalk
    MediaTickets
    Cowabanga


    Reboot.
    _____

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum.
    _____

    Download combofix.exe

    1. Save it to your desktop.
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ____

    HJT Uninstall list
    • Open HijackThis > Click "Misc Tools Section"
    • Click "Open Uninstall Manager".
    • Click "Save List".
    • Save it to your Desktop.
    • Copy the contents of the file to your next reply.

    On your next reply, please include a
    • Fresh HijackThis log.
    • SDFix log
    • combofix log
    • HJT uninstall list
    AngelFire777

    Proud member of UNITE and ASAP since 2006.

  3. #3 Junior Member (joined Aug 2007, 11 posts)

    First New Log Files - Part 1

    Thank you for the assistance. I found none of the listed applications in the programs list to be uninstalled. Here is the fresh HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:45:35 AM, on 8/20/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\Program Files\FolderSize\FolderSizeSvc.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\RoamMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Switching\User\RoamSvc.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\plite731.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [bascstray] BascsTray.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\Greg\APPLIC~1\CROSOF~1.NET\ntvdm.exe" -vt yazb
    O4 - HKCU\..\Run: [Sue] "C:\Program Files\?ppPatch\l?ass.exe"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1125541547371
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173792747484
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remoteaccess.med.utah.edu/da...erSetupSP1.cab
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: OracleMTSRecoveryService - Unknown owner - C:\oracle\ora92\bin\omtsreco.exe (file missing)
    O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

    --
    End of file - 8009 bytes


    Here is the SDFix Report:


    SDFix: Version 1.99

    Run by Greg on Mon 08/20/2007 at 05:50 AM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\system32\TFTP1692 - Deleted
    C:\WINDOWS\system32\TFTP2076 - Deleted
    C:\WINDOWS\system32\TFTP2320 - Deleted
    C:\WINDOWS\system32\TFTP2396 - Deleted
    C:\WINDOWS\system32\TFTP2428 - Deleted
    C:\WINDOWS\system32\TFTP2544 - Deleted
    C:\WINDOWS\system32\TFTP2812 - Deleted
    C:\WINDOWS\system32\TFTP2848 - Deleted
    C:\WINDOWS\system32\TFTP2896 - Deleted
    C:\WINDOWS\system32\TFTP3028 - Deleted
    C:\WINDOWS\system32\TFTP3220 - Deleted
    C:\WINDOWS\system32\TFTP3240 - Deleted
    C:\WINDOWS\system32\TFTP3264 - Deleted
    C:\WINDOWS\system32\TFTP3276 - Deleted
    C:\WINDOWS\system32\TFTP3308 - Deleted
    C:\WINDOWS\system32\TFTP3448 - Deleted
    C:\WINDOWS\system32\TFTP3836 - Deleted
    C:\WINDOWS\system32\TFTP4032 - Deleted
    C:\WINDOWS\system32\TFTP4040 - Deleted
    C:\WINDOWS\system32\TFTP736 - Deleted
    C:\WINDOWS\TISKY002.exe - Deleted



    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\WINDOWS\\SYSTEM32\\ftp.exe"="C:\\WINDOWS\\SYSTEM32\\ftp.exe:*:Enabled:File Transfer Program"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:
    ---------------

    File Backups: - C:\SDFix\backups\backups.zip
    Registry Backups: - C:\SDFix\backups\backupreg.zip
    Full Registry Backup: - C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE

    Files with Hidden Attributes:

    C:\Documents and Settings\Greg\My Documents\Visual Studio Projects\gs.isysguy.com\gs.isysguy.suo
    C:\WINDOWS\R3JlZw\asappsrv.dll
    C:\Program Files\Outlook Express\msimn.exe
    C:\Documents and Settings\All Users\Application Data\Microsoft\visualstudio\7.1\vs000223.tmp
    C:\WINDOWS\SYSTEM32\CONFIG\SAM.tmp.LOG
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.tmp.LOG
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091800.vbs

    Finished

  4. #4 Junior Member (joined Aug 2007, 11 posts)

    First New Log Files - Part 2

    Here is the Combo_Fix Report:

    ComboFix 07-08-17.2 - "Greg" 2007-08-20 6:20:50.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.133 [GMT -6:00]
    * Created a new restore point


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\Internet Explorer\niwo22011.exe
    C:\Program Files\Outlook Express\rybilozy.dll
    C:\WINDOWS\SYSTEM32\lnppo.bak1
    C:\WINDOWS\SYSTEM32\lnppo.ini
    C:\WINDOWS\SYSTEM32\lnppo.tmp
    C:\WINDOWS\system32\oppnl.dll
    C:\WINDOWS\system32\twqwasyo.dll
    C:\WINDOWS\tk58.exe


    ((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))


    2007-08-20 05:49 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-08-18 10:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-08-18 10:13 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2007-08-17 00:20 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-17 00:12 <DIR> d-------- C:\Program Files\Trend Micro
    2007-08-16 23:27 <DIR> d-------- C:\VundoFix Backups
    2007-08-16 06:06 43,542 --a------ C:\WINDOWS\SYSTEM32\efccbyy.dll
    2007-08-16 06:06 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
    2007-08-16 06:06 <DIR> d--hs---- C:\WINDOWS\R3JlZw
    2007-08-16 06:05 43,542 --a------ C:\WINDOWS\SYSTEM32\urqpppq.dll
    2007-08-16 06:05 13,824 --a------ C:\WINDOWS\plite731.exe
    2007-08-16 06:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\tmps2
    2007-08-16 06:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\syschks22
    2007-08-16 06:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\SS1
    2007-08-16 06:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\ICM2
    2007-08-16 06:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\dll2
    2007-08-16 06:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\chkfig5
    2007-08-16 06:05 <DIR> d-------- C:\Temp
    2007-08-15 07:05 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2007-07-28 12:31 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Juniper Networks


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-19 21:44 --------- d-------- C:\Program Files\Mozilla Thunderbird
    2007-08-16 06:17 --------- d-------- C:\DOCUME~1\Greg\APPLIC~1\.gaim
    2007-07-19 00:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-07-12 17:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
    2007-06-27 08:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
    2007-06-27 08:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
    2007-06-27 08:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-06-27 08:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-06-27 08:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-06-27 08:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-06-27 08:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-06-27 08:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-06-27 08:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-06-27 08:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-06-27 08:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-06-27 08:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-06-27 08:34 230400 --------- C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-06-27 08:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
    2007-06-27 08:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-06-27 08:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-06-27 08:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
    2007-06-27 08:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-06-27 08:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
    2007-06-27 08:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
    2007-06-27 02:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-06-27 02:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-06-27 02:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-06-27 01:00 161792 --------- C:\WINDOWS\system32\dllcache\ieakui.dll
    2007-06-26 02:27 363520 --------- C:\WINDOWS\system32\dllcache\w3svc.dll
    2007-06-26 00:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
    2007-06-26 00:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
    2007-06-19 07:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
    2007-06-19 07:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
    2007-06-13 04:23 1033216 --a------ C:\WINDOWS\explorer.exe
    2007-06-13 04:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
    2006-02-19 04:28 12288 --a------ C:\WINDOWS\Fonts.\RandFont.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{417CDCBA-0F9E-458D-9BDE-F6DF265CEEFB}]
    C:\WINDOWS\system32\efcdd.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44218730-94E0-4b24-BBF0-C3D8B2BCE2C3}]
    C:\WINDOWS\system32\rwuuxwjs.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53FDC6FF-7D7F-458B-BFA3-6110F834745D}]
    C:\WINDOWS\system32\vtuvt.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}]
    2007-08-16 06:05 43542 --a------ C:\WINDOWS\system32\urqpppq.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDD90BF7-00C1-4850-8D4F-F682372EAFA1}]
    C:\WINDOWS\system32\mljgd.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIModeChange"="Ati2mdxx.exe" [2001-09-04 15:24 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2002-08-22 18:28]
    "CARPService"="carpserv.exe" [2003-01-23 14:06 C:\WINDOWS\SYSTEM32\carpserv.exe]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-01-03 16:00]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2002-12-17 19:16]
    "bascstray"="BascsTray.exe" []
    "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-12-18 13:20]
    "DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 09:18]
    "AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 11:28]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2003-08-19 17:23]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2003-11-20 16:02]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-07-15 09:03]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41]
    "ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2007-07-22 20:17]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
    "plite731"="C:\WINDOWS\plite731.exe" [2007-08-16 06:05]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
    "Ncao"="C:\DOCUME~1\Greg\APPLIC~1\CROSOF~1.NET\ntvdm.exe" []
    "Sue"="C:\Program Files\?ppPatch\l?ass.exe" []

    C:\Documents and Settings\Greg\Start Menu\Programs\Startup\
    DESKTOP.INI [2002-09-03 12:36:04]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-19 14:48:26]
    DESKTOP.INI [2002-09-03 12:36:04]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-07-24 22:14:24]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22]
    HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 08:56:20]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}"= C:\WINDOWS\system32\urqpppq.dll [2007-08-16 06:05 43542]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdd]
    C:\WINDOWS\system32\efcdd.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
    C:\WINDOWS\System32\LgNotify.dll 2003-01-12 16:17 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpppq]
    urqpppq.dll 2007-08-16 06:05 43542 C:\WINDOWS\SYSTEM32\urqpppq.dll

    R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
    R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
    R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
    R2 BASFND;BASFND;\??\C:\WINDOWS\System32\Drivers\BASFND.sys
    R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
    R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\System32\Drivers\CVPNDRVA.sys
    R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
    R2 StreamDispatcher;StreamDispatcher;C:\WINDOWS\system32\DRIVERS\strmdisp.sys
    R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
    R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
    R3 Intel_MIPMNMP;Intel Adapter Switching Driver;C:\WINDOWS\system32\DRIVERS\mipmnxp.sys
    R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
    R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
    S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
    S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
    S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE
    S3 w70n51;Intel(R) PRO/Wireless 7100 Adapter Driver;C:\WINDOWS\system32\DRIVERS\w70n51.sys
    S3 wportcls;wportcls;\??\C:\DOCUME~1\Greg\LOCALS~1\Temp\wportcls.sys


    Contents of the 'Scheduled Tasks' folder
    2007-08-20 10:44:37 C:\WINDOWS\Tasks\backup.job - C:\Tasks\backup\backup.bat
    2007-08-20 06:01:01 C:\WINDOWS\Tasks\rotate.job - C:\Tasks\scrnsvr\rotate.bat

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-20 06:34:22
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-20 6:39:19 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-20 06:39
    C:\ComboFix2.txt ... 2007-08-17 00:39

    --- E O F ---


    Unfortunately, the HJT Uninstall List could not be produced. HJT would close when I clicked the "Save List..." button. Is there another such list that can be produced?

  5. #5
    Retired Security Volunteer
    Join Date
    Dec 2006
    Posts
    753

    Default

    Hi,

    Unfortunately, the HJT Uninstall List could not be produced. HJT would close when I clicked the "Save List..." button. Is there another such list that can be produced?
    That's probably because of a certain infection you have on your machine.
    ______

    Remove MS Java
    The Microsoft Java Virtual Machine, or MS Java VM, is used to run Java applets that can be found on web sites. When you visit a web site that has a Java applet, the MS JVM will compile and execute that applet on your machine. Microsoft no longer supports the MS JVM and it has become obsolete. There have also been known security issues with unpatched versions of the MS JVM and you should remove it and install the safer SUN JVM as an alternative (instructions follow).

    Instructions on how to remove MS Java can be found >here<
    ______

    Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll


    Close your browsers and all open windows except for HijackThis then click "Fix checked."

    Combofix Deletions
    • Open notepad.
    • Copy and paste the text inside the code box below to notepad

    Code:
    http://forums.spybot.info/showthread.php?p=113055
    
    File::
    C:\VundoFix Backups
    C:\WINDOWS\plite731_uninstaller_.bat
    C:\WINDOWS\plite731.exe
    
    Folder::
    C:\WINDOWS\R3JlZw
    C:\WINDOWS\SYSTEM32\tmps2
    C:\WINDOWS\SYSTEM32\syschks22
    C:\WINDOWS\SYSTEM32\SS1
    C:\WINDOWS\SYSTEM32\ICM2
    C:\WINDOWS\SYSTEM32\dll2
    C:\WINDOWS\SYSTEM32\chkfig5
    C:\Temp
    C:\DOCUME~1\Greg\APPLIC~1\CROSOF~1.NET
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{417CDCBA-0F9E-458D-9BDE-F6DF265CEEFB}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44218730-94E0-4b24-BBF0-C3D8B2BCE2C3}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53FDC6FF-7D7F-458B-BFA3-6110F834745D}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDD90BF7-00C1-4850-8D4F-F682372EAFA1}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "plite731"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Ncao"=-
    "Sue"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdd]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpppq]
    
    Collect::
    C:\WINDOWS\SYSTEM32\efccbyy.dll
    C:\WINDOWS\SYSTEM32\urqpppq.dll
    
    Filelook::
    C:\DOCUME~1\Greg\LOCALS~1\Temp\wportcls.sys
    • Save and Name it as "CFScript"
    • Drag and drop CFScript.txt to your copy of combofix.
    • You can take a look at the image below if you're unsure on how to do it.
    • Combofix will restart your machine then it will produce a log afterwards.
    • Please post the contents of that log along with a fresh HijackThis log.
    • Additionally, please follow all of combofix's instructions regarding the submission of some malware for analysing and make sure that you don't leave that part out.
    _____

    Open notepad.
    Copy and paste the text inside the Code Box below into Notepad
    Choose File > Save As and under "Save as type", choose "All Files".
    Type find.bat in the File name and save it to your desktop.

    Code:
    @echo off
    :: go to the root of the current drive
    cd\
    :: /a:d lists directories only; ? is the single-character wildcard, standing in
    :: for the character in the folder name that the logs could not display
    dir /a:d "\program files\?ppPatch" > files.txt
    notepad files.txt
    exit
    Locate Find.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.
    ______

    Please navigate to these files:

    C:\Tasks\backup\backup.bat
    C:\Tasks\scrnsvr\rotate.bat

    Both of those are batch files but I cannot find any information regarding those. So, I want you to right click on each of those files then click "edit." A notepad will open for each of them and they will contain some text. Please post the contents of those files to your next reply.

    CAUTION: DO NOT DOUBLE CLICK THOSE FILES, THEY MAY BE POTENTIALLY HARMFUL.
    ______

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    _______

    Your Java is out of date....
    Older versions have vulnerabilities that malware can use to infect your system.
    Please follow these steps to remove older version Java components.
    • Click Start > Control Panel
    • Click Add/Remove Programs
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove button.
    • Repeat as many times as necessary to remove all versions of Java.
    • Reboot your computer once all Java components are removed.
    Then download Java Runtime Environment 6u2, and install it to your computer.
    _______

    After all these, see if you can get the hijackthis uninstall list now.


    On your next reply, please include a
    • Fresh HijackThis log.
    • kaspersky scan log
    • new combofix log
    • contents of backup.bat and rotate.bat
    • contents of files.txt
    • HJT uninstall list
    AngelFire777

    Proud member of UNITE and ASAP since 2006.
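The CFScript above removes the same small set of loading points that Vundo-class infections abuse (Browser Helper Objects, ShellExecuteHooks, Winlogon Notify subkeys and Run values), and the helper picks them out by cross-checking the "Reg Loading Points" section against the "Files Created" dates and against odd path names such as `?ppPatch`. The Python script below is an added example written for this thread, not ComboFix's own code and not something the helper posted: it parses a constructed ComboFix-style excerpt (the paths and dates are copied from the log above, the rest is trimmed) and flags a loading point when its module was created shortly before the scan, when its path contains a `?` placeholder, when the scanner reported no date or size for it, or when one DLL is registered at several loading-point types at once. The regular expressions assume the log layout exactly as pasted in this thread, and the seven-day "recent" window is an arbitrary choice.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt modelled on the ComboFix log posted in this thread (not the full log).
SAMPLE_LOG = r"""ComboFix 07-08-17.2 - "Greg" 2007-08-20 6:28:20.2 - NTFSx86
((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))
2007-08-17 00:20 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-16 06:05 43,542 --a------ C:\WINDOWS\SYSTEM32\urqpppq.dll
2007-08-16 06:05 13,824 --a------ C:\WINDOWS\plite731.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{417CDCBA-0F9E-458D-9BDE-F6DF265CEEFB}]
C:\WINDOWS\system32\efcdd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}]
2007-08-16 06:05 43542 --a------ C:\WINDOWS\system32\urqpppq.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2007-07-22 20:17]
"plite731"="C:\WINDOWS\plite731.exe" [2007-08-16 06:05]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sue"="C:\Program Files\?ppPatch\l?ass.exe" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}"= C:\WINDOWS\system32\urqpppq.dll [2007-08-16 06:05 43542]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpppq]
urqpppq.dll 2007-08-16 06:05 43542 C:\WINDOWS\SYSTEM32\urqpppq.dll
"""

SECTION_RE = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")          # (((( Section title ))))
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")                      # [HKEY_...] key header
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]+?\.(?:exe|dll|sys|bat|scr)', re.IGNORECASE)
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}")
HEADER_RE = re.compile(r"^ComboFix .*?(\d{4}-\d{2}-\d{2}) ")    # scan date in the first line
KINDS = (("browser helper objects", "BHO"), ("winlogon\\notify", "WinlogonNotify"),
         ("shellexecutehooks", "ShellExecuteHook"), ("currentversion\\run", "Run"))  # Run/RunOnce

def parse_sections(log_text):
    """Group non-blank lines under the (((( title )))) banner that precedes them."""
    sections, current = defaultdict(list), "header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        else:
            sections[current].append(line)
    return sections

def classify_key(key):
    k = key.lower()
    return next((kind for needle, kind in KINDS if needle in k), "Other")

def triage(log_text, recent_days=7):
    """Return findings for loading points that are new, oddly named, unverifiable, or multiply registered."""
    sections = parse_sections(log_text)
    scan_date = next((datetime.strptime(m.group(1), "%Y-%m-%d")
                      for m in map(HEADER_RE.match, sections["header"]) if m), None)
    created = {}                                     # lower-cased path -> creation time
    for line in next((v for k, v in sections.items() if k.startswith("Files Created")), []):
        d, p = DATE_RE.search(line), PATH_RE.search(line)
        if d and p:                                  # <DIR> lines carry no extension and are skipped
            created[p.group(0).lower()] = datetime.strptime(d.group(0), "%Y-%m-%d %H:%M")
    if scan_date is None and created:
        scan_date = max(created.values())
    findings, kinds_by_module, kind = [], defaultdict(set), "Other"
    for line in next((v for k, v in sections.items() if k.startswith("Reg Loading Points")), []):
        if line.startswith("****"):                  # end of the loading-point listing
            break
        km = KEY_RE.match(line)
        if km:
            kind = classify_key(km.group(1))
            continue
        if line.endswith("\\"):                      # a Startup-folder path header
            kind = "StartupFolder"
            continue
        if re.match(r"^[RS]\d\s", line):             # service/driver lines (R1 name;desc;path)
            kind = "Service"
        pm = PATH_RE.search(line)
        if not pm:
            continue
        path = pm.group(0)
        kinds_by_module[path.lower()].add(kind)
        when, dm = created.get(path.lower()), DATE_RE.search(line)
        if when is None and dm:                      # fall back to the inline timestamp
            when = datetime.strptime(dm.group(0), "%Y-%m-%d %H:%M")
        if "?" in path:                              # the scanner prints '?' for characters it cannot render
            findings.append(dict(severity="HIGH", kind=kind, path=path,
                                 reason="path contains '?' (unrenderable character in file name)"))
        if when is not None and scan_date is not None and (scan_date - when).days <= recent_days:
            findings.append(dict(severity="HIGH", kind=kind, path=path,
                                 reason=f"module created {when:%Y-%m-%d}, within {recent_days} days of the scan"))
        elif when is None:
            findings.append(dict(severity="LOW", kind=kind, path=path,
                                 reason="no date/size reported; confirm the module exists on disk"))
    for module, kinds in kinds_by_module.items():
        if len(kinds) > 1:                           # one DLL hooked into several load paths
            findings.append(dict(severity="HIGH", kind="+".join(sorted(kinds)), path=module,
                                 reason=f"registered at {len(kinds)} distinct loading-point types"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:4} {f['kind']:<32} {f['path']}  <- {f['reason']}")
```

On the excerpt this reports urqpppq.dll three times (BHO, ShellExecuteHook and Winlogon Notify, all created 2007-08-16) plus a combined finding for being registered at all three, plite731.exe as a freshly created Run value, the `?ppPatch\l?ass.exe` entry for its placeholder characters, and efcdd.dll as a BHO the scanner could not stat; ClamTray.exe, created a month earlier, is not flagged. The heuristics are triage aids only: a legitimately new program is also "recent", so each finding still needs the file checked on disk, as the helper asks for with the Collect:: and Filelook:: directives.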

  6. #6
    Junior Member
    Join Date
    Aug 2007
    Posts
    11

    Default Second New Log Files and Scan Results - Part 1

    Thank you for your help. I have removed the MS Java and installed the new SUN version. I also removed the R0-HKLM...about:blank entry in HJT. The other two O9 entries were not present perhaps because of the MS Java removal?

    ____________

    The results of the comboFix script you provided are shown below:

    ComboFix 07-08-17.2 - "Greg" 2007-08-21 7:38:40.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.159 [GMT -6:00]
    Command switches used :: C:\Documents and Settings\Greg\Desktop\Cleaners\CFScript.txt
    * Created a new restore point

    FILE::
    C:\VundoFix Backups
    C:\WINDOWS\plite731_uninstaller_.bat
    C:\WINDOWS\plite731.exe


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Temp
    C:\WINDOWS\plite731.exe
    C:\WINDOWS\plite731_uninstaller_.bat
    C:\WINDOWS\R3JlZw
    C:\WINDOWS\R3JlZw\asappsrv.dll
    C:\WINDOWS\SYSTEM32\chkfig5
    C:\WINDOWS\SYSTEM32\chkfig5\D0125.0XE
    C:\WINDOWS\SYSTEM32\dll2
    C:\WINDOWS\SYSTEM32\dll2\concdll2.exe
    C:\WINDOWS\SYSTEM32\efccbyy.dll
    C:\WINDOWS\SYSTEM32\ICM2
    C:\WINDOWS\SYSTEM32\ICM2\nb22011.exe
    C:\WINDOWS\SYSTEM32\nmnnn.bak1
    C:\WINDOWS\SYSTEM32\nmnnn.bak2
    C:\WINDOWS\SYSTEM32\nmnnn.ini
    C:\WINDOWS\system32\nnnmn.dll
    C:\WINDOWS\SYSTEM32\SS1
    C:\WINDOWS\SYSTEM32\syschks22
    C:\WINDOWS\SYSTEM32\syschks22\hhadz002.exe
    C:\WINDOWS\SYSTEM32\tmps2
    C:\WINDOWS\SYSTEM32\tmps2\MTIDOCS.0XE
    C:\WINDOWS\system32\uirpiiud.dll
    C:\WINDOWS\SYSTEM32\urqpppq.dll
    C:\WINDOWS\system32\xarvwjej.dll


    ((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))


    2007-08-20 05:49 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-08-18 10:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-08-18 10:13 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2007-08-17 00:20 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-17 00:12 <DIR> d-------- C:\Program Files\Trend Micro
    2007-08-16 23:27 <DIR> d-------- C:\VundoFix Backups
    2007-08-15 07:05 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2007-07-28 12:31 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Juniper Networks


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-20 20:43 --------- d-------- C:\Program Files\Mozilla Thunderbird
    2007-08-16 06:17 --------- d-------- C:\DOCUME~1\Greg\APPLIC~1\.gaim
    2007-07-19 00:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-07-12 17:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
    2007-06-27 08:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
    2007-06-27 08:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
    2007-06-27 08:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-06-27 08:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-06-27 08:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-06-27 08:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-06-27 08:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-06-27 08:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-06-27 08:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-06-27 08:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-06-27 08:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-06-27 08:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-06-27 08:34 230400 --------- C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-06-27 08:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
    2007-06-27 08:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-06-27 08:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-06-27 08:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
    2007-06-27 08:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-06-27 08:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
    2007-06-27 08:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
    2007-06-27 02:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-06-27 02:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-06-27 02:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-06-27 01:00 161792 --------- C:\WINDOWS\system32\dllcache\ieakui.dll
    2007-06-26 02:27 363520 --------- C:\WINDOWS\system32\dllcache\w3svc.dll
    2007-06-26 00:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
    2007-06-26 00:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
    2007-06-19 07:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
    2007-06-19 07:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
    2007-06-13 04:23 1033216 --a------ C:\WINDOWS\explorer.exe
    2007-06-13 04:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
    2006-02-19 04:28 12288 --a------ C:\WINDOWS\Fonts.\RandFont.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIModeChange"="Ati2mdxx.exe" [2001-09-04 15:24 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2002-08-22 18:28]
    "CARPService"="carpserv.exe" [2003-01-23 14:06 C:\WINDOWS\SYSTEM32\carpserv.exe]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-01-03 16:00]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2002-12-17 19:16]
    "bascstray"="BascsTray.exe" []
    "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-12-18 13:20]
    "DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 09:18]
    "AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 11:28]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2003-11-20 16:02]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-07-15 09:03]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41]
    "ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2007-07-22 20:17]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

    C:\Documents and Settings\Greg\Start Menu\Programs\Startup\
    DESKTOP.INI [2002-09-03 12:36:04]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-19 14:48:26]
    DESKTOP.INI [2002-09-03 12:36:04]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-07-24 22:14:24]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22]
    HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 08:56:20]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
    C:\WINDOWS\System32\LgNotify.dll 2003-01-12 16:17 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

    R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
    R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
    R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
    R2 BASFND;BASFND;\??\C:\WINDOWS\System32\Drivers\BASFND.sys
    R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
    R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\System32\Drivers\CVPNDRVA.sys
    R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
    R2 StreamDispatcher;StreamDispatcher;C:\WINDOWS\system32\DRIVERS\strmdisp.sys
    R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
    R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
    R3 Intel_MIPMNMP;Intel Adapter Switching Driver;C:\WINDOWS\system32\DRIVERS\mipmnxp.sys
    R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
    R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
    S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
    S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
    S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE
    S3 w70n51;Intel(R) PRO/Wireless 7100 Adapter Driver;C:\WINDOWS\system32\DRIVERS\w70n51.sys
    S3 wportcls;wportcls;\??\C:\DOCUME~1\Greg\LOCALS~1\Temp\wportcls.sys


    Contents of the 'Scheduled Tasks' folder
    2007-08-21 10:44:27 C:\WINDOWS\Tasks\backup.job - C:\Tasks\backup\backup.bat
    2007-08-21 06:01:01 C:\WINDOWS\Tasks\rotate.job - C:\Tasks\scrnsvr\rotate.bat

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-21 07:50:55
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-21 7:54:17 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-21 07:53
    C:\ComboFix2.txt ... 2007-08-20 06:39
    C:\ComboFix3.txt ... 2007-08-17 00:39

    --- E O F ---


    ______________

    Also, the find.bat results are as follows (I don't know if you expected something more but this is all that was shown):


    Volume in drive C has no label.
    Volume Serial Number is 7810-9037

    Directory of C:\program files



    ______________

    The backup.bat and rotate.bat batch files in c:\tasks are just some personal batch files I created for my own use. The contents are below:

    backup.bat
    ::keep only four backups on-hand
    ::delete oldest backup
    del archive\info3.tar.gz
    ::Rename old archives
    rename archive\info2.tar.gz info3.tar.gz
    rename archive\info1.tar.gz info2.tar.gz
    rename archive\info0.tar.gz info1.tar.gz
    ::Create new archive
    tar -cvf archive\info0.tar c:\info\*
    ::Compress new archive
    gzip -9v archive\info0.tar
    ::FTP Archive to server
    ftp -s:ftp.scr home.net
    exit

    rotate.bat
    rename C:\Files\ScreenSaverSlides\current 0
    rename C:\Files\ScreenSaverSlides\4 current
    rename C:\Files\ScreenSaverSlides\3 4
    rename C:\Files\ScreenSaverSlides\2 3
    rename C:\Files\ScreenSaverSlides\1 2
    rename C:\Files\ScreenSaverSlides\0 1
