PDA

View Full Version : Virtumonde.dll, possibly others



NathanE
2008-04-27, 00:05
Thank you for helping me in advance. I currently have Symantec Antivirus Corporate Edition have always been updating my virus definitions and running regular scans. A week ago, my Auto-protect popped up and detected a few viruses and then froze. I had to do a manual shutdown and my computer has been terribly infected since then. Steps taken since:

1) Full scan using symantec, froze before completion. Reboot.
2) 2nd full scan, it caught numerous viruses but froze before completion. Reboot.
3) 3rd and 4th full scan, fully completed, saying no virus. (this was very strange, something may have infected my symantec)
4) My computer was still infected so I downloaded and ran spybot. Numerous things were spotted and I attempted to delete them (Win32.Small, Virtumonde, Virtumonde.dll)
5) Ran Kaspersky Online Scanner (log posted below)
6) Ran Spybot in safe mode, still found same viruses, deleted them and then rebooted normally (Upon startup a few system windows popped up saying certain system processes could not be found (unsure of the names exactly....dll, 3 windows like this.)
7) Downloaded ResetTeaTimer and ran it.
7) Ran HJT(log posted below). My autoprotect popped up and said it caught Trojan.Vundo.B while I am typing this post.

Please help, THANK YOU...(by the way, I disabled system restore thinking this would help but should not have done that)


LOGS:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, April 24, 2008 12:25:19 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/04/2008
Kaspersky Anti-Virus database records: 724127
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 51636
Number of viruses found: 10
Number of infected objects: 18
Number of suspicious objects: 0
Duration of the scan process: 01:08:34

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Documents\DESKTOP.INI Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\MUSIC.ASX Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\MUSIC.BMP Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\MUSIC.WMA Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\DESKTOP.INI Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Favorites -- 4 and 5 star rated.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Favorites -- Have not heard recently.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Favorites -- Listen to late at night.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Favorites -- Listen to on Weekdays.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Favorites -- Listen to on Weekends.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Favorites -- One Audio CD worth.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Favorites -- One Data CD-R worth.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Fresh tracks -- yet to be played.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Fresh tracks -- yet to be rated.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Fresh tracks.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\High bitrate media in my library.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Low bitrate media in my library.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Music tracks I dislike.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Music tracks I have not rated.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Music tracks with content protection.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\01_Music_auto_rated_at_5_stars.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\02_Music_added_in_the_last_month.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\03_Music_rated_at_4_or_5_stars.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\04_Music_played_in_the_last_month.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\05_Pictures_taken_in_the_last_month.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\06_Pictures_rated_4_or_5_stars.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\07_TV_recorded_in_the_last_week.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\08_Video_rated_at_4_or_5_stars.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\09_Music_played_the_most.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\10_All_Music.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\11_All_Pictures.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\12_All_Video.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\DESKTOP.INI Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Videos\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\All Users\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NSkwor\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\NSkwor\Local Settings\Application Data\Microsoft\Messenger\munkybud_92@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\NSkwor\Local Settings\Application Data\Microsoft\Messenger\munkybud_92@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\NSkwor\Local Settings\Application Data\Microsoft\Messenger\munkybud_92@hotmail.com\SharingMetadata\Working\database_489C_CFA5_9CCF_8BBE\dfsr.db Object is locked skipped
C:\Documents and Settings\NSkwor\Local Settings\Application Data\Microsoft\Messenger\munkybud_92@hotmail.com\SharingMetadata\Working\database_489C_CFA5_9CCF_8BBE\fsr.log Object is locked skipped
C:\Documents and Settings\NSkwor\Local Settings\Application Data\Microsoft\Messenger\munkybud_92@hotmail.com\SharingMetadata\Working\database_489C_CFA5_9CCF_8BBE\fsrtmp.log Object is locked skipped
C:\Documents and Settings\NSkwor\Local Settings\Application Data\Microsoft\Messenger\munkybud_92@hotmail.com\SharingMetadata\Working\database_489C_CFA5_9CCF_8BBE\tmp.edb Object is locked skipped
C:\Documents and Settings\NSkwor\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NSkwor\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NSkwor\Local Settings\Application Data\Microsoft\Windows Live Contacts\munkybud_92@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\NSkwor\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\NSkwor\Local Settings\Temp\~DFB4CC.tmp Object is locked skipped
C:\Documents and Settings\NSkwor\Local Settings\Temp\~DFB5B8.tmp Object is locked skipped
C:\Documents and Settings\NSkwor\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\NSkwor\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NSkwor\Local Settings\Temporary Internet Files\Content.IE5\T9IXGXW7\idkfa[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.qpb skipped
C:\Documents and Settings\NSkwor\ntuser.dat Object is locked skipped
C:\Documents and Settings\NSkwor\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NSkwor\Start Menu\Programs\Startup\DLHelperEXE.exe Infected: not-a-virus:AdWare.Win32.Thumper.a skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0045NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0948NAV~.TMP Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000050.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000066.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qpi skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000067.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000068.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qoy skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\mrofinu572.exe.tmp Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\efcATNdd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qpf skipped
C:\WINDOWS\SYSTEM32\efcBUOEt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qpf skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\hckvtnbm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qpb skipped
C:\WINDOWS\SYSTEM32\jbikjeym.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qpi skipped
C:\WINDOWS\SYSTEM32\khfEvSkK.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
C:\WINDOWS\SYSTEM32\qnfvulqi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qoy skipped
C:\WINDOWS\SYSTEM32\rnbevsdj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qov skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Altnet\mysearch.cab/mySetp.exe Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\WINDOWS\Temp\Altnet\mysearch.cab CAB: infected - 1 skipped
C:\WINDOWS\Temp\Altnet\pmexe.cab/Points Manager.exe Infected: not-a-virus:AdWare.Win32.Altnet.h skipped
C:\WINDOWS\Temp\Altnet\pmexe.cab CAB: infected - 1 skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

______________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:21 PM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\USR WLAN\USR 22Mbps WLAN Adapter\USRWLAN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: (no name) - {28D763C5-FFAE-4A52-B61F-855237CA26BB} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {59C1FC1A-5395-42CB-A28A-056077066C12} - (no file)
O2 - BHO: (no name) - {64A240E6-777D-42D0-9FAD-B9F531BA9E61} - C:\WINDOWS\system32\khfEvSkK.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {84eaf250-18b8-646b-d714-7191deb8d7fa} - {af7d8bed-1917-417d-b646-8b81052fae48} - C:\WINDOWS\system32\gfoxjxka.dll (file missing)
O2 - BHO: (no name) - {F50B3F5E-856E-4757-9BB1-B35D46CA7719} - C:\WINDOWS\system32\efcATNdd.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [9ccf8b11] rundll32.exe "C:\WINDOWS\system32\gahkbcqf.dll",b
O4 - HKLM\..\Run: [BM9ffcb88d] Rundll32.exe "C:\WINDOWS\system32\bsxpbeiw.dll",s
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - Startup: DLHelperEXE.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: U.S.Robotics WLAN Adapter Configuration Utility.lnk = C:\Program Files\USR WLAN\USR 22Mbps WLAN Adapter\USRWLAN.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)
O9 - Extra 'Tools' menuitem: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)
O9 - Extra button: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - C:\Program Files\Intertops Poker\IntertopsPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - C:\Program Files\Intertops Poker\IntertopsPoker.exe (file missing)
O9 - Extra button: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - C:\Program Files\MultiPoker\MultiPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - C:\Program Files\MultiPoker\MultiPoker.exe (file missing)
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (file missing)
O9 - Extra button: World Poker Exchange - {76028735-BBF1-4044-8DE2-5B90F0C7A77C} - C:\Program Files\WorldPokerExchange\GameClient.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog\BPGame.exe (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145836444109
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O20 - Winlogon Notify: efcATNdd - efcATNdd.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9582 bytes

pskelley
2008-04-27, 02:26
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do. Please review the directions again and be sure "word wrap" is turned off!

1) If you are running TeaTimer, disable it until we are finished:
We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

NathanE
2008-04-27, 03:37
Thank you for your prompt response. I have read the instructions "Before you post" and understand that information. I only connect online to troubleshoot as you instructed. Steps taken:

1) Disabled TeaTimer in Spybot Advanced mode. Reboot.
2) Never used ComboFix before so I followed your link and downloaded ComboFix.exe to my desktop. I do have the Windows XP CD but did not install the "Recovery Console."
3) Ran ComboFix.exe successfully, computer rebooted and log was produced (below).
4) Still noticed upon reboot that the same RUNDLL windows popped up. Exact verbiage: "Error loading C:\WINDOWS\system32\bsxpbeiw.dll" "The specified module could not be found." (2 of these popped up, different ...dll)
5) Ran HJT (log below).


Thank you again for helping, let me know what my next step is...
________________________________

LOGS:

ComboFix 08-04-26.1 - NSkwor 2008-04-26 18:59:53.1 - NTFSx86
Running from: C:\Documents and Settings\NSkwor\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\AntiSpywareMaster
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\btmcqfue.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\efcBUOEt.dll
C:\WINDOWS\SYSTEM32\eufqcmtb.ini
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\hckvtnbm.dll
C:\WINDOWS\system32\jbikjeym.dll
C:\WINDOWS\SYSTEM32\KkSvEfhk.ini
C:\WINDOWS\SYSTEM32\KkSvEfhk.ini2
C:\WINDOWS\system32\kpilaihn.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt

.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-25 17:51 . 2008-04-26 15:01 1,540,704 --ahs---- C:\WINDOWS\SYSTEM32\fqcbkhag.ini
2008-04-24 18:16 . 2008-04-23 18:19 89,152 --a------ C:\WINDOWS\SYSTEM32\btmcqfue.dll_old
2008-04-24 14:41 . 2008-04-24 14:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-24 00:46 . 2003-10-02 14:51 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-24 00:46 . 2006-03-28 17:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-04-24 00:46 . 2008-01-21 23:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-24 00:46 . 2008-04-24 00:46 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-24 00:46 . 2008-04-26 18:59 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-23 22:40 . 2008-04-23 22:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-23 22:40 . 2008-04-23 22:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-23 07:36 . 2008-04-23 22:26 <DIR> d-------- C:\Program Files\Spybot
2008-04-22 18:21 . 2008-04-25 17:38 1,542,360 --ahs---- C:\WINDOWS\SYSTEM32\jdsvebnr.ini
2008-04-22 18:15 . 2008-04-26 15:01 109,738 --a------ C:\WINDOWS\BM9ffcb88d.xml
2008-04-22 18:04 . 2008-04-22 18:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\xcsDd01
2008-04-22 18:04 . 2008-04-22 18:04 <DIR> d-------- C:\Temp\berDrv11
2008-04-22 18:04 . 2008-04-22 18:04 <DIR> d-------- C:\Temp
2008-04-12 21:16 . 2008-04-12 21:17 <DIR> d-------- C:\Program Files\NBC Direct
2008-04-12 21:15 . 2008-04-12 21:15 <DIR> d-------- C:\Program Files\OpenCASE
2008-04-12 21:15 . 2008-04-12 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ExtendMedia
2008-04-12 21:13 . 2008-04-12 21:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-03 23:09 . 2008-04-26 19:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-03 23:09 . 2008-04-03 23:09 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-03 23:07 . 2008-04-03 23:08 <DIR> d-------- C:\Program Files\iTunes
2008-04-03 23:07 . 2008-04-03 23:07 <DIR> d-------- C:\Program Files\iPod
2008-04-03 23:04 . 2008-04-03 23:05 <DIR> d-------- C:\Program Files\QuickTime
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 00:05 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-24 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-17 22:38 --------- d-----w C:\Documents and Settings\NSkwor\Application Data\WeatherBug
2008-03-03 01:33 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-29 23:46 --------- d-----w C:\Program Files\MSN Messenger
2008-02-29 23:45 --------- d-----w C:\Program Files\Windows Live
2008-02-29 23:44 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-29 23:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2005-08-22 18:42 4,096 ----a-w C:\Documents and Settings\NSkwor\log.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64A240E6-777D-42D0-9FAD-B9F531BA9E61}]
C:\WINDOWS\system32\khfEvSkK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{af7d8bed-1917-417d-b646-8b81052fae48}]
C:\WINDOWS\system32\gfoxjxka.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2005-06-07 13:58 1339392]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 18:22 28672]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28 684032]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 21:05 323584]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 09:43 188416]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 18:37 229437]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 19:27 85696]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"9ccf8b11"="C:\WINDOWS\system32\gahkbcqf.dll" [ ]
"BM9ffcb88d"="C:\WINDOWS\system32\bsxpbeiw.dll" [ ]

C:\Documents and Settings\NSkwor\Start Menu\Programs\Startup\
DLHelperEXE.exe [2004-02-20 16:34:33 196608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-10-02 14:50:08 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 23:05:56 65588]
U.S.Robotics WLAN Adapter Configuration Utility.lnk - C:\Program Files\USR WLAN\USR 22Mbps WLAN Adapter\USRWLAN.exe [2003-10-20 13:36:03 290816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcATNdd]
efcATNdd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-04-11 15:25 212992 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\SYSTEM32\\msiexec.exe"=

R3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [2008-01-22 04:00]
S3 USRLN;U.S. Robotics 22Mbps Wireless Lan Adapter;C:\WINDOWS\system32\DRIVERS\usrwlan.sys [2003-02-25 14:59]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 03:15:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-10 20:15:07 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#deskjet5100#MY3B74K76H7A.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe+/#Hewlett-Packard#deskjet5100#MY3B74K76H7A
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 19:07:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\SYSTEM32\fxssvc.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-04-26 19:20:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-27 00:19:58

Pre-Run: 39,647,875,072 bytes free
Post-Run: 39,909,695,488 bytes free

155 --- E O F --- 2008-04-10 02:10:44

_________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:23 PM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\USR WLAN\USR 22Mbps WLAN Adapter\USRWLAN.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {64A240E6-777D-42D0-9FAD-B9F531BA9E61} - C:\WINDOWS\system32\khfEvSkK.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {84eaf250-18b8-646b-d714-7191deb8d7fa} - {af7d8bed-1917-417d-b646-8b81052fae48} - C:\WINDOWS\system32\gfoxjxka.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [9ccf8b11] rundll32.exe "C:\WINDOWS\system32\gahkbcqf.dll",b
O4 - HKLM\..\Run: [BM9ffcb88d] Rundll32.exe "C:\WINDOWS\system32\bsxpbeiw.dll",s
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: DLHelperEXE.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: U.S.Robotics WLAN Adapter Configuration Utility.lnk = C:\Program Files\USR WLAN\USR 22Mbps WLAN Adapter\USRWLAN.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)
O9 - Extra 'Tools' menuitem: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)
O9 - Extra button: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - C:\Program Files\Intertops Poker\IntertopsPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - C:\Program Files\Intertops Poker\IntertopsPoker.exe (file missing)
O9 - Extra button: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - C:\Program Files\MultiPoker\MultiPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - C:\Program Files\MultiPoker\MultiPoker.exe (file missing)
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (file missing)
O9 - Extra button: World Poker Exchange - {76028735-BBF1-4044-8DE2-5B90F0C7A77C} - C:\Program Files\WorldPokerExchange\GameClient.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog\BPGame.exe (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145836444109
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O20 - Winlogon Notify: efcATNdd - efcATNdd.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9098 bytes

pskelley
2008-04-27, 12:23
Thanks for returning your information and the feedback, please read and follow the directions carefully.

I can't find anything good about this item: O4 - Startup: DLHelperEXE.exe
http://www.google.com/search?hl=en&q=DLHelperEXE.exe&btnG=Google+Search

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
This looks to be a VERY old version of Java, so old it does not even show the version. See this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

Are you aware this service is running on the computer:
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
http://www.runscanner.net/files/exe/mediaagent/mediaagent.exe.aspx

(Instructions start here)

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\gahkbcqf.dll
C:\WINDOWS\system32\bsxpbeiw.dll
C:\WINDOWS\SYSTEM32\fqcbkhag.ini
C:\WINDOWS\SYSTEM32\btmcqfue.dll_old
C:\WINDOWS\SYSTEM32\jdsvebnr.ini
C:\WINDOWS\mrofinu572.exe.tmp

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {64A240E6-777D-42D0-9FAD-B9F531BA9E61} - C:\WINDOWS\system32\khfEvSkK.dll (file missing)
O2 - BHO: {84eaf250-18b8-646b-d714-7191deb8d7fa} - {af7d8bed-1917-417d-b646-8b81052fae48} - C:\WINDOWS\system32\gfoxjxka.dll (file missing)
O4 - HKLM\..\Run: [9ccf8b11] rundll32.exe "C:\WINDOWS\system32\gahkbcqf.dll",b
O4 - HKLM\..\Run: [BM9ffcb88d] Rundll32.exe "C:\WINDOWS\system32\bsxpbeiw.dll",s
O4 - Startup: DLHelperEXE.exe
O9 - Extra button: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)
O9 - Extra 'Tools' menuitem: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)
O9 - Extra button: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - C:\Program Files\Intertops Poker\IntertopsPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - C:\Program Files\Intertops Poker\IntertopsPoker.exe (file missing)
O9 - Extra button: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - C:\Program Files\MultiPoker\MultiPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - C:\Program Files\MultiPoker\MultiPoker.exe (file missing)
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (file missing)
O9 - Extra button: World Poker Exchange - {76028735-BBF1-4044-8DE2-5B90F0C7A77C} - C:\Program Files\WorldPokerExchange\GameClient.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhel...7/dlhelper.cab
O20 - Winlogon Notify: efcATNdd - efcATNdd.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Right click Start > Explore and navigate to these files/folders and delete them if there.

Search for this file and delete it: DLHelperEXE.exe

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the combofix log, a new HJT log and tell me how the computer is running.

No need to detail what you did, instead tell me of anything you could not do.

Thanks...Phil

NathanE
2008-04-27, 20:09
Hello Phil,

I have performed all steps you instructed and my computer seems to be running MUCH better now. It still seems somewhat slow but it could also be my imagination since my computer hasn't been "normal" for a few weeks.

Everything went well and I didn't run into any problems (both new ComboFix and HJT logs posted below). One thing I would like to note is when I searched for DLHelperEXE.exe, it did not find an exact match but it did find "DLHELPEREXE.EXE-19C12FB7.pf" within the C:\WINDOWS\Prefetch directory and I ended up deleting that file. There also was another one found in the ...\HiJackThis\backup directory, which I assumed was normal, so I left that file alone. Also, I noticed there is another file that appeared on my desktop while I was doing all of the above steps called "desktop.ini" and I am not sure where it came from.

Otherwise, I do not know what "O23 - Service: OpenCASE Media Agent - ExtendMedia Inc." is and was not aware it was running on my computer.
As for right now, I will upgrade my Java and continue to check to see if I run into any other problems. Thank you so much for your help, and I look forward to getting further instructions from you.

THANKS!
Nathan

________________________________________________

ComboFix 08-04-26.1 - NSkwor 2008-04-27 11:00:26.2 - NTFSx86
Running from: C:\Documents and Settings\NSkwor\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\NSkwor\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\bsxpbeiw.dll
C:\WINDOWS\SYSTEM32\btmcqfue.dll_old
C:\WINDOWS\SYSTEM32\fqcbkhag.ini
C:\WINDOWS\system32\gahkbcqf.dll
C:\WINDOWS\SYSTEM32\jdsvebnr.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\btmcqfue.dll_old
C:\WINDOWS\SYSTEM32\fqcbkhag.ini
C:\WINDOWS\SYSTEM32\jdsvebnr.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-26 21:28 . 2008-04-27 10:45 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-26 21:28 . 2008-04-26 21:28 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-24 14:41 . 2008-04-24 14:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-24 00:46 . 2003-10-02 14:51 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-24 00:46 . 2006-03-28 17:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-04-24 00:46 . 2008-01-21 23:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-24 00:46 . 2008-04-24 00:46 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-24 00:46 . 2008-04-26 18:59 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-23 22:40 . 2008-04-23 22:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-23 22:40 . 2008-04-23 22:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-23 07:36 . 2008-04-23 22:26 <DIR> d-------- C:\Program Files\Spybot
2008-04-22 18:15 . 2008-04-26 15:01 109,738 --a------ C:\WINDOWS\BM9ffcb88d.xml
2008-04-22 18:04 . 2008-04-22 18:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\xcsDd01
2008-04-22 18:04 . 2008-04-22 18:04 <DIR> d-------- C:\Temp\berDrv11
2008-04-22 18:04 . 2008-04-22 18:04 <DIR> d-------- C:\Temp
2008-04-12 21:16 . 2008-04-12 21:17 <DIR> d-------- C:\Program Files\NBC Direct
2008-04-12 21:15 . 2008-04-12 21:15 <DIR> d-------- C:\Program Files\OpenCASE
2008-04-12 21:15 . 2008-04-12 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ExtendMedia
2008-04-12 21:13 . 2008-04-12 21:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-03 23:07 . 2008-04-03 23:08 <DIR> d-------- C:\Program Files\iTunes
2008-04-03 23:07 . 2008-04-03 23:07 <DIR> d-------- C:\Program Files\iPod
2008-04-03 23:04 . 2008-04-03 23:05 <DIR> d-------- C:\Program Files\QuickTime
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 15:58 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-27 15:51 --------- d-----w C:\Program Files\AWS
2008-04-24 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-03 01:33 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-29 23:46 --------- d-----w C:\Program Files\MSN Messenger
2008-02-29 23:45 --------- d-----w C:\Program Files\Windows Live
2008-02-29 23:44 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-29 23:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2005-08-22 18:42 4,096 ----a-w C:\Documents and Settings\NSkwor\log.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-26_19.19.08.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-27 00:06:38 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-27 15:44:37 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64A240E6-777D-42D0-9FAD-B9F531BA9E61}]
C:\WINDOWS\system32\khfEvSkK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{af7d8bed-1917-417d-b646-8b81052fae48}]
C:\WINDOWS\system32\gfoxjxka.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 18:22 28672]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28 684032]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 21:05 323584]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 09:43 188416]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 18:37 229437]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 19:27 85696]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"9ccf8b11"="C:\WINDOWS\system32\gahkbcqf.dll" [ ]
"BM9ffcb88d"="C:\WINDOWS\system32\bsxpbeiw.dll" [ ]

C:\Documents and Settings\NSkwor\Start Menu\Programs\Startup\
DLHelperEXE.exe [2004-02-20 16:34:33 196608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-10-02 14:50:08 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 23:05:56 65588]
U.S.Robotics WLAN Adapter Configuration Utility.lnk - C:\Program Files\USR WLAN\USR 22Mbps WLAN Adapter\USRWLAN.exe [2003-10-20 13:36:03 290816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcATNdd]
efcATNdd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-04-11 15:25 212992 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\SYSTEM32\\msiexec.exe"=

S2 OpenCASE Media Agent;OpenCASE Media Agent;"C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe" [2008-01-16 15:57]
S3 USRLN;U.S. Robotics 22Mbps Wireless Lan Adapter;C:\WINDOWS\system32\DRIVERS\usrwlan.sys [2003-02-25 14:59]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 03:15:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-10 20:15:07 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#deskjet5100#MY3B74K76H7A.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe+/#Hewlett-Packard#deskjet5100#MY3B74K76H7A
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 11:04:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-27 11:10:43
ComboFix-quarantined-files.txt 2008-04-27 16:10:39
ComboFix2.txt 2008-04-27 00:20:08

Pre-Run: 39,920,226,304 bytes free
Post-Run: 39,917,174,784 bytes free

140 --- E O F --- 2008-04-10 02:10:44






______________________________________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:49 AM, on 4/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\USR WLAN\USR 22Mbps WLAN Adapter\USRWLAN.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: U.S.Robotics WLAN Adapter Configuration Utility.lnk = C:\Program Files\USR WLAN\USR 22Mbps WLAN Adapter\USRWLAN.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog\BPGame.exe (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145836444109
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6884 bytes

pskelley
2008-04-27, 20:54
Hello Nathan, thanks for returning your information and the feedback.

DLHelperEXE.exe <<< as I said, I could find no good reason for this item, I would delete any instance you find. ATF-Cleaner should have cleaned the Prefetch (hackers hide stuff there because most folks don't know it exists) but check to be sure it is gone. Remember, purging Prefetch will cause a few slow boots until Windows repopulates with needed information.
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

desktop.ini: http://www.google.com/search?hl=en&q=desktop.ini+file&btnG=Search
delete that file and allow it to set in the Recycle Bin for a few days, then dump the bin.

OpenCASE Media Agent: humm, this is your computer? If I remember I could not find enough information to say it is malware. Unless you say remove it, I would have to advise you to Disable the Service and see if that caises any issues.
Disable the Service
Click Start > Run and type services.msc
Scroll down to OpenCASE Media Agent and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.
This way you can always enabled the service again if you find it was needed.
If/when you want the service off your computer, use these instructions.

Delete the Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type OpenCASE Media Agent and press OK.
OK any prompts, close HijackThis, and restart your computer.

We missed one of these, the junk can only cause you problems, use HJT to remove it:
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)

Besides that, the HJT log looks clean of malware, this is the next bridge we need to cross:

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Thanks

NathanE
2008-04-27, 23:04
Thanks Phil,

I searched for DLHelperEXE.exe and deleted the only other instance that came up in the HiJackThis/backup directory. I moved desktop.ini to the recycle bin and will let it sit there, and I disabled OpenCASE Media Agent as well.

I installed the Recover Console as you instructed and have posted the "CF-RC.txt" log below.

Let me know my next steps, Thank you.


______________________________________________

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

pskelley
2008-04-27, 23:42
Sound good:bigthumb: I should have posted this information for you:
http://www.bleepingcomputer.com/tutorials/tutorial42.html#HTRestore
It appears you had no trouble figuring it out. The backups are always made when HJT removes something in the event of an error, so items can also be restored if need be. What a tool! Here is a tutorial of others uses:
http://www.bleepingcomputer.com/tutorials/tutorial42.html

Remove combofix and the C:\Qoobox\Quarantine\ folder and run a new Kaspersky Online Scan using these settings, and expect a few infected items because we still have System Restore files to clean.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

NathanE
2008-04-28, 06:07
Sorry for the delayed response. I had to free up some time to run the Kaspersky scan since it takes a little longer. I deleted ComboFix and Qoobox\Quarantine folder and ran the Kaspersky scan.

One thing that kind of bothered me was that I still had 2 viruses and had 29 infected objects, when my initial kaspersky scan showed 18 infected objects a couple days ago. Although it does look like some of the infections are within my Symantec Quarantine. Otherwise, I'm not really sure what it means. I have posted the Kaspersky Scan Log below.

Let me know what you think. Thanks again.

FYI, so far no problems with the running abilities of my computer.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, April 27, 2008 9:49:24 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/04/2008
Kaspersky Anti-Virus database records: 650730
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 52725
Number of viruses found: 2
Number of infected objects: 29
Number of suspicious objects: 0
Duration of the scan process: 01:04:28

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CAC0000.VBN Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CAC0001.VBN Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CAC0002.VBN Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CAC0003.VBN Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CAC0004.VBN Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\All Users\Documents\DESKTOP.INI Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\MUSIC.ASX Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\MUSIC.BMP Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\MUSIC.WMA Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\DESKTOP.INI Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Favorites -- 4 and 5 star rated.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Favorites -- Have not heard recently.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Favorites -- Listen to late at night.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Favorites -- Listen to on Weekdays.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Favorites -- Listen to on Weekends.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Favorites -- One Audio CD worth.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Favorites -- One Data CD-R worth.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Fresh tracks -- yet to be played.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Fresh tracks -- yet to be rated.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Fresh tracks.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\High bitrate media in my library.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Low bitrate media in my library.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Music tracks I dislike.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Music tracks I have not rated.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0A708DA5\Music tracks with content protection.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\01_Music_auto_rated_at_5_stars.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\02_Music_added_in_the_last_month.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\03_Music_rated_at_4_or_5_stars.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\04_Music_played_in_the_last_month.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\05_Pictures_taken_in_the_last_month.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\06_Pictures_rated_4_or_5_stars.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\07_TV_recorded_in_the_last_week.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\08_Video_rated_at_4_or_5_stars.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\09_Music_played_the_most.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\10_All_Music.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\11_All_Pictures.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\4757B71B\12_All_Video.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\DESKTOP.INI Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Videos\Desktop.ini Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NSkwor\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NSkwor\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NSkwor\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NSkwor\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\NSkwor\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\NSkwor\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NSkwor\ntuser.dat Object is locked skipped
C:\Documents and Settings\NSkwor\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0629NAV~.TMP Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000050.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000066.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000067.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000068.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001207.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001208.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001209.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001210.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001212.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001213.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001214.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001246.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001261.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001289.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001293.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001295.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001296.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001297.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001302.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0001394.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0001395.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0001396.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0001397.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0001398.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP9\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

pskelley
2008-04-28, 14:32
Thanks for returning your scan results. I am not 100% sure but from the time you posted the first KOS and this last one, your AV is showing it removed a trojan and System Restore shows many more infected files that the first scan. Since you were trying to turn it off, this may have caused that. Let's finish the cleanup like this.

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\ <<< delete the contents of that quarantine folder
http://www.symantec.com/business/support/index.jsp

Empty the Recycle Bin on the Desktop and restart the computer

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

NathanE
2008-04-28, 16:37
I deleted the items from the symantec quarantine and then turned off system restore and turned it back on after rebooting each time. Everything seems to be running smoothly.

I have a few questions before you go. When you instructed me to "remove" ComboFix all I did was delete the icon off of the desktop, I did not uninstall it or anything else. Was I supposed to do anything else besides deleting the icon from my desktop? Also, on my C drive there are folders named ComboFix and Qoobox (I only deleted the Qoobox\Quarantine folder earlier), what should I do with these folders? Can they be deleted?

Otherwise, I think I have had all of my remaining questions answered, and I appreciate all of your assistance. You single-handedly brought my computer back from the dead... :)

Thank you again, Phil!

pskelley
2008-04-28, 16:42
Right, if you remember we installed combofix to the Desktop, that was not a shortcut. If you right click and choose delete, that will do it.

Also, on my C drive there are folders named ComboFix and Qoobox Delete those also. Since combofix does not update, there is no valid reason to keep it.

Thanks