PDA

View Full Version : Virtumonde


slk12
2008-07-10, 04:43
I posted a few weeks ago, and did a HighJackThis scan, and was told to uninstall Spybot and then to run combo fix. My machine was so bad that I couldn't get online, and so now my original thread is in the archive forum. I have now uninstalled Spybot, run combofix, and run another HJT scan.

Here is the result of the Combofix scan, followed by a new HJT scan. Please tell me if there is anything else that I need to do.

ComboFix 08-07-09.2 - Kris 2008-07-09 20:31:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.90 [GMT -4:00]
Running from: C:\Documents and Settings\Kris\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\MyWay
C:\WINDOWS\BMe3fdc030.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\accryxrc.dll
C:\WINDOWS\system32\acrghikh.dll
C:\WINDOWS\system32\adchnoas.dll
C:\WINDOWS\system32\aemunq.dll
C:\WINDOWS\system32\ahfojoma.dll
C:\WINDOWS\system32\aneptxrh.dll
C:\WINDOWS\system32\auwhttjf.dll
C:\WINDOWS\system32\awedhr.dll
C:\WINDOWS\system32\awporbft.ini
C:\WINDOWS\system32\becgtcfp.ini
C:\WINDOWS\system32\bedscrrr.ini
C:\WINDOWS\system32\bodgrysq.ini
C:\WINDOWS\system32\buhbsitd.dll
C:\WINDOWS\system32\bvhkikpl.dll
C:\WINDOWS\system32\bxkkthbi.ini
C:\WINDOWS\system32\cbbwfoom.ini
C:\WINDOWS\system32\ceygvdxm.dll
C:\WINDOWS\system32\cgiqoqnn.dll
C:\WINDOWS\system32\chenagws.ini
C:\WINDOWS\system32\cldnnbof.dll
C:\WINDOWS\system32\CMpVxyxx.ini
C:\WINDOWS\system32\CMpVxyxx.ini2
C:\WINDOWS\system32\cqqrwews.dll
C:\WINDOWS\system32\crxxelor.ini
C:\WINDOWS\system32\cykkvrun.dll
C:\WINDOWS\system32\dgitpkre.ini
C:\WINDOWS\system32\dqukmsye.dll
C:\WINDOWS\system32\dtthvgpp.dll
C:\WINDOWS\system32\EdfggMoq.ini
C:\WINDOWS\system32\EdfggMoq.ini2
C:\WINDOWS\system32\emwvyyul.dll
C:\WINDOWS\system32\eurvlh.dll
C:\WINDOWS\system32\ewvoyoib.dll
C:\WINDOWS\system32\extiqefk.dll
C:\WINDOWS\system32\faxwujvu.dll
C:\WINDOWS\system32\fayyiwuc.dll
C:\WINDOWS\system32\fcdjwvcd.dll
C:\WINDOWS\system32\fiinnpci.dll
C:\WINDOWS\system32\FLnXxGgh.ini
C:\WINDOWS\system32\FLnXxGgh.ini2
C:\WINDOWS\system32\fpnanlst.dll
C:\WINDOWS\system32\frmrvgpg.dll
C:\WINDOWS\system32\gldsbtfh.ini
C:\WINDOWS\system32\gndrnlck.dll
C:\WINDOWS\system32\godnaosa.ini
C:\WINDOWS\system32\gpgvrmrf.ini
C:\WINDOWS\system32\grtcxdrr.ini
C:\WINDOWS\system32\gwrfpgpi.dll
C:\WINDOWS\system32\HNoWwyxx.ini
C:\WINDOWS\system32\HNoWwyxx.ini2
C:\WINDOWS\system32\hqfldlnc.ini
C:\WINDOWS\system32\huphqlvv.ini
C:\WINDOWS\system32\ibxxmyng.dll
C:\WINDOWS\system32\ijnvkeuo.ini
C:\WINDOWS\system32\ikngydpb.dll
C:\WINDOWS\system32\ilqcwwkn.dll
C:\WINDOWS\system32\ipgpfrwg.ini
C:\WINDOWS\system32\ivqrrrku.ini
C:\WINDOWS\system32\ivykfipt.dll
C:\WINDOWS\system32\iwcbtjcv.ini
C:\WINDOWS\system32\ixxcrlvq.dll
C:\WINDOWS\system32\JPVwxyay.ini
C:\WINDOWS\system32\JPVwxyay.ini2
C:\WINDOWS\system32\jqsmtnlc.ini
C:\WINDOWS\system32\jzosjk.dll
C:\WINDOWS\system32\kccmdjsu.ini
C:\WINDOWS\system32\kghwrtfm.ini
C:\WINDOWS\system32\khfCuVll.dll
C:\WINDOWS\system32\kjvdxw.dll
C:\WINDOWS\system32\lblgvwhr.dll
C:\WINDOWS\system32\llVuCfhk.ini
C:\WINDOWS\system32\llVuCfhk.ini2
C:\WINDOWS\system32\lrsdtofd.dll
C:\WINDOWS\system32\lswjhkiy.ini
C:\WINDOWS\system32\lwowncpo.dll
C:\WINDOWS\system32\lymqfixj.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\mjxdfmqy.dll
C:\WINDOWS\system32\mlykrgka.dll
C:\WINDOWS\system32\mrityyqh.dll
C:\WINDOWS\system32\msyyfrsp.dll
C:\WINDOWS\system32\nsmghpls.dll
C:\WINDOWS\system32\nuseutwj.ini
C:\WINDOWS\system32\nVxbLRqr.ini
C:\WINDOWS\system32\nVxbLRqr.ini2
C:\WINDOWS\system32\nwckskqt.dll
C:\WINDOWS\system32\opbpbgfe.dll
C:\WINDOWS\system32\oqcpythc.dll
C:\WINDOWS\system32\OrXGOqru.ini
C:\WINDOWS\system32\OrXGOqru.ini2
C:\WINDOWS\system32\oyxmutee.ini
C:\WINDOWS\system32\pajhdgwd.dll
C:\WINDOWS\system32\pjejutsr.ini
C:\WINDOWS\system32\pngeylhq.dll
C:\WINDOWS\system32\pxjuauhn.dll
C:\WINDOWS\system32\PYbHNqss.ini
C:\WINDOWS\system32\PYbHNqss.ini2
C:\WINDOWS\system32\qAHjknpo.ini
C:\WINDOWS\system32\qAHjknpo.ini2
C:\WINDOWS\system32\qbryxmgo.dll
C:\WINDOWS\system32\qfkwvtiu.dll
C:\WINDOWS\system32\qjueshgf.dll
C:\WINDOWS\system32\qoMfgHaw.dll
C:\WINDOWS\system32\qssgisay.ini
C:\WINDOWS\system32\qsyrgdob.dll
C:\WINDOWS\system32\qwnomsxl.ini
C:\WINDOWS\system32\qwscqvas.dll
C:\WINDOWS\system32\rdlpvina.dll
C:\WINDOWS\system32\rfvmofrj.dll
C:\WINDOWS\system32\rhejuxuw.dll
C:\WINDOWS\system32\rhvbygwc.dll
C:\WINDOWS\system32\riewflef.ini
C:\WINDOWS\system32\rjspoqbm.ini
C:\WINDOWS\system32\rrfrwlwm.dll
C:\WINDOWS\system32\rxagvwqe.ini
C:\WINDOWS\system32\saonhcda.ini
C:\WINDOWS\system32\sjjylfxq.dll
C:\WINDOWS\system32\swganehc.dll
C:\WINDOWS\system32\tCKkSvut.ini
C:\WINDOWS\system32\tCKkSvut.ini2
C:\WINDOWS\system32\tckktlxd.ini
C:\WINDOWS\system32\tcmalroo.ini
C:\WINDOWS\system32\tdktafrp.dll
C:\WINDOWS\system32\trhixeyt.ini
C:\WINDOWS\system32\tvxznq.dll
C:\WINDOWS\system32\twttvree.dll
C:\WINDOWS\system32\uDcIlnpo.ini
C:\WINDOWS\system32\uDcIlnpo.ini2
C:\WINDOWS\system32\udyamvqm.ini
C:\WINDOWS\system32\uepqktwd.dll
C:\WINDOWS\system32\ugbcwqnu.ini
C:\WINDOWS\system32\uitvwkfq.ini
C:\WINDOWS\system32\ukrrrqvi.dll
C:\WINDOWS\system32\urbuedhn.ini
C:\WINDOWS\system32\urmdjjot.ini
C:\WINDOWS\system32\vFOYxGgh.ini
C:\WINDOWS\system32\vFOYxGgh.ini2
C:\WINDOWS\system32\viotfhtb.dll
C:\WINDOWS\system32\vthjvgdh.dll
C:\WINDOWS\system32\VycLnnnn.ini
C:\WINDOWS\system32\VycLnnnn.ini2
C:\WINDOWS\system32\wcehyyuo.dll
C:\WINDOWS\system32\wctbxt.dll
C:\WINDOWS\system32\wlxryrip.dll
C:\WINDOWS\system32\wrksfucf.dll
C:\WINDOWS\system32\wucmxkyw.dll
C:\WINDOWS\system32\xbtaxwyf.dll
C:\WINDOWS\system32\xFLoYcdd.ini
C:\WINDOWS\system32\xFLoYcdd.ini2
C:\WINDOWS\system32\xgkhkfhn.dll
C:\WINDOWS\system32\xijanuou.ini
C:\WINDOWS\system32\xoofolof.ini
C:\WINDOWS\system32\xvvfiytk.ini
C:\WINDOWS\system32\yajulbnn.ini
C:\WINDOWS\system32\yasigssq.dll
C:\WINDOWS\system32\ygyiekwb.dll
C:\WINDOWS\system32\yoctqafo.dll
C:\WINDOWS\system32\ypfyrtmt.dll
C:\WINDOWS\system32\yunjgmoe.dll
C:\WINDOWS\system32\YyxxHRqr.ini
C:\WINDOWS\system32\YyxxHRqr.ini2
C:\WINDOWS\system32\znwdfe.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-10 to 2008-07-10 )))))))))))))))))))))))))))))))
.

2008-07-04 18:03 . 2008-07-09 20:53 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-04 18:03 . 2008-07-04 18:03 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-20 11:50 . 2008-06-20 11:50 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-20 11:33 . 2008-07-05 20:44 <DIR> d-------- C:\Documents and Settings\Kris\Application Data\OpenOffice.org2
2008-06-20 10:58 . 2008-06-20 10:58 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-06-20 10:54 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-16 18:02 . 2008-06-19 23:09 <DIR> d-------- C:\Documents and Settings\Kris\Application Data\OfficeUpdate12
2008-06-16 16:31 . 2008-06-17 15:16 345 --ahs---- C:\WINDOWS\system32\DLlUDJjl.ini
2008-06-14 14:15 . 2008-06-14 14:15 <DIR> d-------- C:\WINDOWS\3074EB891BCA4AEFAFF4EFB4634C1923.TMP
2008-06-14 12:32 . 2008-06-14 12:32 208 --a------ C:\WINDOWS\system32\vbimport.err
2008-06-14 12:27 . 2008-06-14 12:28 <DIR> d-------- C:\Program Files\Vexira Antivirus
2008-06-13 15:36 . 2008-06-13 15:36 256 --a------ C:\WINDOWS\_delis32.ini
2008-06-13 14:12 . 1999-12-12 21:01 44,032 --a------ C:\WINDOWS\system32\CTSVCCDA.EXE
2008-06-13 14:12 . 1999-11-17 21:00 25,088 --a------ C:\WINDOWS\system32\CTSVCCTL.EXE
2008-06-13 14:12 . 2003-03-05 12:19 15,840 --a------ C:\WINDOWS\system32\drivers\PfModNT.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 23:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-09 23:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-04 21:36 --------- d-----w C:\Program Files\Microsoft Picture It! PhotoPub
2008-06-24 22:16 --------- d-----w C:\Program Files\Enigma Software Group
2008-06-20 15:46 --------- d-----w C:\Program Files\OpenOffice.org1.1.4
2008-06-20 14:53 --------- d-----w C:\Program Files\Java
2008-06-19 14:48 --------- d-----w C:\Program Files\Viewpoint
2008-06-19 14:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-19 14:32 --------- d-----w C:\Program Files\Google
2008-06-19 14:22 --------- d-----w C:\Program Files\LimeWire
2008-06-14 18:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-14 18:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-14 16:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-13 18:13 --------- d-----w C:\Program Files\Creative
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-30 21:19 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-30 21:19 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-30 21:19 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-30 21:19 --------- d-----w C:\Program Files\Symantec
2008-05-29 04:26 524,288 ----a-w C:\WINDOWS\opuc.dll
2003-08-27 19:19 36,963 -c--a-r C:\Program Files\Common Files\SM1updtr.dll
.

------- Sigcheck -------

2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 03:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
2005-06-10 19:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-03-08 21:34 77824]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2001-01-23 13:29 36864]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 17:24 54840]
"DellStatusMonitor"="C:\DRIVERS\PRINTER\540\StatMon.exe" [2004-11-23 13:33 364544]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 15:20 94208]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59 115816]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"VBSysTray"="C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe" [2008-03-26 14:52 239000]
"AVLoginToDo"="C:\PROGRA~1\VEXIRA~1\Bin\avltd.exe" [2008-04-24 12:20 50552]

C:\Documents and Settings\Kris\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 16:41:28 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-08-08 16:00:00 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=qjueshgf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate"=3 (0x3)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"NSCService"=3 (0x3)
"navapsvc"=2 (0x2)
"comHost"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
"Drag'n'Drop_Autolaunch"="C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"SM1BG"=C:\WINDOWS\SM1BG.EXE
"LXSUPMON"=C:\WINDOWS\system32\LXSUPMON.EXE RUN
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ZoomText 8.0\\Zt8.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 Ai2sXP;Ai2sXP;C:\WINDOWS\system32\drivers\Ai2sXP.sys [2008-02-25 14:54]
R2 VACompManService;Vexira Antivirus Component Manager Service;C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe [2008-04-24 12:16]
R2 VBShld;VBShld;C:\WINDOWS\system32\Drivers\VBShld.Sys [2008-04-24 10:40]
R3 VBEngNT;VBEngNT;C:\WINDOWS\system32\Drivers\VBEngNT.Sys [2008-04-02 16:24]
R3 VBFilter;VBFilter;C:\WINDOWS\system32\Drivers\VBFilter.Sys [2008-04-24 10:39]
R3 VBRec;VBRec;C:\WINDOWS\system32\Drivers\VBRec.Sys [2008-04-24 10:38]

.
- - - - ORPHANS REMOVED - - - -

BHO-{213732B8-576E-4E8F-A9EB-614DC8260E0C} - C:\WINDOWS\system32\rqRHxxyY.dll
BHO-{31711A8C-FC23-4A69-8EE1-0B2BA07B3B42} - C:\WINDOWS\system32\tuvSkKCt.dll
BHO-{46E66099-8B12-4757-A91D-BB7760F7580A} - C:\WINDOWS\system32\hgGxXnLF.dll
BHO-{4EC4A9FE-6AD9-403B-9690-47BA956AE7A1} - C:\WINDOWS\system32\rqRLbxVn.dll
BHO-{73BACEDA-8360-46E1-8A65-4F33F06A69E5} - C:\WINDOWS\system32\opnkjHAq.dll
BHO-{78DEA175-20CA-42B6-B877-DFED19813C06} - C:\WINDOWS\system32\ddcYoLFx.dll
BHO-{90C102BB-3976-47AA-87DB-3676D9A03CE4} - C:\WINDOWS\system32\hgGxYOFv.dll
BHO-{A3A4D80F-818B-4D00-B920-BEF6D98F984A} - C:\WINDOWS\system32\yayxwVPJ.dll
BHO-{A5F722E5-6FDB-4944-88CE-3CC9E3232BD0} - C:\WINDOWS\system32\xxyxVpMC.dll
BHO-{C8505F99-3F06-465E-B022-29C076CF734A} - C:\WINDOWS\system32\urqOGXrO.dll
BHO-{CE226DDE-AB4E-42A5-8EF4-827505A99A09} - C:\WINDOWS\system32\xxywWoNH.dll
BHO-{D9C62929-EC28-42D8-899F-A3EFC2F18177} - C:\WINDOWS\system32\qoMggfdE.dll
BHO-{E58AF927-C323-4A21-8DF3-102F85179A88} - C:\WINDOWS\system32\nnnnLcyV.dll
BHO-{E5B936E4-469C-4B62-9B8D-2152CCBA3DA9} - C:\WINDOWS\system32\ssqNHbYP.dll
BHO-{F4189D4C-B3D2-4DED-ACE7-A17C377D6409} - C:\WINDOWS\system32\opnlIcDu.dll
HKCU-Run-BitTorrent - C:\Program Files\BitTorrent\bittorrent.exe
HKCU-Run-Creative Detector U - C:\Program Files\Creative\MediaSource5\CTDetctu.exe
HKCU-Run-MtdAcqu - C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
HKLM-Run-BMe3fdc030 - C:\WINDOWS\system32\xbtaxwyf.dll
HKLM-Run-e0cef3ac - C:\WINDOWS\system32\ukrrrqvi.dll
MSConfigStartUp-swg - C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-09 20:54:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LexBceS.exe
C:\WINDOWS\system32\Lexpps.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\Crypserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-07-09 21:07:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-10 01:07:11

Pre-Run: 20,803,768,320 bytes free
Post-Run: 20,654,706,688 bytes free

354 --- E O F --- 2008-06-20 12:58:34


Here is the HighJackThis log--

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:51 PM, on 7/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\DRIVERS\PRINTER\540\StatMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Kris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cleveland.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DellStatusMonitor] "C:\DRIVERS\PRINTER\540\StatMon.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [VBSysTray] "C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe"
O4 - HKLM\..\Run: [AVLoginToDo] "C:\PROGRA~1\VEXIRA~1\Bin\avltd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Kris\Desktop\Erich\Job Search\New Folder\aim.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintcenter.com/plugin/axversion/1611/printquick1611.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156780487340
O16 - DPF: {D2349304-8F9E-4A54-ACF6-0F6104B44209} (SketchCtl.Pic1) - http://auditor.cuyahogacounty.us/repi/sketch/Sketch.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15031/CTPID.cab
O20 - AppInit_DLLs: qjueshgf.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Vexira Antivirus Component Manager Service (VACompManService) - Central Command, Inc. - C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe

--
End of file - 8236 bytes
pskelley
2008-07-13, 00:20
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Since that topic was closed, due to your not responding (I understand it might not have been your fault) If you still have malware issues, take the time to tell me about them then follow these directions:

Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Thanks
slk12
2008-07-15, 03:36
Thank you so much for your help. My original problem consisted of increasingly more pop ups which would eventually cause the entire system to freeze. I would run a virus scan and spybot scan which would find virtumonde and remove them, but each time I used internet explorer it began over again. It seemed to be related to google searches. I was eventually unable to work on line at all.

Here are the results of my latest HJT scan and my Malwarebytes log. It seems to have removed more problem files. Can you tell from the scans whether everything is clear yet?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:51 PM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\DRIVERS\PRINTER\540\StatMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ZoomText 9.1\Zt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Kris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cleveland.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DellStatusMonitor] "C:\DRIVERS\PRINTER\540\StatMon.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [VBSysTray] "C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe"
O4 - HKLM\..\Run: [AVLoginToDo] "C:\PROGRA~1\VEXIRA~1\Bin\avltd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Kris\Desktop\Erich\Job Search\New Folder\aim.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintcenter.com/plugin/axversion/1611/printquick1611.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156780487340
O16 - DPF: {D2349304-8F9E-4A54-ACF6-0F6104B44209} (SketchCtl.Pic1) - http://auditor.cuyahogacounty.us/repi/sketch/Sketch.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15031/CTPID.cab
O20 - AppInit_DLLs: qjueshgf.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Vexira Antivirus Component Manager Service (VACompManService) - Central Command, Inc. - C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe

--
End of file - 8319 bytes


Malwarebytes Scan--
Malwarebytes' Anti-Malware 1.20
Database version: 949
Windows 5.1.2600 Service Pack 2

8:24:57 PM 7/14/2008
mbam-log-7-14-2008 (20-24-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 102127
Time elapsed: 32 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 159

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\adchnoas.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\auwhttjf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\buhbsitd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\cldnnbof.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ewvoyoib.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\faxwujvu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\fayyiwuc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\fiinnpci.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\fpnanlst.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\frmrvgpg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\gndrnlck.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\kjvdxw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mlykrgka.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\msyyfrsp.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qfkwvtiu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qsyrgdob.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rdlpvina.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rhvbygwc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\swganehc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ukrrrqvi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wctbxt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wrksfucf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ygyiekwb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ypfyrtmt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\yunjgmoe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1372\A0536956.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1372\A0537077.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1378\A0539163.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1380\A0541162.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545395.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545399.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545401.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545405.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545412.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545414.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545415.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545417.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545418.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545419.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545420.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545429.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545434.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545436.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545445.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545448.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545450.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545453.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545456.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545461.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545465.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545467.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545472.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545474.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6150FA7-580E-4D1C-8CA3-E1D3983C5F49}\RP1385\A0545475.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acharmingfont.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\african.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\airconditioner.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\aliceinchains.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\allencon.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\balloons.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\beast.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\benegraphic.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\benjamin.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\bennyblanco.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\bibliotheque.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\biglou.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\birmingham.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\blake.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\bodoni-font.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\broken.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\calligula.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\callistroke.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\cenobyte.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\charlemagne.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\cheapfire.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\chocolatebox.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\chowfun.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\christmascard.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\dadhand.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\diablo.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\diamond.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\dimurphic.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\Distant Galaxy.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\Distantglx.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\dominican.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\dosequis.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\dragonmaster.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\eastwood.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\eccentrical.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\echelon.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\ecliptic.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\edison.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\elfarnormal.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\elsewhere.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\embossedblack.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\endor.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\erasmus.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\euphorigenic.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\farewell.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\farley.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\fashionvictim.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\fontdiner.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\fonterror.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\foo.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\fortunaschwein.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\franconia.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\frank.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\freame.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\freebooter.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\fruitopia.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\fundamentalrush.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\funnyfarm.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\gaggers.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\gainsborough.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\grange.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\grantham.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\grasshopper.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\greatheights.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\greatlakes.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\grinched.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\heraldsquare.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\holiday.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\holidayindia.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\hominis.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\ill-omen.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\indianajones.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\kenyancoffee.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\lewisham.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\liberty.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\lightfoot.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\littlelordfontleroy.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\LivingHell.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\mael.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\mickey.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\miltown.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\miserable.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\mobsters.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\moderna.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\nightwarrior.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\ninbrokenfixed.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\nosferat.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\oakwood.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\oktoberfest.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\onceinawhile.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\onefortyseven.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\oreos.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\parryhotter.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\penshurst.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\pharmacy.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\priory.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\quigleywiggly.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\quillcapitals.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\rollercoaster.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\roosevelt.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\tspfonts.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\Wondercomic.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\BMe3fdc030.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (Rogue.SpywareDestructor) -> Quarantined and deleted successfully.
pskelley
2008-07-15, 04:02
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Hello Kris, appears you did not read the directions, as a result HJT is not in a safe location. Running on the Desktop with no folder, logs and backups can get deleted by accident. Either create a folder and move the stuff into it or read and follow the directions in the link above I have provided.

Can you tell from the scans whether everything is clear yet?
I am not seeing much but I see this: O20 - AppInit_DLLs: qjueshgf.dll
and that looks like a Vundo .dll
Most of what MBAM is finding is in the combofix quarantine: C:\QooBox\Quarantine\ and infected Systen Restore files:
C:\System Volume Information\_restore

The quarantine will be removed with combofix and we will clean System Restore a bit later, just do not use it. MBAM did find and quarantine a load of junk. The problem with Vundo, if you do not get it all, it morphs and starts to recreate itself. What I would like you to do is follow these directions.
Ver_08-07-12.6 7/14/2008 <<< newest version of combofix

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks
slk12
2008-07-15, 18:34
Here is the latest combofix log. I will post the latest hijack this log following the combofix log.

ComboFix 08-07-14.2 - Kris 2008-07-15 11:07:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.134 [GMT -4:00]
Running from: C:\Documents and Settings\Kris\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))
.

2008-07-15 10:49 . 2008-07-15 10:57 <DIR> d-------- C:\Program Files\Hijack This
2008-07-14 19:42 . 2008-07-14 19:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-14 19:42 . 2008-07-14 19:42 <DIR> d-------- C:\Documents and Settings\Kris\Application Data\Malwarebytes
2008-07-14 19:42 . 2008-07-14 19:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-14 19:42 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-14 19:42 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-04 18:03 . 2008-07-15 10:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-04 18:03 . 2008-07-09 21:07 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-20 11:50 . 2008-06-20 11:50 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-20 11:33 . 2008-07-15 10:15 <DIR> d-------- C:\Documents and Settings\Kris\Application Data\OpenOffice.org2
2008-06-20 10:58 . 2008-06-20 10:58 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-06-20 10:54 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-16 18:02 . 2008-06-19 23:09 <DIR> d-------- C:\Documents and Settings\Kris\Application Data\OfficeUpdate12
2008-06-16 16:31 . 2008-06-17 15:16 345 --ahs---- C:\WINDOWS\system32\DLlUDJjl.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 14:14 --------- d-----w C:\Program Files\ZoomText 9.1
2008-07-13 23:36 --------- d-----w C:\Program Files\Microsoft Picture It! PhotoPub
2008-07-09 23:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-09 23:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-24 22:16 --------- d-----w C:\Program Files\Enigma Software Group
2008-06-23 13:39 86,016 ----a-w C:\WINDOWS\system32\Ai2XOR.dll
2008-06-23 13:39 122,880 ----a-w C:\WINDOWS\system32\Zosf.dll
2008-06-23 13:16 7,296 ----a-w C:\WINDOWS\system32\drivers\Ai2sXP.sys
2008-06-23 13:16 57,984 ----a-w C:\WINDOWS\system32\Ai2d91.dll
2008-06-23 13:16 15,360 ----a-w C:\WINDOWS\system32\Ai2Ldr.dll
2008-06-20 15:46 --------- d-----w C:\Program Files\OpenOffice.org1.1.4
2008-06-20 14:53 --------- d-----w C:\Program Files\Java
2008-06-19 14:48 --------- d-----w C:\Program Files\Viewpoint
2008-06-19 14:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-19 14:32 --------- d-----w C:\Program Files\Google
2008-06-19 14:22 --------- d-----w C:\Program Files\LimeWire
2008-06-15 23:55 815,104 ----a-w C:\WINDOWS\system32\mmc.exe
2008-06-14 18:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-14 18:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-14 16:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-14 16:28 --------- d-----w C:\Program Files\Vexira Antivirus
2008-06-13 18:13 --------- d-----w C:\Program Files\Creative
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-31 16:13 1,479,518 --sha-w C:\WINDOWS\system32\dgitpkre.tmp
2008-05-30 21:19 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-30 21:19 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-30 21:19 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-30 21:19 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-30 21:19 --------- d-----w C:\Program Files\Symantec
2008-05-29 04:26 524,288 ----a-w C:\WINDOWS\opuc.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2003-08-27 19:19 36,963 -c--a-r C:\Program Files\Common Files\SM1updtr.dll
.

------- Sigcheck -------

2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 03:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
2005-06-10 19:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-03-08 21:34 77824]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2001-01-23 13:29 36864]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 17:24 54840]
"DellStatusMonitor"="C:\DRIVERS\PRINTER\540\StatMon.exe" [2004-11-23 13:33 364544]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 15:20 94208]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59 115816]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"VBSysTray"="C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe" [2008-03-26 14:52 239000]
"AVLoginToDo"="C:\PROGRA~1\VEXIRA~1\Bin\avltd.exe" [2008-04-24 12:20 50552]

C:\Documents and Settings\Kris\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 16:41:28 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-08-08 16:00:00 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=qjueshgf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate"=3 (0x3)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"NSCService"=3 (0x3)
"navapsvc"=2 (0x2)
"comHost"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
"Drag'n'Drop_Autolaunch"="C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"SM1BG"=C:\WINDOWS\SM1BG.EXE
"LXSUPMON"=C:\WINDOWS\system32\LXSUPMON.EXE RUN
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ZoomText 8.0\\Zt8.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 Ai2sXP;Ai2sXP;C:\WINDOWS\system32\drivers\Ai2sXP.sys [2008-06-23 09:16]
R2 VACompManService;Vexira Antivirus Component Manager Service;C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe [2008-04-24 12:16]
R2 VBShld;VBShld;C:\WINDOWS\system32\Drivers\VBShld.Sys [2008-04-24 10:40]
R3 VBEngNT;VBEngNT;C:\WINDOWS\system32\Drivers\VBEngNT.Sys [2008-04-02 16:24]
R3 VBFilter;VBFilter;C:\WINDOWS\system32\Drivers\VBFilter.Sys [2008-04-24 10:39]
R3 VBRec;VBRec;C:\WINDOWS\system32\Drivers\VBRec.Sys [2008-04-24 10:38]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 11:10:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
Completion time: 2008-07-15 11:15:52
ComboFix-quarantined-files.txt 2008-07-15 15:14:58
ComboFix2.txt 2008-07-10 01:07:22

Pre-Run: 20,508,499,968 bytes free
Post-Run: 20,495,314,944 bytes free

156 --- E O F --- 2008-06-20 12:58:34


Here is the HJT log--

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:31 AM, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\DRIVERS\PRINTER\540\StatMon.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\ZoomText 9.1\Zt.exe
C:\Program Files\ZoomText 9.1\ZER.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cleveland.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AH IE BHO - {10384d0e-2bc1-48b6-844b-ad0e9e6d2511} - C:\Program Files\ZoomText 9.1\AHOI\ah_ie_bho.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DellStatusMonitor] "C:\DRIVERS\PRINTER\540\StatMon.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [VBSysTray] "C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe"
O4 - HKLM\..\Run: [AVLoginToDo] "C:\PROGRA~1\VEXIRA~1\Bin\avltd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Kris\Desktop\Erich\Job Search\New Folder\aim.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintcenter.com/plugin/axversion/1611/printquick1611.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156780487340
O16 - DPF: {D2349304-8F9E-4A54-ACF6-0F6104B44209} (SketchCtl.Pic1) - http://auditor.cuyahogacounty.us/repi/sketch/Sketch.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15031/CTPID.cab
O20 - AppInit_DLLs: qjueshgf.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Vexira Antivirus Component Manager Service (VACompManService) - Central Command, Inc. - C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe

--
End of file - 8422 bytes
pskelley
2008-07-15, 19:28
Thanks, let try this:

Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\DLlUDJjl.ini
C:\WINDOWS\system32\qjueshgf.dll

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O20 - AppInit_DLLs: qjueshgf.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run Clean Manager
http://spyware-free.us/tutorials/cleanmgr/

C:\Program Files\Java\jre1.6.0_04\ <<< update your Java program, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

Restart and post the combofix log from CFScript and a new HJT log. Tell me how the computer is running now.

Thanks
slk12
2008-07-16, 00:07
Thank you, thank you, thank you!

I have followed every step of your instructions. The machine is running faster than it has run in months. Also, I am now able to run Windows updates. The automatic updates was not working for the past 2 months, and I was unable to manually install Windows updates. It is now installing them!

Please let me know if there are any further steps. I had previously disabled Norton Antivirus/Firewall and was using the Windows firewall and Vexira antivirus. I had also uninstalled Spybot to complete all of the steps in this malware removal. Should I reinstall Norton and Spybot now?

Here are the latest logs:

Combofix---
ComboFix 08-07-14.2 - Kris 2008-07-15 15:49:24.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.122 [GMT -4:00]
Running from: C:\Documents and Settings\Kris\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kris\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\DLlUDJjl.ini
C:\WINDOWS\system32\qjueshgf.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\DLlUDJjl.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))
.

2008-07-15 10:49 . 2008-07-15 11:30 <DIR> d-------- C:\Program Files\Hijack This
2008-07-14 19:42 . 2008-07-14 19:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-14 19:42 . 2008-07-14 19:42 <DIR> d-------- C:\Documents and Settings\Kris\Application Data\Malwarebytes
2008-07-14 19:42 . 2008-07-14 19:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-14 19:42 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-14 19:42 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-04 18:03 . 2008-07-15 10:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-04 18:03 . 2008-07-09 21:07 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-20 11:50 . 2008-06-20 11:50 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-20 11:33 . 2008-07-15 10:15 <DIR> d-------- C:\Documents and Settings\Kris\Application Data\OpenOffice.org2
2008-06-20 10:58 . 2008-06-20 10:58 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-06-20 10:54 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-16 18:02 . 2008-06-19 23:09 <DIR> d-------- C:\Documents and Settings\Kris\Application Data\OfficeUpdate12

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 14:14 --------- d-----w C:\Program Files\ZoomText 9.1
2008-07-13 23:36 --------- d-----w C:\Program Files\Microsoft Picture It! PhotoPub
2008-07-09 23:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-09 23:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-24 22:16 --------- d-----w C:\Program Files\Enigma Software Group
2008-06-23 13:39 86,016 ----a-w C:\WINDOWS\system32\Ai2XOR.dll
2008-06-23 13:39 122,880 ----a-w C:\WINDOWS\system32\Zosf.dll
2008-06-23 13:16 7,296 ----a-w C:\WINDOWS\system32\drivers\Ai2sXP.sys
2008-06-23 13:16 57,984 ----a-w C:\WINDOWS\system32\Ai2d91.dll
2008-06-23 13:16 15,360 ----a-w C:\WINDOWS\system32\Ai2Ldr.dll
2008-06-20 15:46 --------- d-----w C:\Program Files\OpenOffice.org1.1.4
2008-06-20 14:53 --------- d-----w C:\Program Files\Java
2008-06-19 14:48 --------- d-----w C:\Program Files\Viewpoint
2008-06-19 14:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-19 14:32 --------- d-----w C:\Program Files\Google
2008-06-19 14:22 --------- d-----w C:\Program Files\LimeWire
2008-06-15 23:55 815,104 ----a-w C:\WINDOWS\system32\mmc.exe
2008-06-14 18:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-14 18:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-14 16:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-14 16:28 --------- d-----w C:\Program Files\Vexira Antivirus
2008-06-13 18:13 --------- d-----w C:\Program Files\Creative
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-31 16:13 1,479,518 --sha-w C:\WINDOWS\system32\dgitpkre.tmp
2008-05-30 21:19 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-30 21:19 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-30 21:19 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-30 21:19 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-30 21:19 --------- d-----w C:\Program Files\Symantec
2008-05-29 04:26 524,288 ----a-w C:\WINDOWS\opuc.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2003-08-27 19:19 36,963 -c--a-r C:\Program Files\Common Files\SM1updtr.dll
.

------- Sigcheck -------

2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 03:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
2005-06-10 19:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-03-08 21:34 77824]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2001-01-23 13:29 36864]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 17:24 54840]
"DellStatusMonitor"="C:\DRIVERS\PRINTER\540\StatMon.exe" [2004-11-23 13:33 364544]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 15:20 94208]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59 115816]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"VBSysTray"="C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe" [2008-03-26 14:52 239000]
"AVLoginToDo"="C:\PROGRA~1\VEXIRA~1\Bin\avltd.exe" [2008-04-24 12:20 50552]

C:\Documents and Settings\Kris\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 16:41:28 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-08-08 16:00:00 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=qjueshgf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate"=3 (0x3)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"NSCService"=3 (0x3)
"navapsvc"=2 (0x2)
"comHost"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
"Drag'n'Drop_Autolaunch"="C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"SM1BG"=C:\WINDOWS\SM1BG.EXE
"LXSUPMON"=C:\WINDOWS\system32\LXSUPMON.EXE RUN
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ZoomText 8.0\\Zt8.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 Ai2sXP;Ai2sXP;C:\WINDOWS\system32\drivers\Ai2sXP.sys [2008-06-23 09:16]
R2 VACompManService;Vexira Antivirus Component Manager Service;C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe [2008-04-24 12:16]
R2 VBShld;VBShld;C:\WINDOWS\system32\Drivers\VBShld.Sys [2008-04-24 10:40]
R3 VBEngNT;VBEngNT;C:\WINDOWS\system32\Drivers\VBEngNT.Sys [2008-04-02 16:24]
R3 VBFilter;VBFilter;C:\WINDOWS\system32\Drivers\VBFilter.Sys [2008-04-24 10:39]
R3 VBRec;VBRec;C:\WINDOWS\system32\Drivers\VBRec.Sys [2008-04-24 10:38]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 15:52:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
Completion time: 2008-07-15 15:56:44
ComboFix-quarantined-files.txt 2008-07-15 19:55:39
ComboFix2.txt 2008-07-15 15:15:53
ComboFix3.txt 2008-07-10 01:07:22

Pre-Run: 20,773,814,272 bytes free
Post-Run: 20,761,948,160 bytes free

162 --- E O F --- 2008-06-20 12:58:34


HJT---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:56 PM, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\DRIVERS\PRINTER\540\StatMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ZoomText 9.1\Zt.exe
C:\Program Files\ZoomText 9.1\ZER.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cleveland.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AH IE BHO - {10384d0e-2bc1-48b6-844b-ad0e9e6d2511} - C:\Program Files\ZoomText 9.1\AHOI\ah_ie_bho.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DellStatusMonitor] "C:\DRIVERS\PRINTER\540\StatMon.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [VBSysTray] "C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe"
O4 - HKLM\..\Run: [AVLoginToDo] "C:\PROGRA~1\VEXIRA~1\Bin\avltd.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Kris\Desktop\Erich\Job Search\New Folder\aim.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintcenter.com/plugin/axversion/1611/printquick1611.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156780487340
O16 - DPF: {D2349304-8F9E-4A54-ACF6-0F6104B44209} (SketchCtl.Pic1) - http://auditor.cuyahogacounty.us/repi/sketch/Sketch.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15031/CTPID.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Vexira Antivirus Component Manager Service (VACompManService) - Central Command, Inc. - C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe

--
End of file - 8287 bytes

Thank you, again!
:):)
pskelley
2008-07-16, 00:22
Just keep in mind you want only one firewall and one antivirus running, it's up to you what they are.
You may make those changes when you wish. Spybot has release version 1.6if you are not aware:
Spybot-S&D 1.6 has arrived! 8. July 2008
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html

This is the next item we need to complete:

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Keep me posted as to how the computer is running as we finish up.

Thanks
slk12
2008-07-16, 06:17
I have been searching for my Windows XP CD and am unable to locate it. I'm not certain I understand how I can install the recovery console without the CD. Is there a link that I missed?
pskelley
2008-07-16, 15:16
Thanks for the question, if you do not have the Windows Operating System CD (OEM restore stuff will not work) then I strongly suggest you install Recovery Console.

1) From combofix: Microsoft Windows XP Professional HJT: Platform: Windows XP SP2

2) Click here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Click on the following link to go to Microsoft's Web site: http://support.microsoft.com/kb/310994

4) Scroll to: Step 1: Download the Setup disk program

5) Then down to your OS platform:
Windows XP Professional SP2
http://www.microsoft.com/downloads/details.aspx?FamilyId=535D248D-5E10-49B5-B80C-0A0205368124&amp;displaylang=en

6) Download that file to your Desktop, then look at the picture in the tutorial, drag it to combofix and drop it on top. combofix will do the rest and produce a text file: C:\*CF-RC.txt* Post the contents so I can see them.

Thanks...Phil
slk12
2008-07-16, 20:09
Thank you, the instructions were very clear. Here is the log:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
pskelley
2008-07-16, 22:14
Thanks for the feedback and good job:bigthumb: getting RC installed, here is a little information:
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654

Remove combofix from your computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean the infected System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Give MBAM a run to make sure we got all of the malware. No need to post a clean scan, just let me know all is well and I will close your topic.

Thanks...Phil
slk12
2008-07-17, 03:56
I followed all of the steps. The MBam scan shows one infected file (rogue spyware detector). Should this be deleted?

Here is the log

Malwarebytes' Anti-Malware 1.20
Database version: 949
Windows 5.1.2600 Service Pack 3

8:47:41 PM 7/16/2008
mbam-log-7-16-2008 (20-47-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 103392
Time elapsed: 35 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Kris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (Rogue.SpywareDestructor) -> No action taken.
pskelley
2008-07-17, 15:08
Thanks for returning your MBAM log, these were the instruction for MBAM:
Be sure that everything is checked, and click Remove Selected
so yes, that item needs to be deleted, you can try to do that manually, navigate to the file, right click and click delete:
C:\Documents and Settings\Kris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
If you have problems, run MBAM again and have it delete the item.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
slk12
2008-07-17, 16:11
Thank you for all of your time and expertise. You are a life saver. :crowned: