Just trying to get a smile.

All h_ll broke loose today. Infected in every way I thought there was. (Pop ups,desktop missing and couldn't run anything.
I tried to run Spybot and got the warning half way through the scan to shut down and reboot. Keep getting machine is infected and you should run this program.
The machine locked up so I shut it down. Went into safe mode and ran AVG free and Spybot and again I got please shut down, this time I let finnish and it repaired everthing but the following:
Smitfraud-C
Virtumonde.dll
other things I wrote down Spyware.IEPass.thief and khfETmkK

Rebooted and found your help page.

Any help would be great.
Thanks in advance
vweye_1

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:32: VIRUS ALERT!, on 9/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\loadwzco.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Todd\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [WinZip E-Mail Companion OEAPI] "C:\Program Files\loadwzco.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/EN/mdldetect/VaioInfo.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk.com/global/expressviewer/installer/ExpressViewerSetup.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://tx95ra01.wkglobal.net/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 6711 bytes

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Thanks

pskelly
Thank you for your help.
I'm sorry I did play with the computer yesterday alittle and I know I shouldn't have, very hard to sit still. Please do not kick me back. I will follow your and forums site from now on. I did make a new HiJackthis log yesterday after I played with the computer and have not touched it since.
Here is yesterdays log, (and then I will paste in the combofix log and the new HiJackthis log that you requested.)
Very Very sorry.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:23, on 9/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Todd\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [844ca7b9] rundll32.exe "C:\WINDOWS\system32\umiryqsm.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/EN/mdldetect/VaioInfo.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk.com/global/expressviewer/installer/ExpressViewerSetup.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://tx95ra01.wkglobal.net/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll gwpgul.dll axjvlo.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)

--
End of file - 6441 bytes



combofix log
ComboFix 08-09-16.05 - Todd 2008-09-18 14:41:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.638 [GMT -5:00]
Running from: C:\Documents and Settings\Todd\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Todd\Cookies\todd@specificclick[2].txt
C:\empa.exe
C:\Program Files\MicroAV
C:\Program Files\MicroAV\MicroAV.ooo
C:\Program Files\MicroAV\MicroAV0.dat
C:\Program Files\MicroAV\MicroAV1.dat
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\mqgldfvo.exe
C:\WINDOWS\system32\axjvlo.dll
C:\WINDOWS\system32\cbXPGYQk.dll
C:\WINDOWS\system32\ggljwuyp.dll
C:\WINDOWS\system32\gwpgul.dll
C:\WINDOWS\system32\kQYGPXbc.ini
C:\WINDOWS\system32\kQYGPXbc.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msqyrimu.ini
C:\WINDOWS\system32\ooqxlihv.dll
C:\WINDOWS\system32\optoebex.dll
C:\WINDOWS\system32\pyuwjlgg.ini
C:\WINDOWS\system32\umiryqsm.dll
C:\WINDOWS\vmgspntbaxb.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-18 to 2008-09-18 )))))))))))))))))))))))))))))))
.

2008-09-16 16:45 . 2008-09-17 10:20 558 --a------ C:\WINDOWS\wininit.ini
2008-09-16 11:32 . 2008-09-18 07:49 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-08 16:14 . 2008-09-08 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZipEC
2008-09-03 12:41 . 2008-09-03 12:41 <DIR> dr-h----- C:\MSOCache
2008-09-03 10:07 . 2008-09-03 10:07 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-03 10:07 . 2008-09-03 10:07 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-03 10:07 . 2008-09-03 10:07 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-01 18:16 . 2008-06-23 11:57 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-09-01 18:16 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-09-01 18:16 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-09-01 18:16 . 2008-06-23 11:57 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-09-01 18:16 . 2008-06-23 11:57 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-09-01 18:16 . 2008-06-23 11:57 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-09-01 18:16 . 2008-06-23 11:57 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-09-01 18:16 . 2008-06-23 11:57 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-09-01 18:16 . 2008-06-23 04:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-09-01 10:24 . 2008-09-01 10:29 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-01 10:09 . 2008-09-01 10:09 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-01 10:08 . 2008-09-17 14:25 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-01 10:08 . 2008-09-01 10:08 <DIR> d-------- C:\Program Files\AVG
2008-09-01 10:08 . 2008-09-01 10:08 <DIR> d-------- C:\Documents and Settings\Todd\Application Data\AVGTOOLBAR
2008-09-01 10:08 . 2008-09-02 09:56 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-01 09:40 . 2008-09-01 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-08-28 18:19 . 2008-04-13 19:12 712,704 --a------ C:\WINDOWS\system32\windowscodecs.dll
2008-08-28 18:19 . 2008-04-13 19:12 346,112 --a------ C:\WINDOWS\system32\windowscodecsext.dll
2008-08-28 18:19 . 2008-04-13 19:12 276,992 --a------ C:\WINDOWS\system32\wmphoto.dll
2008-08-28 18:19 . 2008-04-13 19:12 69,120 --a------ C:\WINDOWS\system32\wlanapi.dll
2008-08-28 18:19 . 2008-04-13 19:12 53,248 --a------ C:\WINDOWS\system32\tsgqec.dll
2008-08-28 18:19 . 2008-04-13 19:12 50,688 --a------ C:\WINDOWS\system32\tspkg.dll
2008-08-28 18:18 . 2008-04-13 19:12 412,160 --a------ C:\WINDOWS\system32\photometadatahandler.dll
2008-08-28 18:18 . 2008-04-13 19:12 291,328 --a------ C:\WINDOWS\system32\qagentrt.dll
2008-08-28 18:18 . 2008-04-13 19:12 290,304 --a------ C:\WINDOWS\system32\rhttpaa.dll
2008-08-28 18:18 . 2008-04-13 19:12 150,528 --a------ C:\WINDOWS\system32\qagent.dll
2008-08-28 18:18 . 2008-04-13 19:12 144,384 --a------ C:\WINDOWS\system32\onex.dll
2008-08-28 18:18 . 2008-04-13 19:12 76,800 --a------ C:\WINDOWS\system32\qutil.dll
2008-08-28 18:18 . 2008-04-13 19:12 62,464 --a------ C:\WINDOWS\system32\qcliprov.dll
2008-08-28 18:18 . 2008-04-13 19:12 61,952 --a------ C:\WINDOWS\system32\rasqec.dll
2008-08-28 18:18 . 2008-04-13 19:12 32,768 --a------ C:\WINDOWS\system32\setupn.exe
2008-08-28 18:18 . 2008-04-13 13:40 10,240 --a------ C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-08-28 18:17 . 2008-04-13 19:12 1,306,624 --a------ C:\WINDOWS\system32\msxml6.dll
2008-08-28 18:17 . 2008-04-13 19:12 1,306,624 -----c--- C:\WINDOWS\system32\dllcache\msxml6.dll
2008-08-28 18:17 . 2008-04-13 19:12 193,024 --a------ C:\WINDOWS\system32\napmontr.dll
2008-08-28 18:17 . 2008-04-13 19:12 176,640 --a------ C:\WINDOWS\system32\napstat.exe
2008-08-28 18:17 . 2008-04-13 19:12 155,136 --a------ C:\WINDOWS\system32\mssha.dll
2008-08-28 18:17 . 2008-04-13 12:27 79,872 --a------ C:\WINDOWS\system32\msxml6r.dll
2008-08-28 18:17 . 2008-04-13 12:27 79,872 -----c--- C:\WINDOWS\system32\dllcache\msxml6r.dll
2008-08-28 18:17 . 2008-04-13 13:14 76,800 --a------ C:\WINDOWS\system32\msshavmsg.dll
2008-08-28 18:17 . 2008-04-13 19:12 30,208 --a------ C:\WINDOWS\system32\napipsec.dll
2008-08-28 18:16 . 2008-04-13 19:11 397,312 --a------ C:\WINDOWS\system32\mmcex.dll
2008-08-28 18:16 . 2008-04-13 19:11 184,320 --a------ C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-08-28 18:16 . 2008-04-13 19:11 106,496 --a------ C:\WINDOWS\system32\mmcfxcommon.dll
2008-08-28 18:16 . 2008-04-13 19:11 61,440 --a------ C:\WINDOWS\system32\kmsvc.dll
2008-08-28 18:16 . 2008-04-13 19:11 37,376 --a------ C:\WINDOWS\system32\l2gpstore.dll
2008-08-28 18:16 . 2008-04-13 19:12 33,792 --a------ C:\WINDOWS\system32\mmcperf.exe
2008-08-28 18:16 . 2008-04-13 19:09 6,144 --a------ C:\WINDOWS\system32\kbdpash.dll
2008-08-28 18:16 . 2008-04-13 19:09 6,144 --a------ C:\WINDOWS\system32\kbdnepr.dll
2008-08-28 18:16 . 2008-04-13 19:09 6,144 --a------ C:\WINDOWS\system32\kbdiultn.dll
2008-08-28 18:16 . 2008-04-13 19:09 6,144 --a------ C:\WINDOWS\system32\kbdbhc.dll
2008-08-28 18:15 . 2008-04-13 11:36 144,384 --a------ C:\WINDOWS\system32\drivers\hdaudbus.sys
2008-08-28 18:15 . 2007-09-17 03:48 1,261 --a------ C:\WINDOWS\system32\pid.inf
2008-08-28 18:13 . 2008-04-13 19:11 136,192 --a------ C:\WINDOWS\system32\aaclient.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-17 03:52 --------- d-----w C:\Documents and Settings\Todd\Application Data\Apple Computer
2008-09-10 16:03 --------- d-----w C:\Program Files\iTunes
2008-09-01 16:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-01 14:45 --------- d-----w C:\Documents and Settings\Todd\Application Data\Lavasoft
2008-09-01 14:29 --------- d-----w C:\Program Files\PCPitstop
2008-08-15 16:40 --------- d-----w C:\Documents and Settings\Todd\Application Data\AdobeUM
2008-08-14 03:13 --------- d-----w C:\Program Files\Common Files\Apple
2008-08-12 20:30 --------- d-----w C:\Program Files\Microsoft Home Publishing 2000
2008-08-08 12:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-08 12:31 --------- d-----w C:\Program Files\Sony
2008-08-07 05:00 --------- d-----w C:\Program Files\iPod
2008-08-04 18:36 --------- d-----w C:\Documents and Settings\Todd\Application Data\Image Zone Express
2008-08-01 12:42 --------- d-----w C:\Program Files\Apple Software Update
2008-07-29 22:04 --------- d-----w C:\Documents and Settings\Todd\Application Data\OfficeUpdate12
2008-07-29 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-07-21 17:52 524,288 ----a-w C:\WINDOWS\opuc.dll
2001-12-15 02:56 17,408 -csha-w C:\Program Files\Thumbs.db
2001-08-18 12:00 94,784 -csh--w C:\WINDOWS\twain.dll
2008-04-14 00:12 50,688 --sh--w C:\WINDOWS\twain_32.dll
2008-04-14 00:11 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2008-04-14 00:12 57,344 --sha-w C:\WINDOWS\system32\msvcirt.dll
2008-04-14 00:12 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2008-04-14 00:12 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-25 196608]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2005-11-29 1544099]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-02 1235736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll gwpgul.dll axjvlo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2967:TCP"= 2967:TCP:10.200.34.101/255.255.255.255,10.200.34.102/255.255.255.255,10.204.34.100/255.255.255.255,10.204.34.101/255.255.255.255,10.204.34.102/255.255.255.255:Enabled:Symantec AntiVirus

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-02 97928]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-02 231704]
R2 SonyFKC;FAN and Keyboard Control Service;C:\WINDOWS\system32\Drivers\SonyFKC.sys [2001-12-06 12032]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 54271]
S3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [ ]
S3 SMBE;Sony MPEG2 Encoder Board (WDM);C:\WINDOWS\system32\Drivers\SMBE.SYS [2001-09-21 593000]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{1D0B769D-D004-43FB-AC98-A40A2F62B580} - C:\WINDOWS\system32\cbXPGYQk.dll
BHO-{ab3e4b1c-6644-46ae-92ec-6319b725a768} - C:\WINDOWS\system32\axjvlo.dll
BHO-{ADFD5FD2-2DD2-4572-80DA-C74F1193FBA1} - C:\WINDOWS\system32\khfETmkK.dll
HKLM-Run-844ca7b9 - C:\WINDOWS\system32\umiryqsm.dll
ShellExecuteHooks-{ADFD5FD2-2DD2-4572-80DA-C74F1193FBA1} - C:\WINDOWS\system32\khfETmkK.dll
Notify-khfETmkK - khfETmkK.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Settings,ProxyOverride = localhost
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://tx95ra01.wkglobal.net/dana-cached/setup/JuniperSetupSP1.cab
C:\WINDOWS\Downloaded Program Files\JuniperSetup.INF
C:\WINDOWS\Downloaded Program Files\string_zh_cn.properties
C:\WINDOWS\Downloaded Program Files\string_zh.properties
C:\WINDOWS\Downloaded Program Files\string_ko.properties
C:\WINDOWS\Downloaded Program Files\string_ja.properties
C:\WINDOWS\Downloaded Program Files\string_fr.properties
C:\WINDOWS\Downloaded Program Files\string_es.properties
C:\WINDOWS\Downloaded Program Files\string_de.properties
C:\WINDOWS\Downloaded Program Files\string_en.properties
C:\WINDOWS\Downloaded Program Files\JuniperSetup.ocx
.
.
------- File Associations -------
.
VBSFile=
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-18 14:52:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-09-18 15:04:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-18 20:04:02

Pre-Run: 64,052,068,352 bytes free
Post-Run: 63,981,428,736 bytes free

238 --- E O F --- 2008-09-10 16:09:58


New HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:17, on 9/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Documents and Settings\Todd\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/EN/mdldetect/VaioInfo.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk.com/global/expressviewer/installer/ExpressViewerSetup.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://tx95ra01.wkglobal.net/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll gwpgul.dll axjvlo.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)

--
End of file - 6523 bytes


I hope to hear from you. And again sorry for not following the forums advice, I hope I did not make things harder for you as I know your time very valuble.
Thanks
vweye_1

Please review the instructions, especially this one.

Note: In notepad under Format, uncheck "Word Wrap" Produce all HJT logs like this, single spaced.
HJT is not located safely, follow the directions to fix that.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:


Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
"AppInit_DLLs"="avgrsstx.dll"

Save this as CFScript

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. (in case it asks to reboot).

3) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

4) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply <<< refer to #5 for the HJT log instructions.

5) Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

Thanks

pskelly
I hope I did this right as I thought I unchecked word wrap last time.

Malwarebytes' Anti-Malware 1.28
Database version: 1171
Windows 5.1.2600 Service Pack 3

9/18/2008 8:07:45 PM
mbam-log-2008-09-18 (20-07-45).txt

Scan type: Full Scan (C:\|H:\|)
Objects scanned: 95983
Time elapsed: 45 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\fqbewlna.bbpv (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fqbewlna.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\mqgldfvo.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\axjvlo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\cbXPGYQk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ggljwuyp.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\gwpgul.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ooqxlihv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\optoebex.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\umiryqsm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP1663\A0167329.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP1663\A0169319.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP1663\A0169368.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP1665\A0171500.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:13, on 9/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/EN/mdldetect/VaioInfo.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk.com/global/expressviewer/installer/ExpressViewerSetup.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://tx95ra01.wkglobal.net/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)

--
End of file - 6541 bytes



Thank you very much,
let me know whats next? or what I could invest in.

pskelly
I just got the following from AVG
AVG Resident Shield Alert
17 entries they all look the same.
1)C:\System Volume Information\_restore{bunch of numbers}\RP1665\A0171503.dll
Trojan horse Generic 11.ZUQ

And then under details
Again the look the same but the first one.
1)Process Name: C\Windows\system32\svchost
2)Process Name: C\Program Files\Malwarebytes' Anti-Malware\mbam.exe


It's asking to remove or ignore.

Any thoughts ? oh and my clock on is messed up I think it's showing military time but if I hover over it does give me the date.


I just thought I would let you know?

Thanks for returning your information and the feedback.

1) You can ignore the items AVG is finding, they are infected System Restore files and we will clean them soon.

2) The clock should return to normal when we remove combofix, if it does not, let me know and I will give you instructions to change it manually.

The HJT log looks clean of malware so let's move on. This is the next bridge we must cross.

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Thanks...Phil

Good Morning
Here you go. The only other thing I have noticed
was when I went to the task manager I'm missing the top header and only
get the application list window. This was before we ran the Recovery.


vweye_1

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Good job installing Recover Console:bigthumb: some information for you.
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654
Recovery Console is a tool that will allow you to recover from a catastrophic system failure, so let's hope you never need it. Many experts believe Microsoft should have installed it by default.

Let's continue and see if all issues don't clear up, if not, let me know before we finish.

Remove combfix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean infected System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update and scan with MBAM to make sure we missed none of the junk, no need to post a clean scan result.

Update AVG and scan the sytem to make sure it is working right and scanning clean.

Let me know about any malware isssues at this point, before I close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

pskelly
All scans came up with no issues.:bigthumb:

Two things that I see:
1) I went to the task manager again, I'm missing the top header and only
get the application list window.

2) My home page is "http://www.msn.com/" and when I open it
this what I get "http://v11.www.msn.com/"

I have noticed that I have entries in AVG, Malwarebytes' virus vaults.
Should they be deleted.


I do have to run into town for while should be back in an hour.
Thank you so very much.
vweye_1

1) May require a reinstallion of Windows? or a repair of the OS?
http://www.google.com/search?hl=en&q=reinstall+windows&btnG=Google+Search&aq=f&oq=
http://www.google.com/search?hl=en&q=repair+windows+XP&btnG=Search
before you resort to those, you may find an answer here;
http://www.kellys-korner-xp.com/xp.htm >>> look here:
http://www.kellys-korner-xp.com/xp_tweaks.htm

2) How to set your Homepage in Internet Explorer 6/7
http://www.my-pc-help.com/Articles/Software/HowtosetyourHomepageinInternetExplorer67/tabid/103/Default.aspx

Look at the R1's in the last HJT log:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
Use HJT to remove those lines, then set the Home page to http://www.msn.com/ or what you wish.

Other good information for IE:
Making Microsoft Internet Explorer 7 Your Own: The Basics
http://www.microsoft.com/windows/ie/community/columns/ie7_basics.mspx
It's not always malware: How to fix the top 10 Internet Explorer issues
http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx

3) I use AVG 8 and I usually allow anything it finds be placed in the vault, and I empty the vault after a week or so when I am sure nothing was removed that should not have been (mistakes can happen)
I also use MBAM with the same policy.

Thanks

pskelly

Thank you so very much for your help and information.:beerbeerb:

I did find this about the task manager which I didn't know.

This behavior may occur if Task Manager is running in Tiny Footprint mode. If you double-click the empty space in the border around the tabs, Task Manager switches to this mode.

I will work on the home page.

I travel alot and I always say thanks to the troops that I see in the airport.
I hope thats what you mean in your signature.

Thanks again.
vweye_1

Thanks for taking the time to give me that feedback, I did not know that about Task Manager myself, but I added that to the information I have and I am ready the next time I get that question.

Stay safe...Phil