Hi Folks. My wife's laptop has a nasty infection. It's disabled automatic updates for windows, and who knows what other horrible things it's doing to this poor machine. I would be tempted to just format and reinstall Windows but we bought this thing used from the company where my sister-in-law works, and we don't have the original install disc.

Here's my Hijackthis log, thanks in advance.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:32 AM, on 12/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\EmsServiceHelper.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\EMSService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EmsService] EmsServiceHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\User\Application Data\Microsoft\Windows\ogwcrc.exe
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\User\Application Data\SpeedRunner\SpeedRunner.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202444865465
O20 - AppInit_DLLs: vrcjhi.dll gqjerc.dll wyuqhu.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EMS - CREDANT Technologies, Inc. - C:\WINDOWS\system32\EMSService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5058 bytes

hi,

your log is 4 or 5 days old. If you still need help simply reply to the post.

I do still need help, thanks.

hi,

ok lets start with MBAM. link and directions;

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

please post the MBAM log in reply

Thanks, here it is.






Malwarebytes' Anti-Malware 1.31
Database version: 1558
Windows 5.1.2600 Service Pack 2

12/27/2008 7:08:07 PM
mbam-log-2008-12-27 (19-08-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 80010
Time elapsed: 31 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 13
Registry Keys Infected: 35
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 61

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\muoegkqj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rqRJYoOh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\awtsTNgf.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vrcjhi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gqjerc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wyuqhu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ybgctyvm.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\kpmfpdbg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ngewtb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\cfhcspcn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jmmsbw.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wpaettla.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\sprpqm.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{540ce3a1-1bc3-490b-80b1-a9199ac4506a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{540ce3a1-1bc3-490b-80b1-a9199ac4506a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtstngf (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{df2e7f13-40e8-4ded-b8ef-871979662767} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{df2e7f13-40e8-4ded-b8ef-871979662767} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{79db7157-c141-407f-b78a-36753a9ef075} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b3402ac9-04a9-4f19-ac62-94f8e230452a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{32ed13f8-beb7-40d7-a59e-0b71ee41ca41} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df2e7f13-40e8-4ded-b8ef-871979662767} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{540ce3a1-1bc3-490b-80b1-a9199ac4506a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\grandbar.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{bb112471-9094-471b-92b0-931a40c42b98} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{17bfcf1a-b579-48a7-9849-719ddd11d340} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{17bfcf1a-b579-48a7-9849-719ddd11d340} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{84ba8988-33e1-4c89-a150-bf428e8d3213} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{84ba8988-33e1-4c89-a150-bf428e8d3213} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84ba8988-33e1-4c89-a150-bf428e8d3213} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\grandbar.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GrandPack (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\grandbar.band (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\grandbar.band.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\rqrjyooh -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqrjyooh -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sprpqm.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\awtsTNgf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rqRJYoOh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hOoYJRqr.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hOoYJRqr.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ejiwjcme.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\emcjwije.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fpearuqt.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tquraepf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jjdfosed.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\desofdjj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\muoegkqj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jqkgeoum.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\okskdawk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kwadksko.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\upuychje.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ejhcyupu.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vrcjhi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gqjerc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wyuqhu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ybgctyvm.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\kpmfpdbg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ngewtb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\cfhcspcn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jmmsbw.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wpaettla.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\GrandPack\GrandPack2.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\kt43dbg3.default\Cache\CE37F0FDd01 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\8HUF852V\104[1].net (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\8HUF852V\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\ILQVEX43\152[1].net (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\ILQVEX43\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\ILQVEX43\load[1].exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\WDAZ89YR\zc113432[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\WDAZ89YR\CAR6KVR1 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\GrandPack\qdrloader.exe (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16813882-DC77-4472-A0E6-6843A6F35E4B}\RP125\A0025265.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16813882-DC77-4472-A0E6-6843A6F35E4B}\RP129\A0026410.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16813882-DC77-4472-A0E6-6843A6F35E4B}\RP129\A0026420.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16813882-DC77-4472-A0E6-6843A6F35E4B}\RP129\A0026429.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16813882-DC77-4472-A0E6-6843A6F35E4B}\RP129\A0026432.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16813882-DC77-4472-A0E6-6843A6F35E4B}\RP129\A0026433.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16813882-DC77-4472-A0E6-6843A6F35E4B}\RP129\A0026434.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16813882-DC77-4472-A0E6-6843A6F35E4B}\RP129\A0026436.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16813882-DC77-4472-A0E6-6843A6F35E4B}\RP129\A0026450.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16813882-DC77-4472-A0E6-6843A6F35E4B}\RP129\A0026466.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16813882-DC77-4472-A0E6-6843A6F35E4B}\RP130\A0026481.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16813882-DC77-4472-A0E6-6843A6F35E4B}\RP130\A0026482.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16813882-DC77-4472-A0E6-6843A6F35E4B}\RP130\A0026483.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16813882-DC77-4472-A0E6-6843A6F35E4B}\RP130\A0026484.dll (Adware.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16813882-DC77-4472-A0E6-6843A6F35E4B}\RP130\A0026485.exe (Adware.CommAd) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aambhtim.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aqrpkmgp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mgdqrejb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qlgkonoc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vwedag.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lipaqprp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv191229210867.cpx (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\caexdj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yanpdi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.

hi,

ok good. we will get one more download to use. Its called Combofix. There is a guide to read before using it, looks like a lot of reading but really isnt.
once you read the guide, follow the prompts and post the combofix log.

the guide:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running Combofix, I notice that automatic updates are back on. I know I'm probably not all done yet but that is promising!

Here's the log:





ComboFix 08-12-28.01 - User 2008-12-28 17:21:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.288 [GMT -8:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\User\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\GrandPack
c:\program files\GrandPack\Uninstall.exe
c:\windows\system32\drivers\fad.sys
c:\windows\Tasks\gggnwtpj.job
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-27 18:31 . 2008-12-27 18:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 18:31 . 2008-12-27 18:31 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2008-12-27 18:31 . 2008-12-27 18:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 18:31 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 18:31 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-20 19:16 . 2008-12-20 19:16 120 ---hs---- c:\windows\system32\hlderqau.ini
2008-12-18 22:30 . 2007-08-01 22:47 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-18 21:53 . 2008-12-18 22:40 <DIR> d-------- c:\documents and settings\User\.housecall6.6
2008-12-17 22:43 . 2008-12-17 22:47 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-17 22:43 . 2008-12-18 02:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-17 22:41 . 2008-12-17 22:41 <DIR> d---s---- c:\documents and settings\User\UserData
2008-12-17 22:33 . 2008-12-17 22:33 <DIR> d-------- c:\program files\Trend Micro
2008-12-17 19:13 . 2008-12-19 09:07 <DIR> d--hs---- c:\windows\VXNlcjY
2008-12-17 19:00 . 2001-08-17 14:02 9,600 --a------ c:\windows\system32\drivers\hidusb.sys
2008-12-17 19:00 . 2001-08-17 14:02 9,600 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-12-17 18:56 . 2008-12-17 18:57 <DIR> d-------- c:\documents and settings\User\Logitech
2008-12-17 18:53 . 2008-12-17 18:53 <DIR> d-------- c:\program files\Logitech
2008-12-17 18:53 . 2008-12-17 18:53 <DIR> d-------- c:\program files\Common Files\Remote Control USB Driver
2008-12-17 18:53 . 2008-12-17 18:56 <DIR> d-------- c:\program files\Common Files\Remote Control Software Common
2008-12-17 18:51 . 2008-12-17 18:51 <DIR> d-------- c:\documents and settings\User\Application Data\InstallShield
2008-12-13 18:31 . 2008-12-13 18:31 <DIR> d-------- c:\program files\Netflix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 02:53 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-21 05:38 --------- d-----w c:\documents and settings\User\Application Data\Move Networks
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-06 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"EmsService"="EmsServiceHelper.exe" [2007-08-24 c:\windows\system32\EMSServiceHelper.exe]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\DRIVERS\CMGShCEF.sys [2007-08-24 192816]
R2 EMS;EMS;c:\windows\system32\EMSService.exe [2007-08-24 636208]
R3 GTICARD;GTICARD;c:\windows\system32\DRIVERS\gticard.sys [2003-10-23 76160]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{008fb930-0ce3-11dd-8419-00904b1429e8}]
\Shell\AutoRun\command - D:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98564cd2-34a2-11dd-8434-00904b1429e8}]
\Shell\access\command - d:\_encryption_data_do_not_delete_\autorun.exe
\Shell\AutoRun\command - d:\_encryption_data_do_not_delete_\autorun.exe /minimize

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6439be0-fe59-11dc-840a-00904b1429e8}]
\Shell\access\command - d:\_encryption_data_do_not_delete_\autorun.exe
\Shell\AutoRun\command - d:\_encryption_data_do_not_delete_\autorun.exe /minimize

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f86b3a48-ff8d-11dc-840d-00904b1429e8}]
\Shell\access\command - d:\_encryption_data_do_not_delete_\autorun.exe
\Shell\AutoRun\command - d:\_encryption_data_do_not_delete_\autorun.exe /minimize
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 10:57]

2008-12-28 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 14:45]
.
- - - - ORPHANS REMOVED - - - -

BHO-{BFCF791D-B04C-49DA-AD68-F7407535F261} - (no file)
HKLM-Run-bascstray - BascsTray.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {21B76DFE-BCE5-4734-81E7-6E37956A868A} = 68.87.76.178,68.87.78.130
TCP: {4DED25CD-911C-4288-B400-2EE34DDD61B1} = 68.87.76.178,68.87.78.130
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\kt43dbg3.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (Eng)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\components\srff.dll
FF - plugin: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\kt43dbg3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 17:24:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\BAsfIpM.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-28 17:28:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-29 01:27:25

Pre-Run: 25,161,105,408 bytes free
Post-Run: 25,088,659,456 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

155 --- E O F --- 2008-11-14 04:08:23

hi,

ok good. thanks for the info. we will use combofix to remove a folder:

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:



Folder::
c:\windows\VXNlcjY


Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon, both on your desktop
using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
please post the new combofix log and a new hjt log.

also check MBAM for updates and rerun it also

c:\\Program Files\\uTorrent: there is plenty of malware one can download and install via p2p networks

Sorry I've gone a couple days without responding. My internet access at home is out right now so I can't continue until I get back on. Hopefully Comcast can get it straightened out soon.

hi GHamilton

ok no problem. Make sure they credit you for the outage!

You can run the combofix script when you are able.
you can also do this:

to help show all files:
FOr XP: on the desktop double click my computer,at the top click on> tools>folder options>view> then select "show hidden files and folders", then UNcheck "hide protected operating system files " also UNcheck "hide extensions for known file types" click apply to all folders, apply then ok

navigate to: C:\Documents and Settings\User\Application Data\Microsoft\Windows

look for and delete: ogwcrc.exe
inside the Windows folder (if found)

By now MBAM should have a update so check then rescan and post the new log from it and also a new hjt log.

Hi, I'm back. I was able to get a $17 credit for my outage.

I'll do the logs in separate posts, here's combofix first:

ComboFix 09-01-02.01 - User 2009-01-04 17:05:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.140 [GMT -8:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\ComboFix.exe c:\documents and settings\User\Desktop\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hlderqau.ini

.
((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2009-01-02 18:43 . 2009-01-02 18:43 <DIR> d-------- c:\program files\Bonjour
2009-01-02 18:42 . 2009-01-02 18:42 <DIR> d-------- c:\program files\iPod
2009-01-02 18:41 . 2009-01-02 18:42 <DIR> d-------- c:\program files\iTunes
2009-01-02 18:41 . 2009-01-02 18:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-02 18:39 . 2009-01-02 18:40 <DIR> d-------- c:\program files\QuickTime
2009-01-02 18:37 . 2009-01-02 18:42 <DIR> d-------- c:\windows\LastGood
2009-01-02 07:38 . 2009-01-02 07:38 <DIR> d-------- c:\program files\Comcast
2009-01-02 07:38 . 2009-01-02 07:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\SupportSoft
2009-01-02 07:38 . 2007-05-17 13:43 15,086 --a------ c:\windows\ComcastWebmail.ico
2009-01-02 07:35 . 2009-01-02 07:35 <DIR> d-------- c:\program files\support.com
2009-01-02 07:35 . 2009-01-02 07:38 <DIR> d-------- c:\program files\Common Files\SupportSoft
2009-01-02 07:35 . 2009-01-02 07:35 1,139 --a------ C:\net_save.dna
2008-12-29 07:20 . 2008-12-29 07:20 <DIR> d-------- c:\program files\MSXML 6.0
2008-12-27 18:31 . 2008-12-27 18:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 18:31 . 2008-12-27 18:31 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2008-12-27 18:31 . 2008-12-27 18:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 18:31 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 18:31 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-18 22:30 . 2007-08-01 22:47 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-18 21:53 . 2008-12-18 22:40 <DIR> d-------- c:\documents and settings\User\.housecall6.6
2008-12-17 22:43 . 2008-12-17 22:47 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-17 22:43 . 2008-12-18 02:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-17 22:41 . 2008-12-17 22:41 <DIR> d---s---- c:\documents and settings\User\UserData
2008-12-17 22:33 . 2008-12-17 22:33 <DIR> d-------- c:\program files\Trend Micro
2008-12-17 19:13 . 2008-12-19 09:07 <DIR> d--hs---- c:\windows\VXNlcjY
2008-12-17 19:00 . 2001-08-17 14:02 9,600 --a------ c:\windows\system32\drivers\hidusb.sys
2008-12-17 19:00 . 2001-08-17 14:02 9,600 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-12-17 18:56 . 2008-12-17 18:57 <DIR> d-------- c:\documents and settings\User\Logitech
2008-12-17 18:53 . 2008-12-17 18:53 <DIR> d-------- c:\program files\Logitech
2008-12-17 18:53 . 2008-12-17 18:53 <DIR> d-------- c:\program files\Common Files\Remote Control USB Driver
2008-12-17 18:53 . 2008-12-17 18:56 <DIR> d-------- c:\program files\Common Files\Remote Control Software Common
2008-12-17 18:51 . 2008-12-17 18:51 <DIR> d-------- c:\documents and settings\User\Application Data\InstallShield
2008-12-13 18:31 . 2008-12-13 18:31 <DIR> d-------- c:\program files\Netflix
2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ c:\windows\system32\dns-sd.exe
2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ c:\windows\system32\dnssd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 02:42 --------- d-----w c:\program files\Common Files\Apple
2009-01-03 02:30 --------- d-----w c:\program files\Apple Software Update
2008-12-18 02:53 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-21 05:38 --------- d-----w c:\documents and settings\User\Application Data\Move Networks
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 10:37 659,456 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-28_17.26.35.97 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-22 09:47:25 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP2QFE\tzchange.exe
+ 2008-10-23 10:06:59 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP3GDR\tzchange.exe
+ 2008-10-23 10:17:49 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP3QFE\tzchange.exe
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB955839\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB955839\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB955839\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB955839\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB955839\update\updspapi.dll
+ 2008-10-23 12:51:04 284,160 ----a-w c:\windows\$hf_mig$\KB956802\SP2QFE\gdi32.dll
+ 2008-10-23 12:36:14 286,720 ----a-w c:\windows\$hf_mig$\KB956802\SP3GDR\gdi32.dll
+ 2008-10-23 12:43:42 286,720 ----a-w c:\windows\$hf_mig$\KB956802\SP3QFE\gdi32.dll
+ 2008-07-08 13:02:01 17,272 ----a-w c:\windows\$hf_mig$\KB956802\spmsg.dll
+ 2008-07-08 13:02:02 231,288 ----a-w c:\windows\$hf_mig$\KB956802\spuninst.exe
+ 2008-07-08 13:02:01 26,488 ----a-w c:\windows\$hf_mig$\KB956802\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB956802\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB956802\update\updspapi.dll
- 2006-05-05 09:41:45 453,120 ------w c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-10-24 11:10:42 453,632 ------w c:\windows\Driver Cache\i386\mrxsmb.sys
- 2007-02-28 09:53:04 2,137,600 ------w c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-08-14 09:55:01 2,142,720 ------w c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2007-02-28 09:15:56 2,059,392 ------w c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-08-14 09:18:44 2,062,976 ------w c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2007-02-28 09:15:59 2,017,280 ------w c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-08-14 09:18:46 2,020,864 ------w c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2007-02-28 09:55:14 2,182,144 ------w c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-08-14 09:57:20 2,185,984 ------w c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2009-01-03 02:43:24 86,016 ----a-r c:\windows\Installer\{07287123-B8AC-41CE-8346-3D777245C35B}\PrntWzrdIco.exe
+ 2009-01-03 02:42:52 102,400 ----a-r c:\windows\Installer\{318AB667-3230-41B5-A617-CB3BF748D371}\iTunesIco.exe
+ 2009-01-03 02:30:13 27,136 ----a-r c:\windows\Installer\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}\AppleSoftwareUpdateIco.exe
+ 2006-09-19 18:44:04 15,664 ----a-w c:\windows\LastGood\system32\DRIVERS\GEARAspiWDM.sys
+ 2006-10-03 23:47:52 109,360 ----a-w c:\windows\LastGood\system32\GEARAspi.dll
- 2007-10-11 06:13:44 1,023,488 ----a-w c:\windows\system32\browseui.dll
+ 2008-10-16 10:37:04 1,023,488 ----a-w c:\windows\system32\browseui.dll
- 2007-10-11 06:13:44 151,040 ----a-w c:\windows\system32\cdfview.dll
+ 2008-10-16 10:37:02 151,040 ----a-w c:\windows\system32\cdfview.dll
- 2007-10-11 06:13:44 1,054,208 ----a-w c:\windows\system32\danim.dll
+ 2008-10-16 10:37:02 1,054,208 ----a-w c:\windows\system32\danim.dll
- 2004-08-04 10:00:00 138,496 -c--a-w c:\windows\system32\dllcache\afd.sys
+ 2008-08-14 09:51:43 138,368 -c--a-w c:\windows\system32\dllcache\afd.sys
- 2007-10-11 06:13:44 1,023,488 -c--a-w c:\windows\system32\dllcache\browseui.dll
+ 2008-10-16 10:37:04 1,023,488 -c--a-w c:\windows\system32\dllcache\browseui.dll
- 2007-10-11 06:13:44 151,040 -c--a-w c:\windows\system32\dllcache\cdfview.dll
+ 2008-10-16 10:37:02 151,040 -c--a-w c:\windows\system32\dllcache\cdfview.dll
- 2007-10-11 06:13:44 1,054,208 -c--a-w c:\windows\system32\dllcache\danim.dll
+ 2008-10-16 10:37:02 1,054,208 -c--a-w c:\windows\system32\dllcache\danim.dll
- 2007-10-11 06:13:44 357,888 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-10-16 10:37:02 357,888 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2007-10-11 06:13:44 205,312 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-10-16 10:37:02 205,312 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
- 2007-10-11 06:13:44 55,808 -c--a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-16 10:37:02 55,808 -c--a-w c:\windows\system32\dllcache\extmgr.dll
- 2007-06-19 13:31:19 282,112 -c--a-w c:\windows\system32\dllcache\gdi32.dll
+ 2008-10-23 13:01:36 283,648 -c--a-w c:\windows\system32\dllcache\gdi32.dll
- 2007-10-10 11:16:27 18,432 -c--a-w c:\windows\system32\dllcache\iedw.exe
+ 2008-10-15 09:45:01 18,432 -c--a-w c:\windows\system32\dllcache\iedw.exe
- 2007-10-11 06:13:44 251,392 -c--a-w c:\windows\system32\dllcache\iepeers.dll
+ 2008-10-16 10:37:02 251,392 -c--a-w c:\windows\system32\dllcache\iepeers.dll
- 2007-10-11 06:13:44 96,256 -c--a-w c:\windows\system32\dllcache\inseng.dll
+ 2008-10-16 10:37:02 96,256 -c--a-w c:\windows\system32\dllcache\inseng.dll
- 2007-10-11 06:13:44 16,384 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-10-16 10:37:03 16,384 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
- 2006-10-19 01:03:58 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-06-18 09:09:22 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
- 2006-05-05 09:41:45 453,120 -c----w c:\windows\system32\dllcache\mrxsmb.sys
+ 2008-10-24 11:10:42 453,632 -c----w c:\windows\system32\dllcache\mrxsmb.sys
- 2007-10-30 10:16:33 3,058,688 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-12 17:33:23 3,060,224 -c--a-w c:\windows\system32\dllcache\mshtml.dll
- 2007-10-11 06:13:45 449,024 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-10-16 10:37:03 449,024 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
- 2007-10-11 06:13:45 146,432 -c--a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-10-16 10:37:02 146,432 -c--a-w c:\windows\system32\dllcache\msrating.dll
- 2007-10-11 06:13:45 532,480 -c--a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-10-16 10:37:02 532,480 -c--a-w c:\windows\system32\dllcache\mstime.dll
- 2007-06-26 06:08:16 1,104,896 -c--a-w c:\windows\system32\dllcache\msxml3.dll
+ 2008-09-04 16:42:02 1,106,944 -c--a-w c:\windows\system32\dllcache\msxml3.dll
- 2006-08-17 12:28:27 332,288 -c--a-w c:\windows\system32\dllcache\netapi32.dll
+ 2008-10-15 16:57:55 332,800 -c--a-w c:\windows\system32\dllcache\netapi32.dll
- 2007-02-28 09:53:04 2,137,600 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-08-14 09:55:01 2,142,720 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
- 2007-02-28 09:15:56 2,059,392 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-08-14 09:18:44 2,062,976 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
- 2007-02-28 09:15:59 2,017,280 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-08-14 09:18:46 2,020,864 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
- 2007-02-28 09:55:14 2,182,144 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-08-14 09:57:20 2,185,984 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
- 2007-10-11 06:13:45 39,424 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-10-16 10:37:02 39,424 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
- 2007-10-11 06:13:45 1,494,528 -c--a-w c:\windows\system32\dllcache\shdocvw.dll
+ 2008-10-16 10:37:03 1,494,528 -c--a-w c:\windows\system32\dllcache\shdocvw.dll
- 2007-10-11 06:13:45 474,112 -c--a-w c:\windows\system32\dllcache\shlwapi.dll
+ 2008-10-16 10:37:03 474,112 -c--a-w c:\windows\system32\dllcache\shlwapi.dll
- 2006-08-14 10:34:41 332,928 -c--a-w c:\windows\system32\dllcache\srv.sys
+ 2008-08-28 10:04:17 333,056 -c--a-w c:\windows\system32\dllcache\srv.sys
- 2006-08-21 14:52:08 246,814 -c--a-w c:\windows\system32\dllcache\strmdll.dll
+ 2008-10-03 10:15:47 247,326 -c--a-w c:\windows\system32\dllcache\strmdll.dll
- 2007-10-11 06:13:45 615,424 -c--a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 10:37:04 615,936 -c--a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-09-06 07:30:42 241,704 -c----w c:\windows\system32\dllcache\wgaLogon.dll
+ 2008-09-06 07:29:58 917,032 -c----w c:\windows\system32\dllcache\WgaTray.exe
- 2007-03-08 13:47:48 1,843,584 -c--a-w c:\windows\system32\dllcache\win32k.sys
+ 2008-09-15 11:57:41 1,846,016 -c--a-w c:\windows\system32\dllcache\win32k.sys
- 2007-10-11 06:13:45 659,456 -c--a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 10:37:03 659,456 -c--a-w c:\windows\system32\dllcache\wininet.dll
- 2006-10-19 02:47:20 937,984 -c--a-w c:\windows\system32\dllcache\WMNetMgr.dll
+ 2008-06-18 13:03:08 938,496 -c--a-w c:\windows\system32\dllcache\WMNetmgr.dll
- 2006-10-19 02:47:22 2,450,944 -c--a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-18 13:03:14 2,458,112 -c--a-w c:\windows\system32\dllcache\WMVCore.dll
- 2004-08-04 10:00:00 138,496 ----a-w c:\windows\system32\drivers\afd.sys
+ 2008-08-14 09:51:43 138,368 ----a-w c:\windows\system32\drivers\afd.sys
- 2006-09-19 18:44:04 15,664 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
+ 2008-04-17 21:12:54 15,464 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
- 2006-05-05 09:41:45 453,120 ----a-w c:\windows\system32\drivers\mrxsmb.sys
+ 2008-10-24 11:10:42 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
- 2006-08-14 10:34:41 332,928 ----a-w c:\windows\system32\drivers\srv.sys
+ 2008-08-28 10:04:17 333,056 ----a-w c:\windows\system32\drivers\srv.sys
+ 2008-04-17 21:12:54 107,368 -c--a-w c:\windows\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspi.dll
+ 2008-04-17 21:12:54 15,464 -c--a-w c:\windows\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspiWDM.sys
+ 2008-11-07 22:23:30 32,000 -c--a-w c:\windows\system32\DRVSTORE\usbaapl_246F92BBD6449C86FC3F3F28C40D59AC1F69C558\usbaapl.sys
- 2007-10-11 06:13:44 357,888 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-10-16 10:37:02 357,888 ----a-w c:\windows\system32\dxtmsft.dll
- 2007-10-11 06:13:44 205,312 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-10-16 10:37:02 205,312 ----a-w c:\windows\system32\dxtrans.dll
- 2007-10-11 06:13:44 55,808 ----a-w c:\windows\system32\extmgr.dll
+ 2008-10-16 10:37:02 55,808 ----a-w c:\windows\system32\extmgr.dll
- 2008-02-08 05:46:43 243,128 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-12-29 15:24:29 243,128 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2006-10-03 23:47:52 109,360 ----a-w c:\windows\system32\GEARAspi.dll
+ 2008-04-17 21:12:54 107,368 ----a-w c:\windows\system32\GEARAspi.dll
- 2007-10-11 06:13:44 251,392 ----a-w c:\windows\system32\iepeers.dll
+ 2008-10-16 10:37:02 251,392 ----a-w c:\windows\system32\iepeers.dll
- 2007-10-11 06:13:44 96,256 ----a-w c:\windows\system32\inseng.dll
+ 2008-10-16 10:37:02 96,256 ----a-w c:\windows\system32\inseng.dll
- 2007-10-11 06:13:44 16,384 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-10-16 10:37:03 16,384 ----a-w c:\windows\system32\jsproxy.dll
- 2007-10-11 19:12:48 1,468,968 ------w c:\windows\system32\LegitCheckControl.dll
+ 2008-09-06 07:30:06 1,480,232 ------w c:\windows\system32\LegitCheckControl.dll
- 2006-10-19 01:03:58 100,864 ----a-w c:\windows\system32\logagent.exe
+ 2008-06-18 09:09:22 100,864 ----a-w c:\windows\system32\logagent.exe
- 2008-01-02 15:21:38 17,642,616 ----a-w c:\windows\system32\MRT.exe
+ 2008-12-09 23:24:38 17,593,280 ----a-w c:\windows\system32\MRT.exe
- 2007-10-30 10:16:33 3,058,688 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-12 17:33:23 3,060,224 ----a-w c:\windows\system32\mshtml.dll
- 2007-10-11 06:13:45 449,024 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-10-16 10:37:03 449,024 ----a-w c:\windows\system32\mshtmled.dll
- 2007-10-11 06:13:45 146,432 ----a-w c:\windows\system32\msrating.dll
+ 2008-10-16 10:37:02 146,432 ----a-w c:\windows\system32\msrating.dll
- 2007-10-11 06:13:45 532,480 ----a-w c:\windows\system32\mstime.dll
+ 2008-10-16 10:37:02 532,480 ----a-w c:\windows\system32\mstime.dll
- 2007-06-26 06:08:16 1,104,896 ----a-w c:\windows\system32\msxml3.dll
+ 2008-09-04 16:42:02 1,106,944 ----a-w c:\windows\system32\msxml3.dll
- 2006-11-05 01:25:50 1,321,744 ----a-w c:\windows\system32\msxml6.dll
+ 2008-08-30 04:06:44 1,350,664 ----a-w c:\windows\system32\msxml6.dll
- 2006-08-17 12:28:27 332,288 ----a-w c:\windows\system32\netapi32.dll
+ 2008-10-15 16:57:55 332,800 ----a-w c:\windows\system32\netapi32.dll
- 2007-02-28 09:15:56 2,059,392 ----a-w c:\windows\system32\ntkrnlpa.exe
+ 2008-08-14 09:18:44 2,062,976 ----a-w c:\windows\system32\ntkrnlpa.exe
- 2007-02-28 09:55:14 2,182,144 ----a-w c:\windows\system32\ntoskrnl.exe
+ 2008-08-14 09:57:20 2,185,984 ----a-w c:\windows\system32\ntoskrnl.exe
- 2007-10-11 06:13:45 39,424 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-10-16 10:37:02 39,424 ----a-w c:\windows\system32\pngfilt.dll
- 2007-10-11 06:13:45 1,494,528 ----a-w c:\windows\system32\shdocvw.dll
+ 2008-10-16 10:37:03 1,494,528 ----a-w c:\windows\system32\shdocvw.dll
- 2007-10-11 06:13:45 474,112 ----a-w c:\windows\system32\shlwapi.dll
+ 2008-10-16 10:37:03 474,112 ----a-w c:\windows\system32\shlwapi.dll
+ 2008-04-14 00:12:36 7,680 ----a-w c:\windows\system32\spdwnwxp.exe
- 2006-08-21 14:52:08 246,814 ----a-w c:\windows\system32\strmdll.dll
+ 2008-10-03 10:15:47 247,326 ----a-w c:\windows\system32\strmdll.dll
- 2008-07-14 11:09:18 62,976 ------w c:\windows\system32\tzchange.exe
+ 2008-10-22 09:47:07 62,976 ------w c:\windows\system32\tzchange.exe
- 2007-10-11 06:13:45 615,424 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 10:37:04 615,936 ----a-w c:\windows\system32\urlmon.dll
+ 2008-09-06 07:30:42 241,704 ------w c:\windows\system32\WgaLogon.dll
+ 2008-09-06 07:29:58 917,032 ------w c:\windows\system32\WgaTray.exe
- 2007-03-08 13:47:48 1,843,584 ----a-w c:\windows\system32\win32k.sys
+ 2008-09-15 11:57:41 1,846,016 ----a-w c:\windows\system32\win32k.sys
- 2006-10-19 02:47:20 937,984 ----a-w c:\windows\system32\WMNetMgr.dll
+ 2008-06-18 13:03:08 938,496 ----a-w c:\windows\system32\WMNetmgr.dll
- 2006-10-19 02:47:22 2,450,944 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-18 13:03:14 2,458,112 ----a-w c:\windows\system32\WMVCore.dll
- 2007-10-29 10:26:53 115,712 ----a-w c:\windows\system32\xpsp3res.dll
+ 2008-10-15 14:00:41 351,744 ----a-w c:\windows\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-06 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2007-04-19 198184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"EmsService"="EmsServiceHelper.exe" [2007-08-24 c:\windows\system32\EMSServiceHelper.exe]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [2007-08-24 192816]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2003-10-23 76160]
R4 EMS;EMS;c:\windows\system32\EmsService.exe [2007-08-24 636208]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{008fb930-0ce3-11dd-8419-00904b1429e8}]
\Shell\AutoRun\command - D:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98564cd2-34a2-11dd-8434-00904b1429e8}]
\Shell\access\command - d:\_encryption_data_do_not_delete_\autorun.exe
\Shell\AutoRun\command - d:\_encryption_data_do_not_delete_\autorun.exe /minimize

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6439be0-fe59-11dc-840a-00904b1429e8}]
\Shell\access\command - d:\_encryption_data_do_not_delete_\autorun.exe
\Shell\AutoRun\command - d:\_encryption_data_do_not_delete_\autorun.exe /minimize

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f86b3a48-ff8d-11dc-840d-00904b1429e8}]
\Shell\access\command - d:\_encryption_data_do_not_delete_\autorun.exe
\Shell\AutoRun\command - d:\_encryption_data_do_not_delete_\autorun.exe /minimize

*Newly Created Service* - BONJOUR_SERVICE
*Newly Created Service* - IPOD_SERVICE
.
Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 10:57]

2009-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-764733703-1060284298-1004.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 14:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {21B76DFE-BCE5-4734-81E7-6E37956A868A} = 68.87.76.178,68.87.78.130
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\kt43dbg3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\components\srff.dll
FF - plugin: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\kt43dbg3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 17:08:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-01-04 17:09:45
ComboFix-quarantined-files.txt 2009-01-05 01:09:21
ComboFix2.txt 2008-12-29 01:28:46

Pre-Run: 24,346,116,096 bytes free
Post-Run: 24,429,522,944 bytes free

338 --- E O F --- 2008-12-30 01:54:49

Malwarebytes:



Malwarebytes' Anti-Malware 1.32
Database version: 1616
Windows 5.1.2600 Service Pack 2

1/4/2009 5:43:45 PM
mbam-log-2009-01-04 (17-43-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 83317
Time elapsed: 26 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{16813882-DC77-4472-A0E6-6843A6F35E4B}\RP129\A0026423.exe (Adware.Agent) -> Quarantined and deleted successfully.

And Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:51 PM, on 1/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\EMSService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EmsService] EmsServiceHelper.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202444865465
O17 - HKLM\System\CCS\Services\Tcpip\..\{21B76DFE-BCE5-4734-81E7-6E37956A868A}: NameServer = 68.87.76.178,68.87.78.130
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EMS - CREDANT Technologies, Inc. - C:\WINDOWS\system32\EMSService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6503 bytes

Hi

its been awhile. did you do this part about using combofix from earlier on page 1:




ok good. thanks for the info. we will use combofix to remove a folder:

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:



Folder::
c:\windows\VXNlcjY

Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon, both on your desktop
using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
please post the new combofix log and a new hjt log.

also check MBAM for updates and rerun it also

c:\\Program Files\\uTorrent: there is plenty of malware one can download and install via p2p networks, most people dont need more sources.

Yes, I did all that and made sure to uninstall utorrent (didn't even realize she had it on here).

hi,

ok thanks for the info. You can remove combofix like this:
start>run and type in
combofix /u
click ok or enter
Note: there is a space after the x and before the /

Keep MBAM and always check for updates before scanning. The paid version offers auto updating and real time protection.

if all is good two things you can do, Java and system restore:

Java:

Vulnerabilities in versions of Sun Java may be responsible for some malware installs via your browser.

It is important to keep Sun Java up to date and also to remove older versions.

* 1. Uninstall old versions of Sun Java via Add/Remove Programs.
* 2. Click the Remove or Change/Remove button
* 3. Reboot your PC if prompted.

to check if you have the latest version of Java and to download the latest version:

http://www.java.com/en/download/help/testvm.xml?ff3

restore:
One of the features of Windows ME,XP and Vista is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.(new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot

if all is good, some tips for you:

Reducing Your Risk To Malware:
The Short Version:

1) Keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us),(Windows) browser (IE, FireFox) and other Software (http://secunia.com/vulnerability_scanning/online/) up to date to "patch" vulnerabilities. Always install Service Packs.

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons.You may be installing more than you think.

3) Install and keep them all updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless.

4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.

5) Don't click on ads/pop ups or offers from websites requesting that you need to install software to your computer.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing.*

8) Install a third party software firewall.

9) Consider using an alternate browser and E-mail client. Internet Explorer and OutLook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer. (http://www.microsoft.com/downloads/details.aspx?FamilyID=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en)

10) If your habits include: warez, cracks etc or you install files via p2p networks then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

A longer version in link below.

Happy Safe Surfing.

Thanks again for all the help, I really appreciate it.