
Thread: Trying to remove cmdservice

  1. #1
    Junior Member
    Join Date: Dec 2008
    Posts: 11

    Trying to remove cmdservice

    Hello,

    I'm having a heck of a time trying to remove cmdservice.
    Here is my HJT log. Is there anything else you need at this point?
    TIA,
    Techtodd

    Logfile of HijackThis v1.99.1
    Scan saved at 11:23:11 PM, on 11/30/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Todd\My Documents\My Downloads\HijackThis\analyse.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
    O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
    O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
    O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1221613772359
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1221614254984
    O20 - AppInit_DLLs: acdobq.dll
    O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
    O21 - SSODL: Disodime - {E3B662AD-D13A-461A-ACA7-39DB1B953A7E} - C:\WINDOWS\System32\sqligmon.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

  2. #2
    Security Expert: Emeritus
    Join Date: Oct 2006
    Location: Finland
    Posts: 29,374

    Hi Techtodd

    Your HijackThis is outdated.

    Click here to download HJTInstall.exe
    • Save HJTInstall.exe to your desktop.
    • Doubleclick on the HJTInstall.exe icon on your desktop.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis .
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch Hijackthis.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
    • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date: Dec 2008
    Posts: 11

    New HJT post

    Hello,

    Here is the updated HJT post. Thanks.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:41:55 PM, on 12/4/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Todd\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
    O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
    O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
    O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1221613772359
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1221614254984
    O20 - AppInit_DLLs: acdobq.dll
    O21 - SSODL: Disodime - {E3B662AD-D13A-461A-ACA7-39DB1B953A7E} - C:\WINDOWS\System32\sqligmon.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7027 bytes
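As an added example that is not part of the thread, here is a small Python triage helper for HijackThis logs of the kind posted above. It parses the `Rn`/`On` lines into entries and flags the three load points in this log that a reviewer would look at first: the URLSearchHook whose target is `(no file)`, the non-empty `AppInit_DLLs` value (a DLL listed there is loaded into every process that loads user32.dll), and the SSODL entry pointing at a DLL in System32. The sample lines are copied from the log in the post; the flagging rules, the `Entry` class and the function names are my own and are not HijackThis's logic. The rules deliberately leave O20 Winlogon Notify alone so that the CA firewall's `PFW` entry does not show up as a false positive.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: acdobq.dll
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O21 - SSODL: Disodime - {E3B662AD-D13A-461A-ACA7-39DB1B953A7E} - C:\WINDOWS\System32\sqligmon.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HJT finding has the shape "<section> - <body>", e.g. "O20 - AppInit_DLLs: acdobq.dll".
LINE_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")
# File-like tokens in a body (my own pattern; good enough for HJT output, not a general path parser).
FILE_RE = re.compile(r"[\w~\-]+\.(?:dll|exe|sys)\b", re.IGNORECASE)


@dataclass
class Entry:
    section: str
    body: str


def parse_hjt(text: str) -> List[Entry]:
    """Split a HijackThis log into (section, body) entries; header and process lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Heuristic review rules (mine, not HijackThis's); returns (section, reason, body) tuples."""
    findings = []
    for e in entries:
        if "(no file)" in e.body:
            # Orphaned hook: the registry still points at a file that no longer exists.
            findings.append((e.section, "orphan entry, target file missing", e.body))
        elif e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that loads user32.dll,
            # so any non-empty value deserves a look.
            if e.body.split(":", 1)[1].strip():
                findings.append((e.section, "AppInit_DLLs is set", e.body))
        elif e.section == "O21":
            # ShellServiceObjectDelayLoad objects are started by Explorer at logon;
            # new entries there are rarely legitimate.
            findings.append((e.section, "SSODL shell load point", e.body))
    return findings


def flagged_files(findings: List[Tuple[str, str, str]]) -> Set[str]:
    """File names referenced by flagged entries, for cross-checking against a later removal log."""
    names = set()
    for _, _, body in findings:
        hits = FILE_RE.findall(body)
        if hits:
            names.add(hits[-1])
    return names


if __name__ == "__main__":
    for section, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section:4} {reason:36} {body}")
```

Run on the sample, `triage` reports the R3, O20 and O21 lines and `flagged_files` returns `acdobq.dll` and `sqligmon.dll`, which is the pair of names to look for in whatever the removal tool reports next.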

  4. #4
    Security Expert: Emeritus
    Join Date: Oct 2006
    Location: Finland
    Posts: 29,374

    Thank you

    Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Full Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

    • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


    Post:

    - mbam log
    - rsit logs (taken after mbam run)

  5. #5
    Junior Member
    Join Date: Dec 2008
    Posts: 11

    cmdservice

    Here is the MBAM log:

    Malwarebytes' Anti-Malware 1.31
    Database version: 1464
    Windows 5.1.2600 Service Pack 2

    12/5/2008 11:36:17 PM
    mbam-log-2008-12-05 (23-36-17).txt

    Scan type: Full Scan (C:\|D:\|E:\|F:\|)
    Objects scanned: 90144
    Time elapsed: 19 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 24

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\Lauren\Application Data\NI.GSCNS (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Qoobox\Quarantine\C\Documents and Settings\Lauren\Application Data\gadcom\gadcom.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\R2lybHM\__delete_on_reboot__a_s_a_p_p_s_r_v_._d_l_l_.vir (Adware.CommAd) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\R2lybHM\__delete_on_reboot__c_o_m_m_a_n_d_._e_x_e_.vir (Adware.CommAd) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\acdobq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\bpyqobja.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\gpaqsbvb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\naiexbhf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\rsvcwlph.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\uctqay.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\dPI19\dPI191065.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP81\A0011441.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP85\A0013683.exe (Adware.CommAd) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP85\A0013684.dll (Adware.CommAd) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP87\A0013737.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP87\A0013739.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP87\A0013742.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP87\A0013744.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP87\A0013747.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP87\A0013750.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP87\A0013752.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP87\A0013754.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\skelhhxnypijred.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Lauren\Application Data\NI.GSCNS\dl.ini (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Lauren\Application Data\NI.GSCNS\settings.ini (Trojan.Agent) -> Quarantined and deleted successfully.



    NOTE:


    When running RSIT I receive the following error.
    Line -1:
    Error: Subscript used with non-Array variable

    I'll keep trying. It almost looks like you are having me run HJT. Is that correct?
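An added example, not from the thread: a Python parser for the MBAM log format above that groups each detection by threat family and by where it was found. The distinction matters when reading this particular log. Paths under C:\Qoobox\Quarantine are ComboFix's quarantine copies (the DDS log later in the thread shows a C:\Combo-Fix folder created on 2008-11-30), and paths under System Volume Information are restore-point copies, so only a handful of the 24 files were still live on the system when MBAM ran. The sample is a subset of the posted log with paths copied from it; the `Detection` class, the location labels and the function names are mine.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the MBAM log posted above (paths copied from the post).
SAMPLE_MBAM = r"""
Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Lauren\Application Data\NI.GSCNS (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\acdobq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP87\A0013742.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\skelhhxnypijred.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lauren\Application Data\NI.GSCNS\dl.ini (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# One detection line: "<path> (<family>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    section: str   # the "... Infected:" heading the line appeared under
    path: str
    family: str
    action: str
    location: str  # "quarantine", "restore_point" or "live" (labels are mine)


def classify(path: str) -> str:
    """Where the item sat when MBAM found it; only 'live' items were still active on the box."""
    p = path.lower()
    if p.startswith(r"c:\qoobox\quarantine"):
        return "quarantine"          # ComboFix's quarantine folder
    if "\\system volume information\\_restore" in p:
        return "restore_point"       # System Restore snapshot copy
    return "live"


def parse_mbam(text: str) -> List[Detection]:
    section = None
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):
            section = line[:-1]      # drop the trailing colon
            continue
        m = DETECTION_RE.match(line)
        if m:                        # "(No malicious items detected)" does not match and is skipped
            out.append(Detection(section, m["path"], m["family"], m["action"], classify(m["path"])))
    return out


def by_location(dets: List[Detection]) -> Counter:
    return Counter(d.location for d in dets)


def by_family(dets: List[Detection]) -> Counter:
    return Counter(d.family for d in dets)


def live_items(dets: List[Detection]) -> List[str]:
    """Paths that were neither already quarantined nor restore-point copies."""
    return [d.path for d in dets if d.location == "live"]


if __name__ == "__main__":
    dets = parse_mbam(SAMPLE_MBAM)
    print("by location:", dict(by_location(dets)))
    print("by family:  ", dict(by_family(dets)))
    for p in live_items(dets):
        print("live:", p)
```

On the full log in the post the same split is what a helper would read off it: the Qoobox and restore-point entries are leftovers of earlier cleanup, while the live items (the `xpre` registry key, the `NI.GSCNS` folder and its .ini files, and `skelhhxnypijred.exe` in system32) are what MBAM actually removed from the running system.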

  6. #6
    Security Expert: Emeritus
    Join Date: Oct 2006
    Location: Finland
    Posts: 29,374

    Please run this instead:

    Please download DDS and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.scr to run the tool.
    • When done, DDS.txt will open.
    • Click Yes at the next prompt for Optional Scan.
    • Save both reports to your desktop.
    ---------------------------------------------------

    Please copy/paste the contents of the following reports in your next reply:

    DDS.txt
    Attach.txt

  7. #7
    Junior Member
    Join Date: Dec 2008
    Posts: 11

    cmdservice

    Hello,

    DDS1


    DDS (Version 1.0) - NTFSx86
    Run by Todd at 9:00:30.71 on Sat 12/06/2008
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.156 [GMT -5:00]

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    svchost.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Todd\Desktop\Todd.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Documents and Settings\Todd\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
    TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
    mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
    mRun: [cafwc] c:\program files\ca\ca internet security suite\ca personal firewall\cafw.exe -cl
    mRun: [capfasem] c:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe
    mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    LSP: c:\windows\system32\VetRedir.dll
    Notify: PFW - UmxWnp.Dll
    AppInit_DLLs: acdobq.dll
    SSODL: Disodime - {E3B662AD-D13A-461A-ACA7-39DB1B953A7E} - c:\windows\system32\sqligmon.dll

    ============= SERVICES / DRIVERS ===============

    R0 KmxStart;KmxStart;c:\windows\system32\drivers\kmxstart.sys [2008-6-24 93712]
    R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\kmxagent.sys [2008-6-24 63504]
    R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-6-24 45584]
    R1 KmxFw;KmxFw;c:\windows\system32\drivers\kmxfw.sys [2008-6-24 115216]
    R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\VET-FILT.sys [2008-11-19 26376]
    R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\VET-REC.sys [2008-11-19 21128]
    R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\VETEFILE.sys [2008-11-19 880560]
    R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\VETFDDNT.sys [2008-11-19 21512]
    R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\VETMONNT.sys [2008-11-19 32264]
    R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\ISafe.exe [2008-11-19 144960]
    R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-6-24 134648]
    R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-6-24 66576]
    R2 UmxAgent;HIPS Event Manager;"c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe" [2007-10-18 1010192]
    R2 UmxCfg;HIPS Configuration Interpreter;"c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe" [2007-10-18 801296]
    R2 UmxPol;HIPS Policy Manager;"c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe" [2008-6-24 281104]
    R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\VetMsg.exe [2008-11-19 242952]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2008-9-16 24652]
    R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\kmxcfg.sys [2008-6-24 88816]
    R3 PPCtlPriv;PPCtlPriv;"c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe" [2007-8-16 189704]
    R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\VETEBOOT.sys [2008-11-19 108368]

    =============== Created Last 30 ================

    2008-12-05 23:09 <DIR> --d----- c:\docume~1\todd\applic~1\Malwarebytes
    2008-12-05 23:09 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2008-12-05 23:09 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-05 23:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2008-12-05 23:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2008-12-01 03:00 <DIR> --d----- c:\program files\MSXML 4.0
    2008-11-30 23:07 <DIR> --d----- C:\Lop SD
    2008-11-30 21:14 <DIR> --d----- C:\Combo-Fix
    2008-11-30 21:13 <DIR> --d----- C:\cmdcons
    2008-11-30 21:04 161,792 a------- c:\windows\SWREG.exe
    2008-11-30 21:04 98,816 a------- c:\windows\sed.exe
    2008-11-29 17:13 <DIR> --d----- c:\docume~1\todd\applic~1\Auslogics
    2008-11-29 17:13 <DIR> --d----- c:\program files\Auslogics
    2008-11-29 16:50 <DIR> --d----- c:\program files\CCleaner
    2008-11-29 15:26 31,928 a------- c:\windows\system32\rrMon.sys
    2008-11-29 15:26 <DIR> --d----- c:\program files\Registrar Registry Manager
    2008-11-20 22:06 <DIR> --d----- c:\windows\LQfix
    2008-11-20 21:59 176,128 a------- c:\windows\system32\irdxoccs.exe
    2008-11-20 21:57 <DIR> --d----- c:\windows\system32\appmgmt
    2008-11-19 22:02 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2008-11-19 21:40 <DIR> --d----- c:\docume~1\todd\applic~1\IUpd721
    2008-11-19 21:07 64 a------- c:\windows\system32\drivers\kmxcfg.u2k7
    2008-11-19 21:07 64 a------- c:\windows\system32\drivers\kmxcfg.u2k6
    2008-11-19 21:07 132,030 a------- c:\windows\system32\drivers\kmxcfg.u2k0
    2008-11-19 21:07 64 a------- c:\windows\system32\drivers\kmxcfg.u2k5
    2008-11-19 21:07 64 a------- c:\windows\system32\drivers\kmxcfg.u2k4
    2008-11-19 21:07 64 a------- c:\windows\system32\drivers\kmxcfg.u2k3
    2008-11-19 21:07 64 a------- c:\windows\system32\drivers\kmxcfg.u2k2
    2008-11-19 21:07 64 a------- c:\windows\system32\drivers\kmxcfg.u2k1
    2008-11-19 20:07 <DIR> --d----- c:\windows\CAVTemp
    2008-11-19 19:47 880,560 a------- c:\windows\system32\drivers\vetefile.sys
    2008-11-19 19:47 108,368 a------- c:\windows\system32\drivers\veteboot.sys
    2008-11-19 19:45 32,264 a------- c:\windows\system32\drivers\vetmonnt.sys
    2008-11-19 19:45 26,376 a------- c:\windows\system32\drivers\vet-filt.sys
    2008-11-19 19:45 21,512 a------- c:\windows\system32\drivers\vetfddnt.sys
    2008-11-19 19:45 21,128 a------- c:\windows\system32\drivers\vet-rec.sys
    2008-11-19 19:45 99,592 a------- c:\windows\system32\isafeif.dll
    2008-11-19 19:45 79,424 a------- c:\windows\system32\vetredir.dll
    2008-11-19 19:45 75,016 a------- c:\windows\system32\isafprod.dll
    2008-11-19 19:44 <DIR> --d----- c:\program files\common files\Scanner
    2008-11-19 19:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CA
    2008-11-19 19:44 <DIR> --d----- c:\program files\CA
    2008-11-19 19:16 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
    2008-11-19 19:16 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2008-11-19 19:16 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
    2008-11-19 19:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2008-11-19 19:12 <DIR> --d----- c:\program files\Spybot - Search & Destroy
    2008-11-19 18:59 153,522 a------- c:\windows\system32\g51.exe
    2008-11-19 18:59 <DIR> --d----- c:\windows\system32\vim
    2008-11-19 18:59 <DIR> --d----- c:\windows\system32\hdx
    2008-11-19 18:59 <DIR> --d----- c:\windows\system32\fip
    2008-11-19 18:59 <DIR> --d----- c:\windows\system32\d
    2008-11-19 18:59 <DIR> --d----- c:\temp\FT62
    2008-11-19 18:59 <DIR> --d----- C:\Temp
    2008-11-12 03:10 <DIR> --dsh--- C:\found.000
    2008-11-11 15:36 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll

    ==================== Find3M ====================

    2008-11-18 13:36 7,478 a------- c:\windows\system32\errutcpy.dll
    2008-10-24 06:10 453,632 a------- c:\windows\system32\drivers\mrxsmb.sys
    2008-10-18 15:39 50,772 a---h--- c:\windows\system32\mlfcache.dat
    2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
    2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
    2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
    2008-09-16 20:59 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
    2008-09-16 19:51 187,392 a------- c:\windows\system32\mapupbot.dll
    2008-09-15 22:01 558,142 a------- c:\windows\java\packages\EVB9RR3T.ZIP
    2008-09-15 22:01 2,678 a------- c:\windows\java\packages\data\CH7LVP3H.DAT
    2008-09-15 22:01 155,995 a------- c:\windows\java\packages\7J1JVXZJ.ZIP
    2008-09-15 22:01 2,678 a------- c:\windows\java\packages\data\E5BZZ7JB.DAT
    2008-09-15 22:01 2,678 a------- c:\windows\java\packages\data\R3JZP7HZ.DAT
    2008-09-15 22:01 2,678 a------- c:\windows\java\packages\data\9BZRXNZ9.DAT
    2008-09-15 22:01 2,678 a------- c:\windows\java\packages\data\7Z7H3NVJ.DAT
    2008-09-15 21:59 21,640 a------- c:\windows\system32\emptyregdb.dat
    2008-09-15 06:57 1,846,016 a------- c:\windows\system32\win32k.sys

    ============= FINISH: 9:01:16.62 ===============


    DDS2


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Version 1.0)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/15/2008 11:03:07 PM
    System Uptime: 12/1/2008 7:07:14 PM (110 hours ago)

    Motherboard: Dell Inc. | | 0M3918
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 63 GiB total, 45.023 GiB free.
    D: is FIXED (NTFS) - 33 GiB total, 33.356 GiB free.
    E: is FIXED (NTFS) - 33 GiB total, 12.016 GiB free.
    F: is FIXED (FAT32) - 19 GiB total, 18.841 GiB free.
    G: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Video Controller (VGA Compatible)
    Device ID: PCI\VEN_8086&DEV_2582&SUBSYS_01811028&REV_04\3&172E68DD&0&10
    Manufacturer:
    Name: Video Controller (VGA Compatible)
    PNP Device ID: PCI\VEN_8086&DEV_2582&SUBSYS_01811028&REV_04\3&172E68DD&0&10
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Video Controller
    Device ID: PCI\VEN_8086&DEV_2782&SUBSYS_01811028&REV_04\3&172E68DD&0&11
    Manufacturer:
    Name: Video Controller
    PNP Device ID: PCI\VEN_8086&DEV_2782&SUBSYS_01811028&REV_04\3&172E68DD&0&11
    Service:

    ==== System Restore Points ===================

    RP1: 11/20/2008 9:53:29 PM - System Checkpoint
    RP2: 11/20/2008 9:53:29 PM - Installed Broadcom 440x Driver Installer
    RP3: 11/20/2008 9:53:29 PM - Installed Microsoft Office Professional Edition 2003
    RP4: 11/20/2008 9:53:29 PM - Installed Dell System Software
    RP5: 11/20/2008 9:53:30 PM - Installed Desktop System Software
    RP6: 11/20/2008 9:53:30 PM - Installed Windows XP KB838989.
    RP7: 11/20/2008 9:53:30 PM - Software Distribution Service 3.0
    RP8: 11/20/2008 9:53:30 PM - Installed Windows XP KB842773.
    RP9: 11/20/2008 9:53:31 PM - Installed Windows Installer KB893803v2.
    RP10: 11/20/2008 9:53:31 PM - Installed Windows XP KB892130.
    RP11: 11/20/2008 9:53:31 PM - Installed Windows XP KB898461.
    RP12: 11/20/2008 9:53:31 PM - Printer Driver Microsoft Office Document Image Writer Installed
    RP13: 11/20/2008 9:53:31 PM - Software Distribution Service 3.0
    RP14: 11/20/2008 9:53:31 PM - Installed Windows XP Service Pack 2.
    RP15: 11/20/2008 9:53:33 PM - Installed iTunes
    RP16: 11/20/2008 9:53:33 PM - Software Distribution Service 3.0
    RP17: 11/20/2008 9:53:33 PM - System Checkpoint
    RP18: 11/20/2008 9:53:33 PM - Software Distribution Service 3.0
    RP19: 11/20/2008 9:53:33 PM - System Checkpoint
    RP20: 11/20/2008 9:53:34 PM - Printer Driver Microsoft Office Document Image Writer Installed
    RP21: 11/20/2008 9:53:34 PM - Printer Driver Microsoft Office Document Image Writer Installed
    RP22: 11/20/2008 9:53:34 PM - Installed Dell Driver Reset Tool
    RP23: 11/20/2008 9:53:34 PM - Installed Dell System Software
    RP24: 11/20/2008 9:53:34 PM - Installed Desktop System Software
    RP25: 11/20/2008 9:53:34 PM - System Checkpoint
    RP26: 11/20/2008 9:53:34 PM - System Checkpoint
    RP27: 11/20/2008 9:53:34 PM - System Checkpoint
    RP28: 11/20/2008 9:53:34 PM - System Checkpoint
    RP29: 11/20/2008 9:53:34 PM - System Checkpoint
    RP30: 11/20/2008 9:53:34 PM - System Checkpoint
    RP31: 11/20/2008 9:53:34 PM - System Checkpoint
    RP32: 11/20/2008 9:53:34 PM - System Checkpoint
    RP33: 11/20/2008 9:53:34 PM - System Checkpoint
    RP34: 11/20/2008 9:53:34 PM - System Checkpoint
    RP35: 11/20/2008 9:53:34 PM - System Checkpoint
    RP36: 11/20/2008 9:53:35 PM - System Checkpoint
    RP37: 11/20/2008 9:53:35 PM - System Checkpoint
    RP38: 11/20/2008 9:53:35 PM - System Checkpoint
    RP39: 11/20/2008 9:53:35 PM - System Checkpoint
    RP40: 11/20/2008 9:53:35 PM - System Checkpoint
    RP41: 11/20/2008 9:53:35 PM - System Checkpoint
    RP42: 11/20/2008 9:53:35 PM - System Checkpoint
    RP43: 11/20/2008 9:53:35 PM - System Checkpoint
    RP44: 11/20/2008 9:53:35 PM - System Checkpoint
    RP45: 11/20/2008 9:53:35 PM - System Checkpoint
    RP46: 11/20/2008 9:53:35 PM - Software Distribution Service 3.0
    RP47: 11/20/2008 9:53:35 PM - Removed Apple Mobile Device Support
    RP48: 11/20/2008 9:53:36 PM - System Checkpoint
    RP49: 11/20/2008 9:53:36 PM - System Checkpoint
    RP50: 11/20/2008 9:53:36 PM - System Checkpoint
    RP51: 11/20/2008 9:53:36 PM - System Checkpoint
    RP52: 11/20/2008 9:53:36 PM - System Checkpoint
    RP53: 11/20/2008 9:53:36 PM - System Checkpoint
    RP54: 11/20/2008 9:53:36 PM - System Checkpoint
    RP55: 11/20/2008 9:53:36 PM - Software Distribution Service 3.0
    RP56: 11/20/2008 9:53:36 PM - System Checkpoint
    RP57: 11/20/2008 9:53:37 PM - System Checkpoint
    RP58: 11/20/2008 9:53:37 PM - System Checkpoint
    RP59: 11/20/2008 9:53:37 PM - System Checkpoint
    RP60: 11/20/2008 9:53:37 PM - System Checkpoint
    RP61: 11/20/2008 9:53:37 PM - System Checkpoint
    RP62: 11/20/2008 9:53:37 PM - System Checkpoint
    RP63: 11/20/2008 9:53:37 PM - System Checkpoint
    RP64: 11/20/2008 9:53:37 PM - System Checkpoint
    RP65: 11/20/2008 9:53:37 PM - System Checkpoint
    RP66: 11/20/2008 9:53:37 PM - System Checkpoint
    RP67: 11/20/2008 9:53:37 PM - System Checkpoint
    RP68: 11/20/2008 9:53:37 PM - System Checkpoint
    RP69: 11/20/2008 9:53:37 PM - System Checkpoint
    RP70: 11/20/2008 9:53:37 PM - System Checkpoint
    RP71: 11/20/2008 9:53:38 PM - System Checkpoint
    RP72: 11/20/2008 9:53:38 PM - System Checkpoint
    RP73: 11/20/2008 9:53:38 PM - System Checkpoint
    RP74: 11/20/2008 9:53:38 PM - Software Distribution Service 3.0
    RP75: 11/20/2008 9:53:38 PM - System Checkpoint
    RP76: 11/20/2008 9:53:38 PM - System Checkpoint
    RP77: 11/20/2008 9:53:38 PM - System Checkpoint
    RP78: 11/20/2008 9:53:38 PM - System Checkpoint
    RP79: 11/20/2008 9:53:38 PM - System Checkpoint
    RP80: 11/20/2008 9:53:38 PM - System Checkpoint
    RP81: 11/20/2008 9:53:38 PM - Last known good configuration
    RP82: 11/20/2008 9:53:38 PM - System Checkpoint
    RP83: 11/20/2008 9:53:39 PM - Last known good configuration
    RP84: 11/20/2008 9:53:46 PM - Last known good configuration
    RP85: 11/29/2008 9:57:22 AM - System Checkpoint
    RP86: 11/30/2008 12:53:24 PM - System Checkpoint
    RP87: 11/30/2008 9:06:11 PM - ComboFix created restore point
    RP88: 12/1/2008 3:00:17 AM - Software Distribution Service 3.0
    RP89: 12/2/2008 3:11:29 AM - System Checkpoint
    RP90: 12/3/2008 4:35:29 AM - System Checkpoint
    RP91: 12/4/2008 5:35:29 AM - System Checkpoint
    RP92: 12/5/2008 6:35:28 AM - System Checkpoint
    RP93: 12/6/2008 8:11:30 AM - System Checkpoint

    ==== Installed Programs ======================

    Adobe Flash Player ActiveX
    AIM 6
    AIM Search
    AIM Toolbar 5.0
    Apple Mobile Device Support
    Apple Software Update
    AusLogics Disk Defrag
    B44Inst
    Bonjour
    Broadcom 440x Driver Installer
    CA Anti-Spam
    CA Anti-Spyware
    CA Anti-Virus
    CA Internet Security Suite
    CA Personal Firewall
    CCleaner (remove only)
    Dell Driver Reset Tool
    Dell ResourceCD
    HijackThis 2.0.2
    Hotfix for Windows XP (KB952287)
    Intel(R) PRO Network Adapters and Drivers
    iTunes
    LQfix 2.1
    Malwarebytes' Anti-Malware
    Microsoft IntelliPoint 5.2
    Microsoft IntelliType Pro 5.2
    Microsoft Office Professional Edition 2003
    MSXML 4.0 SP2 (KB954430)
    QuickTime
    Registrar Registry Manager 5.62
    Safari
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB944338-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Spybot - Search & Destroy 1.4
    Update for Windows XP (KB898461)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB951072-v2)
    Viewpoint Media Player
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows XP Hotfix - KB890859
    Windows XP Service Pack 2

    ==== Event Viewer Messages ===================

    11/29/2008 4:25:48 PM, error: NetBT [4321] - The name "HOME :1d" could not be registered on the Interface with IP address 192.168.1.4. The machine with the IP address 192.168.1.3 did not allow the name to be claimed by this machine.
    11/30/2008 2:57:35 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer TAS that believes that it is the master browser for the domain on transport NetBT_Tcpip_{1BE1B0AF-B6A8-4DEE-9BCE. The master browser is stopping or an election is being forced.
    11/30/2008 9:14:47 PM, error: NetBT [4321] - The name "HOME :1d" could not be registered on the Interface with IP address 192.168.1.4. The machine with the IP address 192.168.1.5 did not allow the name to be claimed by this machine.

    ==== End Of File ===========================

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    I see that you have run ComboFix.

    Please post the contents of c:\ComboFix.txt next, if available.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  9. #9
    Junior Member
    Join Date
    Dec 2008
    Posts
    11

    Default cmdservice

    ComboFixLog

    ComboFix 08-11-30.01 - Todd 2008-11-30 21:15:29.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.177 [GMT -5:00]
    Running from: c:\documents and settings\Todd\Desktop\Combo-Fix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Lauren\Application Data\gadcom
    c:\documents and settings\Lauren\Application Data\gadcom\gadcom.exe
    c:\documents and settings\Lauren\Local Settings\Temporary Internet Files\fbk.sts
    c:\documents and settings\Lauren\Start Menu\Programs\Startup\Deewoo.lnk
    c:\documents and settings\Lauren\Start Menu\Programs\Startup\DW_Start.lnk
    c:\windows\R2lybHM\
    c:\windows\R2lybHM\\__delete_on_reboot__a_s_a_p_p_s_r_v_._d_l_l_
    c:\windows\R2lybHM\\__delete_on_reboot__c_o_m_m_a_n_d_._e_x_e_
    c:\windows\system32\acdobq.dll
    c:\windows\system32\aiiljjnu.dll
    c:\windows\system32\bpyqobja.dll
    c:\windows\system32\bvbsqapg.ini
    c:\windows\system32\cqqrel.dll
    c:\windows\system32\dPI19
    c:\windows\system32\dPI19\dPI191065.exe
    c:\windows\system32\gpaqsbvb.dll
    c:\windows\system32\hplwcvsr.ini
    c:\windows\system32\mlJDwXrR.dll
    c:\windows\system32\naiexbhf.dll
    c:\windows\system32\nsktmylq.ini
    c:\windows\system32\pac.txt
    c:\windows\system32\RrXwDJlm.ini
    c:\windows\system32\RrXwDJlm.ini2
    c:\windows\system32\rsvcwlph.dll
    c:\windows\system32\srmgdxyf.ini
    c:\windows\system32\uctqay.dll
    c:\windows\system32\winpfz33.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_CMDSERVICE
    -------\Service_cmdService


    ((((((((((((((((((((((((( Files Created from 2008-11-01 to 2008-12-01 )))))))))))))))))))))))))))))))
    .

    2008-11-29 17:13 . 2008-11-29 17:13 <DIR> d-------- c:\program files\Auslogics
    2008-11-29 17:13 . 2008-11-29 17:13 <DIR> d-------- c:\documents and settings\Todd\Application Data\Auslogics
    2008-11-29 16:50 . 2008-11-29 16:50 <DIR> d-------- c:\program files\CCleaner
    2008-11-29 15:26 . 2008-11-29 17:01 <DIR> d-------- c:\program files\Registrar Registry Manager
    2008-11-29 15:26 . 2008-11-21 15:26 31,928 --a------ c:\windows\system32\rrMon.sys
    2008-11-20 22:06 . 2008-11-29 17:02 <DIR> d-------- c:\windows\LQfix
    2008-11-20 21:59 . 2008-11-20 21:59 176,128 --a------ c:\windows\system32\irdxoccs.exe
    2008-11-19 22:02 . 2008-11-19 22:02 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2008-11-19 21:40 . 2008-11-19 21:40 <DIR> d-------- c:\documents and settings\Todd\Application Data\IUpd721
    2008-11-19 21:07 . 2008-11-30 21:20 210,770 --a------ c:\windows\system32\drivers\kmxcfg.u2k0
    2008-11-19 21:07 . 2008-11-30 21:20 64 --a------ c:\windows\system32\drivers\kmxcfg.u2k7
    2008-11-19 21:07 . 2008-11-30 21:20 64 --a------ c:\windows\system32\drivers\kmxcfg.u2k6
    2008-11-19 21:07 . 2008-11-30 21:20 64 --a------ c:\windows\system32\drivers\kmxcfg.u2k5
    2008-11-19 21:07 . 2008-11-30 21:20 64 --a------ c:\windows\system32\drivers\kmxcfg.u2k4
    2008-11-19 21:07 . 2008-11-30 21:20 64 --a------ c:\windows\system32\drivers\kmxcfg.u2k3
    2008-11-19 21:07 . 2008-11-30 21:20 64 --a------ c:\windows\system32\drivers\kmxcfg.u2k2
    2008-11-19 21:07 . 2008-11-30 21:20 64 --a------ c:\windows\system32\drivers\kmxcfg.u2k1
    2008-11-19 20:07 . 2008-11-30 20:54 <DIR> d-------- c:\windows\CAVTemp
    2008-11-19 19:47 . 2008-11-19 19:47 880,560 --a------ c:\windows\system32\drivers\vetefile.sys
    2008-11-19 19:47 . 2008-11-19 19:47 108,368 --a------ c:\windows\system32\drivers\veteboot.sys
    2008-11-19 19:45 . 2007-08-20 13:37 99,592 --a------ c:\windows\system32\isafeif.dll
    2008-11-19 19:45 . 2007-08-20 13:26 79,424 --a------ c:\windows\system32\vetredir.dll
    2008-11-19 19:45 . 2007-08-20 13:37 75,016 --a------ c:\windows\system32\isafprod.dll
    2008-11-19 19:45 . 2007-08-20 13:38 32,264 --a------ c:\windows\system32\drivers\vetmonnt.sys
    2008-11-19 19:45 . 2007-08-20 13:38 26,376 --a------ c:\windows\system32\drivers\vet-filt.sys
    2008-11-19 19:45 . 2007-08-20 13:38 21,512 --a------ c:\windows\system32\drivers\vetfddnt.sys
    2008-11-19 19:45 . 2007-08-20 13:38 21,128 --a------ c:\windows\system32\drivers\vet-rec.sys
    2008-11-19 19:44 . 2008-11-19 19:44 <DIR> d-------- c:\program files\Common Files\Scanner
    2008-11-19 19:44 . 2008-11-19 19:44 <DIR> d-------- c:\program files\CA
    2008-11-19 19:44 . 2008-11-19 20:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\CA
    2008-11-19 19:16 . 2008-11-19 19:16 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
    2008-11-19 19:16 . 2008-11-19 19:16 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
    2008-11-19 19:16 . 2008-11-19 19:16 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2008-11-19 19:12 . 2008-11-19 19:14 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-11-19 19:12 . 2008-11-19 19:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-19 19:08 . 2008-11-19 19:08 <DIR> d-------- c:\documents and settings\Lauren\Application Data\IUpd721
    2008-11-19 19:02 . 2008-11-19 23:05 <DIR> d-------- c:\documents and settings\Lauren\Application Data\NI.GSCNS
    2008-11-19 18:59 . 2008-11-19 21:01 <DIR> d-------- c:\windows\system32\vim
    2008-11-19 18:59 . 2008-11-19 18:59 <DIR> d-------- c:\windows\system32\hdx
    2008-11-19 18:59 . 2008-11-19 18:59 <DIR> d-------- c:\windows\system32\fip
    2008-11-19 18:59 . 2008-11-19 21:00 <DIR> d-------- c:\windows\system32\d
    2008-11-19 18:59 . 2008-11-19 18:59 <DIR> d-------- c:\temp\FT62
    2008-11-19 18:59 . 2008-11-19 23:06 <DIR> d-------- C:\Temp
    2008-11-19 18:59 . 2008-11-19 18:59 153,522 --a------ c:\windows\system32\g51.exe
    2008-11-19 18:59 . 2008-11-19 18:59 64,859 --a------ c:\windows\system32\skelhhxnypijred.exe
    2008-11-12 03:10 . 2008-11-12 03:10 <DIR> d--hs---- C:\found.000
    2008-11-11 15:36 . 2008-09-04 11:42 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
    2008-11-03 08:38 . 2008-11-03 08:38 <DIR> d-------- c:\documents and settings\Todd\Application Data\acccore

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-29 19:17 --------- d-----w c:\program files\Microsoft IntelliPoint
    2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-18 19:29 --------- d-----w c:\documents and settings\Lauren\Application Data\Apple Computer
    2008-10-16 01:25 --------- d-----w c:\program files\iTunes
    2008-10-16 01:25 --------- d-----w c:\program files\iPod
    2008-10-16 01:25 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-10-16 01:20 --------- d-----w c:\program files\Safari
    2008-10-11 14:59 --------- d-----w c:\documents and settings\Danielle\Application Data\acccore
    2008-10-10 12:31 --------- d-----w c:\documents and settings\Lauren\Application Data\Viewpoint
    2008-09-16 03:01 558,142 ----a-w c:\windows\java\Packages\EVB9RR3T.ZIP
    2008-09-16 03:01 155,995 ----a-w c:\windows\java\Packages\7J1JVXZJ.ZIP
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
    "cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 177416]
    "CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 230664]
    "cafwc"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-11-19 1193200]
    "capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-11-19 173296]
    "capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-11-19 259312]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "Disodime"= {E3B662AD-D13A-461A-ACA7-39DB1B953A7E} - c:\windows\System32\sqligmon.dll [2002-09-03 864256]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
    2007-05-18 13:30 79368 c:\windows\system32\UmxWNP.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=acdobq.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R0 KmxStart;KmxStart;c:\windows\system32\DRIVERS\kmxstart.sys [2008-06-24 93712]
    R1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2008-06-24 63504]
    R1 KmxFile;KmxFile;c:\windows\system32\DRIVERS\KmxFile.sys [2008-06-24 45584]
    R1 KmxFw;KmxFw;c:\windows\system32\DRIVERS\kmxfw.sys [2008-06-24 115216]
    R2 KmxCF;KmxCF;c:\windows\system32\DRIVERS\KmxCF.sys [2008-06-24 134648]
    R2 KmxSbx;KmxSbx;c:\windows\system32\DRIVERS\KmxSbx.sys [2008-06-24 66576]
    R2 UmxAgent;HIPS Event Manager;"c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-10-18 1010192]
    R2 UmxCfg;HIPS Configuration Interpreter;"c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-10-18 801296]
    R2 UmxPol;HIPS Policy Manager;"c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2008-06-24 281104]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-09-16 24652]
    R3 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2008-06-24 88816]
    R3 PPCtlPriv;PPCtlPriv;"c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2007-08-16 189704]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-20 c:\windows\Tasks\CAAntiSpywareScan_Daily as Lauren at 7 45 PM.job
    - c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-16 21:10]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{3AB526D9-6653-47CC-8372-52F9D385275D} - c:\windows\system32\mlJDwXrR.dll
    BHO-{4679b228-d53e-4f01-a48a-efc2bacc3875} - c:\windows\system32\acdobq.dll
    BHO-{872199c0-38ca-dc8f-f966-213dcedc7c2f} - (no file)
    BHO-{F7DDD2AE-8B7F-3C7E-AC75-62EFC898E4AC} - (no file)
    Notify-ddcBQiif - ddcBQiif.dll


    .
    ------- Supplementary Scan -------
    .
    IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    LSP: c:\windows\system32\VetRedir.dll

    O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

    c:\windows\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
    hxxp://downloads.ewido.net/ewidoOnlineScan.cab
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-30 22:36:58
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(756)
    c:\windows\system32\UmxWnp.Dll
    c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
    c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
    c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

    - - - - - - - > 'lsass.exe'(812)
    c:\windows\system32\VetRedir.dll
    c:\windows\system32\ISafeIf.dll

    - - - - - - - > 'explorer.exe'(2772)
    c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
    c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
    c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
    c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
    c:\windows\system32\rundll32.exe
    c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
    c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\AIM6\aolsoftware.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-30 22:39:17 - machine was rebooted [Todd]
    ComboFix-quarantined-files.txt 2008-12-01 03:39:11

    Pre-Run: 48,436,158,464 bytes free
    Post-Run: 48,413,376,512 bytes free

    223 --- E O F --- 2008-11-12 08:02:01

  10. #10
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Open notepad and copy/paste the text in the codebox below into it:

    Code:
    File::
    c:\windows\system32\irdxoccs.exe
    c:\windows\system32\g51.exe
    c:\windows\system32\errutcpy.dll
    
    Folder::
    c:\windows\system32\vim
    c:\windows\system32\hdx
    c:\windows\system32\fip
    c:\windows\system32\d
    c:\temp\FT62
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=-

    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
    If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any findstr, find, sed or swreg processes; ComboFix should then continue.
    If that happens, we want to know, and also which process you had to end.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
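The CFScript above clears AppInit_DLLs because the DLL that value loaded, acdobq.dll, appears under ComboFix's "Other Deletions" while the registry value pointing at it survived. The script below is an added example, not part of this thread and not ComboFix's own code; it cross-references those two sections of a ComboFix log to list such orphaned loading points, plus AppInit_DLLs values and Security Center overrides for review, and the log excerpt it parses is a constructed, shortened copy in the same layout as the log posted above.

```python
"""Cross-reference a ComboFix log's "Other Deletions" against its
"Reg Loading Points" to find autostart entries that still name a file
ComboFix already removed (what the CFScript's Registry:: section cleans).

Added example; not part of the forum thread and not ComboFix's own code.
"""
import re

# Constructed sample: a shortened excerpt in the same layout as the
# ComboFix log posted in the thread (a full ComboFix.txt parses the same way).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\acdobq.dll
c:\windows\system32\mlJDwXrR.dll
c:\windows\system32\winpfz33.sys

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Disodime"= {E3B662AD-D13A-461A-ACA7-39DB1B953A7E} - c:\windows\System32\sqligmon.dll [2002-09-03 864256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=acdobq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
"""

SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")   # (((( Name ))))
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")                  # [HKLM\...]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
FILE_RE = re.compile(r"[\w.-]+\.(?:dll|exe|sys)\b", re.IGNORECASE)
PATH_RE = re.compile(r"^[a-zA-Z]:\\")


def split_sections(log):
    """Map each '(((( Name ))))' header to the stripped lines under it."""
    sections, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def deleted_basenames(lines):
    """Lower-cased file/folder names listed under Other Deletions."""
    names = set()
    for line in lines:
        if PATH_RE.match(line):
            names.add(line.rstrip("\\").rsplit("\\", 1)[-1].lower())
    return names


def loading_points(lines):
    """Yield (key, value_name, data) for every value under a [key]."""
    key = None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("data")


def analyse(log):
    """Return (kind, key, value_name, details) tuples worth a reviewer's eye."""
    sections = split_sections(log)
    deleted = deleted_basenames(sections.get("Other Deletions", []))
    findings = []
    for key, name, data in loading_points(sections.get("Reg Loading Points", [])):
        refs = {f.lower() for f in FILE_RE.findall(data)}
        orphaned = refs & deleted
        if orphaned:  # value still loads a file ComboFix deleted: needs cleanup
            findings.append(("orphaned", key, name, sorted(orphaned)))
        if name.lower() == "appinit_dlls" and data.strip():
            findings.append(("appinit", key, name, sorted(refs)))  # any value here is reviewable
        if name.lower() in ("disablemonitoring", "enablefirewall"):
            findings.append(("sc-override", key, name, [data.strip()]))
    return findings


if __name__ == "__main__":
    for kind, key, name, details in analyse(SAMPLE_LOG):
        print(f"{kind:12} [{key}] {name!r} -> {details}")
```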
