Aarrrgh. Infected again, probably virtumonde again ...

Greetings,

Peku006 helped me clean up a virtumonde infection in late March/ early April. I am chagrined to say that, despite upgrading to SP2 and then SP3 and all patches, and setting the Spybot resident tools including the TeaTimer, doing regular updates and immunizations, my computer is again infected. I am assuming it's virtumonde again, because the same file -- zofaziba -- is in my system32 folder, along with a number of others. This time it is really bad, because there are 50-100 entries of devldr.exe in my process list and the CPU is 100% in use, so it's taken several hours just to get a HJT run and the log copied to CD and moved to the clean computer where I'm composing this message. (I tried booting to safe mode and had the same problem, many copies of devldr.exe in the process list and 100% CPU usage).

I did not do the registry backup yet because it was all I could do just to get the HJT. [I'll try it after I send this message.] I do have a bunch of system restore points and Fix-It Utilities Recovery Commander checkpoints. I also have a Ghost backup I ran right after the machine was pronounced clean back in early April (but unfortunately before I did all the upgrades from SP1 to SP3 and all the patches, etc.).

Here is the HJT log. After the log, I've provided some history of some malware troubles from the previous day that might or might not have anything to do with the current infection.

I will be most appreciative of any help you can provide.

Regards,

InfectedComputer

----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:27 AM, on 5/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\MXOaldr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\dmakoc\Application Data\ptidle\ptidle.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {f9328a9a-e18c-478e-b89b-bc896a7c9b6e} - C:\WINDOWS\system32\mizalaza.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking\Program\ereg.ini"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKLM\..\Run: [2cee2ecf] rundll32.exe "C:\WINDOWS\system32\yovalono.dll",b
O4 - HKLM\..\Run: [CPM2fdd1d53] Rundll32.exe "c:\windows\system32\bofuwike.dll",a
O4 - HKLM\..\Run: [pijupakapa] Rundll32.exe "C:\WINDOWS\system32\rewagiki.dll",s
O4 - HKCU\..\Run: [WinMem] C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ptidle] "C:\Documents and Settings\dmakoc\Application Data\ptidle\ptidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKUS\S-1-5-20\..\Run: [pijupakapa] Rundll32.exe "C:\WINDOWS\system32\rewagiki.dll",s (User 'NETWORK SERVICE')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://smportal.rti.org/dana-cached/setup/JuniperSetupSP1.cab
O20 - AppInit_DLLs: c:\windows\system32\bofuwike.dll,C:\WINDOWS\system32\yukikono.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bofuwike.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bofuwike.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 12416 bytes

-------------------------------------------------

Some history from the previous day. The day before this infection, the Tea-Timer warned me about:

5/12/2009 1:28:07 AM Denied (based on Spybot-S&D scan) value "system tool" (new data: "C:\WINDOWS\sysguard.exe") added in System Startup user entry!

I selected "deny".

The next morning when I logged in the McAfee On-Access Scan found:

5/13/2009 9:53:54 AM Deleted C:\WINDOWS\SYSTEM32\WBEM\proquota.exe Generic.dx!cf

and later it found:

5/13/2009 10:06:46 AM Deleted C:\Documents and Settings\dmakoc\Local Settings\Temp\~TMCE.tmp Generic.dx!cf

I also checked Spybot and found the following from the previous night in the resident section:

5/12/2009 1:28:43 AM Encountered and terminated Fraud.Sysguard in C:\WINDOWS\sysguard.exe!

I also found the following file in C:\Documents and Settings\dmakoc\Local Settings: install[1].exe

The file had these properties:

file version 5.1.2600.0
description Игра ''Сапер''
copyright © Корпорация Майкрософт. Все права защ
company Корпорация Майкрософт .

I updated Malwarebytes and Spybot and then I ran a Malwarebytes quick scan, which found Malware.trace (registry item – ... AvScan). Didn’t remove this but instead I ran Spybot, which found:

Company:
Product: WinSpywareProtect
Threat: Malware

Description: WinSpywareProtect is a rogue antispyware solution (in close relation to MalWarrior). It scans the system and reports several non-existent threats. Further, it displays popups every few minutes in order to lure the user into buying the product.

I had not seen any such pop-ups. I let Spyware fix this.

I scanned the file install[1].exe with Spybot and with Malwarebytes -- nothing found. So I deleted the file.

I ran a quick system scan with Malwarebytes and with the latest Windows Malicious Software Removal Tool. Nothing found.

Then McAfee On-Access found Generic.dx!cf in system volume information – A0012927.exe – and deleted it.
I ran Malwarebytes and then McAfee on the entire sys vol info folder -- nothing found.

So at that point I thought those issues were taken care of. I don't know if those had anything to do with the current infection.

--------------------------------------------------------
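The log above carries the usual Virtumonde pattern: a BHO with "(no name)", Run keys that call rundll32 on a system32 DLL with a one-letter export, an AppInit_DLLs entry, O21/O22 hooks pointing at the same DLL, and dozens of copies of one process. The following triage script is an added example, not part of this thread and not HijackThis's own code; it parses a constructed excerpt of that log (paths and CLSIDs copied from the post) and pulls those indicators out so they can be cross-referenced before any fix is attempted. The severity labels and the repeat threshold are this example's own choices.

```python
"""Triage helper for HijackThis 2.0.2 logs (added example; not HijackThis code).

Flags the entry types that mark the Virtumonde-style infection in the log
posted above: an O2 BHO with "(no name)", O4 Run keys that load a DLL via
rundll32 with a one-letter export, O20 AppInit_DLLs, O21 SSODL / O22
SharedTaskScheduler hooks, and a process name repeated many times.
"""
import re
from collections import Counter, defaultdict

# Constructed excerpt of the log in the thread (paths and CLSIDs copied from it).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {f9328a9a-e18c-478e-b89b-bc896a7c9b6e} - C:\WINDOWS\system32\mizalaza.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [2cee2ecf] rundll32.exe "C:\WINDOWS\system32\yovalono.dll",b
O4 - HKLM\..\Run: [CPM2fdd1d53] Rundll32.exe "c:\windows\system32\bofuwike.dll",a
O4 - HKUS\S-1-5-20\..\Run: [pijupakapa] Rundll32.exe "C:\WINDOWS\system32\rewagiki.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: c:\windows\system32\bofuwike.dll,C:\WINDOWS\system32\yukikono.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bofuwike.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bofuwike.dll
"""

ENTRY_RE = re.compile(r"(O\d+) - (.*)")
# Any drive-letter path ending in .dll (stops at a quote or comma).
DLL_RE = re.compile(r"[a-z]:\\[^\",]*?\.dll", re.IGNORECASE)
# rundll32 <path.dll>,<export>: captures the DLL path and the export name.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\"?([a-z]:\\[^\"]+?\.dll)\"?,(\w+)",
                       re.IGNORECASE)


def parse_processes(lines):
    """Count process basenames in the 'Running processes:' block."""
    counts = Counter()
    in_block = False
    for line in lines:
        if line.strip() == "Running processes:":
            in_block = True
        elif in_block:
            if not line.strip():
                break
            counts[line.strip().rsplit("\\", 1)[-1].lower()] += 1
    return counts


def triage(log_text, repeat_threshold=5):
    """Return findings plus the DLLs that the flagged entries reference."""
    lines = log_text.splitlines()
    findings = []                  # (severity, HJT code, description)
    dll_refs = defaultdict(set)    # dll path -> set of HJT codes referencing it
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.groups()
        dlls = [p.lower() for p in DLL_RE.findall(body)]
        flagged = None
        if code == "O2" and "(no name)" in body:
            flagged = ("high", "BHO with no name: " + body)
        elif code == "O4":
            rm = RUNDLL_RE.search(body)
            if rm:
                path, export = rm.groups()
                # A one-letter export (",a" ",b" ",s") is the Virtumonde habit;
                # a named export such as NvStartup is only queued for review.
                sev = "high" if len(export) == 1 else "review"
                flagged = (sev, f"rundll32 loads {path} export '{export}'")
        elif code == "O20" and dlls:
            flagged = ("high", "AppInit_DLLs injected into every process: " + ", ".join(dlls))
        elif code in ("O21", "O22"):
            flagged = ("high", f"{code} shell hook loads " + ", ".join(dlls))
        if flagged:
            findings.append((flagged[0], code, flagged[1]))
            for d in dlls:
                dll_refs[d].add(code)
    repeated = {n: c for n, c in parse_processes(lines).items() if c >= repeat_threshold}
    for name, count in repeated.items():
        findings.append(("high", "proc", f"{name} running {count} times"))
    # DLLs wired into more than one persistence point are the ones to remove together.
    multi_hook = {d: sorted(c) for d, c in dll_refs.items() if len(c) > 1}
    return {"findings": findings, "dll_refs": sorted(dll_refs),
            "multi_hook": multi_hook, "repeated": repeated}


if __name__ == "__main__":
    for sev, code, text in triage(SAMPLE_LOG)["findings"]:
        print(f"[{sev:6}] {code:5} {text}")
```

Run it against a full saved log (`triage(open("hijackthis.log").read())`) and the `multi_hook` entry shows which DLL would have to be removed from every hook at once for the cleanup to stick.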
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You must have read and followed the "Before you Post" instructions, anything else will waste your time and mine.
TeaTimer is not disabled as instructed?

1) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)


2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Download ComboFix from here:

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[image: whatnext.jpg]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished, then restart your computer to restore the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks
 
Problems completing instructions

Hi pskelley,

Thanks for your response. I've disabled the Windows firewall and have run ERUNT. McAfee On-Access is disabled (by the Malware). So those preliminaries are taken care of.

I've tried twice but I have not been able to disable the TeaTimer. The problem is that I can't logoff properly, much less restart properly so that the changes will take effect. When I logoff, I eventually get the screen (colored like the Windows welcome screen) that says "Windows XP", and the hourglass icon is running. I've let it run for 7 1/2 hours overnight and it never completes the log off -- the Windows XP screen remains with the hourglass running. So I eventually push the power button to do a hard shutdown, and when I start up the computer and log in again the TeaTimer comes up in the process list and when I open Spybot the TeaTimer is still marked as checked.

Regarding ComboFix -- even if there were another way to shut off the TeaTimer, I'm concerned that if I try the ComboFix it won't complete because it includes a restart ... Is there a tool that doesn't require a restart to make some progress, or will ComboFix do some good even if its built-in restart doesn't work?

Also, regarding ComboFix, a month and a half ago with the previous infection when peku006 asked me to run ComboFix it did not complete properly, so he had me proceed with Malwarebytes instead. I still have that tool on my computer if you want me to use that instead. [Also, FYI, I installed the recovery console a long time ago, but have never been able to use it because somehow I lost the password to the original Administrator account.]

The other problem is that it is taking forever to do anything because dozens of copies of devldr.exe are taking up 100% CPU. Some of the copies are loaded as system, some as local service, and some as network service. Logging in takes 15 to 20 minutes. Loading Spybot takes about 10 minutes. It took more than an hour this morning just to log on, turn off the Windows firewall, uncheck TeaTimer, and copy ComboFix to the desktop from a CD. So whatever tool you ask me to run next, it will likely take a very long time, so I hope whatever we use won't bomb!

Also, during the login process I keep getting multiple popups saying that devldr.exe could not be loaded. I've been clicking to close these each time they come up. During the most recent attempt to logoff, after the process got to the Windows XP screen with the endless hourglass, another of these popped up, so maybe it won't log off because it's still trying to start more copies of devldr.exe, I don't know.

So, I have 2 questions:

1. What do I do about the TeaTimer?
2. Do you want me to proceed with ComboFix anyway, or something else?

Also, a side question:

3. I still have Malwarebytes and HJT installed from before. Do I need to download again and re-install?

Regards,

InfectedComputer
 
1) To make sure TeaTimer does not interfere with fixes, uninstall Spybot S&D in Add Remove programs. That will take care of TeaTimer and you can re-install Spybot once the malware is removed.

2) Then follow the directions I posted.

3) MBAM: We will use that program later and I will post instructions for it at that time.

HJT installed from before: the request is for an UNINSTALL LIST not a HJT log or HJT installation? Please read the directions carefully.

Thanks
 
Hi pskelley,

Regarding the TeaTimer -- I uninstalled Spybot. At the end of the uninstall process, it asked for a restart. When I did that, the computer wouldn't logoff/shutdown, the same as before. So eventually I powered off the computer and powered it back on. Then, when I logged in, the TeaTimer started up again. There are three files remaining in c:\Program Files\Spybot - Search & Destroy that didn't get deleted during the uninstall -- TeaTimer.exe, SDHelper.dll, and advcheck.dll. Should I delete these manually and then power down/ power up and proceed with ComboFix?

Regarding the instructions -- I understand from your instructions that after the TeaTimer is disabled I need to produce, in order, a ComboFix log, an HJT log, and an uninstall list using HJT, and post all 3 of them.

Regarding my question about uninstalling and reinstalling HJT and MBAM -- I probably didn't explain the question well enough. My question is a general one: usually an instruction from a helper says go to the following link, download tool "X", save it to the desktop, install it (and update it, depending on the tool), and run a scan with it. But the instruction doesn't say what to do if you already have the tool installed on your infected computer from a previous time. So my question is: if I already had a particular tool installed on my computer before the infection happened (and had been keeping the tool updated), is it necessary to download and install a "fresh" copy of the tool? I know that the initial Malware infection can disable features of anti-spyware programs (e.g., the Malware disabled my McAfee On-Access scan), so it seems possible that the answer might be "yes", so I thought I would ask to be sure. [In my particular case, I already have HJT and MBAM from last time, so that's why I asked about those particular tools, and because your current instructions require HJT -- BTW, the HJT log in my initial post above is from my existing HJT.] I'm asking because I'm anxious to get it right, and also because I'm just curious about these things.

Regards,

InfectedComputer
 
So neither of us gets confused, and I am close to it now trying to figure out your posts, I will post one (1) instruction at a time from this point on.

Post an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

[image: uninstall-man.jpg]


Please post the uninstall list and nothing else.
 
uninstall list from HJT

OK, here's the uninstall list produced by HJT:

----------------------------------

5000 Series
Ad-Aware
Adobe Flash Player ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.5
Advertisement Service
America Online
Anapod CopyGear (remove only)
Anapod Explorer (remove only)
AOL Coach Version 1.0(Build:20011028.1)
Apple Software Update
ArcSoft Media Card Companion
ArcSoft Software Suite
ATI Display Driver
Audacity 1.2.6
BellSouth® FastAccess® Connection Manager
BroadJump Client Foundation
BroadJump CorrectConnect Engine
CCleaner (remove only)
Cebuano Tutor 4.0
Check Point VPN-1 SecureClient NG_AI_R55
Compatibility Pack for the 2007 Office system
Conexant HSF V92 56K Data Fax PCI Modem
Critical Update for Windows Media Player 11 (KB959772)
CSDiff
DeductionPro 2003
Dell Picture Studio - Image Expert 2000
Dell ResourceCD
Dell Solution Center
DellTouch
Detto IntelliMover
DiscWizard for Windows
DivX 5.0.3 Bundle
Dragon NaturallySpeaking 7.3
Easy CD Creator 5 Basic
ERUNT 1.1j
FLV Player 2.0, build 24
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
hp instant support
HP Memories Disc
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
Intel Application Accelerator
iPod for Windows 2005-03-23
iPod for Windows 2005-09-06
iTunes
iTunes
Lavasoft VX2 Cleaner
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
LP Recorder
LP Ripper
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
McAfee QuickClean
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Halo
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Picture It! Photo 2002
Microsoft Silverlight
Microsoft Streets and Trips 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Word 2002
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
MiraScan V4.03
Modem Helper
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Muhlenberg College
MusicMatch Jukebox
My DSC
Nero Suite
Ninotech Path Copy 4.0
Norton Ghost
NVIDIA Windows 2000/XP Display Drivers
OCR Software by I.R.I.S 7.0
OLYMPUS CAMEDIA Master 4.1
Olympus Digital Wave Player
Olympus Voice Album
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
PhoneTools
Photosmart 140,240,7200,7600,7700,7900 Series
Pinnacle Hollywood FX
PowerDesk 5.0
PrintMusic! 2001
PRO200WL
QuickLink Mobile Phonebook
QuickTime
RealPlayer
Recovery Commander
Registry First Aid
Remove MiraScan USB Driver
Retrospect 5.6
Samsung USB Driver (MCCI 4.24 WHQL)
ScanButton 3.0
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Shockwave
Shockwave Player
Sony VRD-VCX [Video Capture] DS Filters v1.9.3i
Sound Blaster Live! Value
Spelling Dictionaries For Adobe Reader Package
Spychecker
Studio 9
TaxCut 2003
TaxCut 2004
TaxCut Deluxe 2005
TaxCut North Carolina 2008
TaxCut Premium + State + Efile 2008
Teach2000.7 XP
Ultra WinCleaner Utility Suite Version 8
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
USB Storage Adapter FX (MXO)
VCOM Fix-It Utilities Professional 6
Viewpoint Media Player (Remove Only)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VNC 3.3.7
WD Diagnostics
Windows Driver Package - Sony (VRDVC20) MEDIA 11/10/2004 5.1.18.01
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Service Pack 3
WinFF 0.43
WinRAR archiver
Xvid 1.1.2 final uninstall
 
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Download ComboFix from here:

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Recap: Post the log from combofix and a new HJT log run AFTER combofix was run.
 
Hi,

I've put ComboFix.exe on the desktop, as instructed. I've disabled Windows Firewall and the McAfee On-Access scanner, and I've uninstalled Spybot S&D.

But, as I mentioned above, the Spybot uninstall did not remove the TeaTimer. The uninstall procedure asked me to restart the computer to complete the uninstall, but the computer hung up during the process of shutting down, so eventually I had to do a forced shutdown. The TeaTimer restarted when I logged in after I booted back to Windows. TeaTimer.exe did not get removed from the Spybot program folder.

Please confirm for me, do you want me to launch ComboFix now even though the TeaTimer is still running?

Or is there something else you want me to do to try to disable the TeaTimer before I run ComboFix?

Thanks

P.S., Here are the additional details on what happened during the Spybot uninstall, if you want them or need them:

The uninstall procedure ended with a pop-up Window that said a restart was required to complete the process, and asked "Do you want to restart now?". I clicked "yes", and my Windows session started the process of logging off but then it "hung", showing the hourglass "Windows busy" icon in place of the cursor icon. Since the infection began, the computer has done this every time I have tried to logoff, restart, or shutdown from within a Windows user account session. (The other night I waited 7 hours and it was still hung in the same place.) Each time, I've finally had to force the computer to shut down by pressing and holding the power button until the computer powers off.

So this time, when I powered up the computer and then logged in to my Windows account from the Windows welcome screen, the TeaTimer restarted (specifically, TeaTimer.exe appeared in the process list in Task Manager, and the "Spybot resident" icon appeared in the systray). I looked in the "c:\Program Files\Spybot S & D" folder to see if the uninstall had deleted all the files. I found that there were still 3 files there -- TeaTimer.exe and a couple of DLL's.
 
Quick (I promise!) question before I launch ComboFix ...

Sorry, just one quick question before I launch ComboFix. When the computer got infected, I unplugged it from the internet. Based on the ComboFix guide, it seems that ComboFix only needs an internet connection if it needs to download and install the Recovery Console. I already have the Recovery Console installed. So is it OK to leave the computer unplugged from the internet while I run ComboFix?

Regards,

Infected computer.

P.S. FYI, I've been posting from a clean computer, to avoid or minimize the need to plug the infected computer back in to the internet while it's being cleaned.
 
ComboFix and HJT

Hi,

Below are the ComboFix and HJT logs.

Several brief items, and then the logs:

1. FYI, before I ran ComboFix I right-clicked the Spybot resident icon in the systray, and was able to get it to exit. After I did that, the TeaTimer.exe process was no longer appearing in the Task Manager.

2. Also FYI, ComboFix rebooted my machine twice -- once after I clicked to close the Rootkit pop-up and once right before it produced the log file. The ComboFix guide made no mention of that possibility, and I wasn't sure if I was to go ahead and log in at the Windows Welcome screen. After waiting a bit, I did log in to the same account that I had launched ComboFix from. It would be good if the ComboFix people would update their guide to cover this.

3. ComboFix popped up a rootkit alert. Here's what it said:

Pop-up: Rootkit !! ComboFix has detected the presence of rootkit activity and needs to reboot the machine. Kindly note down on paper, the name of each file. We may need it later.

C:\WINDOWS\system32\drivers\ovfsthyakjcbbolpuwfnpmiyaetuqfsqqppkek.sys
C:\WINDOWS\system32\ovfsthtdlhfptvaixbndwyturnevvbwkcpojnc.dll
C:\WINDOWS\system32\ovfsthytenpfquexndsqovugxfyaphsrbdvoel.dat
C:\WINDOWS\system32\ovfsthnkvucvojinybhmrlylpbojvoycnfowem.dll
C:\WINDOWS\system32\ovfsthykxbrfdmwfbifsxhtorfixqsvuofsjfw.dll
C:\WINDOWS\system32\ovfsthxcmmarjmucqcuqxsbhqxbadfexubbmrs.dat

-------------------------------

Here is the ComboFix log:

ComboFix 09-05-14.07 - dmakoc 05/16/2009 20:14.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.538 [GMT -4:00]
Running from: c:\documents and settings\dmakoc\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\dmakoc\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\bofuwike.dll
c:\windows\system32\bowagina.dll.tmp
c:\windows\system32\drivers\ovfsthyakjcbbolpuwfnpmiyaetuqfsqqppkek.sys
c:\windows\system32\fakugupu.exe
c:\windows\system32\fufuwatu.dll
c:\windows\system32\kivereza.dll.tmp
c:\windows\system32\luravufa.dll
c:\windows\system32\mizalaza.dll
c:\windows\system32\onolavoy.ini
c:\windows\system32\ovfsthnkvucvojinybhmrlylpbojvoycnfowem.dll
c:\windows\system32\ovfsthtdlhfptvaixbndwyturnevvbwkcpojnc.dll
c:\windows\system32\ovfsthxcmmarjmucqcuqxsbhqxbadfexubbmrs.dat
c:\windows\system32\ovfsthykxbrfdmwfbifsxhtorfixqsvuofsjfw.dll
c:\windows\system32\ovfsthytenpfquexndsqovugxfyaphsrbdvoel.dat
c:\windows\system32\prnet.tmp
c:\windows\system32\rewagiki.dll
c:\windows\system32\yovalono.dll
c:\windows\system32\yukikono.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.208
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthdtkdcbbxemaihnyiowvmhqlfqxsehwlm


((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.

2009-05-14 04:11 . 2009-05-14 04:11 -------- d-----w c:\documents and settings\dmakoc\Application Data\ptidle
2009-04-28 14:21 . 2009-04-28 14:21 -------- d-----w c:\documents and settings\Matt2\Application Data\Malwarebytes
2009-04-26 02:20 . 2009-04-26 02:20 -------- d-----w c:\program files\Search Party
2009-04-20 17:48 . 2009-04-20 17:48 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-20 17:44 . 2009-04-20 17:46 -------- d-----w c:\windows\system32\drivers\UMDF
2009-04-20 17:44 . 2009-04-20 17:44 -------- d-----w c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 10:10 . 2009-02-16 19:55 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-26 22:43 . 2009-02-06 16:25 -------- d-----w c:\program files\ATTToolbar
2009-04-21 12:30 . 2002-11-09 17:53 98072 ----a-w c:\documents and settings\Alexander\Application Data\GDIPFONTCACHEV1.DAT
2009-04-19 04:45 . 2003-11-02 19:44 98072 ----a-w c:\documents and settings\Matt2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 14:02 . 2004-10-02 20:54 -------- d-----w c:\program files\EPSON
2009-04-15 10:03 . 2009-04-15 10:03 98072 ----a-w c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-15 00:37 . 2003-06-01 20:54 -------- d-----w c:\program files\Lavasoft
2009-04-15 00:35 . 2004-09-25 16:08 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-13 14:55 . 2009-04-13 14:55 51716 ----a-w c:\windows\system32\pdf995mon.dll
2009-04-13 14:55 . 2009-04-13 14:55 249856 ----a-w c:\windows\system32\pdfmona.dll
2009-04-13 14:55 . 2009-04-13 00:51 -------- d-----w c:\program files\PDF995
2009-04-13 00:54 . 2009-04-13 00:51 -------- d-----w c:\program files\TaxCut08
2009-04-10 21:58 . 2006-04-25 22:39 98072 ----a-w c:\documents and settings\Arthur\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-08 17:00 . 2004-04-23 19:10 98072 ----a-w c:\documents and settings\dmakoc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-06 23:23 . 2009-04-03 00:08 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:32 . 2009-04-03 00:08 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-04-03 00:08 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-30 00:15 . 2009-03-30 00:15 -------- d-----w c:\program files\Trend Micro
2009-03-29 23:46 . 2009-03-29 23:46 -------- d-----w c:\program files\ERUNT
2009-03-22 19:34 . 2009-03-22 19:34 129 ----a-w c:\documents and settings\dmakoc\Local Settings\Application Data\fusioncache.dat
2009-03-19 03:43 . 2009-03-19 03:43 2294837 ----a-w c:\documents and settings\Lilin\HCUpgrade3.1.exe
2009-03-06 14:22 . 2003-08-25 07:48 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-06-23 15:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ------w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinMem"="c:\program files\blcorp\UWCSuite\WinMem\WinMem.exe" [2003-12-02 376320]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ptidle"="c:\documents and settings\dmakoc\Application Data\ptidle\ptidle.exe" [2009-05-14 56832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 655360]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-03-28 102400]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-08-02 368720]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2002-07-15 1544192]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-02 4640768]
"MaxtorCombo"="c:\progra~1\Dantz\RETROS~1\ComboButton.exe" [2002-07-16 40960]
"MXO Auto Loader"="c:\windows\MXOaldr.exe" [2002-08-09 118784]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 188416]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 221184]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-20 483328]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-04-07 135224]
"DNS7reminder"="c:\program files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" [2003-11-17 729088]
"PinnacleDriverCheck"="c:\windows\System32\PSDrvCheck.exe" [2004-03-10 406016]
"RCScheduleCheck"="c:\program files\VCOM\Recovery Commander\RCSCHED.EXE" [2003-10-21 151552]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-29 180269]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2003-05-02 323584]

c:\documents and settings\dmakoc\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{a5780613-492e-4a2a-a7fd-549610edf6cc}"= "c:\program files\VCOM\Recovery Commander\RCHOOK.DLL" [2003-07-08 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2003-12-01 19:34 24665 ----a-w c:\windows\SYSTEM32\ckpNotify.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux1"= ctwdm32.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ERUNT\\ERUNT.EXE"=

R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [8/14/2002 3:11 PM 5632]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [1/1/1980 1:00 AM 28672]
R2 Scap;SecureClient Application Policy Module;c:\windows\SYSTEM32\DRIVERS\scap.sys [3/26/2004 2:01 PM 17296]
R2 VPN-1;VPN-1 Module;c:\windows\SYSTEM32\DRIVERS\vpn.sys [3/26/2004 2:01 PM 668336]
R3 FW1;SecuRemote Miniport;c:\windows\SYSTEM32\DRIVERS\fw.sys [3/26/2004 2:02 PM 2038128]
R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\Msikbd2k.sys [4/19/2002 1:42 PM 6942]
R3 mxDisk;mxDisk;c:\progra~1\VCOM\Fix-It\mxDisk.sys [5/10/2005 8:26 PM 51656]
S2 VRDVC20;Sony VRD-VC20 [Video Capture];c:\windows\SYSTEM32\DRIVERS\VRDVC20X.SYS [2/25/2006 6:11 PM 31104]
S3 ati2mpaa;ati2mpaa;c:\windows\SYSTEM32\DRIVERS\ati2mpaa.sys [4/19/2002 1:26 PM 281856]
S3 NUVision;Pinnacle DVC 80 Video;c:\windows\SYSTEM32\DRIVERS\nuvvid2.sys [1/4/2005 1:57 PM 155264]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\SYSTEM32\DRIVERS\OMVA.sys [3/26/2004 2:02 PM 14924]
S3 VVRUSB;VVRUSB Device;c:\windows\SYSTEM32\DRIVERS\VVRUSB.sys [9/14/2004 3:42 AM 38479]
.
Contents of the 'Scheduled Tasks' folder

2009-05-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]

2009-05-02 c:\windows\Tasks\HP DArC Task 2003-08-20 09:23ewlett-Packard79002003-08-20 18:57N38V220VXEV.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-08-20 18:57]

2009-05-16 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2005-05-02 21:23]

2002-05-19 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2003-08-25 00:12]

2002-05-19 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2003-08-25 00:12]

2002-05-19 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2003-08-25 00:12]

2009-05-16 c:\windows\Tasks\Scheduled Checkpoint.job
- c:\program files\VCOM\Recovery Commander\RCSCHED.EXE [2005-07-17 17:20]

2009-05-16 c:\windows\Tasks\WebReg officejet 6300 series.job
- c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqwrg.exe [2006-02-19 09:09]
.
- - - - ORPHANS REMOVED - - - -

BHO-{f9328a9a-e18c-478e-b89b-bc896a7c9b6e} - c:\windows\system32\mizalaza.dll
HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
HKCU-Run-prnet - c:\windows\system32\prnet.tmp
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bofuwike.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.att.net/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: {{9239E4EC-C9A6-11D2-A844-00C04F68D538}
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-16 20:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DellTouch = c:\windows\DELLMMKB.EXE?E?L?L?M?M?K?B?.?E?X?E???@???????????x??????????????????????????????????????w???w????7??w???w?????????"?????w?"???????(?w????????XK??XK???%@?h???????????????>????????????????????????????????(?w?????????????#@??????$@?%$@?XK??????XK?
AdaptecDirectCD = "c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"??C?r?e?a?t?o?r? ?5?\?D?i?r?e?c?t?C?D?\?D?i?r?e?c?t?C?D?.?e?x?e?"??????????(?w????????XK??XK???%@?h???????????????>????????????????????????????????(?w?????????????#@??????$@?%$@?XK??????XK?
UpdReg = c:\windows\Updreg.exe?U?p?d?r?e?g?.?e?x?e???DirectCD\DirectCD.exe"??C?r?e?a?t?o?r? ?5?\?D?i?r?e?c?t?C?D?\?D?i?r?e?c?t?C?D?.?e?x?e?"??????????(?w????????XK??XK???%@?h???????????????>????????????????????????????????(?w?????????????#@??????$@?%$@?XK??????XK?
AHQInit = c:\program files\Creative\SBLive\Program\AHQInit.exe??B?L?i?v?e?\?P?r?o?g?r?a?m?\?A?H?Q?I?n?i?t?.?e?x?e???D?i?r?e?c?t?C?D?.?e?x?e?"??????????(?w????????XK??XK???%@?h???????????????>????????????????????????????????(?w?????????????#@??????$@?%$@?XK??????XK?
BJCFD = c:\program files\BroadJump\Client Foundation\CFD.exe??C?l?i?e?n?t? ?F?o?u?n?d?a?t?i?o?n?\?C?F?D?.?e?x?e???S?h?a?r?e?d?\?W?k?U?F?i?n?d?.?e?x?e???????????XK??XK???%@?h???????????????>????????????????????????????????(?w?????????????#@??????$@?%$@?XK??????XK?
tgcmd = "c:\program files\Support.com\bin\tgcmd.exe" /server /nosystray?n?\?t?g?c?m?d?.?e?x?e?"? ?/?s?e?r?v?e?r? ?/?n?o?s?y?s?t?r?a?y???i?n?d?.?e?x?e???????????XK??XK???%@?h???????????????>????????????????????????????????(?w?????????????#@??????$@?%$@?XK??????XK?
NvCplDaemon = RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup??t?e?m?3?2?\?N?v?C?p?l?.?d?l?l?,?N?v?S?t?a?r?t?u?p???/?n?o?s?y?s?t?r?a?y???i?n?d?.?e?x?e???????????XK??XK???%@?h???????????????>????????????????????????????????(?w?????????????#@??????$@?%$@?XK??????XK?
nwiz = nwiz.exe /install?/?i?n?s?t?a?l?l???pl.dll,NvStartup??t?e?m?3?2?\?N?v?C?p?l?.?d?l?l?,?N?v?S?t?a?r?t?u?p???/?n?o?s?y?s?t?r?a?y???i?n?d?.?e?x?e???????????XK??XK???%@?h???????????????>????????????????????????????????(?w?????????????#@??????$@?%$@?XK??????XK?
MaxtorCombo = "c:\progra~1\Dantz\RETROS~1\ComboButton.exe"??O?S?~?1?\?C?o?m?b?o?B?u?t?t?o?n?.?e?x?e?"???S?t?a?r?t?u?p???/?n?o?s?y?s?t?r?a?y???i?n?d?.?e?x?e???????????XK??XK???%@?h???????????????>????????????????????????????????(?w?????????????#@??????$@?%$@?XK??????XK?
MXO Auto Loader = c:\windows\MXOaldr.exe??X?O?a?l?d?r?.?e?x?e???O?S?~?1?\?C?o?m?b?o?B?u?t?t?o?n?.?e?x?e?"???S?t?a?r?t?u?p???/?n?o?s?y?s?t?r?a?y???i?n?d?.?e?x?e???????????XK??XK???%@?h???????????????>????????????????????????????????(?w?????????????#@??????$@?%$@?XK??????XK?
HPDJ Taskbar Utility = c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe?i?v?e?r?s?\?w?3?2?x?8?6?\?3?\?h?p?z?t?s?b?0?9?.?e?x?e???rogram\ereg.ini"??x?e?"? ?/?S?t?a?r?t?e?d?F?r?o?m?R?u?n?K?e?y???????>????????????????????????????????(?w?????????????#@??????$@?%$@?XK??????XK?
HPHUPD05 = c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe??D?C?A?B?-?4?0?9?3?-?8?E?E?8?-?6?1?6?4?4?5?7?5?1?7?F?0?}?\?h?p?h?u?p?d?0?5?.?e?x?e???e?y???????>????????????????????????????????(?w?????????????#@??????$@?%$@?XK??????XK?
HP Component Manager = "c:\program files\HP\hpcoretech\hpcmpmgr.exe"?c?o?r?e?t?e?c?h?\?h?p?c?m?p?m?g?r?.?e?x?e?"???B?-?4?0?9?3?-?8?E?E?8?-?6?1?6?4?4?5?7?5?1?7?F?0?}?\?h?p?h?u?p?d?0?5?.?e?x?e???e?y???????>????????????????????????????????(?w?????????????#@??????$@?%$@?XK??????XK?
HPHmon05 = c:\windows\System32\hphmon05.exe??3?2?\?h?p?h?m?o?n?0?5?.?e?x?e???p?c?m?p?m?g?r?.?e?x?e?"???B?-?4?0?9?3?-?8?E?E?8?-?6?1?6?4?4?5?7?5?1?7?F?0?}?\?h?p?h?u?p?d?0?5?.?e?x?e???e?y???????>????????????????????????????????(?w?????????????#@??????$@?%$@?XK??????XK?
ShStatEXE = "c:\program files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE??\?V?i?r?u?s?S?c?a?n?\?S?H?S?T?A?T?.?E?X?E?"? ?/?S?T?A?N?D?A?L?O?N?E???\?h?p?h?u?p?d?0?5?.?e?x?e?????????????>????????????????????????????????(?w?????????????#@??????$@?%$@?XK??????XK?
McAfeeUpdaterUI = "c:\program files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey?F?r?a?m?e?w?o?r?k?\?U?p?d?a?t?e?r?U?I?.?e?x?e?"? ?/?S?t?a?r?t?e?d?F?r?o?m?R?u?n?K?e?y???????>????????????????????????????????(?w?????????????#@??????$@?%$@?XK??????XK?
DNS7reminder = "c:\program files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" -r "c:\program files\ScanSoft\NaturallySpeaking\Program\ereg.ini"??x?e?"? ?/?S?t?a?r?t?e?d?F?r?o?m?R?u?n?K?e?y???????>????????????????????????????????(?w?????????????#@??????$@?%$@?XK??????XK?
PinnacleDriverCheck = c:\windows\System32\PSDrvCheck.exe -CheckReg??r?v?C?h?e?c?k?.?e?x?e? ?-?C?h?e?c?k?R?e?g???ft\NaturallySpeaking\Program\ereg.ini"??x?e?"? ?/?S?t?a?r?t?e?d?F?r?o?m?R?u?n?K?e?y???????>????????????????????????????????(?w?????????????#@??????$@?%$@?XK??????XK?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2225589205-1256799619-874574627-1012\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2225589205-1256799619-874574627-1012\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-2225589205-1256799619-874574627-1012)
@Allowed: (Read) (S-1-5-21-2225589205-1256799619-874574627-1012)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,32,31,14,99,61,
31,74,86,c8,28,51,af,b0,29,a3,98,de,8c,45,98,c6,3d,6f,4f,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,be,db,f6,31,50,
8b,65,8a,71,3b,04,66,8b,46,0d,96,7b,86,1e,c8,f5,15,6a,6d,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,aa,6f,0a,18,3d,
39,ee,8a,25,da,ec,7e,55,20,c9,26,33,da,6e,a7,a0,c1,ff,36,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,5d,e2,8c,1c,7c,
30,56,c1,3e,1e,9e,e0,57,5a,93,61,53,99,e5,4b,fd,dd,52,d0,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,ce,cd,40,94,59,
2b,df,ba,cd,44,cd,b9,a6,33,6c,cd,e5,51,9c,d7,81,fd,51,06,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,74,1a,bd,2b,d8,
cb,8e,80,b0,18,ed,a7,3f,8d,37,a4,5b,c0,de,db,23,e0,b3,a6,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,5e,e7,f6,11,5f,
f4,84,c8,31,77,e1,ba,b1,f8,68,02,1a,66,6d,16,21,b5,05,ce,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,84,ed,f7,8b,f0,
35,8b,f2,83,6c,56,8b,a0,85,96,ab,e2,55,8a,87,1f,f7,9d,03,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,d2,34,6e,b1,b0,
88,cc,c6,51,fa,6e,91,28,9e,14,cc,d6,08,5c,25,5d,99,f8,b1,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,a7,8c,a9,c6,70,
a4,85,26,b1,cd,45,5a,a8,c4,f8,b9,e3,21,47,0c,b2,8f,4a,7c,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,db,48,e1,79,a9,
ae,52,31,e3,0e,66,d5,eb,bc,2f,6b,2e,9f,90,c5,08,6f,ca,5d,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,a8,6e,be,44,74,
ba,7c,c5,fa,ea,66,7f,d4,3b,6b,70,93,7a,fd,d1,66,cc,1b,4e,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3868)
c:\progra~1\VCOM\Fix-It\WinHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\progra~1\VCOM\Fix-It\MXTASK.exe
c:\progra~1\Symantec\NORTON~1\GHOSTS~2.EXE
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\Network Associates\VirusScan\vstskmgr.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\progra~1\Dantz\RETROS~1\retrorun.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
c:\windows\wanmpsvc.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\progra~1\VCOM\Fix-It\MXTASK.exe
c:\windows\SYSTEM32\devldr32.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Netropa\OSD.exe
c:\windows\SYSTEM32\HPZipm12.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-05-17 20:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-17 00:28

Pre-Run: 63,149,780,992 bytes free
Post-Run: 63,238,537,216 bytes free

316 --- E O F --- 2009-04-25 15:08



----------------------------------------

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:10 PM, on 5/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\MXOaldr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\dmakoc\Application Data\ptidle\ptidle.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking\Program\ereg.ini"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [WinMem] C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ptidle] "C:\Documents and Settings\dmakoc\Application Data\ptidle\ptidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - S-1-5-18 Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://smportal.rti.org/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10586 bytes
 
Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware. Please post the contents of that file and a new HJT log in your next reply.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html
 
MBAM and HJT logs

Hi,

Below are the MBAM and HJT logs.

Couple of things:

1. Recall that when I uninstalled Spybot S&D, the TeaTimer was not removed. After the restart requested by MBAM, I ran the HJT. After that, I noticed the Spybot Resident icon was present in the systray. I checked the Task Manager and TeaTimer.exe was present in the process list. What I don’t know is whether the TeaTimer loaded during the two restarts initiated by ComboFix. So it's possible the TeaTimer was running when I ran MBAM.

2. I forgot to mention in my last post that the computer started running at normal speed after ComboFix – no more extra copies of devldr.exe in the process list! That is a relief!

3. Question: Is it safe at this point to connect to the internet and start posting from the infected computer?

Regards,

Infected Computer

----------------------------------------------

MBAM log:

Malwarebytes' Anti-Malware 1.36
Database version: 2145
Windows 5.1.2600 Service Pack 3

5/17/2009 1:27:42 PM
mbam-log-2009-05-17 (13-27-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 267653
Time elapsed: 51 minute(s), 28 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
C:\Documents and Settings\dmakoc\Application Data\ptidle\ptidle.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptidle (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\dmakoc\Application Data\ptidle (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\dmakoc\Application Data\ptidle\ptidle.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthnkvucvojinybhmrlylpbojvoycnfowem.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bowagina.dll.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kivereza.dll.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\luravufa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthykxbrfdmwfbifsxhtorfixqsvuofsjfw.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\prnet.tmp.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthyakjcbbolpuwfnpmiyaetuqfsqqppkek.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP110\A0013950.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP110\A0013952.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP110\A0013953.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP110\A0013975.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

-------------------------------------------------

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:49:32 PM, on 5/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\MXOaldr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking\Program\ereg.ini"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [WinMem] C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://smportal.rti.org/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10380 bytes
 
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out-of-date programs to infect folks more and more.
Here is a small free tool that lets you know when something needs an update, if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Flash Player ActiveX
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html

Adobe Reader 7.0.5 <<< out of date and unsafe, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php

Viewpoint Media Player (Remove Only)
For your information, Viewpoint is installed by AOL, probably without your knowledge. I suggest you uninstall this resource waster in Add/Remove Programs.
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546
http://vil.nai.com/vil/content/v_137262.htm

You will have to be online to update the above programs. The first thing you must do is update McAfee to provide updated protections. Once this is done, please tell me how the computer is running.

Thanks
 
Reply and a couple of questions

Hi,

I’ve re-enabled McAfee On-Access, updated McAfee, and re-enabled Windows Firewall.

The computer is running fine.

I will install the Secunia tool and follow-up on your suggestions for updating programs.

Two questions:

1. Is it time to reinstall Spybot S&D, update, and immunize?

2. I had 2 USB external hard drives and 1 flash drive plugged in when the infection started. I’ve had them unplugged since then. Is it time to plug them back in? Do I need to scan them with MBAM?

Regards,

Infected Computer
 
1) No, I will tell you when.

2) No, I will tell you when.

3) Complete the instructions for updating those programs and having PSI check to make sure you have no other out of date programs.
When you get to that point, post a new Uninstall list.
 
New HJT uninstall list

Hi,

OK, I finally worked through all the FSI stuff, the basic and the advanced. The only remaining issues are:

1. Insecure program – Microsoft Data Access Components (MDAC) 2.x. The fix from Secunia didn’t install; it gave a popup message saying that the fix was not needed because I have Windows SP3. But the program link is c:\I386\MSADOX.DLL, and the FSI said that if the file is in a backup location (such as c:\I386) then it’s OK and can be added to the ignore list.

2. End-of-life program – Macromedia Flash Player 5.x (ActiveX Control) – c:\I386\SWFLASH.OCX .

3. End-of-life program – Shockwave – c:\I386\SwInit.exe

But #2 and #3 are in c:\I386 so I assume I can also safely add them to the ignore list?

4. End-of-life program – McAfee VirusScan Enterprise 7.x . Although McAfee still provides updated signatures for this program, it seems that FSI thinks I need to replace it. Do you have a recommendation for a new Anti-Malware program?

A couple more things:

-- Every time I do a restart, Security Center pops up a warning that my virus scanner is disabled. Then the VirusScan icon comes up in the systray and immediately switches to the disabled icon. I’ve re-enabled the On-Access scan manually each time, and opened the scan window to confirm that it was scanning.

-- FYI, there is still a malware file, hidden, named “zofaziba” in c:\windows\system32 . This file was present the last time the computer had an infection.

Below is the new HJT uninstall list.

Regards,

InfectedComputer

----------------------------------------------

HJT uninstall list:

5000 Series
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 9.1.1
America Online
Anapod CopyGear (remove only)
Anapod Explorer (remove only)
AOL Coach Version 1.0(Build:20011028.1)
Apple Mobile Device Support
Apple Software Update
ArcSoft Media Card Companion
ArcSoft Software Suite
ATI Display Driver
Audacity 1.2.6
BellSouth® FastAccess® Connection Manager
Bonjour
BroadJump Client Foundation
BroadJump CorrectConnect Engine
CCleaner (remove only)
Cebuano Tutor 4.0
Check Point VPN-1 SecureClient NG_AI_R55
Compatibility Pack for the 2007 Office system
Conexant HSF V92 56K Data Fax PCI Modem
Critical Update for Windows Media Player 11 (KB959772)
CSDiff
DeductionPro 2003
Dell Picture Studio - Image Expert 2000
Dell ResourceCD
Dell Solution Center
DellTouch
Detto IntelliMover
DiscWizard for Windows
DivX 5.0.3 Bundle
Dragon NaturallySpeaking 7.3
Easy CD Creator 5 Basic
ERUNT 1.1j
FLV Player 2.0, build 24
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
hp instant support
HP Memories Disc
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
Intel Application Accelerator
iPod for Windows 2005-03-23
iPod for Windows 2005-09-06
iTunes
iTunes
Lavasoft VX2 Cleaner
LiveReg (Symantec Corporation)
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
LP Recorder
LP Ripper
Malwarebytes' Anti-Malware
McAfee QuickClean
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Halo
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Picture It! Photo 2002
Microsoft Silverlight
Microsoft Streets and Trips 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Word 2002
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
MiraScan V4.03
Modem Helper
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Muhlenberg College
MusicMatch Jukebox
My DSC
Nero Suite
Ninotech Path Copy 4.0
Norton Ghost
NVIDIA Windows 2000/XP Display Drivers
OCR Software by I.R.I.S 7.0
OLYMPUS CAMEDIA Master 4.1
Olympus Digital Wave Player
Olympus Voice Album
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
PhoneTools
Photosmart 140,240,7200,7600,7700,7900 Series
Pinnacle Hollywood FX
PowerDesk 5.0
PrintMusic! 2001
PRO200WL
QuickLink Mobile Phonebook
QuickTime
RealPlayer
Recovery Commander
Registry First Aid
Remove MiraScan USB Driver
Retrospect 5.6
Samsung USB Driver (MCCI 4.24 WHQL)
ScanButton 3.0
Secunia PSI
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Sony VRD-VCX [Video Capture] DS Filters v1.9.3i
Sound Blaster Live! Value
Spelling Dictionaries Support For Adobe Reader 9
Spychecker
Studio 9
TaxCut 2003
TaxCut 2004
TaxCut Deluxe 2005
TaxCut North Carolina 2008
TaxCut Premium + State + Efile 2008
Teach2000.7 XP
Ultra WinCleaner Utility Suite Version 8
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
USB Storage Adapter FX (MXO)
VCOM Fix-It Utilities Professional 6
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VNC 3.3.7
WD Diagnostics
Windows Driver Package - Sony (VRDVC20) MEDIA 11/10/2004 5.1.18.01
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Service Pack 3
WinFF 0.43
WinRAR archiver
Xvid 1.1.2 final uninstall
 
1) "Microsoft data Access Components (MDAC)"
That should update via Windows Update; it might not be available as a Critical Update. When you have a little time, try this.
Open Internet Explorer > Tools > Windows Updates > Choose Custom.
Once the computer has been scanned, look to the left for items available for Windows XP. You can choose what to install from non-critical stuff from there.
If you have additional questions about this subject, ask them here:
http://support.microsoft.com/

2) c:\I386 <<< these are very important backups, be very careful working here.

c:\I386\SWFLASH.OCX <<< delete the file in red only

3) c:\I386\SwInit.exe <<< delete the file in red only.

4) You would have to take that up with McAfee. I can suggest freeware antivirus programs and will post the link, but first I will ask you to do this:
Start > Control Panel > Security Center > tell me if all three items are Green and Go.

Every time I do a restart, Security Center pops up a warning that my virus scanner is disabled. Then the VirusScan icon comes up in the systray and immediately switches to the disabled icon. I’ve re-enabled the On-Access scan manually each time, and opened the scan window to confirm that it was scanning.
Maybe the old program? You would have to discuss that with McAfee:
http://www.mcafee.com/us/support/
This means Windows Security Center sees it as out of date and that is why I just asked that be checked.
There is still a malware file, hidden, named "zofaziba" in c:\windows\system32
c:\windows\system32\zofaziba <<< delete that file in red and then empty the recycle bin.

Uninstall list <<< as far as I can see, it looks good. Secunia PSI has a better eye than I do though.

Links to available programs:
http://users.telenet.be/bluepatchy/miekiemoes/Links.html

As soon as the above issues are resolved, let's proceed with wrapping up like this.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.



Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, keep it updated and run it once a month or so)

Update the antivirus (whatever one you decide to run) and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.

If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

How hard are your passwords to crack?
http://www.microsoft.com/protect/yourself/password/checker.mspx

http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx
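An added example, not part of pskelley's post: the three checks above (is Security Center "Green and Go", is there still a hidden file like zofaziba in system32, and the System Restore off/reboot/on flush) scripted so they can be run and their output pasted back instead of described from the GUI. It assumes Windows XP SP2/SP3 with Windows PowerShell 2.0 installed (not on XP by default) and an Administrator logon; the WMI namespace root\SecurityCenter and the SystemRestore class are the XP-era ones, and the function names are mine.

```powershell
# Added example, not from pskelley's post. Assumes Windows XP SP2/SP3 with
# Windows PowerShell 2.0 installed, run from an Administrator account.

function Get-XpSecurityCenterStatus {
    # XP SP2/SP3 publish Security Center data under root\SecurityCenter.
    # (Vista SP1 and later use root\SecurityCenter2 with a packed productState
    # integer instead of these boolean fields; this function does not handle that.)
    $result = @()
    foreach ($av in Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct) {
        $result += New-Object PSObject -Property @{
            Kind     = 'AntiVirus'
            Product  = $av.displayName
            Version  = $av.versionNumber
            OnAccess = [bool]$av.onAccessScanningEnabled   # disabled tray icon shows up as $false here
            UpToDate = [bool]$av.productUptoDate           # Security Center "out of date" = $false here
        }
    }
    foreach ($fw in Get-WmiObject -Namespace 'root\SecurityCenter' -Class FirewallProduct) {
        $result += New-Object PSObject -Property @{
            Kind = 'Firewall'; Product = $fw.displayName; Version = $fw.versionNumber
            OnAccess = [bool]$fw.enabled; UpToDate = $null
        }
    }
    # The built-in Windows Firewall is not listed as a FirewallProduct; ask netsh.
    $fwState = @((netsh firewall show state) -match 'Operational mode\s*=\s*Enable').Count -gt 0
    $result += New-Object PSObject -Property @{
        Kind = 'Firewall'; Product = 'Windows Firewall'; Version = $null
        OnAccess = $fwState; UpToDate = $null
    }
    # Automatic Updates: AUOptions 4 (download and install automatically) is the
    # only setting Security Center reports as green.
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
    $result += New-Object PSObject -Property @{
        Kind = 'AutomaticUpdates'; Product = 'Windows Update'; Version = $null
        OnAccess = ($au -ne $null -and $au.AUOptions -eq 4); UpToDate = $null
    }
    $result
}

function Get-HiddenSystem32Files {
    param([int]$Days = 30)
    # Hidden files in system32 changed in the last $Days days. zofaziba-style
    # droppers set the Hidden attribute; a kernel-mode rootkit can hide a file
    # from this API entirely, so an empty list here is not proof of a clean system.
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem "$env:SystemRoot\System32" -Force |
        Where-Object { -not $_.PSIsContainer -and
                       ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                       $_.LastWriteTime -gt $since } |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, Length, LastWriteTime, Attributes
}

function Set-XpSystemRestore {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Off','On')][string]$State,
        [string]$Drive = 'C:\'
    )
    # Static methods of the SystemRestore WMI class (root\default). Turning it
    # off discards every existing restore point, which is the point of the flush:
    # a restore point taken while infected would re-deliver the malware on a rollback.
    $sr = [wmiclass]'root\default:SystemRestore'
    if ($State -eq 'Off') { $sr.Disable($Drive) } else { $sr.Enable($Drive, $true) }
}

# Usage, one line at a time, rebooting between Off and On:
#   Get-XpSecurityCenterStatus | Format-Table Kind, Product, OnAccess, UpToDate -AutoSize
#   Get-HiddenSystem32Files -Days 60
#   Set-XpSystemRestore -State Off      # then reboot
#   Set-XpSystemRestore -State On
```

The hidden-file listing is the weak link: it only reports what the filesystem API will admit to, so it catches a hidden-attribute file like zofaziba but not a file concealed by a rootkit driver, which is why helpers still want an anti-rootkit scan before calling a machine clean. The ComboFix removal is left to the `Combofix /u` step above, since the script has no way to know where the user saved the executable.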
 