cannot permanently kill vundo

Status
Not open for further replies.
R

rawprawn

New member
I've tried erasing this trojan using spybot, vundofix, etc., but so far it refuses to die. I'm hoping you can help me get rid of this pest permanently.
From reading previous posts, the drill seems to begin with me submitting a HJT log report, so here goes.

My thanks in advance for any assistance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:58 PM, on 09/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgr.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\FireTrust\MailWasher Free\MailWasher.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ocas.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0879f341-cc2c-4c65-8f9c-45f0b2e0ae01} - C:\WINDOWS\system32\rozodobu.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [benidehasa] Rundll32.exe "C:\WINDOWS\system32\dezupiye.dll",s
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKUS\S-1-5-19\..\Run: [benidehasa] Rundll32.exe "C:\WINDOWS\system32\dezupiye.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [benidehasa] Rundll32.exe "C:\WINDOWS\system32\dezupiye.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk.disabled
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O15 - Trusted Zone: *.aeroplan.com
O15 - Trusted Zone: *.aircanada.com
O15 - Trusted Zone: *.bell.ca
O15 - Trusted Zone: http://www.bike-manual.com
O15 - Trusted Zone: *.bmo.com
O15 - Trusted Zone: *.bmoinvestorline.com
O15 - Trusted Zone: *.cognos.com
O15 - Trusted Zone: http://www.cra-arc.gc.ca
O15 - Trusted Zone: http://*.cyclops
O15 - Trusted Zone: http://www.faststone.org
O15 - Trusted Zone: http://*.gbw-laptop
O15 - Trusted Zone: *.globeinvestor.com
O15 - Trusted Zone: *.harmonyremote.com
O15 - Trusted Zone: http://www-307.ibm.com
O15 - Trusted Zone: http://www.pc.ibm.com
O15 - Trusted Zone: *.ingdirect.ca
O15 - Trusted Zone: http://quicken.intuit.ca
O15 - Trusted Zone: http://support.intuit.ca
O15 - Trusted Zone: *.ishares.ca
O15 - Trusted Zone: *.logitech.com
O15 - Trusted Zone: *.marriott.com
O15 - Trusted Zone: http://www.nikon.ca
O15 - Trusted Zone: remote.ocas.ca
O15 - Trusted Zone: www.ocas.ca
O15 - Trusted Zone: http://www.ocas.ca
O15 - Trusted Zone: *.rogersphoto.ca
O15 - Trusted Zone: *.rom.on.ca
O15 - Trusted Zone: http://globefunddb.theglobeandmail.com
O15 - Trusted Zone: http://www.theglobeandmail.com
O15 - Trusted Zone: *.theglobeandmail.com
O15 - Trusted Zone: http://www2.trekbikes.com
O15 - Trusted Zone: *.tsx.com
O15 - Trusted Zone: *.viapreference.ca
O15 - Trusted Zone: *.viarail.ca
O15 - Trusted Zone: http://tvlistings5.zap2it.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144364291670
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.halcom.ca/AxisCamControl.cab
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://rogersphoto.ca/en/ulcontrolxp.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cognos.com
O17 - HKLM\Software\..\Telephony: DomainName = cognos.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cognos.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cognos.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll c:\windows\system32\vufulowe.dll c:\windows\system32\milokira.dll c:\windows\system32\ziyojozi.dll C:\WINDOWS\system32\diheweru.dll C:\WINDOWS\system32\biwohojo.dll fsrfkm.dll c:\windows\system32\wawunego.dll c:\windows\system32\wofolanu.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wawunego.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wawunego.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Sun One Administration Server 5.2 (admin52-serv) - Sun Microsystems Inc - C:/Program Files/Sun/MPS/bin/https/bin/ns-httpd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Cognos 8 - Cognos Incorporated - C:\Program Files\Cognos\c8\bin\cogbootstrapservice.exe
O23 - Service: Cognos PowerPlay Enterprise Server (cer4) - Cognos Incorporated - C:\Program Files\Cognos\cer4\bin\ppserver.exe
O23 - Service: Cognos Upfront Administration Service (cer4) (Cognos UpfrontAdministration (cer4)) - Cognos Incorporated - C:\Program Files\Cognos\cer4\bin\UpfrontAdministration.exe
O23 - Service: Cognos Upfront Data Store (cer4) (Cognos UpfrontDataStore (cer4)) - Cognos Incorporated - C:\Program Files\Cognos\cer4\bin\upfdbsrv.exe
O23 - Service: Cognos Upfront Dispatcher (cer4) (Cognos UpfrontDispatcher (cer4)) - Cognos Incorporated - C:\Program Files\Cognos\cer4\bin\UpfDispatcherService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Cognos IWR Service Manager (cer4) (IWSvcMancer4) - Cognos Incorporated - C:\Program Files\Cognos\cer4\bin\iwsvcman.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sun ONE Directory Server 5.2 (config52) (slapd-config52) - Unknown owner - C:\Program Files\Sun\MPS/bin/slapd/server/ns-slapd.exe
O23 - Service: Sun ONE Directory Server 5.2 (data52) (slapd-data52) - Unknown owner - C:\Program Files\Sun\MPS/bin/slapd/server/ns-slapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 18262 bytes
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

DomainName = cognos.com <<< looks like a company or corporate computer?
http://www.cognos.com/

Please read this information:
http://forums.spybot.info/showpost.php?p=25712&postcount=5

Note:
When the infected computer in question is a company machine in the workplace, and you are an employee.

The intention of this forum is not to replace a company's IT department, nor can we anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.

More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

To prevent any possible loss or corruption of company information, please inform your IT department or Supervisor when a workplace computer has been infected, immediately.

Thanks for your understanding.
Click to expand...
 
Vundo/Virtumonde infection

Many thanks for your reply.
As you requested I have read the "Before you post" threads, after which I downloaded and ran the Registry backup program.

Regarding your query about the company link, this is no longer the case (I used to do subcontract work for Cognos and therefore have their software products on my laptop, but stopped working for them 2 years ago). The laptop is now only for my own personal use.

I have been trying to get rid of vundo (and/or virtumonde - not sure if they are the same) for about a week now, mainly with Spybot. Each time Spybot apparently cleans things up, the trojan(?) is able to rebuild itself. If I connect my Ethernet cable and start my browser (Firefox), my McAfee AV displays a message every 3 minutes saying it has deleted trojan "vundo!grb". So I'm now very paranoid about starting the browser or even connecting to the network. Because my laptop is disconnected, I am communicating with you via my wife's PC, and using a USB drive to copy HJT logs etc.
Supplementary Question: not sure how pernicious this trojan is. Is there a danger that I could also corrupt my wife's PC this way? (I know - a bit late to be asking that now!)

Here is an up-to-date HJT log below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:06 PM, on 11/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\SKDAEMON.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ocas.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0879f341-cc2c-4c65-8f9c-45f0b2e0ae01} - C:\WINDOWS\system32\rozodobu.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: {565418f9-a861-4d8a-66b4-875488fa0a68} - {86a0af88-4578-4b66-a8d4-168a9f814565} - C:\WINDOWS\system32\eufowd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [benidehasa] Rundll32.exe "C:\WINDOWS\system32\dezupiye.dll",s
O4 - HKLM\..\Run: [CPMbb8e1193] Rundll32.exe "c:\windows\system32\wisolike.dll",a
O4 - HKLM\..\Run: [b8bd220f] rundll32.exe "C:\WINDOWS\system32\tigahifa.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKUS\S-1-5-19\..\Run: [benidehasa] Rundll32.exe "C:\WINDOWS\system32\dezupiye.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [benidehasa] Rundll32.exe "C:\WINDOWS\system32\dezupiye.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk.disabled
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O15 - Trusted Zone: *.aeroplan.com
O15 - Trusted Zone: *.aircanada.com
O15 - Trusted Zone: *.bell.ca
O15 - Trusted Zone: http://www.bike-manual.com
O15 - Trusted Zone: *.bmo.com
O15 - Trusted Zone: *.bmoinvestorline.com
O15 - Trusted Zone: *.cognos.com
O15 - Trusted Zone: http://www.cra-arc.gc.ca
O15 - Trusted Zone: http://*.cyclops
O15 - Trusted Zone: http://www.faststone.org
O15 - Trusted Zone: http://*.gbw-laptop
O15 - Trusted Zone: *.globeinvestor.com
O15 - Trusted Zone: *.harmonyremote.com
O15 - Trusted Zone: http://www-307.ibm.com
O15 - Trusted Zone: http://www.pc.ibm.com
O15 - Trusted Zone: *.ingdirect.ca
O15 - Trusted Zone: http://quicken.intuit.ca
O15 - Trusted Zone: http://support.intuit.ca
O15 - Trusted Zone: *.ishares.ca
O15 - Trusted Zone: *.logitech.com
O15 - Trusted Zone: *.marriott.com
O15 - Trusted Zone: http://www.nikon.ca
O15 - Trusted Zone: remote.ocas.ca
O15 - Trusted Zone: www.ocas.ca
O15 - Trusted Zone: http://www.ocas.ca
O15 - Trusted Zone: *.rogersphoto.ca
O15 - Trusted Zone: *.rom.on.ca
O15 - Trusted Zone: http://globefunddb.theglobeandmail.com
O15 - Trusted Zone: http://www.theglobeandmail.com
O15 - Trusted Zone: *.theglobeandmail.com
O15 - Trusted Zone: http://www2.trekbikes.com
O15 - Trusted Zone: *.tsx.com
O15 - Trusted Zone: *.viapreference.ca
O15 - Trusted Zone: *.viarail.ca
O15 - Trusted Zone: http://tvlistings5.zap2it.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144364291670
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.halcom.ca/AxisCamControl.cab
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://rogersphoto.ca/en/ulcontrolxp.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cognos.com
O17 - HKLM\Software\..\Telephony: DomainName = cognos.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cognos.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cognos.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll c:\windows\system32\vufulowe.dll c:\windows\system32\milokira.dll c:\windows\system32\ziyojozi.dll C:\WINDOWS\system32\diheweru.dll C:\WINDOWS\system32\biwohojo.dll fsrfkm.dll c:\windows\system32\wawunego.dll c:\windows\system32\wofolanu.dll eufowd.dll c:\windows\system32\figorana.dll c:\windows\system32\wisolike.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wisolike.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wisolike.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Sun One Administration Server 5.2 (admin52-serv) - Sun Microsystems Inc - C:/Program Files/Sun/MPS/bin/https/bin/ns-httpd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Cognos 8 - Cognos Incorporated - C:\Program Files\Cognos\c8\bin\cogbootstrapservice.exe
O23 - Service: Cognos PowerPlay Enterprise Server (cer4) - Cognos Incorporated - C:\Program Files\Cognos\cer4\bin\ppserver.exe
O23 - Service: Cognos Upfront Administration Service (cer4) (Cognos UpfrontAdministration (cer4)) - Cognos Incorporated - C:\Program Files\Cognos\cer4\bin\UpfrontAdministration.exe
O23 - Service: Cognos Upfront Data Store (cer4) (Cognos UpfrontDataStore (cer4)) - Cognos Incorporated - C:\Program Files\Cognos\cer4\bin\upfdbsrv.exe
O23 - Service: Cognos Upfront Dispatcher (cer4) (Cognos UpfrontDispatcher (cer4)) - Cognos Incorporated - C:\Program Files\Cognos\cer4\bin\UpfDispatcherService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Cognos IWR Service Manager (cer4) (IWSvcMancer4) - Cognos Incorporated - C:\Program Files\Cognos\cer4\bin\iwsvcman.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sun ONE Directory Server 5.2 (config52) (slapd-config52) - Unknown owner - C:\Program Files\Sun\MPS/bin/slapd/server/ns-slapd.exe
O23 - Service: Sun ONE Directory Server 5.2 (data52) (slapd-data52) - Unknown owner - C:\Program Files\Sun\MPS/bin/slapd/server/ns-slapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 18563 bytes
 
Is there a danger that I could also corrupt my wife's PC this way?
Click to expand...
If the computers are networked, and you transfer files from the infected computer to the uninfected one, you can infect it.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

Pinned (sticky) to the top of this forum, and posted above are the directions, make sure you have read and followed them.

A few questions before we start.

Look at the O15 - Trusted Zone: items in the HJT log. Did you place those in the TZ? and do they need to be there.

Should I remove stuff left from cognos.com

Please follow the directions carefully and always in the numbered order.

1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from here:

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks
 
vundo/virtumonde removal

Thanks for your quick reply.

The items in my Trusted Zone were all placed there by me. Reason: Before I started using Firefox, I had my IE Internet Zone security set fairly high (e.g., prompt before running any scripts). It became quite tedious to have numerous prompts on sites I used a lot, so I put them into my trusted zone for convenience. However, most (all?) of these don't really need to be there if it's a concern.

Similarly the stuff left from Cognos.com could also be taken out.

I downloaded Combofix as directed (to my wife's PC, then copied it to my offline laptop, via my USB key-drive). As expected, Combofix prompted me to install the MS Recovery Console, which requires a live internet connection. So I (nervously) reconnected and let it proceed... got a message that the files could not be downloaded, and I let Combofix proceed with the scan anyway.
NOTE: during the scan, at around "Stage" 35 or 40, my laptop spontaneously went into sleep mode. After I resumed it, the scan window reappeared, with Combofix picking up where it left off (not sure if this is expected or significant - only mentioned FWIW).

Below are the 2 reports requested, Combofix first, then the uninstall list.

ComboFix 09-03-10.03 - Gary 2009-03-11 15:06:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.336 [GMT -4:00]
Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
FW: COMODO Firewall Pro *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\bekozije.dll
c:\windows\system32\biwohojo.dll
c:\windows\system32\bowewore.dll
c:\windows\system32\Cache
c:\windows\system32\dezupiye.dll
c:\windows\system32\eufowd.dll
c:\windows\system32\fejuvn.dll
c:\windows\system32\fsrfkm.dll
c:\windows\system32\malesiba.dll
c:\windows\system32\monept.dll
c:\windows\system32\rozodobu.dll
c:\windows\system32\tigahifa.dll
c:\windows\system32\wisolike.dll
c:\windows\system32\yidopamo.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.205
.
((((((((((((((((((((((((( Files Created from 2009-02-11 to 2009-03-11 )))))))))))))))))))))))))))))))
.

2009-03-11 12:48 . 2009-03-11 12:48 <DIR> d-------- c:\documents and settings\Gary\Application Data\Sammsoft
2009-03-11 12:47 . 2009-03-11 12:47 <DIR> d-------- c:\program files\Advanced Registry Optimizer
2009-03-09 11:38 . 2009-03-09 11:38 2,713 ---hs---- c:\windows\system32\dozilibe.dll
2009-03-09 00:47 . 2009-03-09 00:47 <DIR> d-------- c:\program files\Trend Micro
2009-03-08 13:42 . 2009-03-08 13:42 2,713 ---hs---- c:\windows\system32\fubepupo.dll
2009-03-08 13:42 . 2009-03-08 13:42 2,713 ---hs---- c:\windows\system32\duvanima.dll
2009-03-08 13:03 . 2009-03-08 13:03 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-03-08 13:03 . 2009-03-09 00:02 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-08 13:03 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys
2009-03-08 13:03 . 2009-02-23 10:11 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys
2009-03-08 13:03 . 2008-12-18 12:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-08 13:03 . 2008-12-10 12:36 64,392 --a------ c:\windows\system32\drivers\pctplsg.sys
2009-03-08 13:02 . 2009-03-08 13:05 <DIR> d-------- c:\program files\Spyware Doctor
2009-03-08 13:02 . 2009-03-08 13:02 <DIR> d-------- c:\documents and settings\Gary\Application Data\PC Tools
2009-03-08 13:02 . 2009-03-08 13:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-03-04 11:22 . 2009-03-04 11:22 57,460 --ah----- c:\windows\system32\mlfcache.dat
2009-02-11 13:01 . 2009-02-11 13:01 <DIR> d-------- c:\windows\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-11 03:46 --------- d-----w c:\documents and settings\Gary\Application Data\MailWasherPro
2009-03-09 05:21 --------- d-----w c:\program files\Java
2009-03-06 06:17 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-06 05:41 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-06 05:38 --------- d-----w c:\program files\Cognos
2009-03-05 15:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-31 06:20 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2007-10-03 02:00 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLbz.DAT
2008-08-19 01:02 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081820080819\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 442368]
"AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [2008-04-01 2084480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 897024]
"TPKBDLED"="c:\windows\system32\TpScrLk.exe" [2002-10-08 40960]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-12 185896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-08-01 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-01 512000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-13 136600]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-03-06 90182]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-24 282624]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 86016]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-02-25 139347]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2003-01-30 196608]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"cssauth"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-08-02 1988144]
"COMODO Firewall Pro"="c:\program files\Comodo\Firewall\cfp.exe" [2007-11-22 1481984]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-06 344064]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-10-27 143360]
"TpShocks"="TpShocks.exe" [2005-11-07 c:\windows\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2002-09-04 c:\windows\system32\TP4EX.exe]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 c:\windows\system32\S3Tray2.exe]
"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 c:\windows\system32\ico.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-03-10 c:\windows\KHALMNPR.Exe]
"Hot Key Kbd Daemon"="SKDAEMON.EXE" [2004-03-05 c:\windows\system32\SKDAEMON.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-19 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
NkbMonitor.exe.lnk.disabled [2008-11-19 1659]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2008-10-27 10:57 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 23:45 28672 c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 21:16 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli csspwntfy ACGina

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ObjectStore Server R6.0"=3 (0x3)
"ObjectStore Cache Manager R6.0"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"TPKMAPMN"=c:\program files\ThinkPad\Utilities\TpKmapMn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"benidehasa"=Rundll32.exe "c:\windows\system32\dezupiye.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IBM\\Java141\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWIZARD.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Cognos\\c8\\bin\\cogconfigw.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\WINDOWS\\system32\\inetsrv\\inetinfo.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\WINDOWS\\system32\\ico.exe"=
"c:\\WINDOWS\\system32\\msfeedssync.exe"=
"c:\\Program Files\\Common Files\\Lenovo\\Scheduler\\scheduler_proxy.exe"=

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2005-08-02 6912]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-08 130424]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2004-12-29 85760]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2004-12-29 11520]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2007-11-22 79096]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2007-11-22 23672]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2004-12-29 4224]
R1 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMouse.SYS [2005-01-03 17251]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2004-12-29 4736]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2004-12-29 16384]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-08-02 13184]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [2005-08-02 3968]
S3 admin52-serv;Sun One Administration Server 5.2;c:\program files\Sun\MPS\bin\https\bin\ns-httpd.exe [2005-01-23 36864]
S3 Cognos 8;Cognos 8;c:\program files\Cognos\c8\bin\cogbootstrapservice.exe [2006-09-23 172032]
S3 Cognos PowerPlay Enterprise Server (cer4);Cognos PowerPlay Enterprise Server (cer4);c:\program files\Cognos\cer4\bin\ppserver.exe [2005-01-23 1564672]
S3 Cognos UpfrontAdministration (cer4);Cognos Upfront Administration Service (cer4);c:\program files\Cognos\cer4\bin\UpfrontAdministration.exe [2005-01-23 360448]
S3 Cognos UpfrontDataStore (cer4);Cognos Upfront Data Store (cer4);c:\program files\Cognos\cer4\bin\upfdbsrv.exe [2005-01-23 266240]
S3 Cognos UpfrontDispatcher (cer4);Cognos Upfront Dispatcher (cer4);c:\program files\Cognos\cer4\bin\UpfDispatcherService.exe [2005-01-23 413696]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2003-01-30 18864]
S3 IWSvcMancer4;Cognos IWR Service Manager (cer4);c:\program files\Cognos\cer4\bin\iwsvcman.exe [2005-01-23 122930]
S3 pelps2m;PS/2 Mouse Filter Driver;c:\windows\system32\drivers\pelps2m.sys [2005-01-03 29329]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-03-08 348752]
S4 amserver_cer4;Cognos Access Manager Server (cer4);c:\program files\Cognos\cer4\bin\amserver.exe [2005-01-23 1163264]

--- Other Services/Drivers In Memory ---

*Deregistered* - NaiAvFilter101
.
Contents of the 'Scheduled Tasks' folder

2008-03-24 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2005-04-20 01:38]

2009-03-11 c:\windows\Tasks\User_Feed_Synchronization-{3F89C012-1A49-44AC-9F92-57EBC260DD31}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 12:58]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0879f341-cc2c-4c65-8f9c-45f0b2e0ae01} - c:\windows\system32\rozodobu.dll
BHO-{86a0af88-4578-4b66-a8d4-168a9f814565} - c:\windows\system32\eufowd.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ocas.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
Trusted Zone: aeroplan.com
Trusted Zone: aircanada.com
Trusted Zone: bell.ca
Trusted Zone: bike-manual.com\www
Trusted Zone: bmo.com
Trusted Zone: bmoinvestorline.com
Trusted Zone: cognos.com
Trusted Zone: cra-arc.gc.ca\www
Trusted Zone: cyclops
Trusted Zone: egs-seg.gc.ca\blrscr3
Trusted Zone: faststone.org\www
Trusted Zone: gbw-laptop
Trusted Zone: globeinvestor.com
Trusted Zone: google.com\picasa
Trusted Zone: google.com\picasaweb
Trusted Zone: harmonyremote.com
Trusted Zone: ibm.com\www-307
Trusted Zone: ibm.com\www.pc
Trusted Zone: ingdirect.ca
Trusted Zone: intuit.ca\quicken
Trusted Zone: intuit.ca\support
Trusted Zone: ishares.ca
Trusted Zone: localhost
Trusted Zone: logitech.com
Trusted Zone: marriott.com
Trusted Zone: microsoft.com
Trusted Zone: microsoft.com\office
Trusted Zone: microsoft.com\v5.windowsupdate
Trusted Zone: nikon.ca\www
Trusted Zone: ocas.ca\remote
Trusted Zone: ocas.ca\reporting
Trusted Zone: ocas.ca\www
Trusted Zone: plimus.com\www
Trusted Zone: quicktaxonline.ca\2007
Trusted Zone: rogersphoto.ca
Trusted Zone: rom.on.ca
Trusted Zone: theglobeandmail.com
Trusted Zone: theglobeandmail.com\globefunddb
Trusted Zone: theglobeandmail.com\www
Trusted Zone: trekbikes.com\www2
Trusted Zone: tsx.com
Trusted Zone: viapreference.ca
Trusted Zone: viarail.ca
Trusted Zone: yahoo.com\*.mail
Trusted Zone: yahoo.com\ca.my
Trusted Zone: yahoo.com\express.rogers
Trusted Zone: yahoo.com\login
Trusted Zone: zap2it.com\tvlistings5
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} - hxxp://rogersphoto.ca/en/ulcontrolxp.cab
FF - ProfilePath - c:\documents and settings\Gary\Application Data\Mozilla\Firefox\Profiles\sk6n60lr.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.globeinvestor.com/
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-11 15:31:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\admin52-serv]
"ImagePath"="C:/Program Files/Sun/MPS/bin/https/bin/ns-httpd.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\admin52-serv]
"ImagePath"="C:/Program Files/Sun/MPS/bin/https/bin/ns-httpd.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\slapd-config52]
"ImagePath"="c:\program files\Sun\MPS/bin/slapd/server/ns-slapd.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\slapd-data52]
"ImagePath"="c:\program files\Sun\MPS/bin/slapd/server/ns-slapd.exe"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3343150439-3445473479-3427102659-1007\ *5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3343150439-3445473479-3427102659-1007\ *6*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
DUMPHIVE0.003 (REGF)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(688)
c:\program files\IBM ThinkVantage\Client Security Solution\csspwntfy.dll
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtsp.dll
c:\program files\IBM ThinkVantage\Client Security Solution\tcsrpc.dll
c:\program files\IBM ThinkVantage\Client Security Solution\cssuserdatadispatcher.dll
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Comodo\Firewall\cmdagent.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\ati2evxx.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\IBM ThinkVantage\Client Security Solution\pwmgr.exe
.
**************************************************************************
.
Completion time: 2009-03-11 15:37:55 - machine was rebooted [Gary]
ComboFix-quarantined-files.txt 2009-03-11 19:37:45

Pre-Run: 49,676,345,344 bytes free
Post-Run: 49,580,892,160 bytes free

332 --- E O F --- 2009-03-01 21:30:05

=========================

Access IBM
Access IBM Message Center
Adobe Flash Player Plugin
Adobe Photoshop 7.0
Adobe Reader 7.1.0
Advanced Registry Optimizer
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI HYDRAVISION
BELKIN F5U109 V1.25
CCleaner (remove only)
Cognos Series 7 Version 3
Cognos Windows Common Logon Server
COMODO Firewall Pro
Compatibility Pack for the 2007 Office system
Directory Server
F5U409 Driver Uninstall
FastStone Capture 6.0
Google Earth
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix 2050 for SQL Server 2000 ENU (KB948110)
Hotfix 2055 for SQL Server 2000 ENU (KB960082)
Hotfix for Windows Internet Explorer 7 (KB947864)
IBM 32-bit Runtime Environment for Java 2, v1.4.1
IBM RecordNow!
IBM Themes
IBM ThinkPad Battery MaxiMiser and Power Management Features
IBM ThinkPad Keyboard Customizer Utility
IBM ThinkVantage Technologies Welcome Message
IBM TrackPoint Accessibility Features
IBM USB Enhanced Performance Keyboard
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Intel(R) PROSet/Wireless Software
InterVideo WinDVD
Java(TM) 6 Update 11
Lenovo Battery Program
Logitech SetPoint
MailWasher Free
MapSource
MapSource
MapSource - BlueChart Americas v7
McAfee VirusScan Enterprise
mCore
mDriver
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office Small Business Edition 2003
Microsoft SQL Server 2000
Microsoft SQL Server 2000 Analysis Services
mMHouse
Mouse Suite
Mozilla Firefox (3.0.6)
mPfMgr
mProSafe
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
mWlsSafe
PC-Doctor 5 for Windows
Picasa 3
PictureProject
QuickTime
RealPlayer
Rescue and Recovery - Client Security Solution
ScanToWeb
Scroll Lock Indicator Utility
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Software Installer
Sonic DLA
Sonic Update Manager
SoundMAX
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Spyware Doctor 6.0
System Update
the 123 of digital imaging Interactive Learning Suite
ThinkPad Configuration
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Integrated 56K Modem
ThinkPad Power Management Driver
ThinkPad Presentation Director
ThinkPad UltraNav Driver
ThinkPad UltraNav Wizard
ThinkVantage Access Connections
ThinkVantage Active Protection System
Wallpapers
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinZip
 
The items in my Trusted Zone were all placed there by me
Click to expand...
If you know them and want them in the TZ, it's fine by me. If you don't want them there, remove them with HJT or the reverse of the way you put them there.
http://www.bleepingcomputer.com/tutorials/tutorial42.html#O15Diag

You are right that the computer needs internet access to install Recovery Console. We will get it installed before we finish.

Below are the 2 reports requested, Combofix first, then the uninstall list.
Click to expand...
When finished, it shall produce a log for you. Please include the
C:\ComboFix.txt in your next reply along with a New Hijackthis log.
Click to expand...
I am missing a HJT log I can not proceed without?

This can be done as time permits, but it is important, and may be why you are infected.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Flash Player Plugin
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html

Adobe Reader 7.1.0 <<< out of date and unsafe, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php

Cognos Series 7 Version 3 <<< your call
Cognos Windows Common Logon Server <<< your call

IBM 32-bit Runtime Environment for Java 2, v1.4.1 <<< VERY old, I really don't know about this item, you may want to ask Java support?

Java(TM) 6 Update 11 <<< valid but an update is available
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php

Mozilla Firefox (3.0.6) <<< needs an update to (3.0.7)

Spybot - Search & Destroy 1.4 <<< uninstall this out of date version.
Please be sure Spybot S&D is up to date and fully immunized.
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
http://www.safer-networking.org/en/faq/index.html
http://www.safer-networking.org/en/tutorial/index.html
 
Last edited:
vundo/virtumonde removal

My apologies for the missing HJT log - I got sloppy.
I ran one and the log is below.
I should note that this was run just now, an hour or so after doing the combofix - nothing else was done on the infected laptop in the meantime. I assume this is ok but if you advise otherwise, I will re-do everything in sequence (combofix, HHT scan and uninstall list).

Thank you for pointing out the obsolete programs. Once I am safely back on the internet, I will update them. As for the very old Java runtime environment, I am pretty sure that is left over from some old Cognos web-based applications. I will get rid of it.

HJT log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:44:29 PM, on 11/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\SKDAEMON.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ocas.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk.disabled
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O15 - Trusted Zone: *.aeroplan.com
O15 - Trusted Zone: *.aircanada.com
O15 - Trusted Zone: *.bell.ca
O15 - Trusted Zone: http://www.bike-manual.com
O15 - Trusted Zone: *.bmo.com
O15 - Trusted Zone: *.bmoinvestorline.com
O15 - Trusted Zone: *.cognos.com
O15 - Trusted Zone: http://www.cra-arc.gc.ca
O15 - Trusted Zone: http://*.cyclops
O15 - Trusted Zone: http://www.faststone.org
O15 - Trusted Zone: http://*.gbw-laptop
O15 - Trusted Zone: *.globeinvestor.com
O15 - Trusted Zone: *.harmonyremote.com
O15 - Trusted Zone: http://www-307.ibm.com
O15 - Trusted Zone: http://www.pc.ibm.com
O15 - Trusted Zone: *.ingdirect.ca
O15 - Trusted Zone: http://quicken.intuit.ca
O15 - Trusted Zone: http://support.intuit.ca
O15 - Trusted Zone: *.ishares.ca
O15 - Trusted Zone: *.logitech.com
O15 - Trusted Zone: *.marriott.com
O15 - Trusted Zone: http://www.nikon.ca
O15 - Trusted Zone: remote.ocas.ca
O15 - Trusted Zone: www.ocas.ca
O15 - Trusted Zone: http://www.ocas.ca
O15 - Trusted Zone: *.rogersphoto.ca
O15 - Trusted Zone: *.rom.on.ca
O15 - Trusted Zone: http://globefunddb.theglobeandmail.com
O15 - Trusted Zone: http://www.theglobeandmail.com
O15 - Trusted Zone: *.theglobeandmail.com
O15 - Trusted Zone: http://www2.trekbikes.com
O15 - Trusted Zone: *.tsx.com
O15 - Trusted Zone: *.viapreference.ca
O15 - Trusted Zone: *.viarail.ca
O15 - Trusted Zone: http://tvlistings5.zap2it.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144364291670
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.halcom.ca/AxisCamControl.cab
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://rogersphoto.ca/en/ulcontrolxp.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cognos.com
O17 - HKLM\Software\..\Telephony: DomainName = cognos.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cognos.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cognos.com
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Sun One Administration Server 5.2 (admin52-serv) - Sun Microsystems Inc - C:/Program Files/Sun/MPS/bin/https/bin/ns-httpd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Cognos 8 - Cognos Incorporated - C:\Program Files\Cognos\c8\bin\cogbootstrapservice.exe
O23 - Service: Cognos PowerPlay Enterprise Server (cer4) - Cognos Incorporated - C:\Program Files\Cognos\cer4\bin\ppserver.exe
O23 - Service: Cognos Upfront Administration Service (cer4) (Cognos UpfrontAdministration (cer4)) - Cognos Incorporated - C:\Program Files\Cognos\cer4\bin\UpfrontAdministration.exe
O23 - Service: Cognos Upfront Data Store (cer4) (Cognos UpfrontDataStore (cer4)) - Cognos Incorporated - C:\Program Files\Cognos\cer4\bin\upfdbsrv.exe
O23 - Service: Cognos Upfront Dispatcher (cer4) (Cognos UpfrontDispatcher (cer4)) - Cognos Incorporated - C:\Program Files\Cognos\cer4\bin\UpfDispatcherService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Cognos IWR Service Manager (cer4) (IWSvcMancer4) - Cognos Incorporated - C:\Program Files\Cognos\cer4\bin\iwsvcman.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sun ONE Directory Server 5.2 (config52) (slapd-config52) - Unknown owner - C:\Program Files\Sun\MPS/bin/slapd/server/ns-slapd.exe
O23 - Service: Sun ONE Directory Server 5.2 (data52) (slapd-data52) - Unknown owner - C:\Program Files\Sun\MPS/bin/slapd/server/ns-slapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 17240 bytes
 
Follow the directions carefully and in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
c:\windows\system32\dozilibe.dll
c:\windows\system32\fubepupo.dll
c:\windows\system32\duvanima.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"benidehasa"=-

Save this as CFScript

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

You may check and remove any O15 - Trusted Zone items you no longer need.
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
(obsolete program)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cognos.com
O17 - HKLM\Software\..\Telephony: DomainName = cognos.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cognos.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cognos.com

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running now?

Thanks

You have a lot of old services and may want to look at each one.
How to remove un-needed services:
http://vlaurie.com/computers2/Articles/services.htm
 
vundo/virtumonde removed!?

I have included the 3 requested logs below. Things are looking much better now; I have done a complete shutdown & restart twice since running these, and I am now connected back on my home network and the internet, with no apparent slowdowns, popups, etc.
Also I am sending this reply from my own laptop.

During the HJT scan (your step 3), I removed most of the Trusted Zones as well as the other items you mentioned.

Re your comment about old services, I think it looks worse than it is. I switched many of them to Manual start (not Auto start) quite a while back as they were only needed to run the Cognos applications. But I will look at the link you provided as part of a general cleanup I plan to do after we conclude this thread.

I will await your final comments of course before closing this issue, but I would be interested in your opinions on the following;

1) I thought my Spybot was up to date since I check for updates each time I run it. However, in your post yesterday at 17:10, you suggested getting rid of this "old version". Should I just uninstall it and download another copy? Also, should I be using the TeaTimer feature? When I first researched this a couple of years back, some reviewer suggested leaving TT out for some reason or other (?? vague on details... possibly slowed system down too much?).

2) Do the free antivirus programs (AVG or Avast for example) stack up well vs McAfee, Norton, etc.? Do you have a preference?

3) I will take a more detailed look at the sticky threads in this forum for other tips on tightening up my system. Like you, I have no wish to repeat this exercise.



Here are the logs... first the combofix report, then the MBAM log, followed by another HJT log which I ran last, after your step 5.;


ComboFix 09-03-10.03 - Gary 2009-03-12 0:39:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.374 [GMT -4:00]
Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gary\Desktop\CFScript.txt
FW: COMODO Firewall Pro *enabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\dozilibe.dll
c:\windows\system32\duvanima.dll
c:\windows\system32\fubepupo.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dozilibe.dll
c:\windows\system32\duvanima.dll
c:\windows\system32\fubepupo.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.

2009-03-11 12:48 . 2009-03-11 12:48 <DIR> d-------- c:\documents and settings\Gary\Application Data\Sammsoft
2009-03-11 12:47 . 2009-03-11 12:47 <DIR> d-------- c:\program files\Advanced Registry Optimizer
2009-03-09 00:47 . 2009-03-09 00:47 <DIR> d-------- c:\program files\Trend Micro
2009-03-08 13:03 . 2009-03-08 13:03 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-03-08 13:03 . 2009-03-09 00:02 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-08 13:03 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys
2009-03-08 13:03 . 2009-02-23 10:11 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys
2009-03-08 13:03 . 2008-12-18 12:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-08 13:03 . 2008-12-10 12:36 64,392 --a------ c:\windows\system32\drivers\pctplsg.sys
2009-03-08 13:02 . 2009-03-08 13:05 <DIR> d-------- c:\program files\Spyware Doctor
2009-03-08 13:02 . 2009-03-08 13:02 <DIR> d-------- c:\documents and settings\Gary\Application Data\PC Tools
2009-03-08 13:02 . 2009-03-08 13:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-03-04 11:22 . 2009-03-04 11:22 57,460 --ah----- c:\windows\system32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 03:52 --------- d-----w c:\program files\Cognos
2009-03-11 22:26 --------- d-----w c:\program files\Java
2009-03-11 03:46 --------- d-----w c:\documents and settings\Gary\Application Data\MailWasherPro
2009-03-06 06:17 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-06 05:41 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-05 15:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-31 06:20 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2007-10-03 02:00 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLbz.DAT
2008-08-19 01:02 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081820080819\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-11_15.36.24.83 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-11 19:17:27 219,307 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-03-12 04:48:24 219,293 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-03-12 04:44:27 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_720.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 442368]
"AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [2008-04-01 2084480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 897024]
"TPKBDLED"="c:\windows\system32\TpScrLk.exe" [2002-10-08 40960]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-12 185896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-08-01 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-01 512000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-13 136600]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-03-06 90182]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-24 282624]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 86016]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-02-25 139347]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2003-01-30 196608]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"cssauth"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-08-02 1988144]
"COMODO Firewall Pro"="c:\program files\Comodo\Firewall\cfp.exe" [2007-11-22 1481984]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-06 344064]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-10-27 143360]
"TpShocks"="TpShocks.exe" [2005-11-07 c:\windows\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2002-09-04 c:\windows\system32\TP4EX.exe]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 c:\windows\system32\S3Tray2.exe]
"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 c:\windows\system32\ico.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-03-10 c:\windows\KHALMNPR.Exe]
"Hot Key Kbd Daemon"="SKDAEMON.EXE" [2004-03-05 c:\windows\system32\SKDAEMON.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-19 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
NkbMonitor.exe.lnk.disabled [2008-11-19 1659]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2008-10-27 10:57 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 23:45 28672 c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 21:16 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli csspwntfy ACGina

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ObjectStore Server R6.0"=3 (0x3)
"ObjectStore Cache Manager R6.0"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"TPKMAPMN"=c:\program files\ThinkPad\Utilities\TpKmapMn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IBM\\Java141\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWIZARD.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\WINDOWS\\system32\\inetsrv\\inetinfo.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\WINDOWS\\system32\\ico.exe"=
"c:\\WINDOWS\\system32\\msfeedssync.exe"=
"c:\\Program Files\\Common Files\\Lenovo\\Scheduler\\scheduler_proxy.exe"=

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2005-08-02 6912]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-08 130424]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2004-12-29 85760]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2004-12-29 11520]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2007-11-22 79096]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2007-11-22 23672]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2004-12-29 4224]
R1 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMouse.SYS [2005-01-03 17251]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2004-12-29 4736]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2004-12-29 16384]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-08-02 13184]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [2005-08-02 3968]
S3 Cognos PowerPlay Enterprise Server (cer4);Cognos PowerPlay Enterprise Server (cer4);c:\program files\Cognos\cer4\bin\ppserver.exe [2005-01-23 1564672]
S3 Cognos UpfrontAdministration (cer4);Cognos Upfront Administration Service (cer4);c:\program files\Cognos\cer4\bin\UpfrontAdministration.exe [2005-01-23 360448]
S3 Cognos UpfrontDataStore (cer4);Cognos Upfront Data Store (cer4);c:\program files\Cognos\cer4\bin\upfdbsrv.exe [2005-01-23 266240]
S3 Cognos UpfrontDispatcher (cer4);Cognos Upfront Dispatcher (cer4);c:\program files\Cognos\cer4\bin\UpfDispatcherService.exe [2005-01-23 413696]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2003-01-30 18864]
S3 IWSvcMancer4;Cognos IWR Service Manager (cer4);c:\program files\Cognos\cer4\bin\iwsvcman.exe [2005-01-23 122930]
S3 pelps2m;PS/2 Mouse Filter Driver;c:\windows\system32\drivers\pelps2m.sys [2005-01-03 29329]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-03-08 348752]
S4 amserver_cer4;Cognos Access Manager Server (cer4);c:\program files\Cognos\cer4\bin\amserver.exe [2005-01-23 1163264]

--- Other Services/Drivers In Memory ---

*Deregistered* - NaiAvFilter101
.
Contents of the 'Scheduled Tasks' folder

2008-03-24 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2005-04-20 01:38]

2009-03-12 c:\windows\Tasks\User_Feed_Synchronization-{3F89C012-1A49-44AC-9F92-57EBC260DD31}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 12:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ocas.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
Trusted Zone: aeroplan.com
Trusted Zone: aircanada.com
Trusted Zone: bell.ca
Trusted Zone: bike-manual.com\www
Trusted Zone: bmo.com
Trusted Zone: bmoinvestorline.com
Trusted Zone: cognos.com
Trusted Zone: cra-arc.gc.ca\www
Trusted Zone: cyclops
Trusted Zone: egs-seg.gc.ca\blrscr3
Trusted Zone: faststone.org\www
Trusted Zone: gbw-laptop
Trusted Zone: globeinvestor.com
Trusted Zone: google.com\picasa
Trusted Zone: google.com\picasaweb
Trusted Zone: harmonyremote.com
Trusted Zone: ibm.com\www-307
Trusted Zone: ibm.com\www.pc
Trusted Zone: ingdirect.ca
Trusted Zone: intuit.ca\quicken
Trusted Zone: intuit.ca\support
Trusted Zone: ishares.ca
Trusted Zone: localhost
Trusted Zone: logitech.com
Trusted Zone: marriott.com
Trusted Zone: microsoft.com
Trusted Zone: microsoft.com\office
Trusted Zone: microsoft.com\v5.windowsupdate
Trusted Zone: nikon.ca\www
Trusted Zone: ocas.ca\remote
Trusted Zone: ocas.ca\reporting
Trusted Zone: ocas.ca\www
Trusted Zone: plimus.com\www
Trusted Zone: quicktaxonline.ca\2007
Trusted Zone: rogersphoto.ca
Trusted Zone: rom.on.ca
Trusted Zone: theglobeandmail.com
Trusted Zone: theglobeandmail.com\globefunddb
Trusted Zone: theglobeandmail.com\www
Trusted Zone: trekbikes.com\www2
Trusted Zone: tsx.com
Trusted Zone: viapreference.ca
Trusted Zone: viarail.ca
Trusted Zone: yahoo.com\*.mail
Trusted Zone: yahoo.com\ca.my
Trusted Zone: yahoo.com\express.rogers
Trusted Zone: yahoo.com\login
Trusted Zone: zap2it.com\tvlistings5
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} - hxxp://rogersphoto.ca/en/ulcontrolxp.cab
FF - ProfilePath - c:\documents and settings\Gary\Application Data\Mozilla\Firefox\Profiles\sk6n60lr.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.globeinvestor.com/
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-12 00:50:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3343150439-3445473479-3427102659-1007\ *5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3343150439-3445473479-3427102659-1007\ *6*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
DUMPHIVE0.003 (REGF)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(688)
c:\program files\IBM ThinkVantage\Client Security Solution\csspwntfy.dll
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtsp.dll
c:\program files\IBM ThinkVantage\Client Security Solution\tcsrpc.dll
c:\program files\IBM ThinkVantage\Client Security Solution\cssuserdatadispatcher.dll
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Comodo\Firewall\cmdagent.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\wdfmgr.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-03-12 0:55:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-12 04:55:24

Pre-Run: 51,033,620,480 bytes free
Post-Run: 51,085,234,176 bytes free

307 --- E O F --- 2009-03-01 21:30:05


Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

12/03/2009 1:55:06 AM
mbam-log-2009-03-12 (01-55-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 169938
Time elapsed: 41 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:17 AM, on 12/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\SKDAEMON.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ocas.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk.disabled
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O15 - Trusted Zone: *.bmo.com
O15 - Trusted Zone: *.bmoinvestorline.com
O15 - Trusted Zone: http://www.cra-arc.gc.ca
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144364291670
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.halcom.ca/AxisCamControl.cab
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://rogersphoto.ca/en/ulcontrolxp.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Cognos PowerPlay Enterprise Server (cer4) - Cognos Incorporated - C:\Program Files\Cognos\cer4\bin\ppserver.exe
O23 - Service: Cognos Upfront Administration Service (cer4) (Cognos UpfrontAdministration (cer4)) - Cognos Incorporated - C:\Program Files\Cognos\cer4\bin\UpfrontAdministration.exe
O23 - Service: Cognos Upfront Data Store (cer4) (Cognos UpfrontDataStore (cer4)) - Cognos Incorporated - C:\Program Files\Cognos\cer4\bin\upfdbsrv.exe
O23 - Service: Cognos Upfront Dispatcher (cer4) (Cognos UpfrontDispatcher (cer4)) - Cognos Incorporated - C:\Program Files\Cognos\cer4\bin\UpfDispatcherService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Cognos IWR Service Manager (cer4) (IWSvcMancer4) - Cognos Incorporated - C:\Program Files\Cognos\cer4\bin\iwsvcman.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 15020 bytes
 
Thanks for the feedback:bigthumb:

Looks like you are using a Wireless router, you might want to view this information:
http://blog.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html


1)
Should I just uninstall it and download another copy?
Click to expand...
It looks to me like you have two versions installed.
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4 <<< from the uninstall list

You might be wise to remove everything (uninstall in Add Remove Programs) then use the link I provided to download the newest version.
Also, should I be using the TeaTimer feature?
Click to expand...
That's up to you, view the information I am posting to help you decide. I personally prefer SpywareGuard running with SpywareBlaster (which you will read about) I do run Spybot as a backup scanner and have for years.

2) I suggest and run only freeware programs, and really don't want to get into pros and cons or paid versions against free version. I will say I believe keeping up to date and running as suggested along with layered protection and good online surfing habits have more to do with it than how much you pay for the product. I will post information from experts, review what they have to say before you decide.


Let's see if we can wrap up like this...

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png


Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

(make this optional if you wish since the last scan was clean)
Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, update it and run it once a month or so)

Update McAfee and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.
http://www.mcafee.com/us/support/

If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
 
Vundo/virtumonde removed

I have been going through the cleanup steps and reviewing the many excellent links provided in your last post from yesterday afternoon. I got a bit of a scare at one point, but I think it was a false alarm. Here is a summary of events.

As I was reading your links yesterday, McAfee started it's regular scheduled scan in the background and gave me the following "Virus Alert" in a popup...

Excerpt from McAfee Scan log...

3/12/2009 4:17:39 PM Deleted NT AUTHORITY\SYSTEM C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP2\A0000225.dll Vundo.gen.aj

... end log excerpt.

I quickly disconnected and shut down. But on starting up, I saw that the bad file was apparently in one of the System Restore files - I had not yet flushed these files per your directions, so I did that and figured that was that.

Just to be sure, I then did another Spybot update & scan, followed by a MBAM update & scan. Both came out clean.
Finally, another McAfee update & full scan. The McAfee scan log then showed...

Scan log excerpt...

12/03/2009 8:20 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\bekozije.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:20 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\bekozije.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:20 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\biwohojo.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:20 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\biwohojo.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:20 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\bowewore.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:21 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\bowewore.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:21 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\dezupiye.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:21 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\dezupiye.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:21 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\eufowd.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:21 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\eufowd.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:21 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\fejuvn.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:21 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\fejuvn.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:21 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\fsrfkm.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:21 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\fsrfkm.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:21 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\malesiba.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:21 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\malesiba.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:21 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\monept.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:21 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\monept.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:21 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\rozodobu.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:21 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\rozodobu.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:21 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\tigahifa.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:21 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\tigahifa.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:21 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\wisolike.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:22 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\wisolike.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:22 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\yidopamo.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:22 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\yidopamo.dll.vir File was deleted as part of Cleaning it

... end of excerpt.

I've never seen the folder "Qoobox" before but my guess is it was created by one of the cleanup programs I ran (Combofix maybe?). Anyway, McAfee deleted the bad files, and even the Qoobox folder was gone when I booted up this morning, so all seems well. If you agree, then I guess our work is done, although I am continuing to implement several of your good tips while I'm still highly motivated.

And I have to finish by expressing my sincere thanks and appreciation for the work that you and your colleagues are doing in this forum. It is a rare and pleasant experience to find things like this going on; it reminds us of what the internet could and should be, but too often is not.

Somewhere else in the forum I saw a mention of ways to donate, which I will also be visiting.
 
C:\Qoobox\Quarantine <<< this is where combofix puts the bad stuff it removes. The reason why I posted closing instructions was to first remove combofix (and that stuff would have been removed with it) and second to clean the System Restore files as you understood. If the first two instructions were followed, that stuff should not have been there for MBAM or McAfee to find. To be sure, look on the C:\ drive and delete that folder and contents if it is still there.

C:\Qoobox <<< that one...all of combofix should have been remove with these instructions:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
Click to expand...

If there were not followed exactly, then delete any of combofix you see on the computer. Make sure the Recycle Bin on the Desktop is emptied also.
I'll keep the thread active for a couple of days in case another question comes up.

Thanks...Phil
 
Status
Not open for further replies.
Back
Top