need help with virtumonde also

Status
Not open for further replies.
K

kinet

New member
I've also been battling a virtumonde infection on my computer, for the last few weeks
I've have used spybot , spysweeper , and ccleaner on this PC before I knew I needed real Help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:10 PM, on 12/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\PD6000SM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wwSecure.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9995AE07-48B8-4055-9981-0CAC4F89D0A1} - (no file)
O2 - BHO: (no name) - {B64AEA0F-177E-4827-940D-723C61934FE6} - C:\WINDOWS\system32\ssqOHywT.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {CC891230-E171-4BAE-9034-830AC1768C81} - (no file)
O2 - BHO: (no name) - {ee59867e-ab0b-42fd-93d5-63c69e708c44} - C:\WINDOWS\system32\regohibi.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [AHQInit] "C:\Program Files\Creative\SBLive\Program\AHQInit.exe"
O4 - HKLM\..\Run: [DellTouch] "C:\WINDOWS\DELLMMKB.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PD6000StatusMonitor] "C:\WINDOWS\System32\PD6000SM.EXE"
O4 - HKLM\..\Run: [UpdReg] "C:\WINDOWS\Updreg.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VBSysTray] "C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe"
O4 - HKLM\..\Run: [AVLoginToDo] "C:\PROGRA~1\VEXIRA~1\Bin\avltd.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lepetunola] Rundll32.exe "C:\WINDOWS\system32\dibubize.dll",s
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [lepetunola] Rundll32.exe "C:\WINDOWS\system32\dibubize.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [lepetunola] Rundll32.exe "C:\WINDOWS\system32\dibubize.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?83404bc94c3d497c98da30d88b501c2b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?83404bc94c3d497c98da30d88b501c2b
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://(changed personal info maybe)/iNotes6W.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/1668c3099c1c03bcbd17/netzip/RdxIE2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1226630815640
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1209692064718
O20 - AppInit_DLLs: xzgwls.dll suerqd.dll kjjtqv.dll ituoyg.dll totnvi.dll dvmhbe.dll wxomyn.dll,C:\WINDOWS\system32\vunorizi.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Vexira Antivirus Component Manager Service (VACompManService) - Central Command, Inc. - C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe

--
End of file - 7700 bytes
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

I apologize for the wait, volunteers are swamped at all forums with infected computers. If you have resolved your issues, please post to let me know so I can close this topic.

1) DO NOT ENABLE Spybot S&D TeaTimer while we work together.

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Post an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks...Phil
 
new logs

ComboFix 08-12-15.04 - Uname 2008-12-15 22:36:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.46 [GMT -5:00]
Running from: c:\documents and settings\Uname\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Uname\Application Data\Gool
c:\documents and settings\Uname\Application Data\inst.exe
c:\documents and settings\Uname\My Documents\YSTEM3~1
c:\documents and settings\Uname\My Documents\YSTEM3~1\?ystem32\
c:\documents and settings\Uname\My Documents\YSTEM3~1\mmc.exe
c:\windows\system\msvbvm60.dll
c:\windows\system32\aqgdqi.dll
c:\windows\system32\dvavxeig.dll
c:\windows\system32\dvmhbe.dll
c:\windows\system32\dvubpkpe.dll
c:\windows\system32\eldccekg.dll
c:\windows\system32\fofapube.dll
c:\windows\system32\ftpupd.exe
c:\windows\system32\hisatega.dll
c:\windows\system32\hjkvclvf.dll
c:\windows\system32\hrylvdcr.dll
c:\windows\system32\hwnpshdj.dll
c:\windows\system32\iaaxjjoh.dll
c:\windows\system32\iaxwplqt.dll
c:\windows\system32\ifteae.dll
c:\windows\system32\ituoyg.dll
c:\windows\system32\jhmdgija.dll
c:\windows\system32\jkhqgojr.dll
c:\windows\system32\kfrmbcio.dll
c:\windows\system32\kjjtqv.dll
c:\windows\system32\koseveti.dll
c:\windows\system32\lsqqaabp.dll
c:\windows\system32\luhupaga.dll
c:\windows\system32\mbhncxwq.dll
c:\windows\system32\mekyexsa.dll
c:\windows\system32\mjpvwgif.dll
c:\windows\system32\msansspc.dll
c:\windows\system32\myhtlz.dll
c:\windows\system32\ocgcps.dll
c:\windows\system32\piwozasu.dll
c:\windows\system32\psdbxypb.dll
c:\windows\system32\pydekder.dll
c:\windows\system32\qufhkubg.dll
c:\windows\system32\rchfhd.dll
c:\windows\system32\rjjwmbeg.dll
c:\windows\system32\rmiyytsq.dll
c:\windows\system32\seyununu.dll
c:\windows\system32\sssyeuwt.dll
c:\windows\system32\stpdqqak.dll
c:\windows\system32\suerqd.dll
c:\windows\system32\suvimido.dll
c:\windows\system32\totnvi.dll
c:\windows\system32\trukkrpm.dll
c:\windows\system32\txkclask.dll
c:\windows\system32\wafoqh.dll
c:\windows\system32\wcspjccx.dll
c:\windows\system32\wnvlgeqs.dll
c:\windows\system32\wxomyn.dll
c:\windows\system32\xhgjwsip.dll
c:\windows\system32\xzgwls.dll
c:\windows\system32\yitqijgo.dll
c:\windows\system32\zepusf.dll
c:\windows\system32\zggold.dll
c:\windows\system32\zotepuwa.dll

----- BITS: Possible infected sites -----

hxxp://77.74.48.101
.
((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 )))))))))))))))))))))))))))))))
.

2008-12-15 17:32 . 2008-12-15 17:32 2,098 ---hs---- c:\windows\SYSTEM32\zepaluma.exe
2008-12-14 23:31 . 2008-12-14 23:31 120 ---hs---- c:\windows\SYSTEM32\ebupafof.ini
2008-12-14 11:30 . 2008-12-14 11:30 2,098 ---hs---- c:\windows\SYSTEM32\jusuyepu.exe
2008-12-13 17:28 . 2008-12-13 17:28 2,098 ---hs---- c:\windows\SYSTEM32\vakepuha.exe
2008-12-12 23:26 . 2008-12-12 23:26 2,098 ---hs---- c:\windows\SYSTEM32\mekipabo.exe
2008-12-12 05:24 . 2008-12-12 05:24 2,098 ---hs---- c:\windows\SYSTEM32\zizupusa.exe
2008-12-11 11:23 . 2008-12-11 11:23 2,098 ---hs---- c:\windows\SYSTEM32\seweyaka.exe
2008-12-10 17:20 . 2008-12-10 17:20 2,098 ---hs---- c:\windows\SYSTEM32\yalemera.exe
2008-12-09 23:18 . 2008-12-09 23:18 2,098 ---hs---- c:\windows\SYSTEM32\babekelu.exe
2008-12-09 05:16 . 2008-12-09 05:16 2,098 ---hs---- c:\windows\SYSTEM32\woyobizi.exe
2008-12-08 06:13 . 2008-12-08 06:13 2,098 ---hs---- c:\windows\SYSTEM32\zehifoze.exe
2008-12-07 06:42 . 2008-12-07 06:42 2,098 ---hs---- c:\windows\SYSTEM32\wibiragu.exe
2008-12-06 12:40 . 2008-12-06 12:40 2,098 ---hs---- c:\windows\SYSTEM32\kazogagu.exe
2008-12-05 18:39 . 2008-12-05 18:39 2,098 ---hs---- c:\windows\SYSTEM32\gujepono.exe
2008-12-05 00:37 . 2008-12-05 00:37 2,098 ---hs---- c:\windows\SYSTEM32\zekizuma.exe
2008-12-03 04:48 . 2008-12-03 04:48 2,098 --ahs---- c:\windows\SYSTEM32\yezumoyu.exe
2008-12-02 22:18 . 2008-12-02 22:18 120 --ahs---- c:\windows\SYSTEM32\epkpbuvd.ini
2008-12-02 21:03 . 2002-01-28 11:25 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2008-12-02 21:03 . 2002-01-28 11:22 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-12-02 21:03 . 2008-04-21 21:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Gtek
2008-12-02 21:03 . 2008-12-02 21:03 <DIR> d-------- c:\documents and settings\Administrator
2008-12-02 10:45 . 2008-12-02 10:45 2,098 --ahs---- c:\windows\SYSTEM32\tufamovo.exe
2008-11-30 22:54 . 2008-11-30 22:54 <DIR> d-------- c:\program files\Trend Micro
2008-11-30 22:09 . 2008-11-30 22:13 <DIR> d-------- c:\program files\Linksys EasyLink Advisor
2008-11-29 04:31 . 2008-11-29 04:31 2,098 --ahs---- c:\windows\SYSTEM32\momewohu.exe
2008-11-28 14:59 . 2008-11-28 14:59 2,098 --ahs---- c:\windows\SYSTEM32\pefedamu.exe
2008-11-28 11:32 . 2008-11-28 11:34 664 --a------ c:\windows\SYSTEM32\d3d9caps.dat
2008-11-28 00:10 . 2008-12-12 18:16 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-28 00:10 . 2008-11-28 00:10 1,409 --a------ c:\windows\QTFont.for
2008-11-26 13:25 . 2008-11-26 13:25 2,098 --ahs---- c:\windows\SYSTEM32\haferabo.exe
2008-11-24 19:23 . 2008-11-24 19:23 2,098 --ahs---- c:\windows\SYSTEM32\gomukamu.exe
2008-11-24 01:24 . 2008-11-24 01:24 2,098 --ahs---- c:\windows\SYSTEM32\peyubisu.exe
2008-11-23 19:05 . 2008-11-23 19:08 <DIR> d-------- c:\documents and settings\Uname\Application Data\MSN6
2008-11-23 19:05 . 2008-11-23 19:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\MSN6
2008-11-23 18:23 . 2008-11-23 18:23 22 --a------ c:\windows\kodakpcd.Uname.ini
2008-11-23 06:20 . 2008-11-23 06:20 2,098 --ahs---- c:\windows\SYSTEM32\wazuhope.exe
2008-11-21 17:24 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\SYSTEM32\d3dx9_33.dll
2008-11-21 17:24 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\SYSTEM32\d3dx9_32.dll
2008-11-21 17:24 . 2006-09-28 16:05 2,414,360 --a------ c:\windows\SYSTEM32\d3dx9_31.dll
2008-11-21 17:24 . 2007-01-24 15:27 255,848 --a------ c:\windows\SYSTEM32\xactengine2_6.dll
2008-11-21 17:24 . 2006-12-08 12:02 251,672 --a------ c:\windows\SYSTEM32\xactengine2_5.dll
2008-11-21 17:24 . 2006-09-28 16:05 237,848 --a------ c:\windows\SYSTEM32\xactengine2_4.dll
2008-11-21 17:24 . 2006-07-28 09:30 236,824 --a------ c:\windows\SYSTEM32\xactengine2_3.dll
2008-11-21 17:24 . 2006-07-28 09:30 62,744 --a------ c:\windows\SYSTEM32\xinput1_2.dll
2008-11-21 17:24 . 2007-03-05 12:42 15,128 --a------ c:\windows\SYSTEM32\x3daudio1_1.dll
2008-11-21 17:22 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\SYSTEM32\d3dx9_26.dll
2008-11-19 15:12 . 2008-11-19 15:12 2,098 --ahs---- c:\windows\SYSTEM32\leyeluto.exe
2008-11-16 14:34 . 2008-11-16 14:34 <DIR> d-------- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 05:11 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-09 03:31 --------- d-----w c:\program files\Webroot
2008-12-09 03:31 --------- d-----w c:\documents and settings\Uname\Application Data\Webroot
2008-12-04 02:41 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-01 02:42 --------- d-----w c:\program files\Common Files\Adobe
2008-12-01 02:22 73,144 -c--a-w c:\documents and settings\Uname\Application Data\GDIPFONTCACHEV1.DAT
2008-11-28 17:36 --------- d-----w c:\documents and settings\Uname\Application Data\Vso
2008-11-28 04:36 --------- d-----w c:\program files\SSI
2008-11-26 22:14 --------- d-----w c:\program files\Common Files\AVSMedia
2008-11-21 03:36 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-19 01:11 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-16 21:04 --------- d-----w c:\program files\FlashGet
2008-11-16 18:46 --------- d-----w c:\program files\Webtools
2008-11-11 04:53 --------- d-----w c:\program files\NovaLogic
2008-11-10 14:59 --------- d-----w c:\program files\Common Files\mrzo
2008-11-08 04:22 --------- d-----w c:\program files\GetRight
2008-10-31 02:46 --------- d-----w c:\program files\NewzToolz
2008-10-30 03:06 47,360 -c--a-w c:\documents and settings\Uname\Application Data\pcouffin.sys
2008-10-30 03:06 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2008-10-30 03:06 --------- d-----w c:\program files\vso
2008-10-12 18:18 1,553,272 ----a-w c:\windows\WRSetup.dll
2008-04-12 13:53 87,608 -c--a-w c:\documents and settings\Uname\Application Data\ezpinst.exe
2008-11-17 02:03 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-17 02:03 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-17 02:03 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-17 02:03 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-17 02:03 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
1757-03-17 20:21 4,263 -csh--w c:\windows\windllreg1c.sys
2008-09-08 02:42 87,552 --sha-w c:\windows\SYSTEM32\sofonufo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2005-06-10 1095680]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-04-12 1383936]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-03-28 102400]
"DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"PD6000StatusMonitor"="c:\windows\System32\PD6000SM.EXE" [2003-10-16 266240]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"VBSysTray"="c:\progra~1\VEXIRA~1\Bin\vbsystry.exe" [2008-03-26 239000]
"AVLoginToDo"="c:\progra~1\VEXIRA~1\Bin\avltd.exe" [2008-04-24 50552]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-14 185896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"aux1"= ctwdm32.dll
"MSACM.MI-SC4"= MI-SC4.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer 2000.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Camio Viewer 2000.lnk
backup=c:\windows\pss\Camio Viewer 2000.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-14 18:26 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\PD6000SM.exe"=

R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2001-08-06 28672]
R2 PackethSvc;Virtual NIC Service;c:\windows\System32\PackethSvc.exe [2002-03-07 64512]
R2 VACompManService;Vexira Antivirus Component Manager Service;c:\progra~1\VEXIRA~1\Bin\vbcmserv.exe [2008-04-24 46496]
R2 VBShld;VBShld;c:\windows\system32\Drivers\VBShld.Sys [2008-04-24 271232]
R3 insektxp;insektxp;c:\windows\system32\Drivers\InsektXp.sys [2002-07-20 29407]
R3 Msikbd2k;DellTouch;c:\windows\system32\DRIVERS\msikbd2k.sys [2000-10-03 6942]
R3 VBEngNT;VBEngNT;c:\windows\system32\Drivers\VBEngNT.Sys [2008-04-02 1077992]
R3 VBFilter;VBFilter;c:\windows\system32\Drivers\VBFilter.Sys [2008-04-24 27096]
R3 VBRec;VBRec;c:\windows\system32\Drivers\VBRec.Sys [2008-04-24 18528]
S0 ElbyVCD;ElbyVCD; []
S3 papycpu;papycpu; []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a3c183d-a251-11da-868f-00038a000015}]
\Shell\AutoRun\command - LinksysConnectPC.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 17:13]

2008-12-16 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

2002-01-31 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2004-08-04 00:56]
.
- - - - ORPHANS REMOVED - - - -

BHO-{9995AE07-48B8-4055-9981-0CAC4F89D0A1} - (no file)
BHO-{B64AEA0F-177E-4827-940D-723C61934FE6} - c:\windows\system32\ssqOHywT.dll
BHO-{CC891230-E171-4BAE-9034-830AC1768C81} - (no file)
BHO-{ee59867e-ab0b-42fd-93d5-63c69e708c44} - c:\windows\system32\suvimido.dll
MSConfigStartUp-gadcom - c:\documents and settings\Uname\Application Data\gadcom\gadcom.exe
MSConfigStartUp-GetPack24 - c:\program files\GetPack\GetPack24.exe
MSConfigStartUp-Gool - c:\documents and settings\Uname\Application Data\Gool\Gool.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN MSN MSN MSN MSN Messenger\MsnMsgr.Exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dellnet.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?83404bc94c3d497c98da30d88b501c2b
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?83404bc94c3d497c98da30d88b501c2b

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Uname\Application Data\Mozilla\Firefox\Profiles\tz8ozk5n.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 22:45:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\DRIVERS\CDAC11BA.EXE
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\windows\SYSTEM32\DRIVERS\KodakCCS.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\ScsiAccess.EXE
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\windows\SYSTEM32\wwSecure.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\devldr32.exe
c:\program files\Netropa\OSD.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-15 22:49:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-16 03:49:29

Pre-Run: 20,409,585,664 bytes free
Post-Run: 20,273,303,552 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

287
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:20 PM, on 12/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wwSecure.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\PD6000SM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [AHQInit] "C:\Program Files\Creative\SBLive\Program\AHQInit.exe"
O4 - HKLM\..\Run: [DellTouch] "C:\WINDOWS\DELLMMKB.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PD6000StatusMonitor] "C:\WINDOWS\System32\PD6000SM.EXE"
O4 - HKLM\..\Run: [UpdReg] "C:\WINDOWS\Updreg.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VBSysTray] "C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe"
O4 - HKLM\..\Run: [AVLoginToDo] "C:\PROGRA~1\VEXIRA~1\Bin\avltd.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?83404bc94c3d497c98da30d88b501c2b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?83404bc94c3d497c98da30d88b501c2b
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://email1.hillenbrand.com/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1226630815640
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1209692064718
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Vexira Antivirus Component Manager Service (VACompManService) - Central Command, Inc. - C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe

--
End of file - 7018 bytes

---Uninstall list---
2001 TurboTax Deluxe
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Reader 8
AnswerWorks 4.0 Runtime - English
Apple Software Update
aspi
Call of Duty
Call of Duty - United Offensive
CCHelp
CCleaner (remove only)
CCScore
Compatibility Pack for the 2007 Office system
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
ConvertXtoDVD 3.2.0.50
CR2
Creative Modem Blaster PCI Value DI5652-1
Dell Picture Studio - Image Expert 2000
Dell Solution Center
DellTouch
DivX Player
Drivers Install For Linksys Easylink Advisor
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSTUTOR
ESSvpaht
ESSvpot
Form Fill (Windows Live Toolbar)
HijackThis 2.0.2
HLPCCTR
HLPIndex
HLPPDOCK
Hotfix for Windows XP (KB926239)
ItsDeductible Express
iTunes
K-Lite Codec Pack 3.9.0 Full
Kodak EasyShare software
KSU
Linksys EasyLink Advisor 1.6 (0032)
Map Button (Windows Live Toolbar)
MasterSplitter Program
Microsoft .NET Framework 2.0
Microsoft 3D Movie Maker 1.0
Microsoft Access 2000 SR-1 Runtime
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Interactive Training
Microsoft Office XP Media Content
Microsoft Office XP Small Business
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Helper
Mozilla Firefox (2.0.0.18)
Nero Suite
Notifier
NVIDIA Windows 2000/XP Display Drivers
OneCare Advisor (Windows Live Toolbar)
OTtBP
PCDLNCH
Popup Blocker (Windows Live Toolbar)
ProPanel
QuickTime
ReadPlease 2003/ReadPlease PLUS 2003
RealPlayer
Rhapsody Player Engine
Runtime Access 2000
SafeCast Shared Components
SFR
SFR2
Shockwave Player
Sierra Utilities
Smart Menus (Windows Live Toolbar)
Sound Blaster Live! Value
Spybot - Search & Destroy
Star Wars Jedi Knight Jedi Academy
Tabbed Browsing (Windows Live Toolbar)
The Family Doctor, 4th Edition
ThrustMaster Formula Pro (WDM)
TurboTax Deluxe 2003
TurboTax Deluxe 2004
TurboTax Deluxe 2005
TurboTax Deluxe 2007
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
Uninstall ESS Modem
Update for Windows XP (KB898461)
VCAMCEN
Vexira Antivirus Professional
Viewpoint Media Player
WavePad Uninstall
WexTech AnswerWorks
WildBlue Optimizer NRTC Ver 2005-11-22
Window Washer
Windows Installer 3.1 (KB893803)
Windows Live Favorites for Windows Live Toolbar
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 2
WinRAR archiver
Wipeout for 3D Rage
 
Thanks for returning your information, read and follow the directions carefully and in the numbered order. You had a VERY infected computer, where did you get all of this junk?

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
c:\windows\SYSTEM32\zepaluma.exe
c:\windows\SYSTEM32\ebupafof.ini
c:\windows\SYSTEM32\jusuyepu.exe
c:\windows\SYSTEM32\vakepuha.exe
c:\windows\SYSTEM32\mekipabo.exe
c:\windows\SYSTEM32\zizupusa.exe
c:\windows\SYSTEM32\seweyaka.exe
c:\windows\SYSTEM32\yalemera.exe
c:\windows\SYSTEM32\babekelu.exe
c:\windows\SYSTEM32\woyobizi.exe
c:\windows\SYSTEM32\zehifoze.exe
c:\windows\SYSTEM32\wibiragu.exe
c:\windows\SYSTEM32\kazogagu.exe
c:\windows\SYSTEM32\gujepono.exe
c:\windows\SYSTEM32\zekizuma.exe
c:\windows\SYSTEM32\yezumoyu.exe
c:\windows\SYSTEM32\epkpbuvd.ini
c:\windows\SYSTEM32\tufamovo.exe
c:\windows\SYSTEM32\momewohu.exe
c:\windows\SYSTEM32\pefedamu.exe
c:\windows\SYSTEM32\haferabo.exe
c:\windows\SYSTEM32\gomukamu.exe
c:\windows\SYSTEM32\peyubisu.exe
c:\windows\SYSTEM32\wazuhope.exe
c:\windows\SYSTEM32\leyeluto.exe
c:\windows\SYSTEM32\sofonufo.dll

Save this as CFScript

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Right click Start > Explore and navigate to these files/folders and delete them if there.

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running now?

Thanks

Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.

Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Reader 8 <<< ouut of date and not safe, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows
http://www.foxitsoftware.com/pdf/rd_intro.php

Spybot - Search & Destroy << please be sure Spybot S&D is up to date and fully immunized.
Spybot-S&D 1.6 has arrived! 8. July 2008
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
http://www.safer-networking.org/en/faq/index.html

Viewpoint Media Player << For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546
 
1216 logs

I ran the comboFix script twice the first time it ended all icons were hidden and the teatimer.exe was running in the processes??
Restarted and ran again I’ll list both logs

as for the source of the junk ??
adobe 8, popups for security alerts, and multiple iexplorer running in processes before that.

Thanks

ComboFix 08-12-15.04 - Uname 2008-12-16 20:21:01.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.42 [GMT -5:00]
Running from: c:\documents and settings\Uname\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Uname\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ebupafof.ini
c:\windows\system32\epkpbuvd.ini
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
.

2008-12-15 17:32 . 2008-12-15 17:32 2,098 ---hs---- c:\windows\SYSTEM32\zepaluma.exe
2008-12-14 11:30 . 2008-12-14 11:30 2,098 ---hs---- c:\windows\SYSTEM32\jusuyepu.exe
2008-12-13 17:28 . 2008-12-13 17:28 2,098 ---hs---- c:\windows\SYSTEM32\vakepuha.exe
2008-12-12 23:26 . 2008-12-12 23:26 2,098 ---hs---- c:\windows\SYSTEM32\mekipabo.exe
2008-12-12 05:24 . 2008-12-12 05:24 2,098 ---hs---- c:\windows\SYSTEM32\zizupusa.exe
2008-12-11 11:23 . 2008-12-11 11:23 2,098 ---hs---- c:\windows\SYSTEM32\seweyaka.exe
2008-12-10 17:20 . 2008-12-10 17:20 2,098 ---hs---- c:\windows\SYSTEM32\yalemera.exe
2008-12-09 23:18 . 2008-12-09 23:18 2,098 ---hs---- c:\windows\SYSTEM32\babekelu.exe
2008-12-09 05:16 . 2008-12-09 05:16 2,098 ---hs---- c:\windows\SYSTEM32\woyobizi.exe
2008-12-08 06:13 . 2008-12-08 06:13 2,098 ---hs---- c:\windows\SYSTEM32\zehifoze.exe
2008-12-07 06:42 . 2008-12-07 06:42 2,098 ---hs---- c:\windows\SYSTEM32\wibiragu.exe
2008-12-06 12:40 . 2008-12-06 12:40 2,098 ---hs---- c:\windows\SYSTEM32\kazogagu.exe
2008-12-05 18:39 . 2008-12-05 18:39 2,098 ---hs---- c:\windows\SYSTEM32\gujepono.exe
2008-12-05 00:37 . 2008-12-05 00:37 2,098 ---hs---- c:\windows\SYSTEM32\zekizuma.exe
2008-12-03 04:48 . 2008-12-03 04:48 2,098 --ahs---- c:\windows\SYSTEM32\yezumoyu.exe
2008-12-02 21:03 . 2002-01-28 11:25 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2008-12-02 21:03 . 2002-01-28 11:22 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-12-02 21:03 . 2008-04-21 21:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Gtek
2008-12-02 21:03 . 2008-12-02 21:03 <DIR> d-------- c:\documents and settings\Administrator
2008-12-02 10:45 . 2008-12-02 10:45 2,098 --ahs---- c:\windows\SYSTEM32\tufamovo.exe
2008-11-30 22:54 . 2008-11-30 22:54 <DIR> d-------- c:\program files\Trend Micro
2008-11-30 22:09 . 2008-11-30 22:13 <DIR> d-------- c:\program files\Linksys EasyLink Advisor
2008-11-29 04:31 . 2008-11-29 04:31 2,098 --ahs---- c:\windows\SYSTEM32\momewohu.exe
2008-11-28 14:59 . 2008-11-28 14:59 2,098 --ahs---- c:\windows\SYSTEM32\pefedamu.exe
2008-11-28 11:32 . 2008-11-28 11:34 664 --a------ c:\windows\SYSTEM32\d3d9caps.dat
2008-11-28 00:10 . 2008-12-12 18:16 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-28 00:10 . 2008-11-28 00:10 1,409 --a------ c:\windows\QTFont.for
2008-11-26 13:25 . 2008-11-26 13:25 2,098 --ahs---- c:\windows\SYSTEM32\haferabo.exe
2008-11-24 19:23 . 2008-11-24 19:23 2,098 --ahs---- c:\windows\SYSTEM32\gomukamu.exe
2008-11-24 01:24 . 2008-11-24 01:24 2,098 --ahs---- c:\windows\SYSTEM32\peyubisu.exe
2008-11-23 19:05 . 2008-11-23 19:08 <DIR> d-------- c:\documents and settings\Uname\Application Data\MSN6
2008-11-23 19:05 . 2008-11-23 19:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\MSN6
2008-11-23 18:23 . 2008-11-23 18:23 22 --a------ c:\windows\kodakpcd.Uname.ini
2008-11-23 06:20 . 2008-11-23 06:20 2,098 --ahs---- c:\windows\SYSTEM32\wazuhope.exe
2008-11-21 17:24 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\SYSTEM32\d3dx9_33.dll
2008-11-21 17:24 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\SYSTEM32\d3dx9_32.dll
2008-11-21 17:24 . 2006-09-28 16:05 2,414,360 --a------ c:\windows\SYSTEM32\d3dx9_31.dll
2008-11-21 17:24 . 2007-01-24 15:27 255,848 --a------ c:\windows\SYSTEM32\xactengine2_6.dll
2008-11-21 17:24 . 2006-12-08 12:02 251,672 --a------ c:\windows\SYSTEM32\xactengine2_5.dll
2008-11-21 17:24 . 2006-09-28 16:05 237,848 --a------ c:\windows\SYSTEM32\xactengine2_4.dll
2008-11-21 17:24 . 2006-07-28 09:30 236,824 --a------ c:\windows\SYSTEM32\xactengine2_3.dll
2008-11-21 17:24 . 2006-07-28 09:30 62,744 --a------ c:\windows\SYSTEM32\xinput1_2.dll
2008-11-21 17:24 . 2007-03-05 12:42 15,128 --a------ c:\windows\SYSTEM32\x3daudio1_1.dll
2008-11-21 17:22 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\SYSTEM32\d3dx9_26.dll
2008-11-19 15:12 . 2008-11-19 15:12 2,098 --ahs---- c:\windows\SYSTEM32\leyeluto.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 05:11 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-09 03:31 --------- d-----w c:\program files\Webroot
2008-12-09 03:31 --------- d-----w c:\documents and settings\Uname\Application Data\Webroot
2008-12-04 02:41 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-01 02:42 --------- d-----w c:\program files\Common Files\Adobe
2008-12-01 02:22 73,144 -c--a-w c:\documents and settings\Uname\Application Data\GDIPFONTCACHEV1.DAT
2008-11-28 17:36 --------- d-----w c:\documents and settings\Uname\Application Data\Vso
2008-11-28 04:36 --------- d-----w c:\program files\SSI
2008-11-26 22:14 --------- d-----w c:\program files\Common Files\AVSMedia
2008-11-21 03:36 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-19 01:11 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-16 21:04 --------- d-----w c:\program files\FlashGet
2008-11-16 19:34 --------- d-----w c:\program files\CCleaner
2008-11-16 18:46 --------- d-----w c:\program files\Webtools
2008-11-11 04:53 --------- d-----w c:\program files\NovaLogic
2008-11-10 14:59 --------- d-----w c:\program files\Common Files\mrzo
2008-11-08 04:22 --------- d-----w c:\program files\GetRight
2008-10-31 02:46 --------- d-----w c:\program files\NewzToolz
2008-10-30 03:06 47,360 -c--a-w c:\documents and settings\Uname\Application Data\pcouffin.sys
2008-10-30 03:06 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2008-10-30 03:06 --------- d-----w c:\program files\vso
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
2008-10-12 18:18 1,553,272 ----a-w c:\windows\WRSetup.dll
2008-04-12 13:53 87,608 -c--a-w c:\documents and settings\Uname\Application Data\ezpinst.exe
2008-11-17 02:03 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-17 02:03 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-17 02:03 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-17 02:03 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-17 02:03 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
1757-03-17 20:21 4,263 -csh--w c:\windows\windllreg1c.sys
2008-09-08 02:42 87,552 --sha-w c:\windows\SYSTEM32\sofonufo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2005-06-10 1095680]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-04-12 1383936]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-03-28 102400]
"DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"PD6000StatusMonitor"="c:\windows\System32\PD6000SM.EXE" [2003-10-16 266240]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"VBSysTray"="c:\progra~1\VEXIRA~1\Bin\vbsystry.exe" [2008-03-26 239000]
"AVLoginToDo"="c:\progra~1\VEXIRA~1\Bin\avltd.exe" [2008-04-24 50552]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-14 185896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"aux1"= ctwdm32.dll
"MSACM.MI-SC4"= MI-SC4.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer 2000.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Camio Viewer 2000.lnk
backup=c:\windows\pss\Camio Viewer 2000.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-14 18:26 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\PD6000SM.exe"=

R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2001-08-06 28672]
R2 PackethSvc;Virtual NIC Service;c:\windows\System32\PackethSvc.exe [2002-03-07 64512]
R2 VACompManService;Vexira Antivirus Component Manager Service;c:\progra~1\VEXIRA~1\Bin\vbcmserv.exe [2008-04-24 46496]
R2 VBShld;VBShld;c:\windows\system32\Drivers\VBShld.Sys [2008-04-24 271232]
R3 insektxp;insektxp;c:\windows\system32\Drivers\InsektXp.sys [2002-07-20 29407]
R3 Msikbd2k;DellTouch;c:\windows\system32\DRIVERS\msikbd2k.sys [2000-10-03 6942]
R3 VBEngNT;VBEngNT;c:\windows\system32\Drivers\VBEngNT.Sys [2008-04-02 1077992]
R3 VBFilter;VBFilter;c:\windows\system32\Drivers\VBFilter.Sys [2008-04-24 27096]
R3 VBRec;VBRec;c:\windows\system32\Drivers\VBRec.Sys [2008-04-24 18528]
S0 ElbyVCD;ElbyVCD; []
S3 papycpu;papycpu; []
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 17:13]

2008-12-17 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

2002-01-31 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2004-08-04 00:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dellnet.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?83404bc94c3d497c98da30d88b501c2b
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?83404bc94c3d497c98da30d88b501c2b

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Uname\Application Data\Mozilla\Firefox\Profiles\tz8ozk5n.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 20:24:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-16 20:27:12
ComboFix-quarantined-files.txt 2008-12-17 01:27:09
ComboFix2.txt 2008-12-16 03:49:36

Pre-Run: 20,219,285,504 bytes free
Post-Run: 20,206,399,488 bytes free

206


ComboFix 08-12-15.04 - Uname 2008-12-16 20:41:05.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.38 [GMT -5:00]
Running from: c:\documents and settings\Uname\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Uname\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
.

2008-12-15 17:32 . 2008-12-15 17:32 2,098 ---hs---- c:\windows\SYSTEM32\zepaluma.exe
2008-12-14 11:30 . 2008-12-14 11:30 2,098 ---hs---- c:\windows\SYSTEM32\jusuyepu.exe
2008-12-13 17:28 . 2008-12-13 17:28 2,098 ---hs---- c:\windows\SYSTEM32\vakepuha.exe
2008-12-12 23:26 . 2008-12-12 23:26 2,098 ---hs---- c:\windows\SYSTEM32\mekipabo.exe
2008-12-12 05:24 . 2008-12-12 05:24 2,098 ---hs---- c:\windows\SYSTEM32\zizupusa.exe
2008-12-11 11:23 . 2008-12-11 11:23 2,098 ---hs---- c:\windows\SYSTEM32\seweyaka.exe
2008-12-10 17:20 . 2008-12-10 17:20 2,098 ---hs---- c:\windows\SYSTEM32\yalemera.exe
2008-12-09 23:18 . 2008-12-09 23:18 2,098 ---hs---- c:\windows\SYSTEM32\babekelu.exe
2008-12-09 05:16 . 2008-12-09 05:16 2,098 ---hs---- c:\windows\SYSTEM32\woyobizi.exe
2008-12-08 06:13 . 2008-12-08 06:13 2,098 ---hs---- c:\windows\SYSTEM32\zehifoze.exe
2008-12-07 06:42 . 2008-12-07 06:42 2,098 ---hs---- c:\windows\SYSTEM32\wibiragu.exe
2008-12-06 12:40 . 2008-12-06 12:40 2,098 ---hs---- c:\windows\SYSTEM32\kazogagu.exe
2008-12-05 18:39 . 2008-12-05 18:39 2,098 ---hs---- c:\windows\SYSTEM32\gujepono.exe
2008-12-05 00:37 . 2008-12-05 00:37 2,098 ---hs---- c:\windows\SYSTEM32\zekizuma.exe
2008-12-03 04:48 . 2008-12-03 04:48 2,098 --ahs---- c:\windows\SYSTEM32\yezumoyu.exe
2008-12-02 21:03 . 2002-01-28 11:25 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2008-12-02 21:03 . 2002-01-28 11:22 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-12-02 21:03 . 2008-04-21 21:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Gtek
2008-12-02 21:03 . 2008-12-02 21:03 <DIR> d-------- c:\documents and settings\Administrator
2008-12-02 10:45 . 2008-12-02 10:45 2,098 --ahs---- c:\windows\SYSTEM32\tufamovo.exe
2008-11-30 22:54 . 2008-11-30 22:54 <DIR> d-------- c:\program files\Trend Micro
2008-11-30 22:09 . 2008-11-30 22:13 <DIR> d-------- c:\program files\Linksys EasyLink Advisor
2008-11-29 04:31 . 2008-11-29 04:31 2,098 --ahs---- c:\windows\SYSTEM32\momewohu.exe
2008-11-28 14:59 . 2008-11-28 14:59 2,098 --ahs---- c:\windows\SYSTEM32\pefedamu.exe
2008-11-28 11:32 . 2008-11-28 11:34 664 --a------ c:\windows\SYSTEM32\d3d9caps.dat
2008-11-28 00:10 . 2008-12-12 18:16 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-28 00:10 . 2008-11-28 00:10 1,409 --a------ c:\windows\QTFont.for
2008-11-26 13:25 . 2008-11-26 13:25 2,098 --ahs---- c:\windows\SYSTEM32\haferabo.exe
2008-11-24 19:23 . 2008-11-24 19:23 2,098 --ahs---- c:\windows\SYSTEM32\gomukamu.exe
2008-11-24 01:24 . 2008-11-24 01:24 2,098 --ahs---- c:\windows\SYSTEM32\peyubisu.exe
2008-11-23 19:05 . 2008-11-23 19:08 <DIR> d-------- c:\documents and settings\Uname\Application Data\MSN6
2008-11-23 19:05 . 2008-11-23 19:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\MSN6
2008-11-23 18:23 . 2008-11-23 18:23 22 --a------ c:\windows\kodakpcd.Uname.ini
2008-11-23 06:20 . 2008-11-23 06:20 2,098 --ahs---- c:\windows\SYSTEM32\wazuhope.exe
2008-11-21 17:24 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\SYSTEM32\d3dx9_33.dll
2008-11-21 17:24 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\SYSTEM32\d3dx9_32.dll
2008-11-21 17:24 . 2006-09-28 16:05 2,414,360 --a------ c:\windows\SYSTEM32\d3dx9_31.dll
2008-11-21 17:24 . 2007-01-24 15:27 255,848 --a------ c:\windows\SYSTEM32\xactengine2_6.dll
2008-11-21 17:24 . 2006-12-08 12:02 251,672 --a------ c:\windows\SYSTEM32\xactengine2_5.dll
2008-11-21 17:24 . 2006-09-28 16:05 237,848 --a------ c:\windows\SYSTEM32\xactengine2_4.dll
2008-11-21 17:24 . 2006-07-28 09:30 236,824 --a------ c:\windows\SYSTEM32\xactengine2_3.dll
2008-11-21 17:24 . 2006-07-28 09:30 62,744 --a------ c:\windows\SYSTEM32\xinput1_2.dll
2008-11-21 17:24 . 2007-03-05 12:42 15,128 --a------ c:\windows\SYSTEM32\x3daudio1_1.dll
2008-11-21 17:22 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\SYSTEM32\d3dx9_26.dll
2008-11-19 15:12 . 2008-11-19 15:12 2,098 --ahs---- c:\windows\SYSTEM32\leyeluto.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-17 01:35 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-09 03:31 --------- d-----w c:\program files\Webroot
2008-12-09 03:31 --------- d-----w c:\documents and settings\Uname\Application Data\Webroot
2008-12-04 02:41 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-01 02:42 --------- d-----w c:\program files\Common Files\Adobe
2008-12-01 02:22 73,144 -c--a-w c:\documents and settings\Uname\Application Data\GDIPFONTCACHEV1.DAT
2008-11-28 17:36 --------- d-----w c:\documents and settings\Uname\Application Data\Vso
2008-11-28 04:36 --------- d-----w c:\program files\SSI
2008-11-26 22:14 --------- d-----w c:\program files\Common Files\AVSMedia
2008-11-21 03:36 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-19 01:11 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-16 21:04 --------- d-----w c:\program files\FlashGet
2008-11-16 19:34 --------- d-----w c:\program files\CCleaner
2008-11-16 18:46 --------- d-----w c:\program files\Webtools
2008-11-11 04:53 --------- d-----w c:\program files\NovaLogic
2008-11-10 14:59 --------- d-----w c:\program files\Common Files\mrzo
2008-11-08 04:22 --------- d-----w c:\program files\GetRight
2008-10-31 02:46 --------- d-----w c:\program files\NewzToolz
2008-10-30 03:06 47,360 -c--a-w c:\documents and settings\Uname\Application Data\pcouffin.sys
2008-10-30 03:06 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2008-10-30 03:06 --------- d-----w c:\program files\vso
2008-10-12 18:18 1,553,272 ----a-w c:\windows\WRSetup.dll
2008-04-12 13:53 87,608 -c--a-w c:\documents and settings\Uname\Application Data\ezpinst.exe
2008-11-17 02:03 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-17 02:03 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-17 02:03 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-17 02:03 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-17 02:03 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
1757-03-17 20:21 4,263 -csh--w c:\windows\windllreg1c.sys
2008-09-08 02:42 87,552 --sha-w c:\windows\SYSTEM32\sofonufo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2005-06-10 1095680]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-04-12 1383936]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-03-28 102400]
"DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"PD6000StatusMonitor"="c:\windows\System32\PD6000SM.EXE" [2003-10-16 266240]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"VBSysTray"="c:\progra~1\VEXIRA~1\Bin\vbsystry.exe" [2008-03-26 239000]
"AVLoginToDo"="c:\progra~1\VEXIRA~1\Bin\avltd.exe" [2008-04-24 50552]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-14 185896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"aux1"= ctwdm32.dll
"MSACM.MI-SC4"= MI-SC4.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer 2000.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Camio Viewer 2000.lnk
backup=c:\windows\pss\Camio Viewer 2000.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-14 18:26 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\PD6000SM.exe"=

R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2001-08-06 28672]
R2 PackethSvc;Virtual NIC Service;c:\windows\System32\PackethSvc.exe [2002-03-07 64512]
R2 VACompManService;Vexira Antivirus Component Manager Service;c:\progra~1\VEXIRA~1\Bin\vbcmserv.exe [2008-04-24 46496]
R2 VBShld;VBShld;c:\windows\system32\Drivers\VBShld.Sys [2008-04-24 271232]
R3 insektxp;insektxp;c:\windows\system32\Drivers\InsektXp.sys [2002-07-20 29407]
R3 Msikbd2k;DellTouch;c:\windows\system32\DRIVERS\msikbd2k.sys [2000-10-03 6942]
R3 VBEngNT;VBEngNT;c:\windows\system32\Drivers\VBEngNT.Sys [2008-04-02 1077992]
R3 VBFilter;VBFilter;c:\windows\system32\Drivers\VBFilter.Sys [2008-04-24 27096]
R3 VBRec;VBRec;c:\windows\system32\Drivers\VBRec.Sys [2008-04-24 18528]
S0 ElbyVCD;ElbyVCD; []
S3 papycpu;papycpu; []
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 17:13]

2008-12-17 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

2002-01-31 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2004-08-04 00:56]
.
- - - - ORPHANS REMOVED - - - -

BHO-{9995AE07-48B8-4055-9981-0CAC4F89D0A1} - (no file)
BHO-{A263DA6B-1617-4B9C-904A-FC97B40F6A15} - (no file)
BHO-{CC891230-E171-4BAE-9034-830AC1768C81} - (no file)
BHO-{ee59867e-ab0b-42fd-93d5-63c69e708c44} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dellnet.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?83404bc94c3d497c98da30d88b501c2b
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?83404bc94c3d497c98da30d88b501c2b

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Uname\Application Data\Mozilla\Firefox\Profiles\tz8ozk5n.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 20:44:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-16 20:46:59
ComboFix-quarantined-files.txt 2008-12-17 01:46:56
ComboFix2.txt 2008-12-17 01:27:14
ComboFix3.txt 2008-12-16 03:49:36

Pre-Run: 20,143,689,728 bytes free
Post-Run: 20,092,932,096 bytes free

193


Malwarebytes' Anti-Malware 1.31
Database version: 1510
Windows 5.1.2600 Service Pack 2

12/16/2008 10:23:31 PM
mbam-log-2008-12-16 (22-23-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 116145
Time elapsed: 27 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 76

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\Patrick Kinker\My Documents\YSTEM3~1\mmc.exe.vir (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\aqgdqi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\dvavxeig.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\dvmhbe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\dvubpkpe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fofapube.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hjkvclvf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hrylvdcr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hwnpshdj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ifteae.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ituoyg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\jkhqgojr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kfrmbcio.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kjjtqv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lsqqaabp.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mekyexsa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mjpvwgif.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\msansspc.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\myhtlz.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ocgcps.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\psdbxypb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\pydekder.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\qufhkubg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\rchfhd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\rmiyytsq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\sssyeuwt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\stpdqqak.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\suerqd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\trukkrpm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\txkclask.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wafoqh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wcspjccx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wnvlgeqs.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wxomyn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\xhgjwsip.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\yitqijgo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\zepusf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1243\A0102508.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1248\A0104892.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106555.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106558.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106559.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106560.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106561.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106563.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106565.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106566.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106567.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106570.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106571.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106573.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106574.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106575.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106577.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106580.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106581.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106582.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106583.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106585.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106586.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106587.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106588.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106590.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106592.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106593.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106594.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106597.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106598.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106599.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106600.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106601.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106602.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106603.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106605.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP1260\A0106606.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sofonufo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:00 PM, on 12/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\PD6000SM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wwSecure.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9995AE07-48B8-4055-9981-0CAC4F89D0A1} - (no file)
O2 - BHO: (no name) - {A263DA6B-1617-4B9C-904A-FC97B40F6A15} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {CC891230-E171-4BAE-9034-830AC1768C81} - (no file)
O2 - BHO: (no name) - {ee59867e-ab0b-42fd-93d5-63c69e708c44} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [AHQInit] "C:\Program Files\Creative\SBLive\Program\AHQInit.exe"
O4 - HKLM\..\Run: [DellTouch] "C:\WINDOWS\DELLMMKB.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PD6000StatusMonitor] "C:\WINDOWS\System32\PD6000SM.EXE"
O4 - HKLM\..\Run: [UpdReg] "C:\WINDOWS\Updreg.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VBSysTray] "C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe"
O4 - HKLM\..\Run: [AVLoginToDo] "C:\PROGRA~1\VEXIRA~1\Bin\avltd.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2188283067-3000887322-1647371527-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2188283067-3000887322-1647371527-1003\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?83404bc94c3d497c98da30d88b501c2b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?83404bc94c3d497c98da30d88b501c2b
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://email1.hillenbrand.com/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1226630815640
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1209692064718
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Vexira Antivirus Component Manager Service (VACompManService) - Central Command, Inc. - C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe

--
End of file - 7784 bytes
 
How is the computer running now?
Click to expand...
If I missed the information I apologize, I need that information when I request it, you are my eyes and the one in front of the computer. Remote repairs are not easy.


We have problems and work to do.

My first instruction.
1) DO NOT ENABLE Spybot S&D TeaTimer while we work together.
Click to expand...
and TeaTimer is running in the newest HJT log.
Scan saved at 10:31:00 PM, on 12/16/2008
Running processes:
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

Follow these instructions to disable TeaTimer, if you can not disable it then uninstall Spybot S&D completely in Add Remove programs for now.
We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

The next it is in this combofix log, this one:
Command switches used :: c:\documents and settings\Uname\Desktop\CFScript.txt

many items I had in the CFScript to be removed are not showing in "Other Deletions" and you said this:
"I ran the comboFix script twice" and I am not sure how that effected this. Look carefully at the files here:
Files Created from 2008-11-17 to 2008-12-17

The first 15 files (and more elsewhere) are the same size (2,098) and I am 99.9% sure they are malware, I just don't know if they were removed because of the way you ran the script twice, but we must find out.

Make sure you can view all files and folders:
http://www.bleepingcomputer.com/tutorials/tutorial62.html

Navigate to the c:\windows\SYSTEM32\ <<< folder in red and tell me if those files are there. If they are there, please use one or more of these free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

scan two or three of those files and post the results here.

once you have done that, post a new HJT log this is NOT running TeaTimer and that information.

Thanks
 
Thanks
The computer is running a lot better now the CPU usage %is down near 0 and windows explore works fast again
I apologize for not posting that

The TeaTimer was not marked and is not marked now
after I restart it is no longer listed in the processes


all of the .exe files in CFScript are still in the SYSTEM32 folder
the .ini's are not

below is the last line in my CFScript I didn't notice I copied to much till now
c:\windows\SYSTEM32\sofonufo.dllSave this as CFScript


Scanned file:** zepaluma.exe
Statistics:
Known viruses: 1474046 Updated: 18-12-2008
File size (Kb): 3 Virus bodies: 0
Files: 1 Warnings: 0

Scanned file:** jusuyepu.exe
Statistics:
Known viruses: 1474046 Updated: 18-12-2008
File size (Kb): 3 Virus bodies: 0
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0

Scanned file:** vakepuha.exe
Statistics:
Known viruses: 1474046 Updated: 18-12-2008
File size (Kb): 3 Virus bodies: 0
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:21 PM, on 12/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\PD6000SM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wwSecure.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9995AE07-48B8-4055-9981-0CAC4F89D0A1} - (no file)
O2 - BHO: (no name) - {A263DA6B-1617-4B9C-904A-FC97B40F6A15} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {CC891230-E171-4BAE-9034-830AC1768C81} - (no file)
O2 - BHO: (no name) - {ee59867e-ab0b-42fd-93d5-63c69e708c44} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [AHQInit] "C:\Program Files\Creative\SBLive\Program\AHQInit.exe"
O4 - HKLM\..\Run: [DellTouch] "C:\WINDOWS\DELLMMKB.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PD6000StatusMonitor] "C:\WINDOWS\System32\PD6000SM.EXE"
O4 - HKLM\..\Run: [UpdReg] "C:\WINDOWS\Updreg.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VBSysTray] "C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe"
O4 - HKLM\..\Run: [AVLoginToDo] "C:\PROGRA~1\VEXIRA~1\Bin\avltd.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe (User 'Default user')
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?83404bc94c3d497c98da30d88b501c2b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?83404bc94c3d497c98da30d88b501c2b
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://email1.hillenbrand.com/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1226630815640
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1209692064718
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Vexira Antivirus Component Manager Service (VACompManService) - Central Command, Inc. - C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe

--
End of file - 6881 bytes
 
Thanks for the feedback, there is just not much information, here are the files you scanned:

zepaluma.exe
jusuyepu.exe
vakepuha.exe

Use the other two scanners to see what they say. You can also right click the file and look at Properties, see if anything about that tells you what those files are.

Thanks
 
Not any new info so far
all the properties for the files are about the same
nothing more under type of file that it's an application.
I have been keeping track of the files and the scanner use on
on a spreadsheet but don't know how to paste it here without losing
the spacing but so far all file scan results are clean
 
Without more information, it is hard to advise you, the files may be legitimate and needed for one of your programs. All I can suggest is you have the list from CFScript, boot to safe mode and manually move the files to the Recycle Bin (delete them) Let them set there for a few days and if there are no adverse effects to any of your programs, then empty the Recycle Bin. If it turns out the files are needed, you can restore them from the Bin.

Let's see if we can wrap up like this:

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png


Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, update it and run it once a month or so)

Update Vexira Antivirus and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.

If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
 
Status
Not open for further replies.
Back
Top