Need help with Virtumonde and other problems

[pskelley]

why am I having such a difficult time getting you to post the information I request?:sad:

 

[Garyrunningdude]

I'm trying

Vundofix didn't work. What do you want me to do and what information do you need from me?

 

[pskelley]

I posted the directions, would you please follow them:

Restart and post the report from Vundofix and a new HJT log.

 

[Garyrunningdude]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:52:05 PM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\YPCSER~1.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\Garyrunningdude.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A98D0065-7326-41B5-B8D9-C5B692CDB82F} - C:\WINDOWS\system32\geBuUlLE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YPC] C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1206583687759
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11300 bytes

 

[Garyrunningdude]

VundoFix V7.0.3

Scan started at 3:03:18 AM 4/10/2008

Listing files found while scanning....


VundoFix V7.0.0

Scan started at 3:17:17 AM 4/10/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V7.0.3

Scan started at 2:33:18 PM 4/11/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\geBuUlLE.dll
C:\WINDOWS\system32\geBuUlLE.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geBuUlLE.dll
C:\WINDOWS\system32\geBuUlLE.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V7.0.3

Scan started at 4:05:01 PM 4/11/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\geBuUlLE.dll
C:\WINDOWS\system32\geBuUlLE.dll Could not be deleted.

Performing Repairs to the registry.
Done!

 

[pskelley]

I am not sure why, but this is the second Vundofix report that I see this old version running in it: VundoFix V7.0.0. The newest version is V7.0.3 and I am since I did not create the tool, I am not sure if having an old version onboard can effect how the tool works. In case we need this tool again, make 100% sure there is no version on the computer except V7.0.3.

Please submit that file: C:\WINDOWS\SYSTEM32\geBuUlLE.dll
to upload malware http://www.uploadmalware.com
Please take the time to fill out that basic information and make sure to post a link from where it was sent:
http://forums.spybot.info/showthread.php?t=26654

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here to your Desktop

• Double click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

 

[Garyrunningdude]

Hi,

I noticed the log file contains two versions of vundofix, 7.0.0 and 7.0.3.

I actually found a version of 7.0.0 in a different folder which I didn't delete previously. I don't know if that can cause the two versions showing up in the log file. I was running the 7.0.3 when the log file was generated.

Following the rest of your instructions above now.

 

[Garyrunningdude]

can't upload file

Hi,

I tried to upload the file but couldn't. It told me to turn off the anti-virus on my computer and retry. Does this sound right to you? In any event I do not have rights on my work computer to turn it off and I am unable to.

I am leaving for home now and will upload from the infected computer tonight.

Thanks for your help today. In your opinion, will we be able to fix this?

 

[pskelley]

Thanks for the feedback, It would be appreciated if you can get that file uploaded, may help the next user because the creator of Vundofix will add it to the databases. I see no reason (other than you following directions) that we should not be able to kill this infection. We have only one file to go. I have many tools to use yet and will be the first to let you know if I am out of ways to remove it. I start very early and will shut down soon until AM EST.

 

[Garyrunningdude]

Hi,

I was able to upload the file.

Here is the combofix text.

ComboFix 08-04-11.5 - Gary 2008-04-11 20:14:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.534 [GMT -4:00]
Running from: C:\Documents and Settings\Gary\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Gary\Desktopblackbird.jpg
C:\Documents and Settings\Gary\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Gary\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Gary\Desktopfilemanagerclient.exe
C:\Documents and Settings\Gary\Desktopfkwp1.5.exe
C:\Documents and Settings\Gary\Desktopfkwp2.0.exe
C:\Documents and Settings\Gary\Desktopfwebd.exe
C:\Documents and Settings\Gary\DesktopFWebdEditor.exe
C:\Documents and Settings\Gary\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\Gary\Desktopvirii
C:\WINDOWS\a.bat
C:\WINDOWS\apoxqwfv.exe
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\acehgMoq.ini
C:\WINDOWS\system32\acehgMoq.ini2
C:\WINDOWS\system32\cdhtvapj.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\efcDUnME.dll
C:\WINDOWS\system32\EMnUDcfe.ini
C:\WINDOWS\system32\EMnUDcfe.ini2
C:\WINDOWS\system32\geBuUlLE.dll
C:\WINDOWS\system32\jpavthdc.ini
C:\WINDOWS\system32\UBHiQXbc.ini
C:\WINDOWS\system32\UBHiQXbc.ini2
C:\WINDOWS\system32akttzn.exe
C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32bsva-egihsg52.exe
C:\WINDOWS\system32dpcproxy.exe
C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32h@tkeysh@@k.dll
C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32hxiwlgpm.exe
C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32msgp.exe
C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32mssecu.exe
C:\WINDOWS\system32msvchost.exe
C:\WINDOWS\system32mtr2.exe
C:\WINDOWS\system32mwin32.exe
C:\WINDOWS\system32netode.exe
C:\WINDOWS\system32newsd32.exe
C:\WINDOWS\system32ps1.exe
C:\WINDOWS\system32psof1.exe
C:\WINDOWS\system32psoft1.exe
C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32Rundl1.exe
C:\WINDOWS\system32smp
C:\WINDOWS\system32smp\msrc.exe
C:\WINDOWS\system32sncntr.exe
C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32ssvchost.exe
C:\WINDOWS\system32sysreq.exe
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32taack.exe
C:\WINDOWS\system32temp#01.exe
C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32winlogonpc.exe
C:\WINDOWS\system32winsystem.exe
C:\WINDOWS\system32WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\vnbptxlf.dll
C:\WINDOWS\Web\def.htm
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CCEVTMGR
-------\Service_ccEvtMgr


((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
.

2008-04-11 20:07 . 2008-04-11 20:07 3,648 --a------ C:\WINDOWS\system32\anxuqrpd.dll
2008-04-11 17:23 . 2008-04-11 17:23 <DIR> d-------- C:\VundoFix Backups
2008-04-11 16:30 . 2008-04-11 16:30 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-04-11 00:35 . 2008-04-11 00:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-11 00:35 . 2008-04-11 00:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-10 03:49 . 2008-04-10 03:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-10 03:43 . 2008-04-10 03:43 98,304 --a------ C:\WINDOWS\system32\fodivmlq.exe
2008-04-10 03:00 . 2008-04-11 01:30 153 --a------ C:\WINDOWS\wininit.ini
2008-04-10 02:01 . 2008-04-10 02:01 <DIR> d-------- C:\WINDOWS\resources
2008-04-10 01:48 . 2008-04-10 01:56 3,064 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-10 01:47 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-10 01:47 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-10 01:47 . 2008-03-29 00:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-10 01:47 . 2008-04-08 22:44 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-10 01:47 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-10 01:47 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-10 01:47 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-10 01:24 . 2008-04-10 01:24 98,304 --a------ C:\WINDOWS\system32\livulode.exe
2008-04-10 01:18 . 2008-04-10 01:18 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-10 00:33 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-04-10 00:33 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-04-10 00:33 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-04-09 23:43 . 2008-04-09 23:43 110,592 --a------ C:\WINDOWS\system32\mxynapwx.exe
2008-04-09 23:43 . 2008-04-09 23:43 2,591 --a------ C:\Program Files\instaler.exe
2008-04-09 22:44 . 2008-04-09 22:44 45,056 --a------ C:\WINDOWS\NCUNINST.EXE
2008-04-09 22:43 . 2008-04-09 22:43 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2008-04-09 22:43 . 2008-04-09 22:43 52 --a------ C:\WINDOWS\intuprof.ini
2008-04-09 22:41 . 2008-04-09 22:43 665 --a------ C:\WINDOWS\QUICKEN.INI
2008-04-09 22:40 . 2008-04-09 22:40 <DIR> d-------- C:\Program Files\Common Files\Intuit
2008-04-09 22:39 . 2008-04-09 22:43 <DIR> d-------- C:\Program Files\Quicken
2008-04-07 23:39 . 2008-04-10 01:37 <DIR> d-------- C:\Program Files\Cadsoft
2008-04-07 23:39 . 2008-04-07 23:39 0 --a------ C:\WINDOWS\system32\_r_a_p_.tmp
2008-04-06 19:45 . 2008-04-06 19:45 <DIR> d-------- C:\Documents and Settings\Taylor\Application Data\Yahoo!
2008-04-03 23:44 . 2008-04-03 23:44 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-03 22:33 . 2008-04-10 00:30 <DIR> d-------- C:\Program Files\Symantec
2008-04-03 22:33 . 2008-04-10 00:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-03 22:33 . 2008-04-03 23:36 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-03 22:33 . 2008-04-03 23:36 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-03 22:33 . 2008-04-03 23:36 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-04-03 22:33 . 2008-04-03 23:36 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-04-03 22:32 . 2008-04-11 20:15 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-03 16:42 . 2008-04-06 09:57 <DIR> d-------- C:\Documents and Settings\Sarah\Application Data\Yahoo!
2008-04-03 16:38 . 2008-04-03 16:39 <DIR> d-------- C:\Documents and Settings\Sarah\Application Data\AVG7
2008-04-01 18:05 . 2008-04-03 21:43 <DIR> d-------- C:\Documents and Settings\Carissa\Application Data\Yahoo!
2008-04-01 18:03 . 2008-04-01 18:03 <DIR> d-------- C:\Documents and Settings\Carissa\Application Data\Apple Computer
2008-04-01 18:02 . 2008-04-03 21:29 <DIR> d-------- C:\Documents and Settings\Carissa\Application Data\AVG7
2008-03-31 21:12 . 2008-03-31 21:12 <DIR> d-------- C:\WINDOWS\Sun
2008-03-31 21:11 . 2008-03-31 21:11 <DIR> d-------- C:\Program Files\Java
2008-03-31 21:11 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-31 21:07 . 2008-03-31 21:07 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-31 21:02 . 2008-03-31 21:09 <DIR> d-------- C:\Documents and Settings\Gary\Application Data\Yahoo!
2008-03-31 20:57 . 2008-04-11 20:22 6,944 --a------ C:\Documents and Settings\All Users\Application Data\ypinfo.bin
2008-03-31 20:56 . 2008-03-31 20:56 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2008-03-31 20:56 . 2008-03-31 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\YAHOO
2008-03-31 20:52 . 2004-10-25 15:18 131,072 --a------ C:\WINDOWS\system32\ypclsp.dll
2008-03-31 20:52 . 2003-05-19 16:07 86,016 --a------ C:\WINDOWS\system32\YPcservice.exe
2008-03-31 20:20 . 2008-03-31 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-31 20:19 . 2008-04-03 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yahoo!
2008-03-31 20:18 . 2002-01-05 07:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-03-31 20:18 . 2002-01-05 06:18 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2008-03-31 20:18 . 2001-10-11 11:26 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
2008-03-27 01:56 . 2008-03-27 02:02 <DIR> d-------- C:\Documents and Settings\Gary\Application Data\parentalcontrol
2008-03-27 01:37 . 2008-03-27 01:38 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-27 01:37 . 2008-03-27 01:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-27 01:15 . 2008-03-27 01:15 <DIR> d-------- C:\Documents and Settings\Gary\Application Data\GTek
2008-03-27 01:15 . 2008-03-27 01:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gtek
2008-03-27 00:05 . 2008-04-03 17:36 <DIR> d-------- C:\Documents and Settings\Gary\Application Data\AVG7
2008-03-27 00:04 . 2008-03-27 00:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-27 00:04 . 2008-04-03 22:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-26 22:23 . 2008-03-27 01:30 <DIR> d-------- C:\Program Files\Google
2008-03-26 22:23 . 2008-04-11 00:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-26 22:01 . 2008-03-26 22:01 <DIR> d--hs---- C:\Documents and Settings\Gary\UserData
2008-03-24 14:08 . 2008-03-24 14:08 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-24 11:11 . 2008-04-09 17:48 <DIR> d-------- C:\Documents and Settings\Sarah\Application Data\AdobeUM
2008-03-20 22:12 . 2008-03-20 22:12 <DIR> d-------- C:\Documents and Settings\Sarah\Application Data\Ahead
2008-03-19 22:59 . 2008-03-19 23:03 2,048 --a------ C:\WINDOWS\system32\win32xml.TX1
2008-03-19 22:49 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-19 22:30 . 2008-03-19 22:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA-SupportBridge
2008-03-19 22:23 . 2008-03-31 20:57 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-19 22:23 . 2008-03-19 22:25 <DIR> d-------- C:\Program Files\Rogers
2008-03-15 23:26 . 2008-03-15 23:26 <DIR> d-------- C:\Documents and Settings\Gary\Application Data\Ahead
2008-03-15 23:26 . 2008-03-26 07:53 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-15 23:25 . 2008-03-15 23:25 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-03-15 23:22 . 2008-03-15 23:22 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-03-15 23:22 . 2001-07-09 12:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-03-15 23:21 . 2005-07-06 11:12 2,973,696 --------- C:\WINDOWS\UNNeroVision.exe
2008-03-15 23:21 . 2005-10-24 10:23 192,817 --------- C:\WINDOWS\UNNeroVision.cfg
2008-03-15 23:21 . 2002-02-21 18:56 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-03-15 23:20 . 2008-03-15 23:20 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-03-15 23:20 . 2008-03-15 23:22 <DIR> d-------- C:\Program Files\Ahead
2008-03-15 23:20 . 2008-03-15 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-15 23:20 . 2004-07-26 18:16 1,568,768 --a------ C:\WINDOWS\system32\ImagX7.dll
2008-03-15 23:20 . 2004-07-26 18:16 476,320 --a------ C:\WINDOWS\system32\ImagXpr7.dll
2008-03-15 23:20 . 2004-07-26 18:16 471,040 --a------ C:\WINDOWS\system32\ImagXRA7.dll
2008-03-15 23:20 . 2004-07-09 10:43 364,544 --a------ C:\WINDOWS\system32\TwnLib4.dll
2008-03-15 23:20 . 2004-07-26 18:16 262,144 --a------ C:\WINDOWS\system32\ImagXR7.dll
2008-03-15 23:20 . 2000-06-26 12:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-03-15 23:20 . 2001-06-26 09:15 38,912 --a------ C:\WINDOWS\system32\picn20.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 03:31 --------- d-----w C:\Program Files\Dell
2008-04-10 05:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 02:43 --------- d-----w C:\Program Files\UFile 2007
2008-02-12 01:18 5 ----a-w C:\WINDOWS\system32\drivers\DELL_LAT_D600.MRK
2008-02-12 01:18 5 ----a-w C:\WINDOWS\system32\drivers\1028_DELL_LAT_D600.MRK
2008-02-12 01:17 --------- d-----w C:\Documents and Settings\Gary\Application Data\InstallShield
2008-02-12 01:13 --------- d-----w C:\Program Files\Intel
2008-02-12 01:13 --------- d-----w C:\Program Files\Apoint
2008-02-12 01:12 --------- d-----w C:\Program Files\ATI Technologies
2008-02-12 01:10 --------- d-----w C:\Program Files\CONEXANT
2008-02-12 01:09 --------- d-----w C:\Program Files\SigmaTel
2008-02-12 01:08 --------- d-----w C:\Program Files\Modem Helper
2008-02-12 01:08 --------- d-----w C:\Program Files\Digital Line Detect
2008-02-12 01:07 --------- d-----w C:\Program Files\Broadcom Advanced Control Suite
2008-02-12 01:07 --------- d-----w C:\Program Files\Broadcom
2008-02-12 01:06 --------- d-----w C:\Program Files\Common Files\InstallShield
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"RogersAgent"="c:\Program Files\Rogers\SelfHealing\rogersagent.exe" [2007-04-23 16:51 478968]
"SHS"="C:\Program Files\Rogers\SelfHealing\SHS.exe" [2007-10-12 16:30 5166392]
"Update Manager"="C:\Program Files\Rogers\Update Manager\UpdateManager.exe" [2007-10-12 16:30 136504]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-26 22:23 68856]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-09-12 14:04 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2005-12-09 02:30 35328]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 03:46 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 19:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 07:22 267048]
"bascstray"="BascsTray.exe" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 01:05 344064]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 18:13 176128]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-06-29 16:13 1032192]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 22:10 1392640]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 15:42 509224]
"YPC"="C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe" [2005-06-03 16:32 352256]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59 115816]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 03:11 771704]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 02:05:26 29696]
Billminder.lnk - C:\Program Files\Quicken\billmind.exe [2002-11-19 20:03:48 36864]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-02-11 21:08:52 24576]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-03-26 22:23:37 124400]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-11-19 20:04:06 53248]
Quicken Startup.lnk - C:\Program Files\Quicken\QWDLLS.EXE [2002-11-19 20:04:10 36864]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-01-19 23:51:46 118784]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-08-17 13:20:06 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-04-22 01:58]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-03 21:27:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-04 03:23:20 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Gary.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 20:23:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\BAsfIpM.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\Apoint\ApntEx.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\YPCSER~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
.
**************************************************************************
.
Completion time: 2008-04-11 20:25:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-12 00:25:37
Pre-Run: 64,125,345,792 bytes free
Post-Run: 64,052,092,928 bytes free
.
2008-04-09 21:52:24 --- E O F ---

 

[Garyrunningdude]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:18 PM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\YPCSER~1.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Garyrunningdude.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YPC] C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1206583687759
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11159 bytes

 

[Garyrunningdude]

Hi, I noticed the troublesome file was removed by the combifix so thinking that things were fixed I ran a S&D scan and it found none of the previous problems but 3 tracking cookies which I had it fix plus the windows protection was still disabled. I fixed this as well and believe my Norton AV is working again.

I then ran the KOS again and the result was not so good. On the upside the scan took about 1/3 the time it took last time to run. Here is the result of that scan.

KASPERSKY ONLINE SCANNER REPORT
Friday, April 11, 2008 11:22:53 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/04/2008
Kaspersky Anti-Virus database records: 698819


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 40474
Number of viruses found 5
Number of infected objects 7
Number of suspicious objects 0
Duration of the scan process 00:57:52

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-04-11_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\0C4B71F6.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\48CDFCB3.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\6504540C.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\EA65BD76.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped

C:\Documents and Settings\Gary\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Gary\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Gary\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Gary\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Gary\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Gary\Local Settings\History\History.IE5\MSHist012008041120080412\index.dat Object is locked skipped

C:\Documents and Settings\Gary\Local Settings\Temp\Perflib_Perfdata_a04.dat Object is locked skipped

C:\Documents and Settings\Gary\Local Settings\Temp\Perflib_Perfdata_c48.dat Object is locked skipped

C:\Documents and Settings\Gary\Local Settings\Temp\~DFF058.tmp Object is locked skipped

C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Gary\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Gary\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Trend Micro\HijackThis\backups\backup-20080411-133327-958.dll Infected: Packed.Win32.Monder.gen skipped

C:\Program Files\Yahoo!\Messenger\logs\billing_Gary.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\client_Gary.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\network_Gary.log Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\geBuUlLE.dll.vir Infected: Packed.Win32.Monder.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\Web\def.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.c skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{17913FD4-45AD-4887-AA5D-26A9E19EBD19}\RP60\A0013706.dll Infected: Trojan.Win32.Agent.jqa skipped

C:\System Volume Information\_restore{17913FD4-45AD-4887-AA5D-26A9E19EBD19}\RP64\A0015784.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\_restore{17913FD4-45AD-4887-AA5D-26A9E19EBD19}\RP65\A0015970.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{17913FD4-45AD-4887-AA5D-26A9E19EBD19}\RP65\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{B67EC137-E655-4AC2-9156-B2162A99BC22}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\anxuqrpd.dll Infected: Trojan.Win32.KillAV.rf skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

 

[pskelley]

Post only the information I request please, when I need to see a KOS I will ask for it.

Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\anxuqrpd.dll
C:\WINDOWS\system32\fodivmlq.exe
C:\WINDOWS\system32\mxynapwx.exe
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080411-133327-958.dll

Folder::
C:\VundoFix Backups

Save this as CFScript

Refering to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Once that is complete, see this:
I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.

If you decide to install Recovery Console, once the installation is complete, post the contents of the text file: Log from combofix for installing recovery console.

Thanks

 

[Garyrunningdude]

ComboFix 08-04-11.5 - Gary 2008-04-12 12:30:48.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.584 [GMT -4:00]
Running from: C:\Documents and Settings\Gary\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Gary\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080411-133327-958.dll
C:\WINDOWS\system32\anxuqrpd.dll
C:\WINDOWS\system32\fodivmlq.exe
C:\WINDOWS\system32\mxynapwx.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Trend Micro\HijackThis\backups\backup-20080411-133327-958.dll
C:\VundoFix Backups
C:\WINDOWS\system32\anxuqrpd.dll
C:\WINDOWS\system32\fodivmlq.exe
C:\WINDOWS\system32\mxynapwx.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
.

2008-04-11 22:20 . 2008-04-11 22:20 50 --a------ C:\WINDOWS\qwimp.ini
2008-04-11 16:30 . 2008-04-11 16:30 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-04-11 00:35 . 2008-04-11 00:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-11 00:35 . 2008-04-11 00:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-10 03:49 . 2008-04-10 03:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-10 03:00 . 2008-04-11 01:30 153 --a------ C:\WINDOWS\wininit.ini
2008-04-10 02:01 . 2008-04-10 02:01 <DIR> d-------- C:\WINDOWS\resources
2008-04-10 01:48 . 2008-04-10 01:56 3,064 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-10 01:47 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-10 01:47 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-10 01:47 . 2008-03-29 00:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-10 01:47 . 2008-04-08 22:44 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-10 01:47 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-10 01:47 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-10 01:47 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-10 01:24 . 2008-04-10 01:24 98,304 --a------ C:\WINDOWS\system32\livulode.exe
2008-04-10 01:18 . 2008-04-10 01:18 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-10 00:33 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-04-10 00:33 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-04-10 00:33 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-04-09 23:43 . 2008-04-09 23:43 2,591 --a------ C:\Program Files\instaler.exe
2008-04-09 22:44 . 2008-04-09 22:44 45,056 --a------ C:\WINDOWS\NCUNINST.EXE
2008-04-09 22:43 . 2008-04-09 22:43 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2008-04-09 22:43 . 2008-04-09 22:43 52 --a------ C:\WINDOWS\intuprof.ini
2008-04-09 22:41 . 2008-04-11 22:20 783 --a------ C:\WINDOWS\QUICKEN.INI
2008-04-09 22:40 . 2008-04-09 22:40 <DIR> d-------- C:\Program Files\Common Files\Intuit
2008-04-09 22:39 . 2008-04-11 22:20 <DIR> d-------- C:\Program Files\Quicken
2008-04-07 23:39 . 2008-04-10 01:37 <DIR> d-------- C:\Program Files\Cadsoft
2008-04-07 23:39 . 2008-04-07 23:39 0 --a------ C:\WINDOWS\system32\_r_a_p_.tmp
2008-04-06 19:45 . 2008-04-06 19:45 <DIR> d-------- C:\Documents and Settings\Taylor\Application Data\Yahoo!
2008-04-03 23:44 . 2008-04-03 23:44 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-03 22:33 . 2008-04-10 00:30 <DIR> d-------- C:\Program Files\Symantec
2008-04-03 22:33 . 2008-04-10 00:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-03 22:33 . 2008-04-03 23:36 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-03 22:33 . 2008-04-03 23:36 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-03 22:33 . 2008-04-03 23:36 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-04-03 22:33 . 2008-04-03 23:36 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-04-03 22:32 . 2008-04-11 21:35 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-03 16:42 . 2008-04-06 09:57 <DIR> d-------- C:\Documents and Settings\Sarah\Application Data\Yahoo!
2008-04-03 16:38 . 2008-04-03 16:39 <DIR> d-------- C:\Documents and Settings\Sarah\Application Data\AVG7
2008-04-01 18:05 . 2008-04-03 21:43 <DIR> d-------- C:\Documents and Settings\Carissa\Application Data\Yahoo!
2008-04-01 18:03 . 2008-04-01 18:03 <DIR> d-------- C:\Documents and Settings\Carissa\Application Data\Apple Computer
2008-04-01 18:02 . 2008-04-03 21:29 <DIR> d-------- C:\Documents and Settings\Carissa\Application Data\AVG7
2008-03-31 21:12 . 2008-03-31 21:12 <DIR> d-------- C:\WINDOWS\Sun
2008-03-31 21:11 . 2008-03-31 21:11 <DIR> d-------- C:\Program Files\Java
2008-03-31 21:11 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-31 21:07 . 2008-03-31 21:07 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-31 21:02 . 2008-03-31 21:09 <DIR> d-------- C:\Documents and Settings\Gary\Application Data\Yahoo!
2008-03-31 20:57 . 2008-04-11 20:22 6,944 --a------ C:\Documents and Settings\All Users\Application Data\ypinfo.bin
2008-03-31 20:56 . 2008-03-31 20:56 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2008-03-31 20:56 . 2008-03-31 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\YAHOO
2008-03-31 20:52 . 2004-10-25 15:18 131,072 --a------ C:\WINDOWS\system32\ypclsp.dll
2008-03-31 20:52 . 2003-05-19 16:07 86,016 --a------ C:\WINDOWS\system32\YPcservice.exe
2008-03-31 20:20 . 2008-03-31 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-31 20:19 . 2008-04-03 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yahoo!
2008-03-31 20:18 . 2002-01-05 07:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-03-31 20:18 . 2002-01-05 06:18 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2008-03-31 20:18 . 2001-10-11 11:26 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
2008-03-27 01:56 . 2008-03-27 02:02 <DIR> d-------- C:\Documents and Settings\Gary\Application Data\parentalcontrol
2008-03-27 01:37 . 2008-03-27 01:38 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-27 01:37 . 2008-03-27 01:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-27 01:15 . 2008-03-27 01:15 <DIR> d-------- C:\Documents and Settings\Gary\Application Data\GTek
2008-03-27 01:15 . 2008-03-27 01:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gtek
2008-03-27 00:05 . 2008-04-03 17:36 <DIR> d-------- C:\Documents and Settings\Gary\Application Data\AVG7
2008-03-27 00:04 . 2008-03-27 00:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-27 00:04 . 2008-04-03 22:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-26 22:23 . 2008-03-27 01:30 <DIR> d-------- C:\Program Files\Google
2008-03-26 22:23 . 2008-04-12 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-26 22:01 . 2008-03-26 22:01 <DIR> d--hs---- C:\Documents and Settings\Gary\UserData
2008-03-24 14:08 . 2008-03-24 14:08 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-24 11:11 . 2008-04-09 17:48 <DIR> d-------- C:\Documents and Settings\Sarah\Application Data\AdobeUM
2008-03-20 22:12 . 2008-03-20 22:12 <DIR> d-------- C:\Documents and Settings\Sarah\Application Data\Ahead
2008-03-19 22:59 . 2008-03-19 23:03 2,048 --a------ C:\WINDOWS\system32\win32xml.TX1
2008-03-19 22:49 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-19 22:30 . 2008-03-19 22:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA-SupportBridge
2008-03-19 22:23 . 2008-03-31 20:57 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-19 22:23 . 2008-03-19 22:25 <DIR> d-------- C:\Program Files\Rogers
2008-03-15 23:26 . 2008-03-15 23:26 <DIR> d-------- C:\Documents and Settings\Gary\Application Data\Ahead
2008-03-15 23:26 . 2008-03-26 07:53 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-15 23:25 . 2008-03-15 23:25 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-03-15 23:22 . 2008-03-15 23:22 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-03-15 23:22 . 2001-07-09 12:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-03-15 23:21 . 2005-07-06 11:12 2,973,696 --------- C:\WINDOWS\UNNeroVision.exe
2008-03-15 23:21 . 2005-10-24 10:23 192,817 --------- C:\WINDOWS\UNNeroVision.cfg
2008-03-15 23:21 . 2002-02-21 18:56 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-03-15 23:20 . 2008-03-15 23:20 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-03-15 23:20 . 2008-03-15 23:22 <DIR> d-------- C:\Program Files\Ahead
2008-03-15 23:20 . 2008-03-15 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-15 23:20 . 2004-07-26 18:16 1,568,768 --a------ C:\WINDOWS\system32\ImagX7.dll
2008-03-15 23:20 . 2004-07-26 18:16 476,320 --a------ C:\WINDOWS\system32\ImagXpr7.dll
2008-03-15 23:20 . 2004-07-26 18:16 471,040 --a------ C:\WINDOWS\system32\ImagXRA7.dll
2008-03-15 23:20 . 2004-07-09 10:43 364,544 --a------ C:\WINDOWS\system32\TwnLib4.dll
2008-03-15 23:20 . 2004-07-26 18:16 262,144 --a------ C:\WINDOWS\system32\ImagXR7.dll
2008-03-15 23:20 . 2000-06-26 12:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-03-15 23:20 . 2001-06-26 09:15 38,912 --a------ C:\WINDOWS\system32\picn20.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 03:31 --------- d-----w C:\Program Files\Dell
2008-04-10 05:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 02:43 --------- d-----w C:\Program Files\UFile 2007
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-12 01:18 5 ----a-w C:\WINDOWS\system32\drivers\DELL_LAT_D600.MRK
2008-02-12 01:18 5 ----a-w C:\WINDOWS\system32\drivers\1028_DELL_LAT_D600.MRK
2008-02-12 01:17 --------- d-----w C:\Documents and Settings\Gary\Application Data\InstallShield
2008-02-12 01:13 --------- d-----w C:\Program Files\Intel
2008-02-12 01:13 --------- d-----w C:\Program Files\Apoint
2008-02-12 01:12 --------- d-----w C:\Program Files\ATI Technologies
2008-02-12 01:10 --------- d-----w C:\Program Files\CONEXANT
2008-02-12 01:09 --------- d-----w C:\Program Files\SigmaTel
2008-02-12 01:08 --------- d-----w C:\Program Files\Modem Helper
2008-02-12 01:08 --------- d-----w C:\Program Files\Digital Line Detect
2008-02-12 01:07 --------- d-----w C:\Program Files\Broadcom Advanced Control Suite
2008-02-12 01:07 --------- d-----w C:\Program Files\Broadcom
2008-02-12 01:06 --------- d-----w C:\Program Files\Common Files\InstallShield
.

((((((((((((((((((((((((((((( snapshot@2008-04-11_20.25.19.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-11-11 05:52:50 237,568 ----a-w C:\WINDOWS\system32\ati2cqag.dll
+ 2004-06-11 01:25:26 229,376 ----a-w C:\WINDOWS\system32\ati2cqag.dll
- 2005-11-11 06:49:44 252,416 ----a-w C:\WINDOWS\system32\ati2dvag.dll
+ 2004-06-11 02:57:24 207,360 ----a-w C:\WINDOWS\system32\ati2dvag.dll
- 2005-11-11 06:44:24 40,960 ----a-w C:\WINDOWS\system32\ati2edxx.dll
+ 2004-06-11 02:46:52 30,720 ----a-w C:\WINDOWS\system32\ati2edxx.dll
- 2005-11-11 06:44:14 47,616 ----a-w C:\WINDOWS\system32\ati2evxx.dll
+ 2004-06-11 02:46:34 86,016 ----a-w C:\WINDOWS\system32\ati2evxx.dll
- 2005-11-11 06:43:12 389,120 ----a-w C:\WINDOWS\system32\ati2evxx.exe
+ 2004-06-11 02:44:56 376,832 ----a-w C:\WINDOWS\system32\ati2evxx.exe
- 2005-11-11 06:44:30 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
+ 2004-06-11 02:47:00 65,536 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
- 2005-11-11 06:35:36 2,516,992 ----a-w C:\WINDOWS\system32\ati3duag.dll
+ 2004-06-11 02:31:30 2,155,680 ----a-w C:\WINDOWS\system32\ati3duag.dll
- 2005-11-11 06:42:48 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
+ 2004-06-11 02:44:28 81,920 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
- 2005-11-11 08:56:48 258,048 ----a-w C:\WINDOWS\system32\ATIDEMGR.dll
+ 2004-06-11 05:27:12 131,072 ----a-w C:\WINDOWS\system32\ATIDEMGR.dll
- 2005-11-11 09:34:30 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
+ 2004-06-11 05:54:10 294,912 ----a-w C:\WINDOWS\system32\atiiiexx.dll
- 2005-11-11 07:04:28 4,956,160 ----a-w C:\WINDOWS\system32\atioglxx.dll
+ 2004-06-11 03:43:20 6,524,928 ----a-w C:\WINDOWS\system32\atioglxx.dll
- 2005-11-11 06:44:48 110,592 ----a-w C:\WINDOWS\system32\atipdlxx.dll
+ 2004-06-11 02:47:28 118,784 ----a-w C:\WINDOWS\system32\atipdlxx.dll
- 2005-11-11 05:58:04 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
+ 2004-06-11 01:35:48 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
- 2005-11-11 06:29:52 1,090,240 ----a-w C:\WINDOWS\system32\ativvaxx.dll
+ 2004-06-11 01:51:36 518,240 ----a-w C:\WINDOWS\system32\ativvaxx.dll
- 2005-11-11 06:49:24 1,406,464 -c--a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
+ 2004-06-11 02:57:04 746,496 -c--a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
- 2005-11-11 06:49:24 1,406,464 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
+ 2004-06-11 02:57:04 746,496 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
- 2005-11-11 06:44:36 73,728 ----a-w C:\WINDOWS\system32\Oemdspif.dll
+ 2004-06-11 02:47:12 102,400 ----a-w C:\WINDOWS\system32\Oemdspif.dll
+ 2005-11-11 05:52:50 237,568 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\ati2cqag.dll
+ 2005-11-11 06:49:44 252,416 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\ati2dvag.dll
+ 2005-11-11 06:44:24 40,960 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\ati2edxx.dll
+ 2005-11-11 05:57:20 40,960 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\ati2erec.dll
+ 2005-11-11 06:44:14 47,616 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\ati2evxx.dll
+ 2005-11-11 06:43:12 389,120 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\ati2evxx.exe
+ 2005-11-11 06:44:30 26,112 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\Ati2mdxx.exe
+ 2005-11-11 06:49:24 1,406,464 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\ati2mtag.sys
+ 2005-11-11 06:35:36 2,516,992 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\ati3duag.dll
+ 2005-11-11 06:42:48 53,248 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\ATIDDC.DLL
+ 2005-11-11 08:56:48 258,048 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\ATIDEMGR.dll
+ 2005-09-14 18:13:38 104,376 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\atiicdxx.dat
+ 2005-11-11 09:34:30 307,200 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\atiiiexx.dll
+ 2005-11-11 06:17:06 151,552 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\atikvmag.dll
+ 2005-11-11 08:09:44 6,684,672 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\atioglx1.dll
+ 2005-11-11 07:04:28 4,956,160 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\atioglxx.dll
+ 2005-11-11 06:44:48 110,592 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\atipdlxx.dll
+ 2005-11-11 05:58:04 17,408 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\atitvo32.dll
+ 2001-11-09 19:01:04 24,064 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\ativcoxx.dll
+ 2005-11-11 06:29:52 1,090,240 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\ativvaxx.dll
+ 2005-11-11 06:44:36 73,728 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\Oemdspif.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"RogersAgent"="c:\Program Files\Rogers\SelfHealing\rogersagent.exe" [2007-04-23 16:51 478968]
"SHS"="C:\Program Files\Rogers\SelfHealing\SHS.exe" [2007-10-12 16:30 5166392]
"Update Manager"="C:\Program Files\Rogers\Update Manager\UpdateManager.exe" [2007-10-12 16:30 136504]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-26 22:23 68856]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-09-12 14:04 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2005-12-09 02:30 35328]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 03:46 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 19:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 07:22 267048]
"bascstray"="BascsTray.exe" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 21:10 339968]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 18:13 176128]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-06-29 16:13 1032192]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 22:10 1392640]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 15:42 509224]
"YPC"="C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe" [2005-06-03 16:32 352256]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59 115816]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 03:11 771704]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 02:05:26 29696]
Billminder.lnk - C:\Program Files\Quicken\billmind.exe [2002-11-19 20:03:48 36864]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-02-11 21:08:52 24576]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-03-26 22:23:37 124400]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-11-19 20:04:06 53248]
Quicken Startup.lnk - C:\Program Files\Quicken\QWDLLS.EXE [2002-11-19 20:04:10 36864]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-01-19 23:51:46 118784]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-08-17 13:20:06 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-04-22 01:58]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-03 21:27:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-04 03:23:20 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Gary.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 12:32:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-04-12 12:33:11
ComboFix-quarantined-files.txt 2008-04-12 16:32:54
ComboFix2.txt 2008-04-12 00:25:51
Pre-Run: 63,913,345,024 bytes free
Post-Run: 63,903,412,224 bytes free
.
2008-04-09 21:52:24 --- E O F ---

 

[pskelley]

If you wish to install Recovery Console, do it now before you remove the tools we used.

Uninstall combofix, the C:\qoobox\quarantine\ folder and Vundofix from your computer, run a last Kaspersky Online Scan using these settings:

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

 

[Garyrunningdude]

I have installed the recovery console.

I read on another thread that the reason there are so many malware programs and viruses is that the people that write them make money from this. Who pays them to write this crap?

 

[Garyrunningdude]

How do I uninstall combofix, do I just delete it and the quarantine folder? Also delete from recycle bin?

 

[pskelley]

Yes, right click and choose delete.

Thanks

 

[Garyrunningdude]

KASPERSKY ONLINE SCANNER REPORT
Saturday, April 12, 2008 2:09:31 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/04/2008
Kaspersky Anti-Virus database records: 628155


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 47102
Number of viruses found 3
Number of infected objects 4
Number of suspicious objects 0
Duration of the scan process 01:06:29

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-04-12_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\380C7F6B.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\EE326DAD.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped

C:\Documents and Settings\Gary\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Gary\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Gary\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Gary\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Gary\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Gary\Local Settings\History\History.IE5\MSHist012008041220080413\index.dat Object is locked skipped

C:\Documents and Settings\Gary\Local Settings\Temp\Perflib_Perfdata_898.dat Object is locked skipped

C:\Documents and Settings\Gary\Local Settings\Temp\Perflib_Perfdata_df0.dat Object is locked skipped

C:\Documents and Settings\Gary\Local Settings\Temp\~DF551D.tmp Object is locked skipped

C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Gary\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Gary\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\billing_Gary.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\client_Gary.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\network_Gary.log Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{17913FD4-45AD-4887-AA5D-26A9E19EBD19}\RP60\A0013706.dll Infected: Trojan.Win32.Agent.jqa skipped

C:\System Volume Information\_restore{17913FD4-45AD-4887-AA5D-26A9E19EBD19}\RP65\A0015970.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{17913FD4-45AD-4887-AA5D-26A9E19EBD19}\RP66\A0016220.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{17913FD4-45AD-4887-AA5D-26A9E19EBD19}\RP66\A0016221.dll Infected: Trojan.Win32.KillAV.rf skipped

C:\System Volume Information\_restore{17913FD4-45AD-4887-AA5D-26A9E19EBD19}\RP66\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{7E980DF7-8780-42CF-8102-5913933088CA}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

 

[pskelley]

All items are infected System Restore files, follow these directions.

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.