Virtumonde also, No surprise.

Status
Not open for further replies.
J

jappee

New member
Hello, as per advice provided by spybot. I seek assistance to remove Virtumonde.exe(and .dll) from this system. I can barely browse here to post this. browser hijacked, popups, redirects etc. Scanned and fixed with spybot and antivirus both n-teen times all not making any difference. Here's a current HJT Log: And TIA!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:45 AM, on 9/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
E:\Program Files\Nero 8\InCD\InCDsrv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Nero 8\Nero BackItUp\NBService.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\SearchIndexer.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\rundll32.exe
E:\DOWNLOADS\FirefoxPortable\App\firefox\firefox.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - D:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [osCheck] "D:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [BM1b06d307] Rundll32.exe "D:\WINDOWS\system32\lkpcrnba.dll",s
O4 - HKLM\..\Run: [185b3ca4] rundll32.exe "D:\WINDOWS\system32\vrrfrust.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA7444] command /c del "D:\WINDOWS\system32\ddcCRKBu.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3530] cmd /c del "D:\WINDOWS\system32\ddcCRKBu.dll"
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services6] dllhosts.exe
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Windows Search.lnk.disabled
O8 - Extra context menu item: &Winamp Search - D:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://D:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219943999875
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://photoservices.van.fedex.com/software/ImageUploader4.cab
O20 - AppInit_DLLs: odbsqm.dll
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Program Files\Nero 8\InCD\InCDsrv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - E:\Program Files\Nero 8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - D:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 7779 bytes
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
Please do not start more than one topic for the same computer, during the same period. It will either be removed, or merged with your original thread.
Posting additional comments or logs before a volunteer responds, can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count. The same applies to bumping, please don't.
Click to expand...
Since you are a new member, I will trash those mistakes you make, please read the directions so it does not happen again.

If you still want help, we will start like this:

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Thanks
 
combofix & HJT logs

Hello pskelley,

I appreciate your consideration in my oversight in following directions. I will take greater care in adhering to them.

The combofix, hjt logs:


ComboFix 08-09-24.08 - Cathy 2008-09-24 19:15:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.543 [GMT -7:00]
Running from: D:\Documents and Settings\Cathy\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\Cathy\Cookies\cathy@clicktorrent[2].txt
D:\Documents and Settings\Cathy\Cookies\cathy@ehg.fedex[2].txt
D:\Documents and Settings\Cathy\Cookies\cathy@photobucket[1].txt
D:\WINDOWS\BM1b06d307.txt
D:\WINDOWS\BM1b06d307.xml
D:\WINDOWS\system32\abmdpbvk.ini
D:\WINDOWS\system32\acusbqad.ini
D:\WINDOWS\system32\anhqietv.ini
D:\WINDOWS\system32\aqctsrih.ini
D:\WINDOWS\system32\bchdopuc.ini
D:\WINDOWS\system32\cbjfpohj.ini
D:\WINDOWS\system32\cqgsgsrd.ini
D:\WINDOWS\system32\ddcCRKBu.dll
D:\WINDOWS\system32\drimfhxv.ini
D:\WINDOWS\system32\janrtfcu.ini
D:\WINDOWS\system32\jkkiFwTn.dll
D:\WINDOWS\system32\lnxmhabb.ini
D:\WINDOWS\system32\lsqfbrlq.ini
D:\WINDOWS\system32\mcrh.tmp
D:\WINDOWS\system32\mhelpyof.ini
D:\WINDOWS\system32\micr0st.dll
D:\WINDOWS\system32\mmhmctgx.ini
D:\WINDOWS\system32\mqbjvlji.ini
D:\WINDOWS\system32\myqybmoo.ini
D:\WINDOWS\system32\qoMgghEv.dll
D:\WINDOWS\system32\sfgyqghc.ini
D:\WINDOWS\system32\tmvasnbq.ini
D:\WINDOWS\system32\tsurfrrv.ini
D:\WINDOWS\system32\uddqypln.ini
D:\WINDOWS\system32\ulnnvjah.ini
D:\WINDOWS\system32\vEhggMoq.ini
D:\WINDOWS\system32\vEhggMoq.ini2
D:\WINDOWS\system32\vnromrdb.ini
D:\WINDOWS\system32\vqttrfhv.ini
D:\WINDOWS\system32\wdmexceu.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-25 to 2008-09-25 )))))))))))))))))))))))))))))))
.

2008-09-24 19:27 . 2008-09-24 19:27 233 ---hs---- D:\WINDOWS\system32\uddqypln.ini
2008-09-24 02:26 . 2008-09-24 02:26 116,224 --a------ D:\WINDOWS\system32\wvcyne.dll
2008-09-24 02:25 . 2008-09-24 02:26 116,224 --a------ D:\WINDOWS\system32\hgphaskn.dll
2008-09-24 02:23 . 2008-09-24 02:23 89,600 --a------ D:\WINDOWS\system32\nlpyqddu.dll
2008-09-23 15:15 . 2008-09-23 15:15 111,616 --a------ D:\WINDOWS\system32\xtvgdr.dll
2008-09-23 15:15 . 2008-09-23 15:15 111,616 --a------ D:\WINDOWS\system32\boefbukl.dll
2008-09-23 15:09 . 2008-09-23 15:09 97,280 --a------ D:\WINDOWS\system32\wokvmiwq.dll
2008-09-23 15:03 . 2008-09-23 15:03 111,616 --a------ D:\WINDOWS\system32\yefefg.dll
2008-09-23 15:03 . 2008-09-23 15:03 111,616 --a------ D:\WINDOWS\system32\bksfsecj.dll
2008-09-23 14:54 . 2008-09-23 14:54 97,280 --a------ D:\WINDOWS\system32\hlchveqy.dll
2008-09-23 11:51 . 2008-09-23 11:51 111,616 --a------ D:\WINDOWS\system32\iiqlmmdk.dll
2008-09-23 11:51 . 2008-09-23 11:51 111,616 --a------ D:\WINDOWS\system32\eqdeby.dll
2008-09-23 11:45 . 2008-09-23 11:45 97,280 --a------ D:\WINDOWS\system32\bxaggbcb.dll
2008-09-23 10:03 . 2008-09-23 10:03 111,616 --a------ D:\WINDOWS\system32\woqaaknp.dll
2008-09-23 10:03 . 2008-09-23 10:03 111,616 --a------ D:\WINDOWS\system32\dxybpo.dll
2008-09-23 09:57 . 2008-09-23 09:57 97,280 --a------ D:\WINDOWS\system32\xstxaivr.dll
2008-09-22 22:00 . 2008-09-22 21:59 113,152 --a------ D:\WINDOWS\system32\egxhnt.dll
2008-09-22 21:59 . 2008-09-22 21:59 113,152 --a------ D:\WINDOWS\system32\imxvwjga.dll
2008-09-22 05:39 . 2008-09-22 05:39 113,152 --a------ D:\WINDOWS\system32\odbsqm.dll
2008-09-22 05:39 . 2008-09-22 05:39 113,152 --a------ D:\WINDOWS\system32\khslpcru.dll
2008-09-22 04:02 . 2008-09-22 04:02 113,152 --a------ D:\WINDOWS\system32\xqphva.dll
2008-09-22 04:02 . 2008-09-22 04:02 113,152 --a------ D:\WINDOWS\system32\ngqynkqw.dll
2008-09-22 03:56 . 2008-09-22 03:56 99,328 --a------ D:\WINDOWS\system32\aapdmxhx.dll
2008-09-21 15:25 . 2008-09-21 15:25 113,152 --a------ D:\WINDOWS\system32\rsaawobq.dll
2008-09-21 15:25 . 2008-09-21 15:25 113,152 --a------ D:\WINDOWS\system32\pfcgll.dll
2008-09-21 13:14 . 2008-09-21 13:14 113,152 --a------ D:\WINDOWS\system32\ikaqdelc.dll
2008-09-21 13:14 . 2008-09-21 13:14 113,152 --a------ D:\WINDOWS\system32\fhfvtt.dll
2008-09-21 11:06 . 2008-09-21 11:06 113,152 --a------ D:\WINDOWS\system32\etetlw.dll
2008-09-21 11:06 . 2008-09-21 11:06 113,152 --a------ D:\WINDOWS\system32\cuwvttes.dll
2008-09-21 11:04 . 2008-09-21 11:04 97,792 --a------ D:\WINDOWS\system32\juabmtoa.dll
2008-09-21 04:10 . 2008-09-21 04:10 113,152 --a------ D:\WINDOWS\system32\rorowjpx.dll
2008-09-21 04:10 . 2008-09-21 04:10 113,152 --a------ D:\WINDOWS\system32\hrdovv.dll
2008-09-21 04:05 . 2008-09-21 04:05 90,624 --a------ D:\WINDOWS\system32\hajvnnlu.dll
2008-09-21 00:07 . 2008-09-21 00:07 113,152 --a------ D:\WINDOWS\system32\txtysy.dll
2008-09-21 00:07 . 2008-09-21 00:07 113,152 --a------ D:\WINDOWS\system32\lyvoqncq.dll
2008-09-21 00:04 . 2008-09-21 00:04 90,624 --a------ D:\WINDOWS\system32\qbnsavmt.dll
2008-09-21 00:02 . 2008-09-21 00:02 97,792 --a------ D:\WINDOWS\system32\vbxpefsr.dll
2008-09-20 21:09 . 2008-09-20 21:09 114,688 --a------ D:\WINDOWS\system32\ubirgjfw.dll
2008-09-20 21:09 . 2008-09-20 21:09 114,688 --a------ D:\WINDOWS\system32\dbeetm.dll
2008-09-20 21:06 . 2008-09-20 21:06 92,672 --a------ D:\WINDOWS\system32\chgqygfs.dll
2008-09-20 21:03 . 2008-09-20 21:03 97,280 --a------ D:\WINDOWS\system32\qrbwsnrw.dll
2008-09-20 17:40 . 2008-09-20 17:40 114,688 --a------ D:\WINDOWS\system32\qgqglmgt.dll
2008-09-20 17:40 . 2008-09-20 17:40 114,688 --a------ D:\WINDOWS\system32\kakeja.dll
2008-09-20 17:34 . 2008-09-20 17:34 97,280 --a------ D:\WINDOWS\system32\rcuneqnh.dll
2008-09-20 07:56 . 2008-09-20 07:56 <DIR> d-------- D:\Program Files\Trend Micro
2008-09-20 07:49 . 2008-09-20 07:49 114,688 --a------ D:\WINDOWS\system32\noukxeav.dll
2008-09-20 07:49 . 2008-09-20 07:49 114,688 --a------ D:\WINDOWS\system32\gmboew.dll
2008-09-20 07:46 . 2008-09-20 07:46 97,280 --a------ D:\WINDOWS\system32\qhyfxlab.dll
2008-09-20 04:56 . 2008-09-24 01:03 736 --a------ D:\WINDOWS\wininit.ini
2008-09-19 20:36 . 2008-09-19 20:36 255,488 --a------ D:\WINDOWS\system32\hgGwtuTJ.dll
2008-09-19 16:42 . 2008-09-19 16:42 112,640 --a------ D:\WINDOWS\system32\jicrei.dll
2008-09-19 16:42 . 2008-09-19 16:42 112,640 --a------ D:\WINDOWS\system32\hpypvecu.dll
2008-09-19 16:42 . 2008-09-19 16:42 97,280 --a------ D:\WINDOWS\system32\dslglpgb.dll
2008-09-19 16:42 . 2008-09-19 16:42 88,064 --a------ D:\WINDOWS\system32\foyplehm.dll
2008-09-19 14:12 . 2008-09-19 14:12 114,708 --a------ D:\WINDOWS\system32\phaollkn.exe
2008-09-19 14:12 . 2008-09-19 14:12 112,640 --a------ D:\WINDOWS\system32\vmivpv.dll
2008-09-19 14:12 . 2008-09-19 14:12 112,640 --a------ D:\WINDOWS\system32\hnvjhsri.dll
2008-09-19 14:11 . 2008-09-19 14:11 97,280 --a------ D:\WINDOWS\system32\cpjtlvmn.dll
2008-09-18 23:27 . 2008-09-18 23:27 114,708 --a------ D:\WINDOWS\system32\taybldlt.exe
2008-09-18 23:24 . 2008-09-18 23:24 112,640 --a------ D:\WINDOWS\system32\wstuqroj.dll
2008-09-18 23:24 . 2008-09-18 23:24 112,640 --a------ D:\WINDOWS\system32\bpfbhp.dll
2008-09-18 23:21 . 2008-09-18 23:21 97,280 --a------ D:\WINDOWS\system32\rwaaleiu.dll
2008-09-18 23:08 . 2008-09-18 23:08 112,640 --a------ D:\WINDOWS\system32\zwsmgd.dll
2008-09-18 23:08 . 2008-09-18 23:08 112,640 --a------ D:\WINDOWS\system32\hokxfecd.dll
2008-09-18 23:08 . 2008-09-18 23:08 97,280 --a------ D:\WINDOWS\system32\fvlabfig.dll
2008-09-15 19:11 . 2008-09-15 19:23 69 --a------ D:\WINDOWS\NeroDigital.ini
2008-09-15 03:03 . 2008-09-15 03:03 <DIR> d-------- D:\Program Files\MSXML 4.0
2008-09-15 01:38 . 2008-09-15 01:38 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\Canon
2008-09-15 01:37 . 2008-09-15 01:37 <DIR> d--h----- D:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-09-15 01:37 . 2008-09-15 01:37 <DIR> d--h----- D:\Program Files\CanonBJ
2008-09-15 01:37 . 2006-07-21 00:51 1,298,432 --a------ D:\WINDOWS\system32\CNQC2411.DLL
2008-09-15 01:37 . 2006-06-02 05:18 155,648 --a------ D:\WINDOWS\system32\CNQL2411.DLL
2008-09-15 01:37 . 2006-06-29 23:29 106,496 --a------ D:\WINDOWS\system32\cnqo2411.dll
2008-09-15 01:37 . 2006-07-21 00:51 57,344 --a------ D:\WINDOWS\system32\CNQI2411.DLL
2008-09-14 00:55 . 2008-09-14 00:55 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\Nero
2008-09-14 00:52 . 2008-09-14 00:53 <DIR> d-------- D:\Program Files\Common Files\Nero
2008-09-14 00:52 . 2008-09-14 00:52 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Nero
2008-09-14 00:00 . 2008-09-23 15:07 365,568 --a------ D:\WINDOWS\system32\doskeys.exe
2008-09-14 00:00 . 2008-09-14 00:00 51,712 --a------ D:\WINDOWS\system32\dllhosts.exe
2008-09-14 00:00 . 2008-09-24 19:27 211 --a------ D:\WINDOWS\system32\Monitored2.dat
2008-09-13 00:13 . 2008-09-13 00:13 <DIR> d-------- D:\WINDOWS\system32\IOSUBSYS
2008-09-07 04:54 . 2008-09-07 04:54 <DIR> d-------- D:\Program Files\Avanquest update
2008-09-07 03:56 . 2008-09-07 03:57 <DIR> d-------- D:\Program Files\Motorola Phone Tools
2008-09-07 03:56 . 2008-09-07 03:56 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\InstallShield
2008-09-07 03:16 . 2008-09-07 03:16 24,192 --a------ D:\Documents and Settings\Cathy\usbsermptxp.sys
2008-09-07 03:16 . 2008-09-07 03:16 22,768 --a------ D:\WINDOWS\system32\drivers\usbsermpt.sys
2008-09-07 03:16 . 2008-09-07 03:16 22,768 --a------ D:\Documents and Settings\Cathy\usbsermpt.sys
2008-09-07 03:00 . 2008-09-07 03:00 <DIR> d-------- D:\Program Files\Common Files\Motorola Shared
2008-09-07 03:00 . 2007-06-18 15:18 23,680 --a------ D:\WINDOWS\system32\drivers\motmodem.sys
2008-09-07 03:00 . 2008-09-07 03:00 0 --ah----- D:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-09-07 02:44 . 2008-04-13 11:45 26,112 --a------ D:\WINDOWS\system32\drivers\usbser.sys
2008-09-07 02:44 . 2008-04-13 11:45 26,112 --a--c--- D:\WINDOWS\system32\dllcache\usbser.sys
2008-09-07 02:25 . 2008-09-20 07:54 <DIR> d-------- D:\Program Files\uTorrent
2008-09-07 02:18 . 2008-09-07 02:20 <DIR> d-------- D:\Program Files\Your Uninstaller 2008
2008-09-07 02:18 . 2008-09-07 02:18 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\URSoft
2008-09-06 22:13 . 2008-09-07 03:55 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\BVRP Software
2008-09-06 21:34 . 2008-04-13 11:45 26,368 --a--c--- D:\WINDOWS\system32\dllcache\usbstor.sys
2008-09-02 20:58 . 2008-09-18 23:55 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\LimeWire
2008-09-02 08:47 . 2008-09-02 08:49 <DIR> d-------- D:\Program Files\Common Files\wsm
2008-09-02 06:30 . 2008-09-02 06:30 552 --a------ D:\WINDOWS\system32\d3d8caps.dat
2008-09-01 21:22 . 2008-07-30 17:42 23,888 --a------ D:\WINDOWS\system32\drivers\COH_Mon.sys
2008-09-01 21:22 . 2008-07-30 17:28 10,537 --a------ D:\WINDOWS\system32\drivers\COH_Mon.cat
2008-09-01 21:22 . 2008-07-30 17:28 706 --a------ D:\WINDOWS\system32\drivers\COH_Mon.inf
2008-09-01 17:12 . 2008-09-01 17:12 50,772 --ah----- D:\WINDOWS\system32\mlfcache.dat
2008-09-01 16:54 . 2008-09-01 16:54 <DIR> d-------- D:\Program Files\CyberLink
2008-09-01 16:54 . 2008-09-01 16:54 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\CyberLink
2008-09-01 16:14 . 2008-09-01 16:14 <DIR> d-------- D:\MySlideshow
2008-09-01 15:07 . 2008-09-22 06:10 <DIR> d-a------ D:\Documents and Settings\All Users\Application Data\TEMP
2008-09-01 15:07 . 2008-09-01 15:07 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Anvsoft
2008-08-31 22:36 . 2008-08-31 22:36 <DIR> d-------- D:\Program Files\Common Files\DVDVideoSoft
2008-08-30 22:49 . 2008-08-30 22:49 <DIR> d-------- D:\Documents and Settings\All Users\eBay
2008-08-30 06:28 . 2008-08-26 11:47 393,216 --a------ D:\WINDOWS\system32\fpres632.dll
2008-08-30 06:28 . 2008-08-26 11:46 376,832 --a------ D:\WINDOWS\system32\fpmon6.dll
2008-08-29 10:18 . 2008-08-29 10:18 2,302,017 --a------ D:\WINDOWS\system32\GPhotos.scr
2008-08-28 23:56 . 1996-01-12 03:00 935,632 --a------ D:\WINDOWS\system\Vb40016.dll
2008-08-28 23:56 . 1996-01-12 03:00 722,192 --a------ D:\WINDOWS\system\Vb40032.dll
2008-08-28 20:31 . 2008-04-13 11:47 25,856 --a------ D:\WINDOWS\system32\drivers\usbprint.sys
2008-08-28 20:31 . 2008-04-13 11:47 25,856 --a--c--- D:\WINDOWS\system32\dllcache\usbprint.sys
2008-08-28 20:31 . 2008-04-13 11:45 15,104 --a------ D:\WINDOWS\system32\drivers\usbscan.sys
2008-08-28 20:31 . 2008-04-13 11:45 15,104 --a--c--- D:\WINDOWS\system32\dllcache\usbscan.sys
2008-08-28 17:29 . 2008-08-28 17:29 <DIR> d-------- D:\WINDOWS\Sun
2008-08-28 14:53 . 2008-08-28 14:56 <DIR> d-------- D:\Program Files\Google
2008-08-28 14:53 . 2008-09-24 03:32 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-28 12:56 . 2008-09-13 17:51 <DIR> d-------- D:\Program Files\TG Games
2008-08-28 12:56 . 2008-09-24 15:03 148 --a------ D:\WINDOWS\system32\acmeinc.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 12:19 --------- d-----w D:\Program Files\microsoft frontpage
2008-07-21 19:52 524,288 ----a-w D:\WINDOWS\opuc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f2721ec9-9aad-4df3-aad1-b9d263ea31e1}]
2008-09-24 02:26 116224 --a------ D:\WINDOWS\system32\wvcyne.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"osCheck"="D:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 771704]
"185b3ca4"="D:\WINDOWS\system32\nlpyqddu.dll" [2008-09-24 89600]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"NT Printing Services6"="dllhosts.exe" [2008-09-14 D:\WINDOWS\system32\dllhosts.exe]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk.disabled [2008-08-28 986]
Windows Search.lnk.disabled [2008-08-28 1787]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "D:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wvcyne.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"ctfmon.exe"=D:\WINDOWS\system32\ctfmon.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
"swg"=D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"185b3ca4"=rundll32.exe "D:\WINDOWS\system32\foyplehm.dll",b
"WinampAgent"="D:\Program Files\Winamp\winampa.exe"
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
"SoundMan"=SOUNDMAN.EXE
"SecurDisc"=E:\Program Files\Nero 8\InCD\NBHGui.exe
"NeroFilterCheck"=D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
"NBKeyScan"="E:\Program Files\Nero 8\Nero BackItUp\NBKeyScan.exe"
"InCD"=E:\Program Files\Nero 8\InCD\InCD.exe
"ATICCC"="D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"IntelliPoint"="D:\Program Files\Microsoft IntelliPoint\ipoint.exe"
"itype"="D:\Program Files\Microsoft IntelliType Pro\itype.exe"
"Symantec PIF AlertEng"="D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
"YOP"=D:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"D:\\Program Files\\MSN Messenger\\livecall.exe"=
"E:\\Program Files\\LimeWire\\LimeWire.exe"=


*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{0753AA3E-1068-49D7-8B56-AE83606656Dc} - D:\WINDOWS\system32\wdmexceu.dll
BHO-{09C72999-5C10-41A3-A524-24661D942003} - D:\WINDOWS\system32\ddcCRKBu.dll
BHO-{9F90FDC8-D9EF-40AA-8EE1-FF7B1A76E267} - D:\WINDOWS\system32\qoMgghEv.dll
HKLM-Run-Cmaudio - cmicnfg.cpl
ShellExecuteHooks-{09C72999-5C10-41A3-A524-24661D942003} - D:\WINDOWS\system32\ddcCRKBu.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &Winamp Search - D:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 -: Add to Google Photos Screensa&ver - D:\WINDOWS\system32\GPhotos.scr/200
O8 -: E&xport to Microsoft Excel - D:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-24 19:27:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


D:\WINDOWS\system32\uddqypln.ini 915066 bytes
D:\Program Files\Common Files\Symantec Shared\SPBBC\2008-09-23-5252.kc 147388 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: D:\WINDOWS\explorer.exe
-> D:\WINDOWS\system32\nlpyqddu.dll
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
E:\Program Files\Nero 8\InCD\InCDsrv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Nero 8\Nero BackItUp\NBService.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\searchindexer.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\searchprotocolhost.exe
D:\WINDOWS\system32\searchfilterhost.exe
D:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-09-24 19:30:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-25 02:29:57

Pre-Run: 16,319,799,296 bytes free
Post-Run: 16,315,072,512 bytes free

297 --- E O F --- 2008-09-15 10:03:05



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:31 PM, on 9/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
E:\Program Files\Nero 8\InCD\InCDsrv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Nero 8\Nero BackItUp\NBService.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\SearchIndexer.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
E:\DOWNLOADS\FirefoxPortable\App\firefox\firefox.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\SearchProtocolHost.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\4.1.509.6972\swg.dll
O2 - BHO: {1e13ae36-2d9b-1daa-3fd4-daa99ce1272f} - {f2721ec9-9aad-4df3-aad1-b9d263ea31e1} - D:\WINDOWS\system32\wvcyne.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - D:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "D:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [185b3ca4] rundll32.exe "D:\WINDOWS\system32\nlpyqddu.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services6] dllhosts.exe
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Windows Search.lnk.disabled
O8 - Extra context menu item: &Winamp Search - D:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://D:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219943999875
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://photoservices.van.fedex.com/software/ImageUploader4.cab
O20 - AppInit_DLLs: wvcyne.dll
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Program Files\Nero 8\InCD\InCDsrv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - E:\Program Files\Nero 8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - D:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 8167 bytes

I will await your response. thank you, for your assistance.

P.S. Which is proper; Reply with quote, OR Multi-quote this message?
 
Thanks for returning your information, you asked:
Which is proper; Reply with quote, OR Multi-quote this message?
Click to expand...
Copy/paste everything. Quote only if necessary, as in how I quoted to show it was coming from the "Before you Post" instructions.

You have a badly infected computer:sad: it looks like this infection has been on the computer for a while and the junk keeps morphing and adding files when you allow this to happen.

Please read and follow the directions carefully and in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

This is a lot of bad files for combofix to remove, so it may take a while, be patient.

2) Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
D:\WINDOWS\system32\wvcyne.dll
D:\WINDOWS\system32\nlpyqddu.dll
D:\WINDOWS\system32\dllhosts.exe
D:\WINDOWS\system32\uddqypln.ini 
D:\WINDOWS\system32\hgphaskn.dll
D:\WINDOWS\system32\xtvgdr.dll
D:\WINDOWS\system32\boefbukl.dll
D:\WINDOWS\system32\wokvmiwq.dll
D:\WINDOWS\system32\yefefg.dll
D:\WINDOWS\system32\bksfsecj.dll
D:\WINDOWS\system32\hlchveqy.dll
D:\WINDOWS\system32\iiqlmmdk.dll
D:\WINDOWS\system32\eqdeby.dll
D:\WINDOWS\system32\bxaggbcb.dll
D:\WINDOWS\system32\woqaaknp.dll
D:\WINDOWS\system32\dxybpo.dll
D:\WINDOWS\system32\xstxaivr.dll
D:\WINDOWS\system32\egxhnt.dll
D:\WINDOWS\system32\imxvwjga.dll
D:\WINDOWS\system32\odbsqm.dll
D:\WINDOWS\system32\khslpcru.dll
D:\WINDOWS\system32\xqphva.dll
D:\WINDOWS\system32\ngqynkqw.dll
D:\WINDOWS\system32\aapdmxhx.dll
D:\WINDOWS\system32\rsaawobq.dll
D:\WINDOWS\system32\pfcgll.dll
D:\WINDOWS\system32\ikaqdelc.dll
D:\WINDOWS\system32\fhfvtt.dll
D:\WINDOWS\system32\etetlw.dll
D:\WINDOWS\system32\cuwvttes.dll
D:\WINDOWS\system32\juabmtoa.dll
D:\WINDOWS\system32\rorowjpx.dll
D:\WINDOWS\system32\hrdovv.dll
D:\WINDOWS\system32\hajvnnlu.dll
D:\WINDOWS\system32\txtysy.dll
D:\WINDOWS\system32\lyvoqncq.dll
D:\WINDOWS\system32\qbnsavmt.dll
D:\WINDOWS\system32\vbxpefsr.dll
D:\WINDOWS\system32\ubirgjfw.dll
D:\WINDOWS\system32\dbeetm.dll
D:\WINDOWS\system32\chgqygfs.dll
D:\WINDOWS\system32\qrbwsnrw.dll
D:\WINDOWS\system32\qgqglmgt.dll
D:\WINDOWS\system32\kakeja.dll
D:\WINDOWS\system32\rcuneqnh.dll
D:\WINDOWS\system32\noukxeav.dll
D:\WINDOWS\system32\gmboew.dll
D:\WINDOWS\system32\qhyfxlab.dll
D:\WINDOWS\system32\hgGwtuTJ.dll
D:\WINDOWS\system32\jicrei.dll
D:\WINDOWS\system32\hpypvecu.dll
D:\WINDOWS\system32\dslglpgb.dll
D:\WINDOWS\system32\foyplehm.dll
D:\WINDOWS\system32\phaollkn.exe
D:\WINDOWS\system32\vmivpv.dll
D:\WINDOWS\system32\hnvjhsri.dll
D:\WINDOWS\system32\cpjtlvmn.dll
D:\WINDOWS\system32\taybldlt.exe
D:\WINDOWS\system32\wstuqroj.dll
D:\WINDOWS\system32\bpfbhp.dll
D:\WINDOWS\system32\rwaaleiu.dll
D:\WINDOWS\system32\zwsmgd.dll
D:\WINDOWS\system32\hokxfecd.dll
D:\WINDOWS\system32\fvlabfig.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f2721ec9-9aad-4df3-aad1-b9d263ea31e1}]

Save this as CFScript

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(some items may be gone, removed by CFScript)

(first item may be left if set this way on purpose)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: {1e13ae36-2d9b-1daa-3fd4-daa99ce1272f} - {f2721ec9-9aad-4df3-aad1-b9d263ea31e1} - D:\WINDOWS\system32\wvcyne.dll
O4 - HKLM\..\Run: [185b3ca4] rundll32.exe "D:\WINDOWS\system32\nlpyqddu.dll",b
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services6] dllhosts.exe
O20 - AppInit_DLLs: wvcyne.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post log from CFScript, the log from MBAB and a new HJT log.

How is the computer running?

Thanks
 
Something went wrong, unable to complete steps

Proceeded as per instructions followed directions until step 3:

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(some items may be gone, removed by CFScript)

(first item may be left if set this way on purpose)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: {1e13ae36-2d9b-1daa-3fd4-daa99ce1272f} - {f2721ec9-9aad-4df3-aad1-b9d263ea31e1} - D:\WINDOWS\system32\wvcyne.dll
O4 - HKLM\..\Run: [185b3ca4] rundll32.exe "D:\WINDOWS\system32\nlpyqddu.dll",b
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services6] dllhosts.exe
O20 - AppInit_DLLs: wvcyne.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Then upon reviewing the Combofix log, cannot locate ANY:oops: of the mentioned files.(the first item was intentional) As nothing can be checked to fix, I cannot see proceeding further is useful. I ran hijack this to produce a current log in addition to the Combofix log below, I await on how to proceed hope this isn't too critical. again thanx

ComboFix 08-09-24.09 - Cathy 2008-09-25 5:13:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.515 [GMT -7:00]
Running from: D:\Documents and Settings\Cathy\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Cathy\Desktop\CFScript.txt
* Created a new restore point

FILE ::
D:\WINDOWS\system32\aapdmxhx.dll
D:\WINDOWS\system32\bksfsecj.dll
D:\WINDOWS\system32\boefbukl.dll
D:\WINDOWS\system32\bpfbhp.dll
D:\WINDOWS\system32\bxaggbcb.dll
D:\WINDOWS\system32\chgqygfs.dll
D:\WINDOWS\system32\cpjtlvmn.dll
D:\WINDOWS\system32\cuwvttes.dll
D:\WINDOWS\system32\dbeetm.dll
D:\WINDOWS\system32\dllhosts.exe
D:\WINDOWS\system32\dslglpgb.dll
D:\WINDOWS\system32\dxybpo.dll
D:\WINDOWS\system32\egxhnt.dll
D:\WINDOWS\system32\eqdeby.dll
D:\WINDOWS\system32\etetlw.dll
D:\WINDOWS\system32\fhfvtt.dll
D:\WINDOWS\system32\foyplehm.dll
D:\WINDOWS\system32\fvlabfig.dll
D:\WINDOWS\system32\gmboew.dll
D:\WINDOWS\system32\hajvnnlu.dll
D:\WINDOWS\system32\hgGwtuTJ.dll
D:\WINDOWS\system32\hgphaskn.dll
D:\WINDOWS\system32\hlchveqy.dll
D:\WINDOWS\system32\hnvjhsri.dll
D:\WINDOWS\system32\hokxfecd.dll
D:\WINDOWS\system32\hpypvecu.dll
D:\WINDOWS\system32\hrdovv.dll
D:\WINDOWS\system32\iiqlmmdk.dll
D:\WINDOWS\system32\ikaqdelc.dll
D:\WINDOWS\system32\imxvwjga.dll
D:\WINDOWS\system32\jicrei.dll
D:\WINDOWS\system32\juabmtoa.dll
D:\WINDOWS\system32\kakeja.dll
D:\WINDOWS\system32\khslpcru.dll
D:\WINDOWS\system32\lyvoqncq.dll
D:\WINDOWS\system32\ngqynkqw.dll
D:\WINDOWS\system32\nlpyqddu.dll
D:\WINDOWS\system32\noukxeav.dll
D:\WINDOWS\system32\odbsqm.dll
D:\WINDOWS\system32\pfcgll.dll
D:\WINDOWS\system32\phaollkn.exe
D:\WINDOWS\system32\qbnsavmt.dll
D:\WINDOWS\system32\qgqglmgt.dll
D:\WINDOWS\system32\qhyfxlab.dll
D:\WINDOWS\system32\qrbwsnrw.dll
D:\WINDOWS\system32\rcuneqnh.dll
D:\WINDOWS\system32\rorowjpx.dll
D:\WINDOWS\system32\rsaawobq.dll
D:\WINDOWS\system32\rwaaleiu.dll
D:\WINDOWS\system32\taybldlt.exe
D:\WINDOWS\system32\txtysy.dll
D:\WINDOWS\system32\ubirgjfw.dll
D:\WINDOWS\system32\uddqypln.ini
D:\WINDOWS\system32\vbxpefsr.dll
D:\WINDOWS\system32\vmivpv.dll
D:\WINDOWS\system32\wokvmiwq.dll
D:\WINDOWS\system32\woqaaknp.dll
D:\WINDOWS\system32\wstuqroj.dll
D:\WINDOWS\system32\wvcyne.dll
D:\WINDOWS\system32\xqphva.dll
D:\WINDOWS\system32\xstxaivr.dll
D:\WINDOWS\system32\xtvgdr.dll
D:\WINDOWS\system32\yefefg.dll
D:\WINDOWS\system32\zwsmgd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOWS\BM1b06d307.txt
D:\WINDOWS\BM1b06d307.xml
D:\WINDOWS\pskt.ini
D:\WINDOWS\system32\aapdmxhx.dll
D:\WINDOWS\system32\bksfsecj.dll
D:\WINDOWS\system32\boefbukl.dll
D:\WINDOWS\system32\bpfbhp.dll
D:\WINDOWS\system32\bxaggbcb.dll
D:\WINDOWS\system32\chgqygfs.dll
D:\WINDOWS\system32\cpjtlvmn.dll
D:\WINDOWS\system32\cuwvttes.dll
D:\WINDOWS\system32\dbeetm.dll
D:\WINDOWS\system32\ddcaWnNF.dll
D:\WINDOWS\system32\dllhosts.exe
D:\WINDOWS\system32\dslglpgb.dll
D:\WINDOWS\system32\dxybpo.dll
D:\WINDOWS\system32\efcyYPhH.dll
D:\WINDOWS\system32\egxhnt.dll
D:\WINDOWS\system32\eqdeby.dll
D:\WINDOWS\system32\etetlw.dll
D:\WINDOWS\system32\fhfvtt.dll
D:\WINDOWS\system32\foyplehm.dll
D:\WINDOWS\system32\fvlabfig.dll
D:\WINDOWS\system32\gmboew.dll
D:\WINDOWS\system32\hajvnnlu.dll
D:\WINDOWS\system32\hgGwtuTJ.dll
D:\WINDOWS\system32\hgphaskn.dll
D:\WINDOWS\system32\HhPYycfe.ini
D:\WINDOWS\system32\HhPYycfe.ini2
D:\WINDOWS\system32\hlchveqy.dll
D:\WINDOWS\system32\hnvjhsri.dll
D:\WINDOWS\system32\hokxfecd.dll
D:\WINDOWS\system32\hpypvecu.dll
D:\WINDOWS\system32\hpyyonyu.ini
D:\WINDOWS\system32\hrdovv.dll
D:\WINDOWS\system32\iiqlmmdk.dll
D:\WINDOWS\system32\ikaqdelc.dll
D:\WINDOWS\system32\imxvwjga.dll
D:\WINDOWS\system32\jicrei.dll
D:\WINDOWS\system32\juabmtoa.dll
D:\WINDOWS\system32\kakeja.dll
D:\WINDOWS\system32\khslpcru.dll
D:\WINDOWS\system32\lyvoqncq.dll
D:\WINDOWS\system32\ngqynkqw.dll
D:\WINDOWS\system32\nlpyqddu.dll
D:\WINDOWS\system32\noukxeav.dll
D:\WINDOWS\system32\odbsqm.dll
D:\WINDOWS\system32\pfcgll.dll
D:\WINDOWS\system32\phaollkn.exe
D:\WINDOWS\system32\qbnsavmt.dll
D:\WINDOWS\system32\qgqglmgt.dll
D:\WINDOWS\system32\qhyfxlab.dll
D:\WINDOWS\system32\qrbwsnrw.dll
D:\WINDOWS\system32\rcuneqnh.dll
D:\WINDOWS\system32\rorowjpx.dll
D:\WINDOWS\system32\rsaawobq.dll
D:\WINDOWS\system32\rwaaleiu.dll
D:\WINDOWS\system32\ssqNFxWO.dll
D:\WINDOWS\system32\taybldlt.exe
D:\WINDOWS\system32\txtysy.dll
D:\WINDOWS\system32\ubirgjfw.dll
D:\WINDOWS\system32\uddqypln.ini
D:\WINDOWS\system32\vbxpefsr.dll
D:\WINDOWS\system32\vmivpv.dll
D:\WINDOWS\system32\wokvmiwq.dll
D:\WINDOWS\system32\woqaaknp.dll
D:\WINDOWS\system32\wstuqroj.dll
D:\WINDOWS\system32\wvcyne.dll
D:\WINDOWS\system32\xqphva.dll
D:\WINDOWS\system32\xstxaivr.dll
D:\WINDOWS\system32\xtvgdr.dll
D:\WINDOWS\system32\yefefg.dll
D:\WINDOWS\system32\zwsmgd.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-26 to 2008-09-26 )))))))))))))))))))))))))))))))
.

2008-09-25 19:24 . 2008-09-25 19:24 294 ---hs---- D:\WINDOWS\system32\hpyyonyu.ini
2008-09-25 03:24 . 2008-09-25 03:24 88,576 --a------ D:\WINDOWS\system32\uynoyyph.dll
2008-09-25 03:21 . 2008-09-25 03:21 112,128 --a------ D:\WINDOWS\system32\xrwvqk.dll
2008-09-25 03:21 . 2008-09-25 03:21 112,128 --a------ D:\WINDOWS\system32\uqpgatmd.dll
2008-09-25 03:18 . 2008-09-25 03:18 98,816 --a------ D:\WINDOWS\system32\cfcmtyqw.dll
2008-09-20 07:56 . 2008-09-20 07:56 <DIR> d-------- D:\Program Files\Trend Micro
2008-09-20 04:56 . 2008-09-24 01:03 736 --a------ D:\WINDOWS\wininit.ini
2008-09-15 19:11 . 2008-09-15 19:23 69 --a------ D:\WINDOWS\NeroDigital.ini
2008-09-15 03:03 . 2008-09-15 03:03 <DIR> d-------- D:\Program Files\MSXML 4.0
2008-09-15 01:38 . 2008-09-15 01:38 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\Canon
2008-09-15 01:37 . 2008-09-15 01:37 <DIR> d--h----- D:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-09-15 01:37 . 2008-09-15 01:37 <DIR> d--h----- D:\Program Files\CanonBJ
2008-09-15 01:37 . 2006-07-21 00:51 1,298,432 --a------ D:\WINDOWS\system32\CNQC2411.DLL
2008-09-15 01:37 . 2006-06-02 05:18 155,648 --a------ D:\WINDOWS\system32\CNQL2411.DLL
2008-09-15 01:37 . 2006-06-29 23:29 106,496 --a------ D:\WINDOWS\system32\cnqo2411.dll
2008-09-15 01:37 . 2006-07-21 00:51 57,344 --a------ D:\WINDOWS\system32\CNQI2411.DLL
2008-09-14 00:55 . 2008-09-14 00:55 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\Nero
2008-09-14 00:52 . 2008-09-14 00:53 <DIR> d-------- D:\Program Files\Common Files\Nero
2008-09-14 00:52 . 2008-09-14 00:52 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Nero
2008-09-14 00:00 . 2008-09-23 15:07 365,568 --a------ D:\WINDOWS\system32\doskeys.exe
2008-09-14 00:00 . 2008-09-25 05:05 186 --a------ D:\WINDOWS\system32\Monitored2.dat
2008-09-13 00:13 . 2008-09-13 00:13 <DIR> d-------- D:\WINDOWS\system32\IOSUBSYS
2008-09-07 04:54 . 2008-09-07 04:54 <DIR> d-------- D:\Program Files\Avanquest update
2008-09-07 03:56 . 2008-09-07 03:57 <DIR> d-------- D:\Program Files\Motorola Phone Tools
2008-09-07 03:56 . 2008-09-07 03:56 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\InstallShield
2008-09-07 03:16 . 2008-09-07 03:16 24,192 --a------ D:\Documents and Settings\Cathy\usbsermptxp.sys
2008-09-07 03:16 . 2008-09-07 03:16 22,768 --a------ D:\WINDOWS\system32\drivers\usbsermpt.sys
2008-09-07 03:16 . 2008-09-07 03:16 22,768 --a------ D:\Documents and Settings\Cathy\usbsermpt.sys
2008-09-07 03:00 . 2008-09-07 03:00 <DIR> d-------- D:\Program Files\Common Files\Motorola Shared
2008-09-07 03:00 . 2007-06-18 15:18 23,680 --a------ D:\WINDOWS\system32\drivers\motmodem.sys
2008-09-07 03:00 . 2008-09-07 03:00 0 --ah----- D:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-09-07 02:44 . 2008-04-13 11:45 26,112 --a------ D:\WINDOWS\system32\drivers\usbser.sys
2008-09-07 02:44 . 2008-04-13 11:45 26,112 --a--c--- D:\WINDOWS\system32\dllcache\usbser.sys
2008-09-07 02:25 . 2008-09-20 07:54 <DIR> d-------- D:\Program Files\uTorrent
2008-09-07 02:18 . 2008-09-07 02:20 <DIR> d-------- D:\Program Files\Your Uninstaller 2008
2008-09-07 02:18 . 2008-09-07 02:18 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\URSoft
2008-09-06 22:13 . 2008-09-07 03:55 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\BVRP Software
2008-09-06 21:34 . 2008-04-13 11:45 26,368 --a--c--- D:\WINDOWS\system32\dllcache\usbstor.sys
2008-09-02 20:58 . 2008-09-18 23:55 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\LimeWire
2008-09-02 08:47 . 2008-09-02 08:49 <DIR> d-------- D:\Program Files\Common Files\wsm
2008-09-02 06:30 . 2008-09-02 06:30 552 --a------ D:\WINDOWS\system32\d3d8caps.dat
2008-09-01 21:22 . 2008-07-30 17:42 23,888 --a------ D:\WINDOWS\system32\drivers\COH_Mon.sys
2008-09-01 21:22 . 2008-07-30 17:28 10,537 --a------ D:\WINDOWS\system32\drivers\COH_Mon.cat
2008-09-01 21:22 . 2008-07-30 17:28 706 --a------ D:\WINDOWS\system32\drivers\COH_Mon.inf
2008-09-01 17:12 . 2008-09-01 17:12 50,772 --ah----- D:\WINDOWS\system32\mlfcache.dat
2008-09-01 16:54 . 2008-09-01 16:54 <DIR> d-------- D:\Program Files\CyberLink
2008-09-01 16:54 . 2008-09-01 16:54 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\CyberLink
2008-09-01 16:14 . 2008-09-01 16:14 <DIR> d-------- D:\MySlideshow
2008-09-01 15:07 . 2008-09-22 06:10 <DIR> d-a------ D:\Documents and Settings\All Users\Application Data\TEMP
2008-09-01 15:07 . 2008-09-01 15:07 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Anvsoft
2008-08-31 22:36 . 2008-08-31 22:36 <DIR> d-------- D:\Program Files\Common Files\DVDVideoSoft
2008-08-30 22:49 . 2008-08-30 22:49 <DIR> d-------- D:\Documents and Settings\All Users\eBay
2008-08-30 06:28 . 2008-08-26 11:47 393,216 --a------ D:\WINDOWS\system32\fpres632.dll
2008-08-30 06:28 . 2008-08-26 11:46 376,832 --a------ D:\WINDOWS\system32\fpmon6.dll
2008-08-29 10:18 . 2008-08-29 10:18 2,302,017 --a------ D:\WINDOWS\system32\GPhotos.scr
2008-08-28 23:56 . 1996-01-12 03:00 935,632 --a------ D:\WINDOWS\system\Vb40016.dll
2008-08-28 23:56 . 1996-01-12 03:00 722,192 --a------ D:\WINDOWS\system\Vb40032.dll
2008-08-28 20:31 . 2008-04-13 11:47 25,856 --a------ D:\WINDOWS\system32\drivers\usbprint.sys
2008-08-28 20:31 . 2008-04-13 11:47 25,856 --a--c--- D:\WINDOWS\system32\dllcache\usbprint.sys
2008-08-28 20:31 . 2008-04-13 11:45 15,104 --a------ D:\WINDOWS\system32\drivers\usbscan.sys
2008-08-28 20:31 . 2008-04-13 11:45 15,104 --a--c--- D:\WINDOWS\system32\dllcache\usbscan.sys
2008-08-28 17:29 . 2008-08-28 17:29 <DIR> d-------- D:\WINDOWS\Sun
2008-08-28 14:53 . 2008-08-28 14:56 <DIR> d-------- D:\Program Files\Google
2008-08-28 14:53 . 2008-09-25 04:32 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-28 12:56 . 2008-09-13 17:51 <DIR> d-------- D:\Program Files\TG Games
2008-08-28 12:56 . 2008-09-24 15:03 148 --a------ D:\WINDOWS\system32\acmeinc.ini
2008-08-28 12:56 . 2008-09-24 15:03 116 --a------ D:\WINDOWS\system32\vxdtgm.ini
2008-08-28 12:25 . 2008-08-28 12:38 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\OfficeUpdate12
2008-08-28 12:24 . 2008-08-28 12:24 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-08-28 12:21 . 2007-04-09 13:23 28,040 --a------ D:\WINDOWS\system32\mdimon.dll
2008-08-28 12:21 . 2008-08-28 12:21 376 --a------ D:\WINDOWS\ODBC.INI
2008-08-28 12:19 . 2008-08-28 12:19 <DIR> d-------- D:\Program Files\Microsoft ActiveSync
2008-08-28 12:19 . 2008-08-28 12:19 <DIR> d-------- D:\Program Files\Common Files\L&H
2008-08-28 12:18 . 2008-08-28 12:19 <DIR> d-------- D:\WINDOWS\SHELLNEW
2008-08-28 12:18 . 2008-08-28 12:18 <DIR> d-------- D:\Program Files\Microsoft.NET
2008-08-28 12:18 . 2008-08-28 12:31 <DIR> d-------- D:\Program Files\Microsoft Works
2008-08-28 11:39 . 2008-08-28 11:39 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\Windows Search
2008-08-28 11:26 . 2008-08-28 11:26 <DIR> d-------- D:\WINDOWS\Downloaded Installations
2008-08-28 11:25 . 2008-08-28 11:25 <DIR> d-------- D:\WINDOWS\Adobe Illustrator CS
2008-08-28 11:15 . 2008-08-28 11:15 <DIR> d-------- D:\Program Files\Common Files\Adobe Systems Shared
2008-08-28 10:58 . 2008-08-28 10:58 <DIR> d-------- D:\WINDOWS\system32\GroupPolicy
2008-08-28 10:58 . 2008-08-28 10:58 <DIR> d-------- D:\Program Files\Windows Desktop Search
2008-08-28 10:58 . 2008-08-28 10:58 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\Windows Desktop Search
2008-08-28 10:57 . 2008-03-07 10:02 192,000 -----c--- D:\WINDOWS\system32\dllcache\offfilt.dll
2008-08-28 10:57 . 2008-03-07 10:02 98,304 -----c--- D:\WINDOWS\system32\dllcache\nlhtml.dll
2008-08-28 10:57 . 2008-03-07 10:02 29,696 -----c--- D:\WINDOWS\system32\dllcache\mimefilt.dll
2008-08-28 10:55 . 2008-08-28 10:55 <DIR> d-------- D:\WINDOWS\system32\URTTEMP
2008-08-28 10:29 . 2008-07-22 07:45 1,214,526 -----c--- D:\WINDOWS\system32\dllcache\sysmain.sdb
2008-08-28 10:29 . 2008-07-22 07:45 790,846 -----c--- D:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-08-28 10:29 . 2008-07-22 07:45 9,696 -----c--- D:\WINDOWS\system32\dllcache\drvmain.sdb
2008-08-28 10:27 . 2008-07-18 22:07 270,880 --a------ D:\WINDOWS\system32\mucltui.dll
2008-08-28 10:27 . 2008-07-18 22:07 29,728 --a------ D:\WINDOWS\system32\mucltui.dll.mui
2008-08-28 10:22 . 2008-06-23 09:57 6,066,176 -----c--- D:\WINDOWS\system32\dllcache\ieframe.dll
2008-08-28 10:22 . 2007-04-17 02:32 2,455,488 -----c--- D:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-08-28 10:22 . 2007-03-07 22:10 991,232 -----c--- D:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-08-28 10:22 . 2008-06-23 09:57 459,264 -----c--- D:\WINDOWS\system32\dllcache\msfeeds.dll
2008-08-28 10:22 . 2008-06-23 09:57 383,488 -----c--- D:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-08-28 10:22 . 2008-06-23 09:57 267,776 -----c--- D:\WINDOWS\system32\dllcache\iertutil.dll
2008-08-28 10:22 . 2008-06-23 09:57 63,488 -----c--- D:\WINDOWS\system32\dllcache\icardie.dll
2008-08-28 10:22 . 2008-06-23 09:57 52,224 -----c--- D:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-08-28 10:22 . 2008-06-23 02:20 13,824 -----c--- D:\WINDOWS\system32\dllcache\ieudinit.exe
2008-08-28 10:17 . 2008-08-28 10:49 <DIR> d-------- D:\Documents and Settings\Cathy\Contacts
2008-08-28 10:14 . 2008-08-28 10:14 268 --ah----- D:\sqmdata03.sqm
2008-08-28 10:14 . 2008-08-28 10:14 244 --ah----- D:\sqmnoopt03.sqm
2008-08-28 10:09 . 2008-08-28 10:09 268 --ah----- D:\sqmdata02.sqm
2008-08-28 10:09 . 2008-08-28 10:09 244 --ah----- D:\sqmnoopt02.sqm
2008-08-28 10:05 . 2008-08-28 10:05 268 --ah----- D:\sqmdata01.sqm
2008-08-28 10:05 . 2008-08-28 10:05 244 --ah----- D:\sqmnoopt01.sqm
2008-08-28 09:26 . 2008-08-28 09:26 268 --ah----- D:\sqmdata00.sqm
2008-08-28 09:26 . 2008-08-28 09:26 244 --ah----- D:\sqmnoopt00.sqm
2008-08-28 08:31 . 2008-08-28 08:33 <DIR> d-------- D:\Program Files\Spybot - Search & Destroy
2008-08-28 08:31 . 2008-09-20 04:10 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-28 08:28 . 2008-08-28 08:28 <DIR> d-------- D:\Program Files\Windows Media Connect 2
2008-08-28 08:28 . 2008-04-13 17:12 221,184 --a------ D:\WINDOWS\system32\wmpns.dll
2008-08-28 08:27 . 2008-08-28 08:27 <DIR> d-------- D:\WINDOWS\system32\drivers\UMDF
2008-08-28 08:23 . 2008-08-28 08:23 <DIR> d-------- D:\Program Files\MSN Messenger
2008-08-28 08:12 . 2008-08-28 08:12 <DIR> d-------- D:\Program Files\Winamp Toolbar
2008-08-28 08:12 . 2008-08-28 08:12 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Winamp Toolbar
2008-08-28 08:10 . 2008-08-28 08:12 <DIR> d-------- D:\Program Files\Winamp
2008-08-28 08:10 . 2008-09-01 03:13 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\Winamp
2008-08-28 07:57 . 2003-06-25 16:05 266,360 --a------ D:\WINDOWS\system32\TweakUI.exe
2008-08-28 07:57 . 2002-06-21 15:09 160,217 --a------ D:\WINDOWS\system32\PowerToysLicense.rtf
2008-08-28 07:53 . 2008-08-28 07:53 <DIR> d-------- D:\WINDOWS\Logs
2008-08-28 07:48 . 2008-08-28 07:48 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\ATI
2008-08-28 07:44 . 2006-05-03 11:57 520,192 --a------ D:\WINDOWS\system32\ati2sgag.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 12:19 --------- d-----w D:\Program Files\microsoft frontpage
2008-07-31 17:41 68,616 ----a-w D:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 17:41 238,088 ----a-w D:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 17:40 509,448 ----a-w D:\WINDOWS\system32\XAudio2_2.dll
2008-07-30 21:55 49,152 ----a-r D:\WINDOWS\system32\inetwh32.dll
2008-07-30 21:55 1,044,480 ----a-r D:\WINDOWS\system32\roboex32.dll
2008-07-21 23:14 9,728 ----a-w D:\WINDOWS\system32\RtNicProp32.dll
2008-07-21 19:52 524,288 ----a-w D:\WINDOWS\opuc.dll
2008-07-19 05:10 94,920 ----a-w D:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w D:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w D:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w D:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w D:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w D:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w D:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w D:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:07 210,976 ----a-w D:\WINDOWS\system32\muweb.dll
2008-07-12 15:18 467,984 ----a-w D:\WINDOWS\system32\d3dx10_39.dll
2008-07-12 15:18 3,851,784 ----a-w D:\WINDOWS\system32\D3DX9_39.dll
2008-07-12 15:18 1,493,528 ----a-w D:\WINDOWS\system32\D3DCompiler_39.dll
2008-07-07 20:26 253,952 ----a-w D:\WINDOWS\system32\es.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20e057ee-9ed3-47a4-9e8b-f25ef9e138f0}]
2008-09-25 03:21 112128 --a------ D:\WINDOWS\system32\xrwvqk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"osCheck"="D:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 771704]
"185b3ca4"="D:\WINDOWS\system32\uynoyyph.dll" [2008-09-25 88576]
"BM1b06d307"="D:\WINDOWS\system32\cfcmtyqw.dll" [2008-09-25 98816]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk.disabled [2008-08-28 986]
Windows Search.lnk.disabled [2008-08-28 1787]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "D:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"ctfmon.exe"=D:\WINDOWS\system32\ctfmon.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
"swg"=D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"185b3ca4"=rundll32.exe "D:\WINDOWS\system32\foyplehm.dll",b
"WinampAgent"="D:\Program Files\Winamp\winampa.exe"
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
"SoundMan"=SOUNDMAN.EXE
"SecurDisc"=E:\Program Files\Nero 8\InCD\NBHGui.exe
"NeroFilterCheck"=D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
"NBKeyScan"="E:\Program Files\Nero 8\Nero BackItUp\NBKeyScan.exe"
"InCD"=E:\Program Files\Nero 8\InCD\InCD.exe
"ATICCC"="D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"IntelliPoint"="D:\Program Files\Microsoft IntelliPoint\ipoint.exe"
"itype"="D:\Program Files\Microsoft IntelliType Pro\itype.exe"
"Symantec PIF AlertEng"="D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
"YOP"=D:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"D:\\Program Files\\MSN Messenger\\livecall.exe"=
"E:\\Program Files\\LimeWire\\LimeWire.exe"=


*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{B09B0489-12B4-4EB1-92CD-D64BD0DDEC85} - D:\WINDOWS\system32\efcyYPhH.dll
HKCU-Explorer_Run-NT Printing Services6 - dllhosts.exe
ShellExecuteHooks-{C2D425B2-3452-427A-96BE-B3CD66620205} - D:\WINDOWS\system32\ssqNFxWO.dll



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-25 19:24:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


D:\WINDOWS\system32\hpyyonyu.ini 921614 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: D:\WINDOWS\explorer.exe
-> D:\WINDOWS\system32\uynoyyph.dll
-> D:\WINDOWS\system32\cfcmtyqw.dll
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
E:\Program Files\Nero 8\InCD\InCDsrv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Nero 8\Nero BackItUp\NBService.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\searchindexer.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\searchprotocolhost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2008-09-25 19:26:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-26 02:26:29
ComboFix2.txt 2008-09-25 02:30:04

Pre-Run: 16,532,967,424 bytes free
Post-Run: 16,591,396,864 bytes free

407 --- E O F --- 2008-09-15 10:03:05




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:12 PM, on 9/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
E:\Program Files\Nero 8\InCD\InCDsrv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Nero 8\Nero BackItUp\NBService.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\Rundll32.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\WINDOWS\System32\svchost.exe
E:\DOWNLOADS\FirefoxPortable\App\firefox\firefox.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: {0f831e9f-e52f-b8e9-4a74-3de9ee750e02} - {20e057ee-9ed3-47a4-9e8b-f25ef9e138f0} - D:\WINDOWS\system32\xrwvqk.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\4.1.509.6972\swg.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - D:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "D:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [185b3ca4] rundll32.exe "D:\WINDOWS\system32\uynoyyph.dll",b
O4 - HKLM\..\Run: [BM1b06d307] Rundll32.exe "D:\WINDOWS\system32\cfcmtyqw.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Windows Search.lnk.disabled
O8 - Extra context menu item: &Winamp Search - D:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://D:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1219943999875
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://photoservices.van.fedex.com/software/ImageUploader4.cab
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Program Files\Nero 8\InCD\InCDsrv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - E:\Program Files\Nero 8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - D:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 8029 bytes




pskelley said:
Thanks for returning your information, you asked:

Copy/paste everything. Quote only if necessary, as in how I quoted to show it was coming from the "Before you Post" instructions.

You have a badly infected computer:sad: it looks like this infection has been on the computer for a while and the junk keeps morphing and adding files when you allow this to happen.

Please read and follow the directions carefully and in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

This is a lot of bad files for combofix to remove, so it may take a while, be patient.

2) Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
D:\WINDOWS\system32\wvcyne.dll
D:\WINDOWS\system32\nlpyqddu.dll
D:\WINDOWS\system32\dllhosts.exe
D:\WINDOWS\system32\uddqypln.ini 
D:\WINDOWS\system32\hgphaskn.dll
D:\WINDOWS\system32\xtvgdr.dll
D:\WINDOWS\system32\boefbukl.dll
D:\WINDOWS\system32\wokvmiwq.dll
D:\WINDOWS\system32\yefefg.dll
D:\WINDOWS\system32\bksfsecj.dll
D:\WINDOWS\system32\hlchveqy.dll
D:\WINDOWS\system32\iiqlmmdk.dll
D:\WINDOWS\system32\eqdeby.dll
D:\WINDOWS\system32\bxaggbcb.dll
D:\WINDOWS\system32\woqaaknp.dll
D:\WINDOWS\system32\dxybpo.dll
D:\WINDOWS\system32\xstxaivr.dll
D:\WINDOWS\system32\egxhnt.dll
D:\WINDOWS\system32\imxvwjga.dll
D:\WINDOWS\system32\odbsqm.dll
D:\WINDOWS\system32\khslpcru.dll
D:\WINDOWS\system32\xqphva.dll
D:\WINDOWS\system32\ngqynkqw.dll
D:\WINDOWS\system32\aapdmxhx.dll
D:\WINDOWS\system32\rsaawobq.dll
D:\WINDOWS\system32\pfcgll.dll
D:\WINDOWS\system32\ikaqdelc.dll
D:\WINDOWS\system32\fhfvtt.dll
D:\WINDOWS\system32\etetlw.dll
D:\WINDOWS\system32\cuwvttes.dll
D:\WINDOWS\system32\juabmtoa.dll
D:\WINDOWS\system32\rorowjpx.dll
D:\WINDOWS\system32\hrdovv.dll
D:\WINDOWS\system32\hajvnnlu.dll
D:\WINDOWS\system32\txtysy.dll
D:\WINDOWS\system32\lyvoqncq.dll
D:\WINDOWS\system32\qbnsavmt.dll
D:\WINDOWS\system32\vbxpefsr.dll
D:\WINDOWS\system32\ubirgjfw.dll
D:\WINDOWS\system32\dbeetm.dll
D:\WINDOWS\system32\chgqygfs.dll
D:\WINDOWS\system32\qrbwsnrw.dll
D:\WINDOWS\system32\qgqglmgt.dll
D:\WINDOWS\system32\kakeja.dll
D:\WINDOWS\system32\rcuneqnh.dll
D:\WINDOWS\system32\noukxeav.dll
D:\WINDOWS\system32\gmboew.dll
D:\WINDOWS\system32\qhyfxlab.dll
D:\WINDOWS\system32\hgGwtuTJ.dll
D:\WINDOWS\system32\jicrei.dll
D:\WINDOWS\system32\hpypvecu.dll
D:\WINDOWS\system32\dslglpgb.dll
D:\WINDOWS\system32\foyplehm.dll
D:\WINDOWS\system32\phaollkn.exe
D:\WINDOWS\system32\vmivpv.dll
D:\WINDOWS\system32\hnvjhsri.dll
D:\WINDOWS\system32\cpjtlvmn.dll
D:\WINDOWS\system32\taybldlt.exe
D:\WINDOWS\system32\wstuqroj.dll
D:\WINDOWS\system32\bpfbhp.dll
D:\WINDOWS\system32\rwaaleiu.dll
D:\WINDOWS\system32\zwsmgd.dll
D:\WINDOWS\system32\hokxfecd.dll
D:\WINDOWS\system32\fvlabfig.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f2721ec9-9aad-4df3-aad1-b9d263ea31e1}]

Save this as CFScript

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(some items may be gone, removed by CFScript)

(first item may be left if set this way on purpose)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: {1e13ae36-2d9b-1daa-3fd4-daa99ce1272f} - {f2721ec9-9aad-4df3-aad1-b9d263ea31e1} - D:\WINDOWS\system32\wvcyne.dll
O4 - HKLM\..\Run: [185b3ca4] rundll32.exe "D:\WINDOWS\system32\nlpyqddu.dll",b
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services6] dllhosts.exe
O20 - AppInit_DLLs: wvcyne.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post log from CFScript, the log from MBAB and a new HJT log.

How is the computer running?

Thanks
Click to expand...
 
Please use the standard black, do not change the color, that is much harder for me to read.

Do not copy and paste all of my instructions, you can scroll back to them if you wish to review them or print them. I know what I said.

I am not sure what you did, but please read and follow the directions, if you are not sure, ask someone with more computer experience for help or take the computer to a local technician.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
D:\WINDOWS\system32\xrwvqk.dll
D:\WINDOWS\system32\uynoyyph.dll
D:\WINDOWS\system32\cfcmtyqw.dll
D:\WINDOWS\system32\hpyyonyu.ini
D:\WINDOWS\system32\uqpgatmd.dll
D:\WINDOWS\system32\cfcmtyqw.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20e057ee-9ed3-47a4-9e8b-f25ef9e138f0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"185b3ca4"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM1b06d307"=-

Save this as CFScript

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(some of these may be gone, removed by CFScript)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: {0f831e9f-e52f-b8e9-4a74-3de9ee750e02} - {20e057ee-9ed3-47a4-9e8b-f25ef9e138f0} - D:\WINDOWS\system32\xrwvqk.dll
O4 - HKLM\..\Run: [185b3ca4] rundll32.exe "D:\WINDOWS\system32\uynoyyph.dll",b
O4 - HKLM\..\Run: [BM1b06d307] Rundll32.exe "D:\WINDOWS\system32\cfcmtyqw.dll",s

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

Thanks
 
pskelley,


Aside from the posting violation, I have been adhering to the directions given with precision and care. YET again the items you posted to check off(to fix in step #3) were all not present within the HJT scan, as before.(indicating nothing may have gone wrong both times) Assuming Combofix had removed them before this HJT detection scan, I proceeded to steps #4-5 regardless. Shocking the amount of infection present, detected and removed. Also if necessary for review I saved an HJT log from step #3 before executing ATF cleaner. I await your analysis. Again your assistance is wholly appreciated.

jappee

The log files;

ComboFix 08-09-24.09 - Cathy 2008-09-26 12:08:03.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.550 [GMT -7:00]
Running from: D:\Documents and Settings\Cathy\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Cathy\Desktop\CFScript.txt
* Created a new restore point

FILE ::
D:\WINDOWS\system32\cfcmtyqw.dll
D:\WINDOWS\system32\hpyyonyu.ini
D:\WINDOWS\system32\uqpgatmd.dll
D:\WINDOWS\system32\uynoyyph.dll
D:\WINDOWS\system32\xrwvqk.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOWS\BM1b06d307.txt
D:\WINDOWS\BM1b06d307.xml
D:\WINDOWS\pskt.ini
D:\WINDOWS\system32\cfcmtyqw.dll
D:\WINDOWS\system32\hpyyonyu.ini
D:\WINDOWS\system32\uqpgatmd.dll
D:\WINDOWS\system32\uynoyyph.dll
D:\WINDOWS\system32\xrwvqk.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-26 to 2008-09-26 )))))))))))))))))))))))))))))))
.

2008-09-20 07:56 . 2008-09-20 07:56 <DIR> d-------- D:\Program Files\Trend Micro
2008-09-20 04:56 . 2008-09-24 01:03 736 --a------ D:\WINDOWS\wininit.ini
2008-09-15 19:11 . 2008-09-15 19:23 69 --a------ D:\WINDOWS\NeroDigital.ini
2008-09-15 03:03 . 2008-09-15 03:03 <DIR> d-------- D:\Program Files\MSXML 4.0
2008-09-15 01:38 . 2008-09-15 01:38 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\Canon
2008-09-15 01:37 . 2008-09-15 01:37 <DIR> d--h----- D:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-09-15 01:37 . 2008-09-15 01:37 <DIR> d--h----- D:\Program Files\CanonBJ
2008-09-15 01:37 . 2006-07-21 00:51 1,298,432 --a------ D:\WINDOWS\system32\CNQC2411.DLL
2008-09-15 01:37 . 2006-06-02 05:18 155,648 --a------ D:\WINDOWS\system32\CNQL2411.DLL
2008-09-15 01:37 . 2006-06-29 23:29 106,496 --a------ D:\WINDOWS\system32\cnqo2411.dll
2008-09-15 01:37 . 2006-07-21 00:51 57,344 --a------ D:\WINDOWS\system32\CNQI2411.DLL
2008-09-14 00:55 . 2008-09-14 00:55 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\Nero
2008-09-14 00:52 . 2008-09-14 00:53 <DIR> d-------- D:\Program Files\Common Files\Nero
2008-09-14 00:52 . 2008-09-14 00:52 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Nero
2008-09-14 00:00 . 2008-09-23 15:07 365,568 --a------ D:\WINDOWS\system32\doskeys.exe
2008-09-14 00:00 . 2008-09-25 05:05 186 --a------ D:\WINDOWS\system32\Monitored2.dat
2008-09-13 00:13 . 2008-09-13 00:13 <DIR> d-------- D:\WINDOWS\system32\IOSUBSYS
2008-09-07 04:54 . 2008-09-07 04:54 <DIR> d-------- D:\Program Files\Avanquest update
2008-09-07 03:56 . 2008-09-07 03:57 <DIR> d-------- D:\Program Files\Motorola Phone Tools
2008-09-07 03:56 . 2008-09-07 03:56 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\InstallShield
2008-09-07 03:16 . 2008-09-07 03:16 24,192 --a------ D:\Documents and Settings\Cathy\usbsermptxp.sys
2008-09-07 03:16 . 2008-09-07 03:16 22,768 --a------ D:\WINDOWS\system32\drivers\usbsermpt.sys
2008-09-07 03:16 . 2008-09-07 03:16 22,768 --a------ D:\Documents and Settings\Cathy\usbsermpt.sys
2008-09-07 03:00 . 2008-09-07 03:00 <DIR> d-------- D:\Program Files\Common Files\Motorola Shared
2008-09-07 03:00 . 2007-06-18 15:18 23,680 --a------ D:\WINDOWS\system32\drivers\motmodem.sys
2008-09-07 03:00 . 2008-09-07 03:00 0 --ah----- D:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-09-07 02:44 . 2008-04-13 11:45 26,112 --a------ D:\WINDOWS\system32\drivers\usbser.sys
2008-09-07 02:44 . 2008-04-13 11:45 26,112 --a--c--- D:\WINDOWS\system32\dllcache\usbser.sys
2008-09-07 02:25 . 2008-09-20 07:54 <DIR> d-------- D:\Program Files\uTorrent
2008-09-07 02:18 . 2008-09-07 02:20 <DIR> d-------- D:\Program Files\Your Uninstaller 2008
2008-09-07 02:18 . 2008-09-07 02:18 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\URSoft
2008-09-06 22:13 . 2008-09-07 03:55 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\BVRP Software
2008-09-06 21:34 . 2008-04-13 11:45 26,368 --a--c--- D:\WINDOWS\system32\dllcache\usbstor.sys
2008-09-02 20:58 . 2008-09-18 23:55 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\LimeWire
2008-09-02 08:47 . 2008-09-02 08:49 <DIR> d-------- D:\Program Files\Common Files\wsm
2008-09-02 06:30 . 2008-09-02 06:30 552 --a------ D:\WINDOWS\system32\d3d8caps.dat
2008-09-01 21:22 . 2008-07-30 17:42 23,888 --a------ D:\WINDOWS\system32\drivers\COH_Mon.sys
2008-09-01 21:22 . 2008-07-30 17:28 10,537 --a------ D:\WINDOWS\system32\drivers\COH_Mon.cat
2008-09-01 21:22 . 2008-07-30 17:28 706 --a------ D:\WINDOWS\system32\drivers\COH_Mon.inf
2008-09-01 17:12 . 2008-09-01 17:12 50,772 --ah----- D:\WINDOWS\system32\mlfcache.dat
2008-09-01 16:54 . 2008-09-01 16:54 <DIR> d-------- D:\Program Files\CyberLink
2008-09-01 16:54 . 2008-09-01 16:54 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\CyberLink
2008-09-01 16:14 . 2008-09-01 16:14 <DIR> d-------- D:\MySlideshow
2008-09-01 15:07 . 2008-09-22 06:10 <DIR> d-a------ D:\Documents and Settings\All Users\Application Data\TEMP
2008-09-01 15:07 . 2008-09-01 15:07 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Anvsoft
2008-08-31 22:36 . 2008-08-31 22:36 <DIR> d-------- D:\Program Files\Common Files\DVDVideoSoft
2008-08-30 22:49 . 2008-08-30 22:49 <DIR> d-------- D:\Documents and Settings\All Users\eBay
2008-08-30 06:28 . 2008-08-26 11:47 393,216 --a------ D:\WINDOWS\system32\fpres632.dll
2008-08-30 06:28 . 2008-08-26 11:46 376,832 --a------ D:\WINDOWS\system32\fpmon6.dll
2008-08-29 10:18 . 2008-08-29 10:18 2,302,017 --a------ D:\WINDOWS\system32\GPhotos.scr
2008-08-28 23:56 . 1996-01-12 03:00 935,632 --a------ D:\WINDOWS\system\Vb40016.dll
2008-08-28 23:56 . 1996-01-12 03:00 722,192 --a------ D:\WINDOWS\system\Vb40032.dll
2008-08-28 20:31 . 2008-04-13 11:47 25,856 --a------ D:\WINDOWS\system32\drivers\usbprint.sys
2008-08-28 20:31 . 2008-04-13 11:47 25,856 --a--c--- D:\WINDOWS\system32\dllcache\usbprint.sys
2008-08-28 20:31 . 2008-04-13 11:45 15,104 --a------ D:\WINDOWS\system32\drivers\usbscan.sys
2008-08-28 20:31 . 2008-04-13 11:45 15,104 --a--c--- D:\WINDOWS\system32\dllcache\usbscan.sys
2008-08-28 17:29 . 2008-08-28 17:29 <DIR> d-------- D:\WINDOWS\Sun
2008-08-28 14:53 . 2008-08-28 14:56 <DIR> d-------- D:\Program Files\Google
2008-08-28 14:53 . 2008-09-26 12:09 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-28 12:56 . 2008-09-13 17:51 <DIR> d-------- D:\Program Files\TG Games
2008-08-28 12:56 . 2008-09-24 15:03 148 --a------ D:\WINDOWS\system32\acmeinc.ini
2008-08-28 12:56 . 2008-09-24 15:03 116 --a------ D:\WINDOWS\system32\vxdtgm.ini
2008-08-28 12:25 . 2008-08-28 12:38 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\OfficeUpdate12
2008-08-28 12:24 . 2008-08-28 12:24 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-08-28 12:21 . 2007-04-09 13:23 28,040 --a------ D:\WINDOWS\system32\mdimon.dll
2008-08-28 12:21 . 2008-08-28 12:21 376 --a------ D:\WINDOWS\ODBC.INI
2008-08-28 12:19 . 2008-08-28 12:19 <DIR> d-------- D:\Program Files\Microsoft ActiveSync
2008-08-28 12:19 . 2008-08-28 12:19 <DIR> d-------- D:\Program Files\Common Files\L&H
2008-08-28 12:18 . 2008-08-28 12:19 <DIR> d-------- D:\WINDOWS\SHELLNEW
2008-08-28 12:18 . 2008-08-28 12:18 <DIR> d-------- D:\Program Files\Microsoft.NET
2008-08-28 12:18 . 2008-08-28 12:31 <DIR> d-------- D:\Program Files\Microsoft Works
2008-08-28 11:39 . 2008-08-28 11:39 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\Windows Search
2008-08-28 11:26 . 2008-08-28 11:26 <DIR> d-------- D:\WINDOWS\Downloaded Installations
2008-08-28 11:25 . 2008-08-28 11:25 <DIR> d-------- D:\WINDOWS\Adobe Illustrator CS
2008-08-28 11:15 . 2008-08-28 11:15 <DIR> d-------- D:\Program Files\Common Files\Adobe Systems Shared
2008-08-28 10:58 . 2008-08-28 10:58 <DIR> d-------- D:\WINDOWS\system32\GroupPolicy
2008-08-28 10:58 . 2008-08-28 10:58 <DIR> d-------- D:\Program Files\Windows Desktop Search
2008-08-28 10:58 . 2008-08-28 10:58 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\Windows Desktop Search
2008-08-28 10:57 . 2008-03-07 10:02 192,000 -----c--- D:\WINDOWS\system32\dllcache\offfilt.dll
2008-08-28 10:57 . 2008-03-07 10:02 98,304 -----c--- D:\WINDOWS\system32\dllcache\nlhtml.dll
2008-08-28 10:57 . 2008-03-07 10:02 29,696 -----c--- D:\WINDOWS\system32\dllcache\mimefilt.dll
2008-08-28 10:55 . 2008-08-28 10:55 <DIR> d-------- D:\WINDOWS\system32\URTTEMP
2008-08-28 10:29 . 2008-07-22 07:45 1,214,526 -----c--- D:\WINDOWS\system32\dllcache\sysmain.sdb
2008-08-28 10:29 . 2008-07-22 07:45 790,846 -----c--- D:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-08-28 10:29 . 2008-07-22 07:45 9,696 -----c--- D:\WINDOWS\system32\dllcache\drvmain.sdb
2008-08-28 10:27 . 2008-07-18 22:07 270,880 --a------ D:\WINDOWS\system32\mucltui.dll
2008-08-28 10:27 . 2008-07-18 22:07 29,728 --a------ D:\WINDOWS\system32\mucltui.dll.mui
2008-08-28 10:22 . 2008-06-23 09:57 6,066,176 -----c--- D:\WINDOWS\system32\dllcache\ieframe.dll
2008-08-28 10:22 . 2007-04-17 02:32 2,455,488 -----c--- D:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-08-28 10:22 . 2007-03-07 22:10 991,232 -----c--- D:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-08-28 10:22 . 2008-06-23 09:57 459,264 -----c--- D:\WINDOWS\system32\dllcache\msfeeds.dll
2008-08-28 10:22 . 2008-06-23 09:57 383,488 -----c--- D:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-08-28 10:22 . 2008-06-23 09:57 267,776 -----c--- D:\WINDOWS\system32\dllcache\iertutil.dll
2008-08-28 10:22 . 2008-06-23 09:57 63,488 -----c--- D:\WINDOWS\system32\dllcache\icardie.dll
2008-08-28 10:22 . 2008-06-23 09:57 52,224 -----c--- D:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-08-28 10:22 . 2008-06-23 02:20 13,824 -----c--- D:\WINDOWS\system32\dllcache\ieudinit.exe
2008-08-28 10:17 . 2008-08-28 10:49 <DIR> d-------- D:\Documents and Settings\Cathy\Contacts
2008-08-28 10:14 . 2008-08-28 10:14 268 --ah----- D:\sqmdata03.sqm
2008-08-28 10:14 . 2008-08-28 10:14 244 --ah----- D:\sqmnoopt03.sqm
2008-08-28 10:09 . 2008-08-28 10:09 268 --ah----- D:\sqmdata02.sqm
2008-08-28 10:09 . 2008-08-28 10:09 244 --ah----- D:\sqmnoopt02.sqm
2008-08-28 10:05 . 2008-08-28 10:05 268 --ah----- D:\sqmdata01.sqm
2008-08-28 10:05 . 2008-08-28 10:05 244 --ah----- D:\sqmnoopt01.sqm
2008-08-28 09:26 . 2008-08-28 09:26 268 --ah----- D:\sqmdata00.sqm
2008-08-28 09:26 . 2008-08-28 09:26 244 --ah----- D:\sqmnoopt00.sqm
2008-08-28 08:31 . 2008-08-28 08:33 <DIR> d-------- D:\Program Files\Spybot - Search & Destroy
2008-08-28 08:31 . 2008-09-20 04:10 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-28 08:28 . 2008-08-28 08:28 <DIR> d-------- D:\Program Files\Windows Media Connect 2
2008-08-28 08:28 . 2008-04-13 17:12 221,184 --a------ D:\WINDOWS\system32\wmpns.dll
2008-08-28 08:27 . 2008-08-28 08:27 <DIR> d-------- D:\WINDOWS\system32\drivers\UMDF
2008-08-28 08:23 . 2008-08-28 08:23 <DIR> d-------- D:\Program Files\MSN Messenger
2008-08-28 08:12 . 2008-08-28 08:12 <DIR> d-------- D:\Program Files\Winamp Toolbar
2008-08-28 08:12 . 2008-08-28 08:12 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Winamp Toolbar
2008-08-28 08:10 . 2008-08-28 08:12 <DIR> d-------- D:\Program Files\Winamp
2008-08-28 08:10 . 2008-09-01 03:13 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\Winamp
2008-08-28 07:57 . 2003-06-25 16:05 266,360 --a------ D:\WINDOWS\system32\TweakUI.exe
2008-08-28 07:57 . 2002-06-21 15:09 160,217 --a------ D:\WINDOWS\system32\PowerToysLicense.rtf
2008-08-28 07:53 . 2008-08-28 07:53 <DIR> d-------- D:\WINDOWS\Logs
2008-08-28 07:48 . 2008-08-28 07:48 <DIR> d-------- D:\Documents and Settings\Cathy\Application Data\ATI
2008-08-28 07:44 . 2006-05-03 11:57 520,192 --a------ D:\WINDOWS\system32\ati2sgag.exe
2008-08-28 07:43 . 2008-08-28 07:44 <DIR> d-------- D:\Program Files\ATI Technologies
2008-08-28 07:41 . 2008-08-28 07:41 <DIR> d-------- D:\Program Files\Hewlett-Packard
2008-08-28 07:41 . 2008-08-28 07:41 <DIR> d-------- D:\Program Files\Common Files\Hewlett-Packard
2008-08-28 07:40 . 2008-08-28 07:40 <DIR> d-------- D:\Program Files\HP
2008-08-28 07:39 . 2005-04-08 00:51 606,208 --a------ D:\WINDOWS\system32\hpotscl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 12:19 --------- d-----w D:\Program Files\microsoft frontpage
2008-07-31 17:41 68,616 ----a-w D:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 17:41 238,088 ----a-w D:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 17:40 509,448 ----a-w D:\WINDOWS\system32\XAudio2_2.dll
2008-07-30 21:55 49,152 ----a-r D:\WINDOWS\system32\inetwh32.dll
2008-07-30 21:55 1,044,480 ----a-r D:\WINDOWS\system32\roboex32.dll
2008-07-21 23:14 9,728 ----a-w D:\WINDOWS\system32\RtNicProp32.dll
2008-07-21 19:52 524,288 ----a-w D:\WINDOWS\opuc.dll
2008-07-19 05:10 94,920 ----a-w D:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w D:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w D:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w D:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w D:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w D:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w D:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w D:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:07 210,976 ----a-w D:\WINDOWS\system32\muweb.dll
2008-07-12 15:18 467,984 ----a-w D:\WINDOWS\system32\d3dx10_39.dll
2008-07-12 15:18 3,851,784 ----a-w D:\WINDOWS\system32\D3DX9_39.dll
2008-07-12 15:18 1,493,528 ----a-w D:\WINDOWS\system32\D3DCompiler_39.dll
2008-07-07 20:26 253,952 ----a-w D:\WINDOWS\system32\es.dll
.

((((((((((((((((((((((((((((( snapshot@2008-09-24_19.29.26.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-26 06:37:06 55,392 ----a-w D:\WINDOWS\system32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"osCheck"="D:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 771704]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk.disabled [2008-08-28 986]
Windows Search.lnk.disabled [2008-08-28 1787]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "D:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"ctfmon.exe"=D:\WINDOWS\system32\ctfmon.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
"swg"=D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"185b3ca4"=rundll32.exe "D:\WINDOWS\system32\foyplehm.dll",b
"WinampAgent"="D:\Program Files\Winamp\winampa.exe"
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
"SoundMan"=SOUNDMAN.EXE
"SecurDisc"=E:\Program Files\Nero 8\InCD\NBHGui.exe
"NeroFilterCheck"=D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
"NBKeyScan"="E:\Program Files\Nero 8\Nero BackItUp\NBKeyScan.exe"
"InCD"=E:\Program Files\Nero 8\InCD\InCD.exe
"ATICCC"="D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"IntelliPoint"="D:\Program Files\Microsoft IntelliPoint\ipoint.exe"
"itype"="D:\Program Files\Microsoft IntelliType Pro\itype.exe"
"Symantec PIF AlertEng"="D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
"YOP"=D:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"D:\\Program Files\\MSN Messenger\\livecall.exe"=
"E:\\Program Files\\LimeWire\\LimeWire.exe"=


*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-26 12:12:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
E:\Program Files\Nero 8\InCD\InCDsrv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Nero 8\Nero BackItUp\NBService.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\searchindexer.exe
D:\WINDOWS\system32\searchprotocolhost.exe
D:\WINDOWS\system32\searchfilterhost.exe
D:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-26 12:15:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-26 19:15:06
ComboFix2.txt 2008-09-26 02:26:37
ComboFix3.txt 2008-09-25 02:30:04

Pre-Run: 18,768,441,344 bytes free
Post-Run: 18,766,970,880 bytes free

272 --- E O F --- 2008-09-15 10:03:05





Malwarebytes' Anti-Malware 1.28
Database version: 1211
Windows 5.1.2600 Service Pack 3

9/26/2008 3:09:53 PM
mbam-log-2008-09-26 (15-09-53).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 479227
Time elapsed: 2 hour(s), 30 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 153

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\QooBox\Quarantine\D\WINDOWS\system32\aapdmxhx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\bksfsecj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\boefbukl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\bpfbhp.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\dslglpgb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\dxybpo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\efcyYPhH.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\egxhnt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\eqdeby.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\etetlw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\fhfvtt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\foyplehm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\fvlabfig.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\gmboew.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\ngqynkqw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\noukxeav.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\odbsqm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\pfcgll.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\qbnsavmt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\qgqglmgt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\bxaggbcb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\cfcmtyqw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\chgqygfs.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\cpjtlvmn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\cuwvttes.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\dbeetm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\ddcCRKBu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\hajvnnlu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\hgGwtuTJ.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\hlchveqy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\hnvjhsri.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\hokxfecd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\hpypvecu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\hrdovv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\iiqlmmdk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\ikaqdelc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\imxvwjga.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\jicrei.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\jkkiFwTn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\juabmtoa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\kakeja.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\khslpcru.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\lyvoqncq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\txtysy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\ubirgjfw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\uqpgatmd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\uynoyyph.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\vbxpefsr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\vmivpv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\rorowjpx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\rsaawobq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\rwaaleiu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\wdmexceu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\wokvmiwq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\woqaaknp.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\wstuqroj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\xqphva.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\xrwvqk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\xstxaivr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\xtvgdr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\yefefg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\zwsmgd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP82\A0009347.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP83\A0009369.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP83\A0009367.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP83\A0009368.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP84\A0009409.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP84\A0009416.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP84\A0009417.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP84\A0009418.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP85\A0012472.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP85\A0012515.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP86\A0013589.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP86\A0013597.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP86\A0014589.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP86\A0014602.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP87\A0016651.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP87\A0017651.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP87\A0017661.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP88\A0018651.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP88\A0018670.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP88\A0018683.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP88\A0018684.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP88\A0018685.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP88\A0018686.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP89\A0018695.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP89\A0018696.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP90\A0018717.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP90\A0018718.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP90\A0018720.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP90\A0018747.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018903.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018904.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018905.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018906.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018907.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018908.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018909.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018910.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018911.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018913.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018914.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018915.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018916.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018917.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018918.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018919.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018921.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018922.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018923.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018924.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018925.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018926.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018927.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018928.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018929.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018930.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018931.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018932.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018933.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018934.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018935.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018936.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018937.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018939.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018940.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018941.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018942.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018944.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018945.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018949.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018950.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018951.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018953.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018954.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018957.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018958.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018959.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018960.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018961.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018962.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018963.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018964.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018965.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018966.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018969.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018920.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018938.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP92\A0018956.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP94\A0019121.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP94\A0019123.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP94\A0019124.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A303B706-ABED-46A1-A39A-EE87FB4FD324}\RP94\A0019125.dll (Trojan.Vundo) -> Quarantined and deleted successfully.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:59 PM, on 9/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
E:\Program Files\Nero 8\InCD\InCDsrv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Nero 8\Nero BackItUp\NBService.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\system32\SearchIndexer.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
E:\DOWNLOADS\FirefoxPortable\App\firefox\firefox.exe
D:\WINDOWS\notepad.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\4.1.509.6972\swg.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - D:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "D:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Windows Search.lnk.disabled
O8 - Extra context menu item: &Winamp Search - D:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://D:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1219943999875
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://photoservices.van.fedex.com/software/ImageUploader4.cab
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Program Files\Nero 8\InCD\InCDsrv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - E:\Program Files\Nero 8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - D:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 7857 bytes
 
Assuming Combofix had removed them before this HJT detection scan,
Click to expand...
Yes...that is the case, CFScript removed them and the HJT instructions were a doublecheck by me. That is the reason I posted this:
(some of these may be gone, removed by CFScript)
Click to expand...

The bad news is the items in the MBAM report is excessive, the GOOD NEWS is all of them are either in the combofix quarantine folder or infected System Restore files which we will take care of now.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png


Clean the infected System Restore files:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we got all of the junk, no need to post a clean scan result.

Update Symantec and scan your system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.
http://www.symantec.com/enterprise/support/index.jsp

If all is well at this point, let me know and I will close your topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

In doing some research about files that look like this:
D:\sqmdata03.sqm (have different numbers) I found this information and will post it for you.
http://forums.techguy.org/windows-nt-2000-xp/453936-solved-question-about-file-sqm.html
http://answers.yahoo.com/question/index?qid=20080614191334AAb2d7X
the file association sqm stands for Service Quality Monitoring, they are used by MSN
to help to improve their programs. To get rid of them open MSN then, in the help,
select "Program to improve our services" and check "I don't want to participate in the program".
 
Thankfully it's gone.

Pskelley,
Thank you. The last scan came up clean. I appreciate your help in this matter. Would have had to wipe a drive and do a fresh install otherwise.
Again thanx, jappee
 
Status
Not open for further replies.
Back
Top