Virtumonde and Virtumonde.dll - please help

Status
Not open for further replies.
3

3rdwatch

New member
I have tried Vundofix and it did not detect anything. I did start in safe mode and ran Spybot three times. Three times I removed C:\windows\system32\ssqQijkh.dll_old I thought it was getting me no where so I run HJT and here it is.

A little background - The computer was infected so I removed the hard drive put in and formated a small one and reloaded Windows XP to SP3 and I still have this problem. Can it be in the computer carried through the memory?

Let me know if you can help.

3rdwatch
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

If you still need help, read the directions posted above and pinned (sticky) at the top of this forum, including this one:
All logs should be copy/pasted into topic and not attached unless requested by helper in that format.
Click to expand...
Copy and paste the HJT log as instructed and I will be glad to take a look.

Thanks
 
My computer is not user friendly

Sorry. Here is my HJT file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:26 PM, on 6/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: {aa4104a2-c2fd-c7cb-6174-e0bc4d83a6b2} - {2b6a38d4-cb0e-4716-bc7c-df2c2a4014aa} - C:\WINDOWS\system32\kirivw.dll
O2 - BHO: (no name) - {399E3A6A-CB7F-4204-B642-E871775FB2B8} - C:\WINDOWS\system32\ssqPIcbA.dll (file missing)
O2 - BHO: (no name) - {45EDA2CC-030E-4D66-A4C1-7EB22A348379} - C:\WINDOWS\system32\ddcDutqq.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {599C79BA-DF65-42F4-89C8-4126C8649228} - C:\WINDOWS\system32\ssqQijkh.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {AFDEA771-B847-4729-8F41-698CCDE2E00C} - C:\WINDOWS\system32\geBsttRL.dll (file missing)
O2 - BHO: (no name) - {BA2A2046-75A4-47C0-A09C-F0DCC706D39B} - C:\WINDOWS\system32\jkkJdCRL.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [8ce7743f] rundll32.exe "C:\WINDOWS\system32\kmkuctme.dll",b
O4 - HKLM\..\Run: [BM8fd447a3] Rundll32.exe "C:\WINDOWS\system32\ouyhdnjc.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1214626441281
O20 - Winlogon Notify: jkkJdCRL - C:\WINDOWS\SYSTEM32\jkkJdCRL.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 4773 bytes



Three times in safe mode I ran Spybot and deleted C:\windows\system32\ssqQijkh.dll_old file

In restarting more files were created. I have the Viruralmonde and .dll files. They were not detected by Vundofix so I have kept looking for an answer.
 
Thanks for the HJT log, Spybot S&D is a great program but as of now it and few others can remove this junk.
I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.

1) I don't see TeaTimer running but if it is:
We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks
 
ComboFix and HJT logs

Here they are.

ComboFix

ComboFix 08-07-02.5 - Cole 2008-07-03 21:12:01.3 - NTFSx86
Running from: C:\Documents and Settings\Cole\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM8fd447a3.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cnazub.dll
C:\WINDOWS\system32\emtcukmk.ini
C:\WINDOWS\system32\fkwjmfyo.ini
C:\WINDOWS\system32\hkjiQqss.ini
C:\WINDOWS\system32\hkjiQqss.ini2
C:\WINDOWS\system32\jkkJdCRL.dll
C:\WINDOWS\system32\kirivw.dll
C:\WINDOWS\system32\knybsvjn.ini
C:\WINDOWS\system32\njvsbynk.dll
C:\WINDOWS\system32\oiqcumeu.dll
C:\WINDOWS\system32\ouyhdnjc.dll
C:\WINDOWS\system32\qybtky.dll
C:\WINDOWS\system32\tAHkknmp.ini
C:\WINDOWS\system32\tAHkknmp.ini2
C:\WINDOWS\system32\tsgaclrs.dll
C:\WINDOWS\system32\uemucqio.ini
C:\WINDOWS\system32\wcifmnhl.dll
C:\WINDOWS\system32\yddnkhfd.dll
C:\WINDOWS\system32\ygbodloq.dll
C:\WINDOWS\system32\yintbrcp.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 )))))))))))))))))))))))))))))))
.

2008-07-02 20:59 . 2008-07-02 23:14 <DIR> d-------- C:\Documents and Settings\Cole\.housecall6.6
2008-06-29 17:24 . 2008-06-29 17:24 284,672 --a------ C:\WINDOWS\system32\pmnkkHAt.dll_old
2008-06-29 17:21 . 2008-06-29 17:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-29 13:56 . 2008-07-03 18:27 110,415 --a------ C:\WINDOWS\BM8fd447a3.xml
2008-06-29 00:27 . 2008-06-29 00:27 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-29 00:26 . 2008-06-29 00:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-28 20:59 . 2008-07-02 21:48 <DIR> d-------- C:\WINDOWS\CAVTemp
2008-06-28 15:55 . 2008-06-28 15:55 <DIR> d-------- C:\VundoFix Backups
2008-06-28 11:58 . 2008-07-03 20:58 762 --a------ C:\WINDOWS\wininit.ini
2008-06-28 00:59 . 2008-06-28 00:59 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-28 00:59 . 2008-07-03 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-28 00:57 . 2008-06-28 00:57 <DIR> d-------- C:\Program Files\Tetris
2008-06-28 00:49 . 2008-06-28 00:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-28 00:47 . 2008-06-28 00:47 880,560 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-06-28 00:47 . 2008-06-28 00:47 108,368 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-06-28 00:46 . 2008-06-28 00:46 <DIR> d-------- C:\Program Files\CA
2008-06-28 00:46 . 2008-06-28 00:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2008-06-28 00:46 . 2008-06-28 00:57 99,904 --a------ C:\WINDOWS\system32\isafeif.dll
2008-06-28 00:46 . 2008-06-28 00:57 79,424 --a------ C:\WINDOWS\system32\vetredir.dll
2008-06-28 00:46 . 2008-06-28 00:57 75,280 --a------ C:\WINDOWS\system32\isafprod.dll
2008-06-28 00:46 . 2008-06-28 00:57 32,528 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-06-28 00:46 . 2008-06-28 00:57 26,640 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-06-28 00:46 . 2008-06-28 00:57 21,648 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-06-28 00:46 . 2008-06-28 00:57 21,392 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-06-28 00:45 . 2008-06-28 21:00 <DIR> d-------- C:\Program Files\Google
2008-06-28 00:44 . 2008-04-13 13:45 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-06-28 00:23 . 2008-04-22 23:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-28 00:23 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-28 00:23 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-28 00:23 . 2008-04-22 23:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-28 00:23 . 2008-04-22 23:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-28 00:23 . 2008-04-22 23:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-28 00:23 . 2008-04-22 23:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-28 00:23 . 2008-04-22 23:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-28 00:23 . 2008-04-22 02:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-28 00:05 . 2008-06-13 06:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-28 00:04 . 2008-05-08 09:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-27 23:51 . 2008-06-27 23:51 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-27 23:51 . 2008-06-27 23:51 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-27 23:51 . 2008-06-27 23:51 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-27 23:51 . 2008-06-27 23:51 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-27 23:49 . 2008-06-27 23:49 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-27 23:39 . 2008-06-27 23:39 <DIR> d-------- C:\WINDOWS\EHome
2008-06-27 23:31 . 2004-08-03 22:29 701,440 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-06-27 23:20 . 2008-06-28 00:25 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-06-27 23:20 . 2007-08-10 20:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-27 23:14 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-06-27 23:14 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-06-27 23:14 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-06-27 23:14 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-06-27 23:14 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-06-27 23:13 . 2008-06-27 23:13 <DIR> d--hs---- C:\Documents and Settings\Cole\UserData
2008-06-27 23:13 . 2008-06-27 23:13 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-06-27 23:00 . 2008-07-02 20:59 <DIR> d-------- C:\Documents and Settings\Cole

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-28 03:50 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-16 16:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 10:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 10:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 10:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 299,520 ----a-w C:\WINDOWS\system32\drmclien.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 21:00 103,424 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:35 24,064 ----a-w C:\WINDOWS\system32\pidgen.dll
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,065,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:28 2,940,928 ----a-w C:\WINDOWS\system32\wmploc.dll
2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:23 8,192 ----a-w C:\WINDOWS\system32\asferror.dll
2008-04-13 17:23 168,448 ----a-w C:\WINDOWS\system32\wmerror.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-28_19.22.09.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-29 00:18:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-04 02:50:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-02 19:22:56 385,536 ----a-w C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
+ 2008-01-16 03:12:48 296,336 ----a-w C:\WINDOWS\Downloaded Program Files\rufsi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-28 00:46 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-06-28 00:57 177416]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-06-28 00:57 230928]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04281118-44d7-11dd-aa10-00e0184fdf2a}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
- - - - ORPHANS REMOVED - - - -

BHO-{1636F804-0AD6-4D91-BAB4-FA325B22979A} - C:\WINDOWS\system32\pmnkkHAt.dll
BHO-{399E3A6A-CB7F-4204-B642-E871775FB2B8} - C:\WINDOWS\system32\ssqPIcbA.dll
BHO-{45EDA2CC-030E-4D66-A4C1-7EB22A348379} - C:\WINDOWS\system32\ddcDutqq.dll
BHO-{599C79BA-DF65-42F4-89C8-4126C8649228} - C:\WINDOWS\system32\ssqQijkh.dll
BHO-{AFDEA771-B847-4729-8F41-698CCDE2E00C} - C:\WINDOWS\system32\geBsttRL.dll
HKLM-Run-8ce7743f - C:\WINDOWS\system32\oiqcumeu.dll
HKLM-Run-BM8fd447a3 - C:\WINDOWS\system32\ygbodloq.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-03 21:51:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
.
**************************************************************************
.
Completion time: 2008-07-03 21:55:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-04 02:54:21
ComboFix2.txt 2008-06-29 05:20:23
ComboFix3.txt 2008-06-29 00:24:47

Pre-Run: 1,016,688,640 bytes free
Post-Run: 1,004,306,432 bytes free

202 --- E O F --- 2008-06-28 05:25:40


HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:18 PM, on 7/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1214626441281
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 4096 bytes


I have disconnected this computer from the internet. It asked several times during the ComboFix run if I wanted to connect to the net.

I did not.

Thanks.
 
Thanks for returning your information, read and follow all directions carefully and in the numbered order.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINDOWS\BM8fd447a3.xml <<< delete that file

C:\WINDOWS\system32\pmnkkHAt.dll_old <<< delete that file

C:\VundoFix Backups <<< delete that folder and contents

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

6) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file in your next reply.

Tell me how the computer is running.

Thanks
 
Wow - quite an improvement!

Computer is running much better. I rebooted and it came right up.

Here is the log:

Malwarebytes' Anti-Malware 1.19
Database version: 921
Windows 5.1.2600 Service Pack 3

5:40:34 PM 7/4/2008
mbam-log-7-4-2008 (17-40-34).txt

Scan type: Full Scan (C:\|)
Objects scanned: 49704
Time elapsed: 13 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\Documents and Settings\Cole\lsass.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8716F7CE-D2E9-44A2-A471-6727BC45E46A}\RP10\A0003799.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8716F7CE-D2E9-44A2-A471-6727BC45E46A}\RP7\A0003603.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8716F7CE-D2E9-44A2-A471-6727BC45E46A}\RP7\A0003604.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8716F7CE-D2E9-44A2-A471-6727BC45E46A}\RP8\A0003637.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8716F7CE-D2E9-44A2-A471-6727BC45E46A}\RP9\A0003711.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Thanks.
 
Thanks for that feedback, I see infected System Restore files in the MBAM scan, we will clean those soon. This is the next bridge we must cross.

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with combofix, click NO

RC_whatnext.gif


RC_AllDone.gif


Thanks
 
That respose was pretty fast.

Here is the last CF-RC log. I did not come up exactly as your response said. It may have been fast and I was slow looking.

Altough it looks like the RC was not insatlled.

Let me know the next step.


ComboFix 08-07-02.5 - Cole 2008-07-04 19:45:38.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1621 [GMT -5:00]
Running from: C:\Documents and Settings\Cole\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.

2008-07-04 17:22 . 2008-07-04 17:22 <DIR> d-------- C:\Documents and Settings\Cole\Application Data\Malwarebytes
2008-07-04 17:22 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-04 17:21 . 2008-07-04 17:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-04 17:21 . 2008-07-04 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-04 17:21 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-02 20:59 . 2008-07-02 23:14 <DIR> d-------- C:\Documents and Settings\Cole\.housecall6.6
2008-06-29 17:21 . 2008-06-29 17:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-29 00:27 . 2008-06-29 00:27 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-29 00:26 . 2008-06-29 00:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-28 20:59 . 2008-07-04 18:31 <DIR> d-------- C:\WINDOWS\CAVTemp
2008-06-28 11:58 . 2008-07-03 20:58 762 --a------ C:\WINDOWS\wininit.ini
2008-06-28 00:59 . 2008-06-28 00:59 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-28 00:59 . 2008-07-03 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-28 00:57 . 2008-06-28 00:57 <DIR> d-------- C:\Program Files\Tetris
2008-06-28 00:49 . 2008-06-28 00:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-28 00:47 . 2008-06-28 00:47 880,560 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-06-28 00:47 . 2008-06-28 00:47 108,368 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-06-28 00:46 . 2008-06-28 00:46 <DIR> d-------- C:\Program Files\CA
2008-06-28 00:46 . 2008-06-28 00:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2008-06-28 00:46 . 2008-06-28 00:57 99,904 --a------ C:\WINDOWS\system32\isafeif.dll
2008-06-28 00:46 . 2008-06-28 00:57 79,424 --a------ C:\WINDOWS\system32\vetredir.dll
2008-06-28 00:46 . 2008-06-28 00:57 75,280 --a------ C:\WINDOWS\system32\isafprod.dll
2008-06-28 00:46 . 2008-06-28 00:57 32,528 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-06-28 00:46 . 2008-06-28 00:57 26,640 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-06-28 00:46 . 2008-06-28 00:57 21,648 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-06-28 00:46 . 2008-06-28 00:57 21,392 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-06-28 00:45 . 2008-06-28 21:00 <DIR> d-------- C:\Program Files\Google
2008-06-28 00:44 . 2008-04-13 13:45 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-06-28 00:23 . 2008-04-22 23:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-28 00:23 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-28 00:23 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-28 00:23 . 2008-04-22 23:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-28 00:23 . 2008-04-22 23:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-28 00:23 . 2008-04-22 23:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-28 00:23 . 2008-04-22 23:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-28 00:23 . 2008-04-22 23:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-28 00:23 . 2008-04-22 02:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-28 00:05 . 2008-06-13 06:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-28 00:04 . 2008-05-08 09:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-27 23:51 . 2008-06-27 23:51 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-27 23:51 . 2008-06-27 23:51 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-27 23:51 . 2008-06-27 23:51 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-27 23:51 . 2008-06-27 23:51 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-27 23:49 . 2008-06-27 23:49 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-27 23:39 . 2008-06-27 23:39 <DIR> d-------- C:\WINDOWS\EHome
2008-06-27 23:31 . 2004-08-03 22:29 701,440 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-06-27 23:20 . 2008-06-28 00:25 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-06-27 23:20 . 2007-08-10 20:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-27 23:14 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-06-27 23:14 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-06-27 23:14 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-06-27 23:14 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-06-27 23:14 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-06-27 23:13 . 2008-06-27 23:13 <DIR> d--hs---- C:\Documents and Settings\Cole\UserData
2008-06-27 23:13 . 2008-06-27 23:13 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-06-27 23:00 . 2008-07-02 20:59 <DIR> d-------- C:\Documents and Settings\Cole

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-28 03:50 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-16 16:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 10:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 10:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 10:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 299,520 ----a-w C:\WINDOWS\system32\drmclien.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 21:00 103,424 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:35 24,064 ----a-w C:\WINDOWS\system32\pidgen.dll
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,065,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:28 2,940,928 ----a-w C:\WINDOWS\system32\wmploc.dll
2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:23 8,192 ----a-w C:\WINDOWS\system32\asferror.dll
2008-04-13 17:23 168,448 ----a-w C:\WINDOWS\system32\wmerror.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-28_19.22.09.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-29 00:18:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-04 22:58:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-02 19:22:56 385,536 ----a-w C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
+ 2008-01-16 03:12:48 296,336 ----a-w C:\WINDOWS\Downloaded Program Files\rufsi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-28 00:46 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-06-28 00:57 177416]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-06-28 00:57 230928]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04281118-44d7-11dd-aa10-00e0184fdf2a}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 19:46:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-04 19:48:22
ComboFix-quarantined-files.txt 2008-07-05 00:48:07
ComboFix2.txt 2008-07-04 02:55:06
ComboFix3.txt 2008-06-29 05:20:23
ComboFix4.txt 2008-06-29 00:24:47

Pre-Run: 1,023,983,616 bytes free
Post-Run: 1,014,935,552 bytes free

164 --- E O F --- 2008-06-28 05:25:40


Thanks.
 
Looks like it was not installed to me also. You need to look at the instructions starting here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
How to install and use the Windows XP Recovery Console

and ending about here:
Once the Windows Recovery Console has finished installed, ComboFix will open a prompt stating that it was installed and asking if you would like to proceed with scanning your computer

at that point look closely at the screenshot I posted for you so you can choose NO when you are asked if you want to run combofix.

You must read the directions carefully, this is a powerful tool and it needs to be used as intended.
 
RC installed

Thanks for your help. I am trying to follow instructions.

It did get installed, but not like you outlined. Is it okay?

Let me know.


ComboFix 08-07-02.5 - Cole 2008-07-04 21:15:30.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1727 [GMT -5:00]
Running from: C:\Documents and Settings\Cole\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.

2008-07-04 17:22 . 2008-07-04 17:22 <DIR> d-------- C:\Documents and Settings\Cole\Application Data\Malwarebytes
2008-07-04 17:22 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-04 17:21 . 2008-07-04 17:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-04 17:21 . 2008-07-04 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-04 17:21 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-02 20:59 . 2008-07-02 23:14 <DIR> d-------- C:\Documents and Settings\Cole\.housecall6.6
2008-06-29 17:21 . 2008-06-29 17:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-29 00:27 . 2008-06-29 00:27 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-29 00:26 . 2008-06-29 00:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-28 20:59 . 2008-07-04 18:31 <DIR> d-------- C:\WINDOWS\CAVTemp
2008-06-28 11:58 . 2008-07-03 20:58 762 --a------ C:\WINDOWS\wininit.ini
2008-06-28 00:59 . 2008-06-28 00:59 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-28 00:59 . 2008-07-03 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-28 00:57 . 2008-06-28 00:57 <DIR> d-------- C:\Program Files\Tetris
2008-06-28 00:49 . 2008-06-28 00:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-28 00:47 . 2008-06-28 00:47 880,560 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-06-28 00:47 . 2008-06-28 00:47 108,368 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-06-28 00:46 . 2008-06-28 00:46 <DIR> d-------- C:\Program Files\CA
2008-06-28 00:46 . 2008-06-28 00:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2008-06-28 00:46 . 2008-06-28 00:57 99,904 --a------ C:\WINDOWS\system32\isafeif.dll
2008-06-28 00:46 . 2008-06-28 00:57 79,424 --a------ C:\WINDOWS\system32\vetredir.dll
2008-06-28 00:46 . 2008-06-28 00:57 75,280 --a------ C:\WINDOWS\system32\isafprod.dll
2008-06-28 00:46 . 2008-06-28 00:57 32,528 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-06-28 00:46 . 2008-06-28 00:57 26,640 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-06-28 00:46 . 2008-06-28 00:57 21,648 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-06-28 00:46 . 2008-06-28 00:57 21,392 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-06-28 00:45 . 2008-06-28 21:00 <DIR> d-------- C:\Program Files\Google
2008-06-28 00:44 . 2008-04-13 13:45 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-06-28 00:23 . 2008-04-22 23:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-28 00:23 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-28 00:23 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-28 00:23 . 2008-04-22 23:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-28 00:23 . 2008-04-22 23:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-28 00:23 . 2008-04-22 23:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-28 00:23 . 2008-04-22 23:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-28 00:23 . 2008-04-22 23:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-28 00:23 . 2008-04-22 02:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-28 00:05 . 2008-06-13 06:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-28 00:04 . 2008-05-08 09:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-27 23:51 . 2008-06-27 23:51 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-27 23:51 . 2008-06-27 23:51 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-27 23:51 . 2008-06-27 23:51 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-27 23:51 . 2008-06-27 23:51 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-27 23:49 . 2008-06-27 23:49 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-27 23:39 . 2008-06-27 23:39 <DIR> d-------- C:\WINDOWS\EHome
2008-06-27 23:31 . 2004-08-03 22:29 701,440 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-06-27 23:20 . 2008-06-28 00:25 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-06-27 23:20 . 2007-08-10 20:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-27 23:14 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-06-27 23:14 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-06-27 23:14 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-06-27 23:14 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-06-27 23:14 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-06-27 23:13 . 2008-06-27 23:13 <DIR> d--hs---- C:\Documents and Settings\Cole\UserData
2008-06-27 23:13 . 2008-06-27 23:13 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-06-27 23:00 . 2008-07-02 20:59 <DIR> d-------- C:\Documents and Settings\Cole

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-28 03:50 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-16 16:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 10:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 10:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 10:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 299,520 ----a-w C:\WINDOWS\system32\drmclien.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 21:00 103,424 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:35 24,064 ----a-w C:\WINDOWS\system32\pidgen.dll
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,065,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:28 2,940,928 ----a-w C:\WINDOWS\system32\wmploc.dll
2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:23 8,192 ----a-w C:\WINDOWS\system32\asferror.dll
2008-04-13 17:23 168,448 ----a-w C:\WINDOWS\system32\wmerror.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-28_19.22.09.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-29 00:18:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-05 02:12:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-02 19:22:56 385,536 ----a-w C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
+ 2008-01-16 03:12:48 296,336 ----a-w C:\WINDOWS\Downloaded Program Files\rufsi.dll
+ 2001-07-14 22:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-28 00:46 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-06-28 00:57 177416]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-06-28 00:57 230928]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04281118-44d7-11dd-aa10-00e0184fdf2a}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c141aba-44d5-11dd-aa0f-00e0184fdf2a}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 21:16:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-04 21:18:20
ComboFix-quarantined-files.txt 2008-07-05 02:18:08
ComboFix2.txt 2008-07-05 00:48:23
ComboFix3.txt 2008-07-04 02:55:06
ComboFix4.txt 2008-06-29 05:20:23
ComboFix5.txt 2008-06-29 00:24:47

Pre-Run: 1,028,562,944 bytes free
Post-Run: 1,018,187,776 bytes free

167 --- E O F --- 2008-06-28 05:25:40
 
Remove combofix from your computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png


How is your computer running, any malware problems?

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
 
Infections

It is uninstalled. Should I do the same to the malware program?

I have not been using the computer for much since the infection but it seems to run fine.


From your post#8 -Thanks for that feedback, I see infected System Restore files in the MBAM scan, we will clean those soon. This is the next bridge we must cross.

Do we need to remove the Systerm Restore files? Here is the current HJT log.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:45 AM, on 7/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1214626441281
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 4017 bytes

Thanks for all of your help.

How did you learn about the trojans, malware and etc anyway?
 
Do we need to remove the Systerm Restore files?
Click to expand...
I posted those instructions for you:
Clear System Restore Points for Performance
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
How did you learn about the trojans, malware and etc anyway?
Click to expand...
It all started when I got infected maybe ten years ago. I went to Dell forums and the helper because my mentor and pointed me in the direction of free online training. The free online training is still available if you have an interest. Malware is no longer easy to remove as kids playing games were moved aside by organized crime:
Example: http://en.wikipedia.org/wiki/Russian_Business_Network
http://rbnexploit.blogspot.com/
as I said, free training is available, but it is not easy, requires a lot of hard work on your part and a desire to help people.

MBAM is a good free on demand scanner, keep it if you wish.

Thanks...Phil
 
Computer runs great.

Many thanks. I deleted the restore points and the computer is fine. I also reactivated the anti-virus programs.

I would like to know more about this free training for malware and trojans.

You spoke of helping people. This computer is my brothers. His grandchildren were on it (I am cleaning it up for no charge). His daughter's (their mother) computer is next. It problably has similar problems.

Thanks again :bigthumb: and let me know what I need to do to sign up for the training.
 
 
Status
Not open for further replies.
Back
Top