Virtumonde Prx detected please help

Status
Not open for further replies.
J

jjshodan20

New member
Spybot S & D has detected Virtumonde Prx on my system, attempted to remove Virtumonde using the giude from Bleepingcomputer.com
(http://www.bleepingcomputer.com/virus-removal/remove-vundo-virtumonde)
including the use of the following tools:

rkill.com
Malwarebytes
Vundo Fix
Virtumundoegone

Though Malwarebytes found traces of Virtumonde prx in the system and said it removed it. System still suffers symptoms and Spybot still detects its presence.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Executive_Director2 at 13:12:07.48 on Mon 06/14/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.329 [GMT -4:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ScanSoft\PaperPort\xdcla.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Executive_Director2\My Documents\stickit.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Executive_Director2\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.patchoguechamber.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
uRun: [Pnalegixo] rundll32.exe "c:\windows\mtkbdhut.dll",Startup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [PCDrProfiler]
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Azecexopakenupi] rundll32.exe "c:\windows\ilisehih.dll",Startup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\docume~1\execut~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\execut~1\startm~1\programs\startup\shortc~1.lnk - c:\documents and settings\executive_director2\my documents\stickit.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imager~1.lnk - c:\program files\scansoft\paperport\xdcla.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: netscape.com\mail.isp
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2005\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-3 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-3 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-3 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100604.004\IDSXpx86.sys [2010-6-9 331640]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-2-3 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100613.018\NAVENG.SYS [2010-6-14 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100613.018\NAVEX15.SYS [2010-6-14 1347504]
R3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb20 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB20 [?]
S2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb17 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]
S2 SpPortEx;Samsung Port Exclusion;c:\windows\system32\drivers\SpPortEx.sys [2006-12-17 7168]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-11-13 30192]

=============== Created Last 30 ================

2010-06-11 18:19:05 0 d-----w- C:\VundoFix Backups
2010-06-11 16:01:04 0 d-----w- c:\docume~1\execut~1\applic~1\Malwarebytes
2010-06-11 15:56:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-11 15:56:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-10 16:34:35 0 d-----w- c:\docume~1\alluse~1\applic~1\SQL Anywhere 11
2010-06-10 16:29:47 19 ----a-w- c:\windows\QBChanUtil_Trigger.ini
2010-06-10 16:28:50 4194304 ----a-w- c:\windows\system32\cdintf400.dll
2010-06-10 16:06:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Nuance
2010-06-10 15:40:12 0 d-----w- c:\windows\system32\XPSViewer
2010-06-10 15:35:45 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-06-10 15:35:45 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-06-10 15:35:45 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-06-10 15:35:45 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-06-10 15:35:45 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-06-10 15:35:45 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-06-10 15:35:45 117760 ------w- c:\windows\system32\prntvpt.dll
2010-06-10 15:22:36 0 d-----w- c:\program files\MSXML 6.0
2010-06-10 14:08:45 0 d-----w- c:\windows\Intuit
2010-06-10 13:53:47 0 d-----w- c:\program files\Akamai
2010-06-10 13:39:22 14585856 ----a-w- C:\Greater Patchogue Foundation Inc (Backup Jun 10,2010 09 38 AM).QBB
2010-06-03 13:49:12 24391680 ----a-w- C:\Greater Patchogue Chamber of Commerce (Backup Jun 03,2010 09 48 AM).QBB
2010-06-03 13:47:40 24387584 ----a-w- C:\Greater Patchogue Chamber of Commerce (Backup Jun 03,2010 09 46 AM).QBB
2010-06-03 12:47:25 14540800 ----a-w- C:\Greater Patchogue Foundation Inc (Backup Jun 03,2010 08 46 AM).QBB
2010-06-01 14:06:59 120 ----a-w- c:\windows\Vbibikuxiya.dat
2010-06-01 14:06:59 0 ----a-w- c:\windows\Uxumabupiceri.bin
2010-05-27 14:20:09 24354816 ----a-w- C:\Greater Patchogue Chamber of Commerce (Backup May 27,2010 10 19 AM).QBB
2010-05-27 13:22:46 14491648 ----a-w- C:\Greater Patchogue Foundation Inc (Backup May 27,2010 09 22 AM).QBB

==================== Find3M ====================

2010-06-02 17:17:02 157069 ----a-w- C:\BACKUP-MMS-CONSTITUENTS-AUTOBACKUP-LAST.ZIP
2010-05-12 16:26:07 157014 ----a-w- C:\BACKUP-MMS-CONSTITUENTS-AUTOBACKUP-OLD.ZIP
2010-05-03 17:21:38 157043 ----a-w- C:\BACKUP-MMS-CONSTITUENTS-AUTOBACKUP-OLDER.ZIP
2010-03-30 14:54:45 157045 ----a-w- C:\BACKUP-MMS-CONSTITUENTS-AUTOBACKUP-OLDEST.ZIP
2010-03-26 14:27:59 237623 ----a-w- C:\BACKUP-MMS-FRIENDSOF-AUTOBACKUP-LAST.ZIP

============= FINISH: 13:14:13.64 ===============
 
Hello jjshodan20 and :welcome:

My name is JonTom.

  • Malware Logs can sometimes take a lot of time to research and interpret.
  • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
  • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
  • PLEASE NOTE: If you do not reply after 5 days your thread will be closed.


  1. Combofix

    • Download ComboFix from one of the following locations:

      Link 1
      Link 2
    • VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
    • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here .
    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

    RC1.png

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    RC2-1.png

    • Click on Yes, to continue scanning for malware.
    • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    • Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    • Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
 
JonTom,
Thank you for getting back to me. I did as instructed and ran Combofix. It had to restart initially because it found Rkil still running. This was one of the tools I was instructed to use from the Bleepingcomputer.com guide but I had deleted it after I finished using it as the guide had instructed, I found this rather odd.

Combofix rebooted the computer and scanned it. When it reached the desktop though, two error messages about programs unable to start popped up. Unfortunately the messages went by too fast for me to write down. Just thought you should know in order to help you to assist me with this problem, which I appreciate.

Here is the Combofix log:

ComboFix 10-06-17.02 - Executive_Director2 06/18/2010 10:58:28.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.518 [GMT -4:00]
Running from: c:\documents and settings\Executive_Director2\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Executive_Director2\Local Settings\Application Data\{74B13F74-A436-489B-9934-DD0FA144C9B2}
c:\documents and settings\Executive_Director2\Local Settings\Application Data\{74B13F74-A436-489B-9934-DD0FA144C9B2}\chrome.manifest
c:\documents and settings\Executive_Director2\Local Settings\Application Data\{74B13F74-A436-489B-9934-DD0FA144C9B2}\chrome\content\_cfg.js
c:\documents and settings\Executive_Director2\Local Settings\Application Data\{74B13F74-A436-489B-9934-DD0FA144C9B2}\chrome\content\overlay.xul
c:\documents and settings\Executive_Director2\Local Settings\Application Data\{74B13F74-A436-489B-9934-DD0FA144C9B2}\install.rdf
c:\windows\ilisehih.dll
c:\windows\mtkbdhut.dll
c:\windows\system32\bszip.dll
c:\windows\system32\win.com
D:\Autorun.inf
J:\Autorun.inf

Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 )))))))))))))))))))))))))))))))
.

2010-06-14 17:21 . 2010-06-14 17:21 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-14 17:21 . 2010-06-14 17:21 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-14 17:19 . 2010-06-14 17:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-14 16:53 . 2010-06-14 16:54 -------- d-----w- c:\program files\ERUNT
2010-06-11 18:19 . 2010-06-11 18:19 -------- d-----w- C:\VundoFix Backups
2010-06-11 16:01 . 2010-06-11 16:01 -------- d-----w- c:\documents and settings\Executive_Director2\Application Data\Malwarebytes
2010-06-11 15:56 . 2010-06-11 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-11 15:56 . 2010-06-11 18:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-11 14:31 . 2010-06-11 14:30 975136 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch2.exe
2010-06-11 14:31 . 2010-06-11 14:30 44832 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch.exe
2010-06-11 14:31 . 2010-06-11 14:29 348160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcr71.dll
2010-06-11 14:31 . 2010-06-11 14:29 499712 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcp71.dll
2010-06-10 16:51 . 2010-06-17 20:20 3341 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\qbbackup.sys
2010-06-10 16:34 . 2010-06-10 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 11
2010-06-10 16:28 . 2009-06-22 13:14 4194304 ----a-w- c:\windows\system32\cdintf400.dll
2010-06-10 16:06 . 2010-06-10 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
2010-06-10 15:45 . 2010-06-17 20:22 192096 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-10 15:40 . 2010-06-10 15:40 -------- d-----w- c:\windows\system32\XPSViewer
2010-06-10 15:39 . 2010-06-10 15:39 -------- d-----w- c:\program files\MSBuild
2010-06-10 15:39 . 2010-06-10 15:39 -------- d-----w- c:\program files\Reference Assemblies
2010-06-10 15:38 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-06-10 15:35 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-06-10 15:35 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-06-10 15:35 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-06-10 15:35 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-06-10 15:35 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-06-10 15:35 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-06-10 15:35 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-06-10 15:35 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-06-10 15:22 . 2010-06-10 15:22 -------- d-----w- c:\program files\MSXML 6.0
2010-06-10 14:08 . 2010-06-10 14:08 -------- d-----w- c:\windows\Intuit
2010-06-10 13:53 . 2010-06-10 16:36 -------- d-----w- c:\documents and settings\Executive_Director2\Application Data\Download Manager
2010-06-10 13:53 . 2010-06-10 13:53 -------- d-----w- c:\program files\Akamai
2010-06-04 14:01 . 2010-06-04 14:01 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-06-01 14:06 . 2010-06-18 13:58 0 ----a-w- c:\windows\Uxumabupiceri.bin
2010-06-01 14:06 . 2010-06-11 18:16 120 ----a-w- c:\windows\Vbibikuxiya.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-17 15:30 . 2007-01-19 15:34 1418329 ----a-w- C:\BACKUP-MMS-GREATERPATCH-AUTOBACKUP-LAST.ZIP
2010-06-15 15:03 . 2007-02-05 14:42 157068 ----a-w- C:\BACKUP-MMS-CONSTITUENTS-AUTOBACKUP-LAST.ZIP
2010-06-11 19:22 . 2009-01-20 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-10 16:44 . 2006-12-15 14:15 63304 ----a-w- c:\documents and settings\Executive_Director2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-10 16:31 . 2007-01-25 15:14 8944 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2010-06-10 16:16 . 2006-10-09 17:29 -------- d-----w- c:\program files\Common Files\Intuit
2010-06-07 13:45 . 2009-10-20 19:35 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-02 17:17 . 2007-02-05 14:42 157069 ----a-w- C:\BACKUP-MMS-CONSTITUENTS-AUTOBACKUP-OLD.ZIP
2010-05-14 17:56 . 2009-01-20 20:20 -------- d-----w- c:\program files\CCleaner
2010-05-12 16:26 . 2007-02-05 14:42 157014 ----a-w- C:\BACKUP-MMS-CONSTITUENTS-AUTOBACKUP-OLDER.ZIP
2010-05-03 17:21 . 2007-02-05 14:42 157043 ----a-w- C:\BACKUP-MMS-CONSTITUENTS-AUTOBACKUP-OLDEST.ZIP
2010-04-27 14:39 . 2006-10-09 17:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-23 15:10 . 2008-05-29 15:32 -------- d-----w- c:\documents and settings\Executive_Director2\Application Data\U3
2010-03-26 14:27 . 2007-02-10 16:38 237623 ----a-w- C:\BACKUP-MMS-FRIENDSOF-AUTOBACKUP-LAST.ZIP
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 712704]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-03-02 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-03-02 40960]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-07 30192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-01-27 1337608]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-09 180269]

c:\documents and settings\QBDataServiceUser17\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-10-9 27136]

c:\documents and settings\Executive_Director2\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Shortcut to stickit.lnk - c:\documents and settings\Executive_Director2\My Documents\stickit.exe [2007-2-10 98304]

c:\documents and settings\QBDataServiceUser20\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-10-9 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Image Retriever.lnk - c:\program files\ScanSoft\PaperPort\xdcla.exe [2004-6-16 184320]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-5-18 1154848]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-2-10 389120]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-10-09 17:16 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"c:\\Documents and Settings\\Executive_Director2\\My Documents\\stickit.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/3/2010 11:56 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/3/2010 11:56 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/3/2010 11:56 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100617.001\IDSXpx86.sys [6/18/2010 10:13 AM 331640]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2/3/2010 11:56 AM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 4:07 PM 102448]
R3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB20 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB20 [?]
S2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]
S2 SpPortEx;Samsung Port Exclusion;c:\windows\system32\drivers\SpPortEx.sys [12/17/2006 3:04 PM 7168]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/13/2008 2:54 PM 30192]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.patchoguechamber.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: netscape.com\mail.isp
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2005\HelpAsyncPluggableProtocol.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Pnalegixo - c:\windows\mtkbdhut.dll
HKLM-Run-PCDrProfiler - (no file)
HKLM-Run-Azecexopakenupi - c:\windows\ilisehih.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-18 11:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2156)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe
c:\windows\system32\wscntfy.exe
c:\windows\system\hpsysdrv.exe
c:\program files\Java\jre1.5.0_06\bin\jusched.exe
.
**************************************************************************
.
Completion time: 2010-06-18 11:15:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-18 15:15

Pre-Run: 43,905,073,152 bytes free
Post-Run: 43,843,702,784 bytes free

- - End Of File - - 3A3F42FB288DC796C27EA048F648DB4F


Thank you again for your help
 
Hello jjshodan20

Thank you for the log. We need to use ComboFix again, but this time we will be running it in a slightly different way.

  1. Please work through the following steps

    • Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").
    • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
    • Copy and Paste the text in the codebox below (including the link) into the open Notepad window:

      Code: 
      http://forums.spybot.info/showthread.php?t=58094

collect::
c:\windows\Uxumabupiceri.bin
c:\windows\Vbibikuxiya.dat

    • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
    • Close any open browsers.
    • Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Refering to the picture below, drag CFScript.txt into ComboFix.exe

      CFScriptB-4.gif



    • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
    • Once the log is produced, re-engage your resident anti virus.
    • Note: When ComboFix finishes running, the ComboFix log will open along with a message box - do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.

    Please provide the ComboFix log in your next reply.
 
JonTom,
Thank you for your continued assistance. When the message box popped up I reconnected my computer to the internet and waited a minute to ensure that it established a connection before clicking okay. Unfortunately, when I clicked okay, it said I would have to do a manual send. At this point I did not have access to anything on my computer. After I clicked okay on the message telling me I would have to manually send the information, and the notepad log came back, I had access to everything again, I noticed it could not re-acquire a network connection. I needed to use the windows network wizard in order for it to reestablish a connection.

Here is a copy of the log though from the notepad file:

ComboFix 10-06-17.02 - Executive_Director2 06/18/2010 16:24:59.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.469 [GMT -4:00]
Running from: c:\documents and settings\Executive_Director2\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Executive_Director2\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

file zipped: c:\windows\Uxumabupiceri.bin
file zipped: c:\windows\Vbibikuxiya.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Uxumabupiceri.bin
c:\windows\Vbibikuxiya.dat
J:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 )))))))))))))))))))))))))))))))
.

2010-06-18 20:18 . 2010-06-18 20:18 -------- d-----w- c:\windows\LastGood
2010-06-14 17:21 . 2010-06-14 17:21 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-14 17:21 . 2010-06-14 17:21 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-14 17:19 . 2010-06-14 17:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-14 16:53 . 2010-06-14 16:54 -------- d-----w- c:\program files\ERUNT
2010-06-11 18:19 . 2010-06-11 18:19 -------- d-----w- C:\VundoFix Backups
2010-06-11 16:01 . 2010-06-11 16:01 -------- d-----w- c:\documents and settings\Executive_Director2\Application Data\Malwarebytes
2010-06-11 15:56 . 2010-06-11 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-11 15:56 . 2010-06-11 18:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-11 14:31 . 2010-06-11 14:30 975136 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch2.exe
2010-06-11 14:31 . 2010-06-11 14:30 44832 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch.exe
2010-06-11 14:31 . 2010-06-11 14:29 348160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcr71.dll
2010-06-11 14:31 . 2010-06-11 14:29 499712 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcp71.dll
2010-06-10 16:51 . 2010-06-17 20:20 3341 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\qbbackup.sys
2010-06-10 16:34 . 2010-06-10 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 11
2010-06-10 16:28 . 2009-06-22 13:14 4194304 ----a-w- c:\windows\system32\cdintf400.dll
2010-06-10 16:06 . 2010-06-10 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
2010-06-10 15:45 . 2010-06-17 20:22 192096 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-10 15:40 . 2010-06-10 15:40 -------- d-----w- c:\windows\system32\XPSViewer
2010-06-10 15:39 . 2010-06-10 15:39 -------- d-----w- c:\program files\MSBuild
2010-06-10 15:39 . 2010-06-10 15:39 -------- d-----w- c:\program files\Reference Assemblies
2010-06-10 15:38 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-06-10 15:35 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-06-10 15:35 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-06-10 15:35 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-06-10 15:35 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-06-10 15:35 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-06-10 15:35 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-06-10 15:35 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-06-10 15:35 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-06-10 15:22 . 2010-06-10 15:22 -------- d-----w- c:\program files\MSXML 6.0
2010-06-10 14:08 . 2010-06-10 14:08 -------- d-----w- c:\windows\Intuit
2010-06-10 13:53 . 2010-06-10 16:36 -------- d-----w- c:\documents and settings\Executive_Director2\Application Data\Download Manager
2010-06-10 13:53 . 2010-06-10 13:53 -------- d-----w- c:\program files\Akamai
2010-06-04 14:01 . 2010-06-04 14:01 -------- d-sh--w- c:\documents and settings\Default User\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-17 15:30 . 2007-01-19 15:34 1418329 ----a-w- C:\BACKUP-MMS-GREATERPATCH-AUTOBACKUP-LAST.ZIP
2010-06-15 15:03 . 2007-02-05 14:42 157068 ----a-w- C:\BACKUP-MMS-CONSTITUENTS-AUTOBACKUP-LAST.ZIP
2010-06-11 19:22 . 2009-01-20 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-10 16:44 . 2006-12-15 14:15 63304 ----a-w- c:\documents and settings\Executive_Director2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-10 16:31 . 2007-01-25 15:14 8944 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2010-06-10 16:16 . 2006-10-09 17:29 -------- d-----w- c:\program files\Common Files\Intuit
2010-06-07 13:45 . 2009-10-20 19:35 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-02 17:17 . 2007-02-05 14:42 157069 ----a-w- C:\BACKUP-MMS-CONSTITUENTS-AUTOBACKUP-OLD.ZIP
2010-05-14 17:56 . 2009-01-20 20:20 -------- d-----w- c:\program files\CCleaner
2010-05-12 16:26 . 2007-02-05 14:42 157014 ----a-w- C:\BACKUP-MMS-CONSTITUENTS-AUTOBACKUP-OLDER.ZIP
2010-05-03 17:21 . 2007-02-05 14:42 157043 ----a-w- C:\BACKUP-MMS-CONSTITUENTS-AUTOBACKUP-OLDEST.ZIP
2010-04-27 14:39 . 2006-10-09 17:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-23 15:10 . 2008-05-29 15:32 -------- d-----w- c:\documents and settings\Executive_Director2\Application Data\U3
2010-03-26 14:27 . 2007-02-10 16:38 237623 ----a-w- C:\BACKUP-MMS-FRIENDSOF-AUTOBACKUP-LAST.ZIP
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 712704]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-03-02 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-03-02 40960]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-07 30192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-01-27 1337608]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-09 180269]

c:\documents and settings\QBDataServiceUser17\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-10-9 27136]

c:\documents and settings\Executive_Director2\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Shortcut to stickit.lnk - c:\documents and settings\Executive_Director2\My Documents\stickit.exe [2007-2-10 98304]

c:\documents and settings\QBDataServiceUser20\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-10-9 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Image Retriever.lnk - c:\program files\ScanSoft\PaperPort\xdcla.exe [2004-6-16 184320]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-5-18 1154848]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-2-10 389120]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-10-09 17:16 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"c:\\Documents and Settings\\Executive_Director2\\My Documents\\stickit.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/3/2010 11:56 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/3/2010 11:56 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/3/2010 11:56 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100617.001\IDSXpx86.sys [6/18/2010 10:13 AM 331640]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2/3/2010 11:56 AM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 4:07 PM 102448]
R3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB20 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB20 [?]
S2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]
S2 SpPortEx;Samsung Port Exclusion;c:\windows\system32\drivers\SpPortEx.sys [12/17/2006 3:04 PM 7168]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/13/2008 2:54 PM 30192]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.patchoguechamber.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: netscape.com\mail.isp
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2005\HelpAsyncPluggableProtocol.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-18 16:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-06-18 16:38:55
ComboFix-quarantined-files.txt 2010-06-18 20:38
ComboFix2.txt 2010-06-18 15:15

Pre-Run: 43,699,150,848 bytes free
Post-Run: 43,724,201,984 bytes free

- - End Of File - - 5A15F90A297F9339A870394AAA35BC4A



Thank You for all you are doing and I await your further assistance.
 
Hello jjshodan20

Thank you for the log.

I noticed it could not re-acquire a network connection
Click to expand...
This is (sometimes) known to happen after running ComboFix and can usually be fixed by rebooting your machine.

I needed to use the windows network wizard in order for it to reestablish a connection
Click to expand...
This is the second way to fix the connection issue. You did the right thing :bigthumb:

it said I would have to do a manual send
Click to expand...
We'll do that now:


  1. Please manually upload the following files for analysis

    • The CFScript I asked you to run was designed to upload the malware files on your system for analysis. Unfortunately the upload failed so I would like you to upload these files manually. Please do the following:
    • Please click on the following LINK. A new window will open.
    • In the box marked "Link to topic where this file was requested:" please paste in the following text:

    Code: 
    http://forums.spybot.info/showthread.php?p=374792#post374792
    • Click the "Browse" button and navigate to C:\Qoobox\Quarantine
    • There should be a zip file there called [4]-Submit_****-**-**_**.**.**.zip (the * denotes the Date and Time stamp - it will be close to this: 2010-06-18 20:38).
    • Select this file and click "Open".
    • In the Largest box please put:

    Code: 
    File Requested By JonTom
Failed Collect::
    • Finally click "SendFile".
    • Please return here and let me know when that file has been uploaded.
 
JonTom,

Okay I got the file uploaded and sent successfully according to bleepingcomputer.com. ready for next steps when you are. Thank you for your help.
 
Hello jjshodan20

I got the file uploaded and sent successfully
Click to expand...
Thanks for letting me know.

Please work your way through the following steps. If you encounter any problems, come back and let me know.


  1. Temporary File Cleaner

    • Download TFC to your desktop.
    • Close any open windows.
    • Double click the TFC icon to run the program.
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish.
    • Once complete it should automatically reboot your machine.
    • If your machine does not reboot automatically, manually reboot to ensure a complete clean.
    • Note: After running TFC your machine may take slightly longer to boot the first time. This is normal.

  2. MalwareBytes AntiMalware:

    • I can see that you have MBAM installed.
    • Double click on your MalwareBytes AntiMalware icon to launch the program.
    • Click on the "Update" tab and then on "Check for Updates".
    • The program will now install the latest Malware definition files.
    • Once complete, click on the "Scanner" tab, select "Perform full scan"and then click on "Scan".
    • Once the program has scanned your computer, a log file will be created in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.

    • If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
    • The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
    • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
    • Come back here to this thread and Paste the log in your next reply.

  3. Please update your Java

    • Click on "Start", then on "Control Panel".
    • Go to "Add or Remove Programs" and uninstall any previous versions of Java that you find.
    • Reboot your computer.
    • Next, download the latest version of Java by clicking here
    • Scroll down the page until you reach "Java Platform Standard Edition".
    • Beneath this and to the right, you will see a red button marked "Download JRE".
    • Click the "Download JRE" button.
    • Select the platform (Windows, in your case), multi language.
    • Accept the license agreement and click on "Continue".
    • You do not have to register if you do not want to (the registration step is optional).
    • Scroll down and click on the file called jre-6u20-windows-i586.exe located under "Windows Offline Installation".
    • Save the file to your desktop.
    • Do not select Run.
    • Double click on the saved file (jre-6u20-windows-i586.exe) to install the update.
    • Delete the downloaded installation file after completing the above procedure and reboot your system if not prompted to do so.

  4. Please perform the following scan:

    • This is a very deep scan that can take many hours. In some instances you may need to let it run overnight. Please be patient.

    • It is recommended that you disable your onboard antivirus program and antispyware programs while performing scans to eliminate software conflicts and to speed up scan time.
    • DO NOT surf the net while your resident protection is disabled!
    • Once the scan is finished remember to re-enable your resident antivirus protection along with whatever antispyware applications you use.

    • Please perform a Kaspersky Online Scan of your computer by clicking here or here.

    • Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run (at times it may appear to stall).
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
    • Click on: Save Report As
    • Next, in the Save as prompt, Save in area, select: Desktop
    • In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select:Text file [*.txt]
    • Then, click: Save
    • Please post the Kaspersky Online Scanner Report in your reply.
    • If you need help performing the above steps, an animated tutorial can be found here.

    Please provide the MBAM log and the Kaspersky Online Scan log in your next reply.

    Also, please describe how your machine is behaving now. Are you still experiencing problems?
 
JonTom,
Thank you for all your help, I have made it up to the Kaspersky Online Scan step from your previous posted instructions. First I would like to tell you the Mbam came back with no infection. I will still post the log anyway, but I have some concerns about this next step.

First, I am running Norton 360 and am not honestly sure how much of the security I need to turn off for the Kaspersky scan to run properly. If you could post instructions for what I need to turn off and how to get to it I would greatly appreciate it.

Secondly, when I was first infected with Virtumonde Prx Norton was constantly blocking virus attacks to my computer when it was just simply connected to the internet even if I wasn't web surfing or doing anything internet related. My Concern is while the Kaspersky scan is running, if my computer is attacked with Norton down, will kaspersky catch it and protect me?

Thank you for all your help and here is the Mbam log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4219

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

6/20/2010 3:03:13 PM
mbam-log-2010-06-20 (15-03-13).txt

Scan type: Full scan (C:\|D:\|J:\|)
Objects scanned: 238062
Time elapsed: 1 hour(s), 7 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Hello jjshodan20

Thank you for the MBAM log. Things are looking better.

If you could post instructions for what I need to turn off and how to get to it I would greatly appreciate it.
Click to expand...
Lets try this:


  • Right click the Norton 360 icon in your system tray (bottom right hand corner of the screen) and select "Open Tasks and Settings Window".
  • On the right side, under Settings, click on "Change advanced settings".
  • Next, click on the "Virus & Spyware Protection Settings".
  • Uncheck "Turn on Auto-Protect" and select "Apply".
  • You will be asked to select a time for Norton to reactivate.
  • Choose "Until I turn it back on".
  • Once the Online scan has completed, you can re-enable your security by re-checking the "Turn on Auto-Protect" box and selecting "Apply".

My Concern is while the Kaspersky scan is running, if my computer is attacked with Norton down, will kaspersky catch it and protect me?
Click to expand...
Provided that you do no browsing/downloading while your resident security is disabled everything should be okay.

As a double check, after you have saved the Online Scan log and re-enabled your security, please scan your system with DDS again.

Please post the Kaspersky Online Scan log and the DDS log in your next reply, and let me know how your system is behaving now.
 
JonTom,

Unfortunately the computer froze first time I tried to scan so I had to run it a second time which was successful.

Here is the log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, June 22, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, June 22, 2010 10:33:41
Records in database: 4310543
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Objects scanned: 103455
Threats found: 5
Infected objects found: 8
Suspicious objects found: 1
Scan duration: 05:11:03


File name / Threat / Threats count
C:\Documents and Settings\Executive_Director2\Desktop\jZipV1c.exe Infected: not-a-virus:AdWare.Win32.Shopper.ax 1
C:\Documents and Settings\Executive_Director2\Local Settings\Application Data\Identities\{BC6C64B3-9745-4E27-928C-8E8251CA4AAA}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\hp\bin\wbug\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
C:\Qoobox\Quarantine\C\WINDOWS\mtkbdhut.dll.vir Infected: Trojan-Downloader.Win32.Mufanom.tio 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\termdd.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{88E8F61A-B12E-4EC1-B170-429C575A3159}\RP1534\A0091494.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{88E8F61A-B12E-4EC1-B170-429C575A3159}\RP1534\A0091534.dll Infected: Trojan-Downloader.Win32.Mufanom.tio 1
D:\I386\APPS\APP07748\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
D:\I386\APPS\APP07748\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1

Selected area has been scanned.




here is a copy of the DDS that you also requested to be sent as well as the attached file:



DDS (Ver_10-03-17.01) - NTFSx86
Run by Executive_Director2 at 16:18:44.01 on Tue 06/22/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.504 [GMT -4:00]

AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ScanSoft\PaperPort\xdcla.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Executive_Director2\My Documents\stickit.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\MMS6\mms6.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Executive_Director2\Local Settings\Temporary Internet Files\Content.IE5\W3LF4BB1\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.patchoguechamber.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\execut~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\execut~1\startm~1\programs\startup\shortc~1.lnk - c:\documents and settings\executive_director2\my documents\stickit.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imager~1.lnk - c:\program files\scansoft\paperport\xdcla.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: netscape.com\mail.isp
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2005\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-3 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-3 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-3 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100617.005\IDSXpx86.sys [2010-6-19 331640]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-2-3 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100622.003\NAVENG.SYS [2010-6-22 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100622.003\NAVEX15.SYS [2010-6-22 1347504]
R3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb20 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB20 [?]
S2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb17 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]
S2 SpPortEx;Samsung Port Exclusion;c:\windows\system32\drivers\SpPortEx.sys [2006-12-17 7168]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-11-13 30192]

=============== Created Last 30 ================

2010-06-20 19:35:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-06-20 19:35:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-19 18:49:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-19 18:49:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-18 20:24:56 1213 ----a-w- C:\CF-Submit.htm
2010-06-18 20:19:23 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-18 14:47:00 98816 ----a-w- c:\windows\sed.exe
2010-06-18 14:47:00 77312 ----a-w- c:\windows\MBR.exe
2010-06-18 14:47:00 256512 ----a-w- c:\windows\PEV.exe
2010-06-18 14:47:00 161792 ----a-w- c:\windows\SWREG.exe
2010-06-14 17:21:08 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-14 17:21:07 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-11 18:19:05 0 d-----w- C:\VundoFix Backups
2010-06-11 16:01:04 0 d-----w- c:\docume~1\execut~1\applic~1\Malwarebytes
2010-06-11 15:56:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-11 15:56:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-10 16:34:35 0 d-----w- c:\docume~1\alluse~1\applic~1\SQL Anywhere 11
2010-06-10 16:29:47 19 ----a-w- c:\windows\QBChanUtil_Trigger.ini
2010-06-10 16:28:50 4194304 ----a-w- c:\windows\system32\cdintf400.dll
2010-06-10 16:06:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Nuance
2010-06-10 15:40:12 0 d-----w- c:\windows\system32\XPSViewer
2010-06-10 15:35:45 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-06-10 15:35:45 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-06-10 15:35:45 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-06-10 15:35:45 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-06-10 15:35:45 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-06-10 15:35:45 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-06-10 15:35:45 117760 ------w- c:\windows\system32\prntvpt.dll
2010-06-10 15:22:36 0 d-----w- c:\program files\MSXML 6.0
2010-06-10 14:08:45 0 d-----w- c:\windows\Intuit
2010-06-10 13:53:47 0 d-----w- c:\program files\Akamai
2010-06-10 13:39:22 14585856 ----a-w- C:\Greater Patchogue Foundation Inc (Backup Jun 10,2010 09 38 AM).QBB
2010-06-03 13:49:12 24391680 ----a-w- C:\Greater Patchogue Chamber of Commerce (Backup Jun 03,2010 09 48 AM).QBB
2010-06-03 13:47:40 24387584 ----a-w- C:\Greater Patchogue Chamber of Commerce (Backup Jun 03,2010 09 46 AM).QBB
2010-06-03 12:47:25 14540800 ----a-w- C:\Greater Patchogue Foundation Inc (Backup Jun 03,2010 08 46 AM).QBB
2010-05-27 14:20:09 24354816 ----a-w- C:\Greater Patchogue Chamber of Commerce (Backup May 27,2010 10 19 AM).QBB
2010-05-27 13:22:46 14491648 ----a-w- C:\Greater Patchogue Foundation Inc (Backup May 27,2010 09 22 AM).QBB

==================== Find3M ====================

2010-06-17 15:30:19 1418329 ----a-w- C:\BACKUP-MMS-GREATERPATCH-AUTOBACKUP-LAST.ZIP
2010-06-15 15:03:00 157068 ----a-w- C:\BACKUP-MMS-CONSTITUENTS-AUTOBACKUP-LAST.ZIP
2010-06-02 17:17:02 157069 ----a-w- C:\BACKUP-MMS-CONSTITUENTS-AUTOBACKUP-OLD.ZIP
2010-05-12 16:26:07 157014 ----a-w- C:\BACKUP-MMS-CONSTITUENTS-AUTOBACKUP-OLDER.ZIP
2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-03 17:21:38 157043 ----a-w- C:\BACKUP-MMS-CONSTITUENTS-AUTOBACKUP-OLDEST.ZIP
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\dllcache\atmfd.dll
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-03 10:39:36 2377576 ----a-w- c:\windows\system32\dllcache\WMVCore.dll
2010-03-26 14:27:59 237623 ----a-w- C:\BACKUP-MMS-FRIENDSOF-AUTOBACKUP-LAST.ZIP

============= FINISH: 16:19:55.37 ===============


The computer seems to be running good right now but I really haven't been able to use it like normal to see how it is running. I will send another post in a day or so with an update as to how it is really doing after I have had more time with it using it like I normally would.

Thank you for all your help and awaiting the next step.
 
Hello jjshodan20

Thank you for the log.

The computer seems to be running good right now
Click to expand...
Thats good to hear, but we still have a little more work to do.

The Kaspersky Online Scan has identified some malware files on your system that we must remove. Please do the following:


  1. Please work through the following steps

    • Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").
    • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
    • Copy and Paste the text in the quotebox below into the open Notepad window:

      File::
      C:\Documents and Settings\Executive_Director2\Desktop\jZipV1c.exe
      C:\hp\bin\wbug\HPPavillion_Spring06.exe
      D:\I386\APPS\APP07748\src\CompaqPresario_Spring06.exe
      D:\I386\APPS\APP07748\src\HPPavillion_Spring06.exe
      Click to expand...

    • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
    • Close any open browsers.
    • Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Refering to the picture below, drag CFScript.txt into ComboFix.exe

      CFScriptB-4.gif



    • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
    • Once the log is produced, re-engage your resident anti virus.

  2. Infected e mails

    • You have an e mail that is listed as "suspicious" in your Outlook Express Inbox.
    • Unfortunately, the Kaspersky Online Scan does not tell us which e mail is infected, only that it is there.
    • You are therefore advised to delete all of your old and unwanted e mails, and all of those that have attachments, as the attachments may contain the infecting malware.

  3. Next

    • Do you recognise the following file:
    • C:\MMS6\mms6.exe
    • If you recognise this file, please let me know. If you do not recognise it, please do the following:

  4. Please make all files and folders VISIBLE:

    • Click "Start" Go to My Computer-> Tools-> Folder Options-> View tab:
    • Choose to "Show hidden files and folders."
    • Uncheck the "Hide protected operating system files" and the "Hide extensions for know file types" boxes.
    • Close the window with "OK".

  5. Please scan the following files

    • Please visit Virus Total by clicking here.
    • Click the Browse button and search for the following file (if present): C:\MMS6\mms6.exe
    • Click Open.
    • Then click Send File.
    • Please be patient while the file is scanned.
    • If Virus Total tells you that the file has already been scanned, click "reanalyse now".
    • Once the scan results appear, copy and paste them into Notepad.

    Please provide the ComboFix log and the VirusTotal Scan result in your next reply.
 
JonTom

I ran the txt file in combofix. Unfortunately I recieved the following error message.

"Webserver appears to be temporarily inaccessibe. For your Convenience Combofix created a submission form located at C:\CF-Sumbit.htim

please use that to manually upload later."

I keep recieving the following error message when I try to post the Combofix file to the forum:

"The following errors occurred with your submission:
The text that you have entered is too long (90857 characters). Please shorten it to 64000 characters long."

so I have attached it to this forum entry as a zip file.

As far as C:\mms6\mms6.exe. yes I do recognize it. it runs the mms program.

Do you want me to still move on to steps 4 & 5 and post the scan log from virus total?
 
Hello jjshodan20

Thank you for the log.

I keep recieving the following error message when I try to post the Combofix file to the forum:

"The following errors occurred with your submission:
The text that you have entered is too long (90857 characters). Please shorten it to 64000 characters long."

so I have attached it to this forum entry as a zip file.
Click to expand...
My guess would be that there are restrictions on the size of log that can be posted. You did the right thing by attaching it.


As far as C:\mms6\mms6.exe. yes I do recognize it. it runs the mms program.
Do you want me to still move on to steps 4 & 5 and post the scan log from virus total?
Click to expand...
If you recognise the program it should be okay to leave where it is (Kaspersky did not flag it as infected - I was just being extra cautious - never a bad thing).


Your logs appear to be clean. Good job! Please work your way through the following cleanup and update steps (DO NOT miss step 1):


  1. Please Uninstall Combofix

    • Click on "Start" and then on "Run".
    • Now type combofix /uninstall in the run box and click "OK". Please note the space between the "x" and the "/Uninstall", it needs to be there.

  2. Now to remove most of the tools that we have used in fixing your machine

    • Make sure you have an Internet Connection.
    • Download OTC to your desktop and run it.
    • A list of tool components used in the cleanup of malware will be downloaded.
    • If your Firewall or Real Time protection attempts to prevent OTC connecting to the Internet, please allow the application to do so.
    • Click "Yes" to begin the cleanup process and remove these components, including this application.
    • You may be asked to reboot your machine to finish the cleanup process. If you are asked to reboot the machine choose "Yes".


    including the use of the following tools: rkill.com Virtumundoegone
    Click to expand...
    You no longer need these. Please delete them from your machine.

  3. Your Adobe is out of date

    • You can obtain the latest version of Adobe Reader from here, and the latest version of Flash Player from here.
    • For more information and links to Adobe updates and downloads click here.

  4. Please install XP Service Pack 3

    • XP Service Pack 3 contains many more security features that are not present in Service Pack 2.
    • Instructions for downloading XP Service Pack 3 can be found here.


    Once you have completed the above steps you should be good to go! If you have any further questions, please feel free to ask.

  5. Finally, please take the time to read through the information provided below:

    Enhance your System Security
    • For an excellent list of free anti virus software, free online virus scanners, free spyware detection/removal and free firewalls, click here.
    • IMPORTANT! Please make sure you only have ONE firewall and ONE real-time antivirus installed on your system. When using "on demand" scanners, first update the detection signature files, then disconnect from the internet and disable your resident security program before running the scan.
    • Once complete, remember to re-engage your resident security before going online.

    Web Browsers and Browser Security

    Firefox
    • Firefox is generally considered to have greater browsing security in comparison to other popular programs. You can download Firefox 3.0 from here.

    No-Script
    • If you use Firefox as your default browser, No-Script can provide additional security by preventing malicious scripts from being executed on your system.
    • You can download No-Script by clicking here.

    Internet Explorer
    • The newest version of Internet Explorer is available from here.

    SpywareBlaster
    • If you use Internet Explorer as your default browser, SpywareBlaster would be a valuable addition to your online security.
    • SpywareBlaster prevents malicious ActiveX objects from being downloaded onto your system.
    • You can download SpywareBlaster by clicking here.

    Web of Trust
    • When using search engines, Web of Trust provides you with an easy way of telling the good sites from the bad and is compatible with both Firefox and Internet Explorer.
    • Coloured symbols are displayed next to search results, giving you more confidence in the links you choose to click on: Green (To go), Yellow (Caution) and Red (Stop).
    • You can download Web of Trust by clicking here.

    Keep your Software Updated
    • Outdated software can sometimes have vulnerabilities that are exploitable by malware.
    • Check if there are available updates for your installed software with Secunia's Online Software Inspector by clicking here.

    Passwords
    • Learn how to create strong passwords by clicking here and test the strength of the passwords you already use by clicking here.

    General Reading
    Learn How To Combat Malware
    • Would you like to learn how to fight back against malware and help others? Enroll at the What The Tech (Formerly Tom Coyotes) Malware Classroom by clicking here.
 
JonTom,

Thank you for all your assistance. I can already see a difference. I appreicate all the time and effort you have put into helping me with this problem and as your post forum says, hopefully you will not see me back again any time soon.:laugh:

Thank you again for all your help
 
Status
Not open for further replies.
Back
Top