Virus has taken over my computer, I need help

**noahdfear** · 26th July 2008

Glad to hear it!

Please post the ComboFix log located at C:\ComboFix.txt

Geri will continue on from here.

h2ofwlr · 26th July 2008

Not so fast... The damned thing came back about 1/2 hr a ago. Got that fatal blue background screen and unlugged the DSL jack. This time it only took 20 minutesr to run, last time was a good 45 minutes. Hopefully it does not come back. I deleted the desktop icon that it left and the program fle shadow in the program listing too.

Geri, I am running MBAM 12:42Am CDT

ComboFix 08-07-25.4 - Alan 2008-07-25 23:40:27.2 - NTFSx86
Running from: C:\Documents and Settings\Alan\Desktop\FomboCix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Alan\Application Data\rhc1h1j0e38c
C:\Program Files\rhc1h1j0e38c
C:\WINDOWS\system32\AcKQYJjl.ini
C:\WINDOWS\system32\AcKQYJjl.ini2
C:\WINDOWS\system32\blphc5h1j0e38c.scr
C:\WINDOWS\system32\lphc5h1j0e38c.exe
C:\WINDOWS\system32\phc5h1j0e38c.bmp
C:\WINDOWS\system32\pphc5h1j0e38c.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

2008-07-25 20:47 . 2008-07-25 20:47 94,848 --a------ C:\WINDOWS\system32\iobygsck.dll
2008-07-24 20:48 . 2008-07-24 20:48 94,848 --a------ C:\WINDOWS\system32\yydufopt.dll
2008-07-24 14:46 . 2008-07-24 14:46 94,848 --a------ C:\WINDOWS\system32\nrrxaavi.dll
2008-07-24 14:45 . 2008-07-24 14:45 323,584 --a------ C:\WINDOWS\system32\ljJYQKcA.dll
2008-07-24 13:20 . 2008-07-24 13:41 94,208 --a------ C:\WINDOWS\system32\10.tmp
2008-07-24 13:16 . 2001-08-18 04:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-24 13:15 . 2008-07-24 12:30 94,208 --a------ C:\WINDOWS\grswptdl.exe
2008-07-09 16:21 . 2008-07-09 16:21 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-07-09 16:21 . 2008-07-09 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-07-09 16:09 . 2008-07-09 16:23 104,638 --a------ C:\WINDOWS\hpoins04.dat
2008-07-09 16:09 . 2004-06-21 05:40 17,176 --------- C:\WINDOWS\hpomdl04.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 03:46 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-23 23:25 --------- d-----w C:\Program Files\Coupons
2008-07-09 21:21 --------- d-----w C:\Program Files\HP
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-09 21:07 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-09 21:07 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-09 21:07 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-09 21:07 --------- d-----w C:\Program Files\Symantec
2008-06-09 00:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2003-05-22 18:26 1,226,132 -c--a-w C:\Documents and Settings\Alan\MN_Refuge_Dawgs.scr
.

((((((((((((((((((((((((((((( snapshot@2008-07-25_23.08.22.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-26 04:50:31 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_810.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E99B4B85-C779-43A9-8A00-5EE2CA492DE9}]
2008-07-24 14:45 323584 --a------ C:\WINDOWS\system32\ljJYQKcA.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2004-01-20 16:28 581632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-11-19 11:56 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-11-19 11:56 512000]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2003-10-24 01:39 897024]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-03-10 12:10 94208]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-12-25 03:36 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2003-12-25 03:36 394752]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-12-25 04:04 208896]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-02-10 23:10 335872]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [2003-09-30 17:39 36864]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" [2004-01-20 16:28 581632]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 03:01 110592]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2004-03-19 14:12 90112]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-12-25 03:36 106496]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-02 01:05 127035]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-12-20 21:54 278528]
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-09 18:15 198800]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 02:11 771704]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 01:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 02:56 380416 C:\WINDOWS\system32\irprops.cpl]
"TpShocks"="TpShocks.exe" [2003-12-17 13:12 102400 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2002-09-04 03:05 53248 C:\WINDOWS\system32\TP4EX.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 04:12:18 110592]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-10-15 22:11:14 24576]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winae8 3.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winbf8 3.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windh5 0.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winei6 1.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingk2 7.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingk6 1.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingk8 3.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winim7 2.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlp0 4.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winos4 8.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winot2 6.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqu2 6.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqu8 3.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqv4 8.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrv6 1.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrw6 1.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsx0 4.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winty0 4.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuy0 4.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwc4 8.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxc6 1.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2003-12-17 15:50]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2003-12-25 03:36]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 07:47]
R2 ibmfilter;ibmfilter;C:\WINDOWS\System32\drivers\ibmfilter.sys [2004-03-19 14:05]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 06:40]
R2 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2003-12-15 19:29]
S0 Winae83;Winae83;C:\WINDOWS\system32\Drivers\Winae83.sys []
S0 Winbf83;Winbf83;C:\WINDOWS\system32\Drivers\Winbf83.sys []
S0 Windh50;Windh50;C:\WINDOWS\system32\Drivers\Windh50.sys []
S0 Winei61;Winei61;C:\WINDOWS\system32\Drivers\Winei61.sys []
S0 Wingk61;Wingk61;C:\WINDOWS\system32\Drivers\Wingk61.sys []
S0 Wingk83;Wingk83;C:\WINDOWS\system32\Drivers\Wingk83.sys []
S0 Winim72;Winim72;C:\WINDOWS\system32\Drivers\Winim72.sys []
S0 Winlp04;Winlp04;C:\WINDOWS\system32\Drivers\Winlp04.sys []
S0 Winos48;Winos48;C:\WINDOWS\system32\Drivers\Winos48.sys []
S0 Winot26;Winot26;C:\WINDOWS\system32\Drivers\Winot26.sys []
S0 Winqu26;Winqu26;C:\WINDOWS\system32\Drivers\Winqu26.sys []
S0 Winqu83;Winqu83;C:\WINDOWS\system32\Drivers\Winqu83.sys []
S0 Winqv48;Winqv48;C:\WINDOWS\system32\Drivers\Winqv48.sys []
S0 Winrw61;Winrw61;C:\WINDOWS\system32\Drivers\Winrw61.sys []
S0 Winsx04;Winsx04;C:\WINDOWS\system32\Drivers\Winsx04.sys []
S0 Winty04;Winty04;C:\WINDOWS\system32\Drivers\Winty04.sys []
S0 Winuy04;Winuy04;C:\WINDOWS\system32\Drivers\Winuy04.sys []
S0 Winwc48;Winwc48;C:\WINDOWS\system32\Drivers\Winwc48.sys []
S0 Winxc61;Winxc61;C:\WINDOWS\system32\Drivers\Winxc61.sys []

*Newly Created Service* - COMHOST
*Newly Created Service* - EGATHDRV
.
Contents of the 'Scheduled Tasks' folder
"2008-07-24 22:17:23 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Alan.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.refugeforums.com/refuge/forumdisplay.php?f=33
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 23:50:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [304] 0x82B98B78

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EGATHDRV]
"ImagePath"="\??\C:\WINDOWS\GATHER.KM"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IBM\Updater\jre\bin\javaw.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-26 0:02:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-26 05:02:30
ComboFix2.txt 2008-07-26 04:09:16

Pre-Run: 5,878,980,608 bytes free
Post-Run: 5,882,937,344 bytes free

235 --- E O F --- 2008-07-12 18:20:28

h2ofwlr · 26th July 2008

Malwarebytes' Anti-Malware 1.23
Database version: 993
Windows 5.1.2600 Service Pack 2

12:50:01 AM 7/26/2008
mbam-log-7-26-2008 (00-50-01).txt

Scan type: Quick Scan
Objects scanned: 42627
Time elapsed: 11 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 8
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ljJYQKcA.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{44dfae07-9c83-4a81-8ce1-e3e9e4eb39d0} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{44dfae07-9c83-4a81-8ce1-e3e9e4eb39d0} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhc1h1j0e38c (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fdkowvbp.bgrv (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fdkowvbp.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\ljjyqkca -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ljjyqkca -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ljJYQKcA.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\AcKQYJjl.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\AcKQYJjl.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iobygsck.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nrrxaavi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yydufopt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\WINDOWS\grswptdl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alan\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

**noahdfear** · 26th July 2008

We gotta kill this right now else you'll be in deep again in no time.

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.

Open Task Manager and make sure TeaTimer.exe is not running. End Process on it if necessary.

Shut down Norton processes as well.

Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Code:

KillAll::
Extra::
File::
C:\WINDOWS\system32\AcKQYJjl.ini2
C:\WINDOWS\system32\ljJYQKcA.dll
C:\WINDOWS\system32\10.tmp
C:\WINDOWS\system32\Drivers\Winae83.sys
C:\WINDOWS\system32\Drivers\Winbf83.sys
C:\WINDOWS\system32\Drivers\Windh50.sys
C:\WINDOWS\system32\Drivers\Winei61.sys
C:\WINDOWS\system32\Drivers\Wingk61.sys
C:\WINDOWS\system32\Drivers\Wingk83.sys
C:\WINDOWS\system32\Drivers\Winim72.sys
C:\WINDOWS\system32\Drivers\Winlp04.sys
C:\WINDOWS\system32\Drivers\Winos48.sys
C:\WINDOWS\system32\Drivers\Winot26.sys
C:\WINDOWS\system32\Drivers\Winqu26.sys
C:\WINDOWS\system32\Drivers\Winqu83.sys
C:\WINDOWS\system32\Drivers\Winqv48.sys
C:\WINDOWS\system32\Drivers\Winrw61.sys
C:\WINDOWS\system32\Drivers\Winsx04.sys
C:\WINDOWS\system32\Drivers\Winty04.sys
C:\WINDOWS\system32\Drivers\Winuy04.sys
C:\WINDOWS\system32\Drivers\Winwc48.sys
C:\WINDOWS\system32\Drivers\Winxc61.sys
Driver::
Winae83
Winbf83
Windh50
Winei61
Wingk61
Wingk83
Winim72
Winlp04
Winos48
Winot26
Winqu26
Winqu83
Winqv48
Winrw61
Winsx04
Winty04
Winuy04
Winwc48
Winxc61
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E99B4B85-C779-43A9-8A00-5EE2CA492DE9}]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winae83.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winbf83.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windh50.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winei61.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingk27.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingk61.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingk83.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winim72.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlp04.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winos48.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winot26.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqu26.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqu83.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqv48.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrv61.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrw61.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsx04.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winty04.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuy04.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwc48.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxc61.sys]

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

h2ofwlr · 26th July 2008

Deckard's System Scanner v20071014.68
Run by Alan on 2008-07-26 01:05:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Alan.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:05, on 7/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Documents and Settings\Alan\Desktop\Decker System Scanner.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Alan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refugeforums.com/refuge/f...splay.php?f=33
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {165369DD-5D6B-4F38-B088-6A05B2C3A0E6} - C:\WINDOWS\system32\ljJYQKcA.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {44DFAE07-9C83-4A81-8CE1-E3E9E4EB39D0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098788063468
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 12295 bytes

-- Files created between 2008-06-26 and 2008-07-26 -----------------------------

2008-07-26 01:00:16 815 --ahs---- C:\WINDOWS\system32\AcKQYJjl.ini2
2008-07-26 00:33:35 0 d-------- C:\Documents and Settings\Alan\Application Data\Malwarebytes <MALWAR~1>
2008-07-26 00:33:25 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-26 00:33:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes <MALWAR~1>
2008-07-25 22:24:45 68096 --a------ C:\WINDOWS\zip.exe
2008-07-25 22:24:45 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-25 22:24:45 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-25 22:24:45 98816 --a------ C:\WINDOWS\sed.exe
2008-07-25 22:24:45 80412 --a------ C:\WINDOWS\grep.exe
2008-07-25 22:24:45 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-25 22:24:44 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-25 22:24:44 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-24 14:45:39 323584 -----n--- C:\WINDOWS\system32\ljJYQKcA.dll
2008-07-09 16:21:02 0 d-------- C:\Program Files\Hewlett-Packard
2008-07-09 16:21:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-07-09 16:09:01 17176 -----n--- C:\WINDOWS\hpomdl04.dat
2008-07-09 16:09:01 104638 --a------ C:\WINDOWS\hpoins04.dat

-- Find3M Report ---------------------------------------------------------------

2008-07-26 01:06:19 94848 --a------ C:\WINDOWS\system32\tvympwpt.dll
2008-07-26 01:06:06 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-25 23:44:49 0 d-------- C:\Program Files\Common Files
2008-07-23 18:25:06 0 d-------- C:\Program Files\Coupons
2008-07-09 16:21:01 0 d-------- C:\Program Files\HP
2008-06-09 16:07:43 0 d-------- C:\Program Files\Symantec

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{165369DD-5D6B-4F38-B088-6A05B2C3A0E6}]
07/24/2008 14:45 323584 --------- C:\WINDOWS\system32\ljJYQKcA.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44DFAE07-9C83-4A81-8CE1-E3E9E4EB39D0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [10/12/2001 01:32 C:\WINDOWS\system32\S3Tray2.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/19/2003 11:56]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/19/2003 11:56]
"BluetoothAuthenticationAgent"="irprops.cpl" [08/04/2004 02:56 C:\WINDOWS\system32\irprops.cpl]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [10/24/2003 01:39]
"TpShocks"="TpShocks.exe" [12/17/2003 13:12 C:\WINDOWS\system32\TpShocks.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [03/10/2004 12:10]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [12/25/2003 03:36]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [12/25/2003 03:36]
"TP4EX"="tp4ex.exe" [09/04/2002 03:05 C:\WINDOWS\system32\TP4EX.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [12/25/2003 04:04]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [02/10/2004 23:10]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [09/30/2003 17:39]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" [01/20/2004 16:28]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [08/19/2003 03:01]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [03/19/2004 14:12]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [12/25/2003 03:36]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [09/02/2004 01:05]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/20/2005 21:54]
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [05/09/2007 18:15]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 00:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [01/14/2007 02:11]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/28/2007 20:51]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 23:16]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/12/2004 13:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [05/12/2004 15:18]
"187101bc"="C:\WINDOWS\system32\tvympwpt.dll" [07/26/2008 01:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 21:05]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [01/20/2004 16:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [10/4/2004 4:12:18 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [10/15/2004 10:11:14 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/28/2004 10:31:38 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ljJYQKcA

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winae8 3.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winbf8 3.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windh5 0.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winei6 1.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingk2 7.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingk6 1.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingk8 3.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winim7 2.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlp0 4.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winos4 8.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winot2 6.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqu2 6.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqu8 3.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqv4 8.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrv6 1.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrw6 1.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsx0 4.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winty0 4.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuy0 4.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwc4 8.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxc6 1.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5 B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - COMHOST

-- End of Deckard's System Scanner: finished at 2008-07-26 01:07:35 ------------

**noahdfear** · 26th July 2008

Please see my last post above.

h2ofwlr · 26th July 2008

I'll check back in the AM, need to get some Zzzzzzzzz

With the aditional definitions:

ComboFix 08-07-25.4 - Alan 2008-07-26 1:21:47.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.407 [GMT -5:00]
Running from: C:\Documents and Settings\Alan\Desktop\FomboCix.exe
Command switches used :: C:\Documents and Settings\Alan\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\10.tmp
C:\WINDOWS\system32\Drivers\Winae83.sys
C:\WINDOWS\system32\Drivers\Winbf83.sys
C:\WINDOWS\system32\Drivers\Windh50.sys
C:\WINDOWS\system32\Drivers\Winei61.sys
C:\WINDOWS\system32\Drivers\Wingk61.sys
C:\WINDOWS\system32\Drivers\Wingk83.sys
C:\WINDOWS\system32\Drivers\Winim72.sys
C:\WINDOWS\system32\Drivers\Winlp04.sys
C:\WINDOWS\system32\Drivers\Winos48.sys
C:\WINDOWS\system32\Drivers\Winot26.sys
C:\WINDOWS\system32\Drivers\Winqu26.sys
C:\WINDOWS\system32\Drivers\Winqu83.sys
C:\WINDOWS\system32\Drivers\Winqv48.sys
C:\WINDOWS\system32\Drivers\Winrw61.sys
C:\WINDOWS\system32\Drivers\Winsx04.sys
C:\WINDOWS\system32\Drivers\Winty04.sys
C:\WINDOWS\system32\Drivers\Winuy04.sys
C:\WINDOWS\system32\Drivers\Winwc48.sys
C:\WINDOWS\system32\Drivers\Winxc61.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\10.tmp
C:\WINDOWS\system32\AcKQYJjl.ini
C:\WINDOWS\system32\AcKQYJjl.ini2
C:\WINDOWS\system32\ncbfdk.dll
C:\WINDOWS\system32\tpwpmyvt.ini
C:\WINDOWS\system32\xbjafjvt.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Winae83
-------\Service_Winbf83
-------\Service_Windh50
-------\Service_Winei61
-------\Service_Wingk61
-------\Service_Wingk83
-------\Service_Winim72
-------\Service_Winlp04
-------\Service_Winos48
-------\Service_Winot26
-------\Service_Winqu26
-------\Service_Winqu83
-------\Service_Winqv48
-------\Service_Winrw61
-------\Service_Winsx04
-------\Service_Winty04
-------\Service_Winuy04
-------\Service_Winwc48
-------\Service_Winxc61

((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

2008-07-26 01:06 . 2008-07-26 01:06 94,848 --a------ C:\WINDOWS\system32\tvympwpt.dll
2008-07-26 00:33 . 2008-07-26 00:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-26 00:33 . 2008-07-26 00:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-26 00:33 . 2008-07-26 00:33 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\Malwarebytes
2008-07-26 00:33 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-26 00:33 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-24 14:45 . 2008-07-24 14:45 323,584 --------- C:\WINDOWS\system32\ljJYQKcA.dll
2008-07-24 13:16 . 2001-08-18 04:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-09 16:21 . 2008-07-09 16:21 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-07-09 16:21 . 2008-07-09 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-07-09 16:09 . 2008-07-09 16:23 104,638 --a------ C:\WINDOWS\hpoins04.dat
2008-07-09 16:09 . 2004-06-21 05:40 17,176 --------- C:\WINDOWS\hpomdl04.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 06:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-23 23:25 --------- d-----w C:\Program Files\Coupons
2008-07-09 21:21 --------- d-----w C:\Program Files\HP
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 21:07 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-09 21:07 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-09 21:07 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-09 21:07 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-09 21:07 --------- d-----w C:\Program Files\Symantec
2008-06-09 00:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2003-05-22 18:26 1,226,132 -c--a-w C:\Documents and Settings\Alan\MN_Refuge_Dawgs.scr
.

((((((((((((((((((((((((((((( snapshot@2008-07-25_23.08.22.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-26 06:31:29 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_664.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{165369DD-5D6B-4F38-B088-6A05B2C3A0E6}]
2008-07-24 14:45 323584 --------- C:\WINDOWS\system32\ljJYQKcA.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2004-01-20 16:28 581632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-11-19 11:56 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-11-19 11:56 512000]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2003-10-24 01:39 897024]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-03-10 12:10 94208]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-12-25 03:36 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2003-12-25 03:36 394752]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-12-25 04:04 208896]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-02-10 23:10 335872]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [2003-09-30 17:39 36864]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" [2004-01-20 16:28 581632]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 03:01 110592]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2004-03-19 14:12 90112]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-12-25 03:36 106496]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-02 01:05 127035]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-12-20 21:54 278528]
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-09 18:15 198800]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 02:11 771704]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 01:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 02:56 380416 C:\WINDOWS\system32\irprops.cpl]
"TpShocks"="TpShocks.exe" [2003-12-17 13:12 102400 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2002-09-04 03:05 53248 C:\WINDOWS\system32\TP4EX.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 04:12:18 110592]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-10-15 22:11:14 24576]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2003-12-17 15:50]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2003-12-25 03:36]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 07:47]
R2 ibmfilter;ibmfilter;C:\WINDOWS\System32\drivers\ibmfilter.sys [2004-03-19 14:05]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 06:40]
R2 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2003-12-15 19:29]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-24 22:17:23 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Alan.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.refugeforums.com/refuge/forumdisplay.php?f=33
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-26 01:32:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-26 1:41:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-26 06:40:59
ComboFix2.txt 2008-07-26 05:02:49
ComboFix3.txt 2008-07-26 04:09:16

Pre-Run: 5,776,310,272 bytes free
Post-Run: 5,778,051,072 bytes free

224 --- E O F --- 2008-07-12 18:20:28