Virus has taken over my computer, I need help

Discussion in 'Malware and Virus Removal Archive' started by h2ofwlr, 2008/07/24.

  1. 2008/07/25
    h2ofwlr

    h2ofwlr Well-Known Member Thread Starter

    Joined:
    2005/01/17
    Messages:
    118
    Likes Received:
    0
    Mke,

    It will not allow me to connect to LiveUpdate. The link does not do me any good; as I mentioned numerous times already, it will not let me open any new links.

    Nothing personal meant, as I do appreciate you trying to be of help to me, but my satisfaction with Norton has gone downhill for the last 2 years, especially the last year. I've had nothing but problems with Norton IS 07 and XP compatibility. I wish I had never installed it. So I am seriously thinking, once I get this virus taken care of, of uninstalling Norton completely and going to another antivirus software. I've been a Norton guy for 8 years, but it's time for a change.
     
    Last edited: 2008/07/25
  2. 2008/07/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Try this link, again clicking Run on the file download dialog.

    >> link removed <<

    If successful, ComboFix will run automatically.
     

  4. 2008/07/25
    h2ofwlr

    BTW, I keep getting an MS IE error message every minute; it gives you the standard Send Report / Debug / Don't Send Report options.


    Just in case it helps, here is a new HJT log file:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:49: VIRUS ALERT!, on 7/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refugeforums.com/refuge/forumdisplay.php?f=33
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O3 - Toolbar: fdkowvbp - {4BFE09E6-C0C4-4F43-9972-EF6747259D82} - C:\WINDOWS\fdkowvbp.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
    O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe "
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
    O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098788063468
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/KimberlyClark/Coupons.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

    --
    End of file - 12077 bytes
     
  5. 2008/07/25
    noahdfear

    Did you see my last post?

    If still no go, can you receive email? If so, PM me your addy.
     
  6. 2008/07/25
    h2ofwlr

    No, I did not; I was typing when you posted up.

    OK, so it saved to the desktop. I tried to open it, but it would not open. Or is it supposed to run as soon as it hits the desktop? At any rate, nothing has changed thus far.
     
  7. 2008/07/25
    noahdfear

    It should have run automatically. Just to be sure, is the ComboFix file approximately 2.53 MB in size? If not, I'll send you an email.

    Please copy the contents of the code box below to a blank Notepad file.

    Code:
    
    ; VArestorepolicies.inf
    ; Created by: miekiemoes
    ; http://miekiemoes.blogspot.com/
    ; Right-click > Install runs [DefaultInstall]; DelReg deletes every value listed
    ; under [Removepolicies] from the current user's hive, so Windows falls back to
    ; its defaults (Start menu items shown again, Task Manager, regedit, cmd and
    ; Internet Options re-enabled).
    
    [Version]
    Signature = "$CHICAGO$"
    
    [DefaultInstall]
    DelReg=Removepolicies
    
    [Removepolicies]
    ; format of each line: root, "subkey", value-name
    HKCU, "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",Start_ShowControlPanel
    HKCU, "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",StartMenuAdminTools
    HKCU, "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",Start_ShowRun
    HKCU, "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",Start_ShowSearch
    HKCU, "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",Start_ShowHelp
    HKCU, "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",StartMenuFavorites
    HKCU, "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",Start_ShowRecentDocs
    HKCU, "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",Start_ShowMyDocs
    HKCU, "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",Start_ShowMyPics
    HKCU, "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",Start_ShowMyComputer
    HKCU, "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",Start_ShowMyMusic
    HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",NoToolbarCustomize
    HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",NoDrives
    HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",StartMenuLogoff
    HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",NoStartMenuMorePrograms
    HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",NoSetFolders
    HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System",DisableRegistryTools
    HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System",DisableTaskMgr
    HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System",DisableCMD
    HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System",NoDispCPL
    HKCU, "Software\Policies\Microsoft\Windows\System",DisableCMD
    HKCU, "Software\Policies\Microsoft\Internet Explorer\Restrictions",NoBrowserOptions
    
    
    
    Save it to the desktop as:

    Filename: policies.inf
    Save as type: All Files (*.*)

    Reboot to Safe Mode, right-click policies.inf and select Install, then immediately double-click ComboFix.exe.
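An added example, not from the thread or from miekiemoes' INF: a PowerShell audit that lists which of the HKCU values the INF above deletes are actually present on the machine (so you can see what the infection changed before and after the fix), and removes them only when run with -Remove. It assumes it is run as the affected user; the key and value names are copied from the [Removepolicies] section.

```powershell
# Added example (not the thread's own code): audit and optionally clear the
# per-user policy values that policies.inf deletes with DelReg.
# Assumes it runs as the locked-down user. Without -Remove it only reports;
# -Remove -WhatIf previews the deletions without making them.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

# Keys and value names taken from the [Removepolicies] section of the INF.
# Policies\System and Policies\Explorer values are lockdown switches (1 = on).
# The Explorer\Advanced values are ordinary Start menu preferences; the INF
# deletes them so the defaults return, because a value of 0 hides that item.
$policyValues = @(
    @{ Key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = 'DisableRegistryTools', 'DisableTaskMgr', 'DisableCMD', 'NoDispCPL' },
    @{ Key   = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Names = @('DisableCMD') },
    @{ Key   = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'
       Names = @('NoBrowserOptions') },
    @{ Key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = 'NoToolbarCustomize', 'NoDrives', 'StartMenuLogoff',
               'NoStartMenuMorePrograms', 'NoSetFolders' },
    @{ Key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Names = 'Start_ShowControlPanel', 'StartMenuAdminTools', 'Start_ShowRun',
               'Start_ShowSearch', 'Start_ShowHelp', 'StartMenuFavorites',
               'Start_ShowRecentDocs', 'Start_ShowMyDocs', 'Start_ShowMyPics',
               'Start_ShowMyComputer', 'Start_ShowMyMusic' }
)

$present = @()
foreach ($entry in $policyValues) {
    # A missing key means none of its values are set, which is the clean state.
    if (-not (Test-Path -LiteralPath $entry.Key)) { continue }
    $props = Get-ItemProperty -LiteralPath $entry.Key
    foreach ($name in $entry.Names) {
        # Get-ItemProperty exposes each registry value as a property of $props.
        $prop = $props.PSObject.Properties[$name]
        if ($null -eq $prop) { continue }
        $present += New-Object PSObject -Property @{
            Key  = $entry.Key
            Name = $name
            Data = $prop.Value
        }
        if ($Remove -and $PSCmdlet.ShouldProcess("$($entry.Key)\$name", 'Remove-ItemProperty')) {
            Remove-ItemProperty -LiteralPath $entry.Key -Name $name
        }
    }
}

if ($present.Count -eq 0) {
    Write-Output 'None of the values listed in policies.inf are present under HKCU.'
} else {
    $present | Select-Object Key, Name, Data | Format-Table -AutoSize
}
```

Run it once before installing the INF to record what was set, and again afterwards to confirm the list is empty.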
     
  8. 2008/07/25
    h2ofwlr

    It did save the 2.5 MB file to the desktop. It does not appear that it ran. I rebooted to see if it made a difference; no, it did not. I tried to open it, and it will not open.

    I cannot save anything to the desktop via Notepad as it will not stick; the virus deletes it right away.
     
  9. 2008/07/25
    noahdfear

    Just uploaded a new Fix.exe.
    Go back to post 22 and click the link again.
    Again, click Run on the file download dialog.
    It should place a renamed copy of ComboFix on the desktop as well as the INF file.
    The renamed ComboFix should run when the download is complete. If not, install the INF, then immediately try running it.
     
  10. 2008/07/25
    noahdfear

    Guess I should have mentioned... try to ensure Norton is disabled. It may be blocking CF from running.
     
  11. 2008/07/25
    h2ofwlr

    Hallelujah!!!! It worked!

    I have run Spybot too. Oh, BTW, as a point of reference, also mention to turn off Spybot, as it flagged every system change. :eek:

    So is there anything else that should be done?

    Here is the DSS:

    Deckard's System Scanner v20071014.68
    Run by Alan on 2008-07-25 23:28:30
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as Alan.exe) ------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:28, on 7/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Documents and Settings\Alan\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Alan.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refugeforums.com/refuge/forumdisplay.php?f=33
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {63C69312-5811-4773-BEAA-236A35CCCDD9} - C:\WINDOWS\system32\ljJYQKcA.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
    O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe "
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
    O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098788063468
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

    --
    End of file - 12085 bytes

    -- Files created between 2008-06-25 and 2008-07-25 -----------------------------

    2008-07-25 22:24:45 68096 --a------ C:\WINDOWS\zip.exe
    2008-07-25 22:24:45 49152 --a------ C:\WINDOWS\VFind.exe
    2008-07-25 22:24:45 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-07-25 22:24:45 98816 --a------ C:\WINDOWS\sed.exe
    2008-07-25 22:24:45 80412 --a------ C:\WINDOWS\grep.exe
    2008-07-25 22:24:45 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-07-25 22:24:44 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-07-25 22:24:44 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-07-25 20:47:58 94848 --a------ C:\WINDOWS\system32\iobygsck.dll
    2008-07-24 20:48:59 94848 --a------ C:\WINDOWS\system32\yydufopt.dll
    2008-07-24 14:46:43 94848 --a------ C:\WINDOWS\system32\nrrxaavi.dll
    2008-07-24 14:45:39 323584 --a------ C:\WINDOWS\system32\ljJYQKcA.dll
    2008-07-24 13:15:31 94208 --a------ C:\WINDOWS\grswptdl.exe
    2008-07-09 16:21:02 0 d-------- C:\Program Files\Hewlett-Packard
    2008-07-09 16:21:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
    2008-07-09 16:09:01 17176 -----n--- C:\WINDOWS\hpomdl04.dat
    2008-07-09 16:09:01 104638 --a------ C:\WINDOWS\hpoins04.dat


    -- Find3M Report ---------------------------------------------------------------

    2008-07-25 22:46:59 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2008-07-25 22:37:32 0 d-------- C:\Program Files\Common Files
    2008-07-23 18:25:06 0 d-------- C:\Program Files\Coupons
    2008-07-09 16:21:01 0 d-------- C:\Program Files\HP
    2008-06-09 16:07:43 0 d-------- C:\Program Files\Symantec


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63C69312-5811-4773-BEAA-236A35CCCDD9}]
    07/24/2008 14:45 323584 --a------ C:\WINDOWS\system32\ljJYQKcA.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "S3TRAY2"="S3Tray2.exe" [10/12/2001 01:32 C:\WINDOWS\system32\S3Tray2.exe]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/19/2003 11:56]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/19/2003 11:56]
    "BluetoothAuthenticationAgent"="irprops.cpl" [08/04/2004 02:56 C:\WINDOWS\system32\irprops.cpl]
    "TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [10/24/2003 01:39]
    "TpShocks"="TpShocks.exe" [12/17/2003 13:12 C:\WINDOWS\system32\TpShocks.exe]
    "TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [03/10/2004 12:10]
    "BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [12/25/2003 03:36]
    "BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [12/25/2003 03:36]
    "TP4EX"="tp4ex.exe" [09/04/2002 03:05 C:\WINDOWS\system32\TP4EX.exe]
    "EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [12/25/2003 04:04]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [02/10/2004 23:10]
    "UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [09/30/2003 17:39]
    "ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" [01/20/2004 16:28]
    "UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [08/19/2003 03:01]
    "IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [03/19/2004 14:12]
    "BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [12/25/2003 03:36]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [09/02/2004 01:05]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/20/2005 21:54]
    "QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [05/09/2007 18:15]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 00:59]
    "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [01/14/2007 02:11]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/28/2007 20:51]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 23:16]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/12/2004 13:38]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [05/12/2004 15:18]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 21:05]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43]
    "ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [01/20/2004 16:28]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [10/4/2004 4:12:18 AM]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [10/15/2004 10:11:14 PM]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/28/2004 10:31:38 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winae83.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winbf83.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windh50.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winei61.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingk27.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingk61.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingk83.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winim72.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlp04.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winos48.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winot26.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqu26.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqu83.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqv48.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrv61.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrw61.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsx04.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winty04.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuy04.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwc48.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxc61.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    *Newly Created Service* - COMHOST
    *Newly Created Service* - EGATHDRV



    -- End of Deckard's System Scanner: finished at 2008-07-25 23:28:55 ------------
     
  12. 2008/07/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Glad to hear it! :D

    Please post the ComboFix log located at C:\ComboFix.txt

    Geri will continue on from here. ;)
     
  13. 2008/07/26
    h2ofwlr

    h2ofwlr Well-Known Member Thread Starter

    Joined:
    2005/01/17
    Messages:
    118
    Likes Received:
    0
    Not so fast... The damned thing came back about 1/2 hr ago. Got that fatal blue background screen and unplugged the DSL jack. This time it only took 20 minutes to run, last time was a good 45 minutes. Hopefully it does not come back. I deleted the desktop icon that it left and the program file shadow in the program listing too.

    Geri, I am running MBAM 12:42 AM CDT


    ComboFix 08-07-25.4 - Alan 2008-07-25 23:40:27.2 - NTFSx86
    Running from: C:\Documents and Settings\Alan\Desktop\FomboCix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Alan\Application Data\rhc1h1j0e38c
    C:\Program Files\rhc1h1j0e38c
    C:\WINDOWS\system32\AcKQYJjl.ini
    C:\WINDOWS\system32\AcKQYJjl.ini2
    C:\WINDOWS\system32\blphc5h1j0e38c.scr
    C:\WINDOWS\system32\lphc5h1j0e38c.exe
    C:\WINDOWS\system32\phc5h1j0e38c.bmp
    C:\WINDOWS\system32\pphc5h1j0e38c.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
    .

    2008-07-25 20:47 . 2008-07-25 20:47 94,848 --a------ C:\WINDOWS\system32\iobygsck.dll
    2008-07-24 20:48 . 2008-07-24 20:48 94,848 --a------ C:\WINDOWS\system32\yydufopt.dll
    2008-07-24 14:46 . 2008-07-24 14:46 94,848 --a------ C:\WINDOWS\system32\nrrxaavi.dll
    2008-07-24 14:45 . 2008-07-24 14:45 323,584 --a------ C:\WINDOWS\system32\ljJYQKcA.dll
    2008-07-24 13:20 . 2008-07-24 13:41 94,208 --a------ C:\WINDOWS\system32\10.tmp
    2008-07-24 13:16 . 2001-08-18 04:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
    2008-07-24 13:15 . 2008-07-24 12:30 94,208 --a------ C:\WINDOWS\grswptdl.exe
    2008-07-09 16:21 . 2008-07-09 16:21 <DIR> d-------- C:\Program Files\Hewlett-Packard
    2008-07-09 16:21 . 2008-07-09 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
    2008-07-09 16:09 . 2008-07-09 16:23 104,638 --a------ C:\WINDOWS\hpoins04.dat
    2008-07-09 16:09 . 2004-06-21 05:40 17,176 --------- C:\WINDOWS\hpomdl04.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-26 03:46 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-07-23 23:25 --------- d-----w C:\Program Files\Coupons
    2008-07-09 21:21 --------- d-----w C:\Program Files\HP
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-09 21:07 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2008-06-09 21:07 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-06-09 21:07 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2008-06-09 21:07 --------- d-----w C:\Program Files\Symantec
    2008-06-09 00:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2003-05-22 18:26 1,226,132 -c--a-w C:\Documents and Settings\Alan\MN_Refuge_Dawgs.scr
    .

    ((((((((((((((((((((((((((((( snapshot@2008-07-25_23.08.22.73 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-07-26 04:50:31 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_810.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E99B4B85-C779-43A9-8A00-5EE2CA492DE9}]
    2008-07-24 14:45 323584 --a------ C:\WINDOWS\system32\ljJYQKcA.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
    "ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2004-01-20 16:28 581632]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-11-19 11:56 110592]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-11-19 11:56 512000]
    "TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2003-10-24 01:39 897024]
    "TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-03-10 12:10 94208]
    "BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-12-25 03:36 20480]
    "BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2003-12-25 03:36 394752]
    "EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-12-25 04:04 208896]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-02-10 23:10 335872]
    "UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [2003-09-30 17:39 36864]
    "ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" [2004-01-20 16:28 581632]
    "UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 03:01 110592]
    "IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2004-03-19 14:12 90112]
    "BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-12-25 03:36 106496]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-02 01:05 127035]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-12-20 21:54 278528]
    "QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-09 18:15 198800]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
    "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 02:11 771704]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38 49152]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
    "S3TRAY2"="S3Tray2.exe" [2001-10-12 01:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
    "BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 02:56 380416 C:\WINDOWS\system32\irprops.cpl]
    "TpShocks"="TpShocks.exe" [2003-12-17 13:12 102400 C:\WINDOWS\system32\TpShocks.exe]
    "TP4EX"="tp4ex.exe" [2002-09-04 03:05 53248 C:\WINDOWS\system32\TP4EX.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 04:12:18 110592]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-10-15 22:11:14 24576]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winae83.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winbf83.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windh50.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winei61.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingk27.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingk61.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingk83.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winim72.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlp04.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winos48.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winot26.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqu26.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqu83.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqv48.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrv61.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrw61.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsx04.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winty04.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuy04.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwc48.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxc61.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
    "C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

    R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2003-12-17 15:50]
    R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2003-12-25 03:36]
    R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 07:47]
    R2 ibmfilter;ibmfilter;C:\WINDOWS\System32\drivers\ibmfilter.sys [2004-03-19 14:05]
    R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 06:40]
    R2 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2003-12-15 19:29]
    S0 Winae83;Winae83;C:\WINDOWS\system32\Drivers\Winae83.sys []
    S0 Winbf83;Winbf83;C:\WINDOWS\system32\Drivers\Winbf83.sys []
    S0 Windh50;Windh50;C:\WINDOWS\system32\Drivers\Windh50.sys []
    S0 Winei61;Winei61;C:\WINDOWS\system32\Drivers\Winei61.sys []
    S0 Wingk61;Wingk61;C:\WINDOWS\system32\Drivers\Wingk61.sys []
    S0 Wingk83;Wingk83;C:\WINDOWS\system32\Drivers\Wingk83.sys []
    S0 Winim72;Winim72;C:\WINDOWS\system32\Drivers\Winim72.sys []
    S0 Winlp04;Winlp04;C:\WINDOWS\system32\Drivers\Winlp04.sys []
    S0 Winos48;Winos48;C:\WINDOWS\system32\Drivers\Winos48.sys []
    S0 Winot26;Winot26;C:\WINDOWS\system32\Drivers\Winot26.sys []
    S0 Winqu26;Winqu26;C:\WINDOWS\system32\Drivers\Winqu26.sys []
    S0 Winqu83;Winqu83;C:\WINDOWS\system32\Drivers\Winqu83.sys []
    S0 Winqv48;Winqv48;C:\WINDOWS\system32\Drivers\Winqv48.sys []
    S0 Winrw61;Winrw61;C:\WINDOWS\system32\Drivers\Winrw61.sys []
    S0 Winsx04;Winsx04;C:\WINDOWS\system32\Drivers\Winsx04.sys []
    S0 Winty04;Winty04;C:\WINDOWS\system32\Drivers\Winty04.sys []
    S0 Winuy04;Winuy04;C:\WINDOWS\system32\Drivers\Winuy04.sys []
    S0 Winwc48;Winwc48;C:\WINDOWS\system32\Drivers\Winwc48.sys []
    S0 Winxc61;Winxc61;C:\WINDOWS\system32\Drivers\Winxc61.sys []

    *Newly Created Service* - COMHOST
    *Newly Created Service* - EGATHDRV
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-07-24 22:17:23 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Alan.job"
    - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
    .
    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://www.refugeforums.com/refuge/forumdisplay.php?f=33
    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-25 23:50:55
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    C:\WINDOWS\explorer.exe [304] 0x82B98B78

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EGATHDRV]
    "ImagePath"="\??\C:\WINDOWS\GATHER.KM"
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\WINDOWS\system32\TpKmpSvc.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\IBM\Updater\jre\bin\javaw.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\system32\imapi.exe
    .
    **************************************************************************
    .
    Completion time: 2008-07-26 0:02:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-07-26 05:02:30
    ComboFix2.txt 2008-07-26 04:09:16

    Pre-Run: 5,878,980,608 bytes free
    Post-Run: 5,882,937,344 bytes free

    235 --- E O F --- 2008-07-12 18:20:28
     
    Last edited: 2008/07/26
  14. 2008/07/26
    h2ofwlr

    h2ofwlr Well-Known Member Thread Starter

    Joined:
    2005/01/17
    Messages:
    118
    Likes Received:
    0
    Malwarebytes' Anti-Malware 1.23
    Database version: 993
    Windows 5.1.2600 Service Pack 2

    12:50:01 AM 7/26/2008
    mbam-log-7-26-2008 (00-50-01).txt

    Scan type: Quick Scan
    Objects scanned: 42627
    Time elapsed: 11 minute(s), 39 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 8
    Registry Values Infected: 2
    Registry Data Items Infected: 2
    Folders Infected: 1
    Files Infected: 14

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\ljJYQKcA.dll (Trojan.Vundo) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44dfae07-9c83-4a81-8ce1-e3e9e4eb39d0} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{44dfae07-9c83-4a81-8ce1-e3e9e4eb39d0} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\rhc1h1j0e38c (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\fdkowvbp.bgrv (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\fdkowvbp.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\ljjyqkca -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ljjyqkca -> Delete on reboot.

    Folders Infected:
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\ljJYQKcA.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\AcKQYJjl.ini (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\AcKQYJjl.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\iobygsck.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nrrxaavi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\yydufopt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
    C:\WINDOWS\grswptdl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Alan\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
     
  15. 2008/07/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    We gotta kill this right now else you'll be in deep again in no time.

    Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
    • Open Spybot Search & Destroy.
    • In the Mode menu click "Advanced mode" if not already selected.
    • Choose "Yes" at the Warning prompt.
    • Expand the "Tools" menu.
    • Click "Resident ".
    • Uncheck the "Resident 'TeaTimer' (Protection of overall system settings) active." box.
    • In the File menu click "Exit" to exit Spybot Search & Destroy.

    Open Task Manager and make sure TeaTimer.exe is not running. End Process on it if necessary.

    Shut down Norton processes as well.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad window, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    KillAll::
    Extra::
    File::
    C:\WINDOWS\system32\AcKQYJjl.ini2
    C:\WINDOWS\system32\ljJYQKcA.dll
    C:\WINDOWS\system32\10.tmp
    C:\WINDOWS\system32\Drivers\Winae83.sys
    C:\WINDOWS\system32\Drivers\Winbf83.sys
    C:\WINDOWS\system32\Drivers\Windh50.sys
    C:\WINDOWS\system32\Drivers\Winei61.sys
    C:\WINDOWS\system32\Drivers\Wingk61.sys
    C:\WINDOWS\system32\Drivers\Wingk83.sys
    C:\WINDOWS\system32\Drivers\Winim72.sys
    C:\WINDOWS\system32\Drivers\Winlp04.sys
    C:\WINDOWS\system32\Drivers\Winos48.sys
    C:\WINDOWS\system32\Drivers\Winot26.sys
    C:\WINDOWS\system32\Drivers\Winqu26.sys
    C:\WINDOWS\system32\Drivers\Winqu83.sys
    C:\WINDOWS\system32\Drivers\Winqv48.sys
    C:\WINDOWS\system32\Drivers\Winrw61.sys
    C:\WINDOWS\system32\Drivers\Winsx04.sys
    C:\WINDOWS\system32\Drivers\Winty04.sys
    C:\WINDOWS\system32\Drivers\Winuy04.sys
    C:\WINDOWS\system32\Drivers\Winwc48.sys
    C:\WINDOWS\system32\Drivers\Winxc61.sys
    Driver::
    Winae83
    Winbf83
    Windh50
    Winei61
    Wingk61
    Wingk83
    Winim72
    Winlp04
    Winos48
    Winot26
    Winqu26
    Winqu83
    Winqv48
    Winrw61
    Winsx04
    Winty04
    Winuy04
    Winwc48
    Winxc61
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E99B4B85-C779-43A9-8A00-5EE2CA492DE9}]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winae83.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winbf83.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windh50.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winei61.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingk27.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingk61.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingk83.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winim72.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlp04.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winos48.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winot26.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqu26.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqu83.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqv48.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrv61.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrw61.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsx04.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winty04.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuy04.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwc48.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxc61.sys]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  16. 2008/07/26
    h2ofwlr

    h2ofwlr Well-Known Member Thread Starter

    Joined:
    2005/01/17
    Messages:
    118
    Likes Received:
    0
    Deckard's System Scanner v20071014.68
    Run by Alan on 2008-07-26 01:05:00
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as Alan.exe) ------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 01:05, on 7/26/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
    C:\Documents and Settings\Alan\Desktop\Decker System Scanner.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Alan.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refugeforums.com/refuge/forumdisplay.php?f=33
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: (no name) - {165369DD-5D6B-4F38-B088-6A05B2C3A0E6} - C:\WINDOWS\system32\ljJYQKcA.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: (no name) - {44DFAE07-9C83-4A81-8CE1-E3E9E4EB39D0} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
    O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
    O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098788063468
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

    --
    End of file - 12295 bytes

    -- Files created between 2008-06-26 and 2008-07-26 -----------------------------

    2008-07-26 01:00:16 815 --ahs---- C:\WINDOWS\system32\AcKQYJjl.ini2
    2008-07-26 00:33:35 0 d-------- C:\Documents and Settings\Alan\Application Data\Malwarebytes <MALWAR~1>
    2008-07-26 00:33:25 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-26 00:33:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes <MALWAR~1>
    2008-07-25 22:24:45 68096 --a------ C:\WINDOWS\zip.exe
    2008-07-25 22:24:45 49152 --a------ C:\WINDOWS\VFind.exe
    2008-07-25 22:24:45 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-07-25 22:24:45 98816 --a------ C:\WINDOWS\sed.exe
    2008-07-25 22:24:45 80412 --a------ C:\WINDOWS\grep.exe
    2008-07-25 22:24:45 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-07-25 22:24:44 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-07-25 22:24:44 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-07-24 14:45:39 323584 -----n--- C:\WINDOWS\system32\ljJYQKcA.dll
    2008-07-09 16:21:02 0 d-------- C:\Program Files\Hewlett-Packard
    2008-07-09 16:21:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
    2008-07-09 16:09:01 17176 -----n--- C:\WINDOWS\hpomdl04.dat
    2008-07-09 16:09:01 104638 --a------ C:\WINDOWS\hpoins04.dat


    -- Find3M Report ---------------------------------------------------------------

    2008-07-26 01:06:19 94848 --a------ C:\WINDOWS\system32\tvympwpt.dll
    2008-07-26 01:06:06 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2008-07-25 23:44:49 0 d-------- C:\Program Files\Common Files
    2008-07-23 18:25:06 0 d-------- C:\Program Files\Coupons
    2008-07-09 16:21:01 0 d-------- C:\Program Files\HP
    2008-06-09 16:07:43 0 d-------- C:\Program Files\Symantec


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{165369DD-5D6B-4F38-B088-6A05B2C3A0E6}]
    07/24/2008 14:45 323584 --------- C:\WINDOWS\system32\ljJYQKcA.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44DFAE07-9C83-4A81-8CE1-E3E9E4EB39D0}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "S3TRAY2"="S3Tray2.exe" [10/12/2001 01:32 C:\WINDOWS\system32\S3Tray2.exe]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/19/2003 11:56]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/19/2003 11:56]
    "BluetoothAuthenticationAgent"="irprops.cpl" [08/04/2004 02:56 C:\WINDOWS\system32\irprops.cpl]
    "TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [10/24/2003 01:39]
    "TpShocks"="TpShocks.exe" [12/17/2003 13:12 C:\WINDOWS\system32\TpShocks.exe]
    "TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [03/10/2004 12:10]
    "BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [12/25/2003 03:36]
    "BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [12/25/2003 03:36]
    "TP4EX"="tp4ex.exe" [09/04/2002 03:05 C:\WINDOWS\system32\TP4EX.exe]
    "EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [12/25/2003 04:04]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [02/10/2004 23:10]
    "UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [09/30/2003 17:39]
    "ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" [01/20/2004 16:28]
    "UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [08/19/2003 03:01]
    "IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [03/19/2004 14:12]
    "BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [12/25/2003 03:36]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [09/02/2004 01:05]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/20/2005 21:54]
    "QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [05/09/2007 18:15]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 00:59]
    "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [01/14/2007 02:11]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/28/2007 20:51]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 23:16]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/12/2004 13:38]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [05/12/2004 15:18]
    "187101bc"="C:\WINDOWS\system32\tvympwpt.dll" [07/26/2008 01:06]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 21:05]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43]
    "ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [01/20/2004 16:28]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [10/4/2004 4:12:18 AM]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [10/15/2004 10:11:14 PM]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/28/2004 10:31:38 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\ljJYQKcA

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winae83.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winbf83.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windh50.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winei61.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingk27.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingk61.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingk83.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winim72.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlp04.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winos48.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winot26.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqu26.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqu83.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqv48.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrv61.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrw61.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsx04.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winty04.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuy04.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwc48.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxc61.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    *Newly Created Service* - COMHOST



    -- End of Deckard's System Scanner: finished at 2008-07-26 01:07:35 ------------
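The registry dump above is what a helper reads by eye: an LSA Authentication Packages value that lists something besides msv1_0, a run of SafeBoot\Minimal driver entries whose names all follow one template, a Run value whose name is a bare hex string, unnamed BHOs loading from system32 or pointing at a missing file, and (in the ComboFix log later in this thread) Security Center AntiVirusOverride/DisableMonitoring set to 1. As an added example, not code from this thread or from HijackThis, DSS or ComboFix, the Python script below applies those same checks to a constructed excerpt of such a log. The rule names, the family threshold and the name_shape skeleton heuristic are my own assumptions; the sample lines are built from entries that appear in this thread.

```python
import re
from collections import defaultdict

# Constructed sample input: a handful of lines in the style of the HijackThis
# and Deckard's System Scanner registry dump above (plus the Security Center
# values the ComboFix log in this thread reports). Not the full log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {165369DD-5D6B-4F38-B088-6A05B2C3A0E6} - C:\WINDOWS\system32\ljJYQKcA.dll
O2 - BHO: (no name) - {44DFAE07-9C83-4A81-8CE1-E3E9E4EB39D0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 00:59]
"187101bc"="C:\WINDOWS\system32\tvympwpt.dll" [07/26/2008 01:06]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ljJYQKcA
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winae83.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winbf83.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windh50.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
AUTHPKG_RE = re.compile(r'^"Authentication Packages"\s*=\s*(?P<pkgs>.+)$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*dword:(?P<val>[0-9A-Fa-f]{8})$')
RUN_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<path>[^"]+)"')
SAFEBOOT_RE = re.compile(r"\\SafeBoot\\Minimal\\(?P<entry>[^\\\]]+)$", re.IGNORECASE)
# Security Center values that, when set to 1, silence or override AV/firewall state.
SECCENTER_FLAGS = {"AntiVirusOverride", "DisableMonitoring"}


def name_shape(name):
    """Collapse a file name to its letter/digit skeleton (assumed heuristic):
    Winae83.sys -> Aaaaa99.aaa. Drivers dropped from one template share a shape."""
    return "".join("A" if c.isupper() else "a" if c.islower() else "9" if c.isdigit() else c
                   for c in name)


def triage(log_text, family_threshold=3):
    """Return (rule, detail) findings for one HijackThis/DSS-style log."""
    findings = []
    current_key = ""
    safeboot_drivers = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = BHO_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            # Legitimate BHOs normally carry a name and live under Program Files.
            if name == "(no name)" and (path == "(no file)" or "\\system32\\" in path.lower()):
                findings.append(("bho", f"unnamed BHO -> {path}"))
            continue
        m = AUTHPKG_RE.match(line)
        if m:
            # On XP the only expected authentication package is msv1_0.
            for pkg in m.group("pkgs").split():
                if pkg.lower() != "msv1_0":
                    findings.append(("lsa-authpkg", pkg))
            continue
        m = DWORD_RE.match(line)
        if m and "security center" in current_key.lower():
            if m.group("name") in SECCENTER_FLAGS and int(m.group("val"), 16) == 1:
                findings.append(("security-center", f"{m.group('name')}=1 under {current_key}"))
            continue
        m = RUN_VAL_RE.match(line)
        if m and current_key.lower().endswith("\\currentversion\\run"):
            # A Run value named with nothing but hex digits is rarely legitimate.
            if re.fullmatch(r"[0-9A-Fa-f]{6,}", m.group("name")):
                findings.append(("run-hexname", f"{m.group('name')} -> {m.group('path')}"))
            continue
        sb = SAFEBOOT_RE.search(current_key)
        if sb and line.replace(" ", "") == '@="Driver"' and sb.group("entry").lower().endswith(".sys"):
            safeboot_drivers.append(sb.group("entry"))
    # Family rule: several SafeBoot\Minimal drivers sharing one name skeleton.
    by_shape = defaultdict(list)
    for entry in safeboot_drivers:
        by_shape[name_shape(entry)].append(entry)
    for shape, members in by_shape.items():
        if len(members) >= family_threshold:
            findings.append(("safeboot-family", f"{len(members)} drivers shaped {shape}: {', '.join(members)}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

Run it as-is to print the findings for the embedded sample, or pass the text of a real log to triage(). The checks are a responder's first pass, not a verdict: a SafeBoot entry is only suspicious here because a whole family of drivers shares one name skeleton, and a hex-named Run value still has to be checked against what the file it points at actually is.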
     
  17. 2008/07/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please see my last post above. ;)
     
  18. 2008/07/26
    h2ofwlr

    h2ofwlr Well-Known Member Thread Starter

    Joined:
    2005/01/17
    Messages:
    118
    Likes Received:
    0
    I'll check back in the AM, need to get some Zzzzzzzzz

    With the additional definitions:

    ComboFix 08-07-25.4 - Alan 2008-07-26 1:21:47.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.407 [GMT -5:00]
    Running from: C:\Documents and Settings\Alan\Desktop\FomboCix.exe
    Command switches used :: C:\Documents and Settings\Alan\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\system32\10.tmp
    C:\WINDOWS\system32\Drivers\Winae83.sys
    C:\WINDOWS\system32\Drivers\Winbf83.sys
    C:\WINDOWS\system32\Drivers\Windh50.sys
    C:\WINDOWS\system32\Drivers\Winei61.sys
    C:\WINDOWS\system32\Drivers\Wingk61.sys
    C:\WINDOWS\system32\Drivers\Wingk83.sys
    C:\WINDOWS\system32\Drivers\Winim72.sys
    C:\WINDOWS\system32\Drivers\Winlp04.sys
    C:\WINDOWS\system32\Drivers\Winos48.sys
    C:\WINDOWS\system32\Drivers\Winot26.sys
    C:\WINDOWS\system32\Drivers\Winqu26.sys
    C:\WINDOWS\system32\Drivers\Winqu83.sys
    C:\WINDOWS\system32\Drivers\Winqv48.sys
    C:\WINDOWS\system32\Drivers\Winrw61.sys
    C:\WINDOWS\system32\Drivers\Winsx04.sys
    C:\WINDOWS\system32\Drivers\Winty04.sys
    C:\WINDOWS\system32\Drivers\Winuy04.sys
    C:\WINDOWS\system32\Drivers\Winwc48.sys
    C:\WINDOWS\system32\Drivers\Winxc61.sys
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\10.tmp
    C:\WINDOWS\system32\AcKQYJjl.ini
    C:\WINDOWS\system32\AcKQYJjl.ini2
    C:\WINDOWS\system32\ncbfdk.dll
    C:\WINDOWS\system32\tpwpmyvt.ini
    C:\WINDOWS\system32\xbjafjvt.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_Winae83
    -------\Service_Winbf83
    -------\Service_Windh50
    -------\Service_Winei61
    -------\Service_Wingk61
    -------\Service_Wingk83
    -------\Service_Winim72
    -------\Service_Winlp04
    -------\Service_Winos48
    -------\Service_Winot26
    -------\Service_Winqu26
    -------\Service_Winqu83
    -------\Service_Winqv48
    -------\Service_Winrw61
    -------\Service_Winsx04
    -------\Service_Winty04
    -------\Service_Winuy04
    -------\Service_Winwc48
    -------\Service_Winxc61


    ((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
    .

    2008-07-26 01:06 . 2008-07-26 01:06 94,848 --a------ C:\WINDOWS\system32\tvympwpt.dll
    2008-07-26 00:33 . 2008-07-26 00:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-26 00:33 . 2008-07-26 00:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-26 00:33 . 2008-07-26 00:33 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\Malwarebytes
    2008-07-26 00:33 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-07-26 00:33 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-24 14:45 . 2008-07-24 14:45 323,584 --------- C:\WINDOWS\system32\ljJYQKcA.dll
    2008-07-24 13:16 . 2001-08-18 04:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
    2008-07-09 16:21 . 2008-07-09 16:21 <DIR> d-------- C:\Program Files\Hewlett-Packard
    2008-07-09 16:21 . 2008-07-09 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
    2008-07-09 16:09 . 2008-07-09 16:23 104,638 --a------ C:\WINDOWS\hpoins04.dat
    2008-07-09 16:09 . 2004-06-21 05:40 17,176 --------- C:\WINDOWS\hpomdl04.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-26 06:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-07-23 23:25 --------- d-----w C:\Program Files\Coupons
    2008-07-09 21:21 --------- d-----w C:\Program Files\HP
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
    2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
    2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-09 21:07 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2008-06-09 21:07 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
    2008-06-09 21:07 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-06-09 21:07 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2008-06-09 21:07 --------- d-----w C:\Program Files\Symantec
    2008-06-09 00:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
    2003-05-22 18:26 1,226,132 -c--a-w C:\Documents and Settings\Alan\MN_Refuge_Dawgs.scr
    .

    ((((((((((((((((((((((((((((( snapshot@2008-07-25_23.08.22.73 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-07-26 06:31:29 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_664.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{165369DD-5D6B-4F38-B088-6A05B2C3A0E6}]
    2008-07-24 14:45 323584 --------- C:\WINDOWS\system32\ljJYQKcA.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
    "ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2004-01-20 16:28 581632]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-11-19 11:56 110592]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-11-19 11:56 512000]
    "TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2003-10-24 01:39 897024]
    "TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-03-10 12:10 94208]
    "BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-12-25 03:36 20480]
    "BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2003-12-25 03:36 394752]
    "EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-12-25 04:04 208896]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-02-10 23:10 335872]
    "UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [2003-09-30 17:39 36864]
    "ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" [2004-01-20 16:28 581632]
    "UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 03:01 110592]
    "IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2004-03-19 14:12 90112]
    "BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-12-25 03:36 106496]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-02 01:05 127035]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-12-20 21:54 278528]
    "QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-09 18:15 198800]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
    "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 02:11 771704]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38 49152]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
    "S3TRAY2"="S3Tray2.exe" [2001-10-12 01:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
    "BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 02:56 380416 C:\WINDOWS\system32\irprops.cpl]
    "TpShocks"="TpShocks.exe" [2003-12-17 13:12 102400 C:\WINDOWS\system32\TpShocks.exe]
    "TP4EX"="tp4ex.exe" [2002-09-04 03:05 53248 C:\WINDOWS\system32\TP4EX.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 04:12:18 110592]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-10-15 22:11:14 24576]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe "=
    "C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe "=

    R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2003-12-17 15:50]
    R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2003-12-25 03:36]
    R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 07:47]
    R2 ibmfilter;ibmfilter;C:\WINDOWS\System32\drivers\ibmfilter.sys [2004-03-19 14:05]
    R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 06:40]
    R2 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2003-12-15 19:29]

    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-07-24 22:17:23 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Alan.job "
    - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
    .
    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://www.refugeforums.com/refuge/forumdisplay.php?f=33
    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-26 01:32:39
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\WINDOWS\system32\TpKmpSvc.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-07-26 1:41:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-07-26 06:40:59
    ComboFix2.txt 2008-07-26 05:02:49
    ComboFix3.txt 2008-07-26 04:09:16

    Pre-Run: 5,776,310,272 bytes free
    Post-Run: 5,778,051,072 bytes free

    224 --- E O F --- 2008-07-12 18:20:28
     
  19. 2008/07/26
    noahdfear

    Will check back tomorrow as well. Here's your next task. ;)

    Once again, please make sure Norton is shut down. Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    KillAll::
    Extra::
    File::
    C:\WINDOWS\system32\tvympwpt.dll
    C:\WINDOWS\system32\ljJYQKcA.dll
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{165369DD-5D6B-4F38-B088-6A05B2C3A0E6}]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Please post the contents of C:\QooBox\ComboFix-quarantined-files.txt in separate post.
     
  20. 2008/07/26
    h2ofwlr

    OK, well I guess you had an expiration date on the ComboFix from last night, as I was looking in my calendar this AM at Aug dates for a meeting, and forgot to switch back to July. Well, it was deleted off of my screen. And then I noticed you removed the link from last night. So I downloaded the link from #18. So I pulled the last group of things into that software, hope that was OK. Results are below.

    And I am not sure if I turned off NIS adequately, meaning I manually turned off the various processes in the settings area to disable it. Not sure if there is a "master" turn-off switch or not. But thought I should mention it just in case.

    BTW, on the desktop icon after it downloads, it comes up as FomboCix in its title vs. ComboFix (both versions). You may want to alert the programmer of that.


    2008-02-08 11:30 139 --a--c--- C:\Qoobox\Quarantine\C\Documents and Settings\Alan\Application Data\Macromedia\Flash Player\#SharedObjects\47Y5AP3F\interclick.com\ud.sol.vir
    2008-02-08 11:30 84 --a--c--- C:\Qoobox\Quarantine\C\Documents and Settings\Alan\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol.vir
    2008-07-24 12:30 163840 --a------ C:\Qoobox\Quarantine\C\WINDOWS\eskx.exe.vir
    2008-07-24 12:30 204800 --a------ C:\Qoobox\Quarantine\C\WINDOWS\fdkowvbp.dll.vir
    2008-07-24 12:30 258048 --a------ C:\Qoobox\Quarantine\C\WINDOWS\eqvwamkl.dll.vir
    2008-07-24 12:30 286720 --a------ C:\Qoobox\Quarantine\C\WINDOWS\wnslvxtf.dll.vir
    2008-07-24 12:30 344064 --a------ C:\Qoobox\Quarantine\C\WINDOWS\nfavxwdbgfw.dll.vir
    2008-07-24 13:15 278 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Alan\Desktop\Error Cleaner.url.vir
    2008-07-24 13:15 278 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Alan\Desktop\Privacy Protector.url.vir
    2008-07-24 13:15 278 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Alan\Desktop\Spyware&Malware Protection.url.vir
    2008-07-24 13:16 32640 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ssqNDvtt.dll.vir
    2008-07-24 13:16 32640 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tuvWnnOF.dll.vir
    2008-07-24 13:16 34816 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\clbdll.dll.vir
    2008-07-24 13:31 94208 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\B.tmp.vir
    2008-07-24 13:31 94208 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\C.tmp.vir
    2008-07-24 13:31 94208 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\D.tmp.vir
    2008-07-24 13:31 94208 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\E.tmp.vir
    2008-07-24 13:31 94208 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\F.tmp.vir
    2008-07-24 13:41 94208 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\10.tmp.vir
    2008-07-24 14:45 323584 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ljJYQKcA.dll.vir
    2008-07-24 14:46 116864 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\shjguxtf.dll.vir
    2008-07-24 14:46 116864 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\uejyjg.dll.vir
    2008-07-24 14:47 617529 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ivaaxrrn.ini.vir
    2008-07-24 20:49 116864 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ovxlycaw.dll.vir
    2008-07-24 20:49 116864 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tooaen.dll.vir
    2008-07-24 20:49 617529 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tpofudyy.ini.vir
    2008-07-25 16:10 143 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mcrh.tmp.vir
    2008-07-25 20:32 16384 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\WinCtrl32.dll.vir
    2008-07-25 20:53 116352 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lqtzcy.dll.vir
    2008-07-25 20:53 116352 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wnirxamm.dll.vir
    2008-07-25 20:54 1536197 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\kcsgyboi.ini.vir
    2008-07-25 20:54 69 --a------ C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir
    2008-07-25 21:09 16384 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\WinCtrl32.dl_.vir
    2008-07-25 22:37 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\clbdll.old.vir
    2008-07-25 22:37 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\clbinit.dll.vir
    2008-07-25 22:37 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\clbdriver.sys.vir
    2008-07-25 22:40 1290 --a------ C:\Qoobox\Quarantine\Registry_backups\Legacy_CLBDRIVER.reg.dat
    2008-07-25 22:45 28915 --a------ C:\Qoobox\Quarantine\catchme2008-07-25_224558.89.zip
    2008-07-25 23:08 0 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
    2008-07-25 23:08 0 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
    2008-07-25 23:08 0 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
    2008-07-25 23:08 1301 --a------ C:\Qoobox\Quarantine\Registry_backups\Toolbar-{4BFE09E6-C0C4-4F43-9972-EF6747259D82}.reg.dat
    2008-07-25 23:08 157 --a------ C:\Qoobox\Quarantine\Registry_backups\BHO-{7E156AAE-FA60-44A1-8E69-2E0E0030F1F6}.reg.dat
    2008-07-25 23:08 157 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-QuickTime Task.reg.dat
    2008-07-25 23:08 93 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-UC_SMB.reg.dat
    2008-07-25 23:37 110080 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lphc5h1j0e38c.exe.vir
    2008-07-25 23:37 60928 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\blphc5h1j0e38c.scr.vir
    2008-07-25 23:37 90838 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\phc5h1j0e38c.bmp.vir
    2008-07-25 23:47 94208 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pphc5h1j0e38c.exe.vir
    2008-07-26 01:06 1536188 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tpwpmyvt.ini.vir
    2008-07-26 01:06 94848 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tvympwpt.dll.vir
    2008-07-26 01:09 116352 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ncbfdk.dll.vir
    2008-07-26 01:09 116352 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\xbjafjvt.dll.vir
    2008-07-26 01:26 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Winae83.reg.dat
    2008-07-26 01:26 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Winbf83.reg.dat
    2008-07-26 01:26 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Windh50.reg.dat
    2008-07-26 01:26 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Winei61.reg.dat
    2008-07-26 01:26 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Wingk61.reg.dat
    2008-07-26 01:26 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Wingk83.reg.dat
    2008-07-26 01:26 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Winim72.reg.dat
    2008-07-26 01:26 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Winlp04.reg.dat
    2008-07-26 01:27 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Winos48.reg.dat
    2008-07-26 01:27 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Winot26.reg.dat
    2008-07-26 01:27 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Winqu26.reg.dat
    2008-07-26 01:27 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Winqu83.reg.dat
    2008-07-26 01:27 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Winqv48.reg.dat
    2008-07-26 01:27 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Winrw61.reg.dat
    2008-07-26 01:27 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Winsx04.reg.dat
    2008-07-26 01:27 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Winty04.reg.dat
    2008-07-26 01:27 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Winuy04.reg.dat
    2008-07-26 01:27 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Winwc48.reg.dat
    2008-07-26 01:27 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Winxc61.reg.dat
    2008-07-26 08:11 632097 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\AcKQYJjl.ini2.vir
    2008-07-26 08:12 632167 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\AcKQYJjl.ini.vir
    2008-07-26 08:14 1076 --a------ C:\Qoobox\Quarantine\catchme.log
    2008-07-26 08:33 294 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\auyantjj.ini.vir
     
    Last edited: 2008/07/26
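    The ComboFix log posted above and the quarantine listing in this post carry the indicators a triager reads first: Security Center override values set to 1 so the missing AV and firewall stop being reported, EnableFirewall set to 0 in the standard profile, a Browser Helper Object whose DLL sits directly in system32 under a random-looking name, and batches of quarantined files that share a byte size under different names next to a run of Service_Win??## entries. The script below is an added example, not code from the thread, from ComboFix or from its author, that pulls those indicators out of ComboFix-style text. Its two input excerpts are constructed from lines quoted in the thread, and its rules are heuristics chosen for the illustration, not ComboFix's own detection logic.

```python
"""Triage helper for ComboFix-style output.

Added example for this thread; it is not code from the thread, from ComboFix
or from its author. REGISTRY_EXCERPT and QUARANTINE_EXCERPT are constructed
from lines quoted in the thread. The rules (Security Center override values
set to 1, EnableFirewall set to 0, a BHO DLL sitting directly in system32,
several differently named quarantined files of identical size, a burst of
Service_Win + two letters + two digits entries) are heuristics chosen for
this illustration, not ComboFix's own detection logic.
"""
import re
from collections import defaultdict

# Constructed from the registry section of the ComboFix log posted above.
REGISTRY_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{165369DD-5D6B-4F38-B088-6A05B2C3A0E6}]
2008-07-24 14:45 323584 --------- C:\WINDOWS\system32\ljJYQKcA.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride "=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)
"""

# Constructed from a few lines of the quarantine listing in this post.
QUARANTINE_EXCERPT = r"""
2008-07-24 14:46 116864 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\shjguxtf.dll.vir
2008-07-24 14:46 116864 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\uejyjg.dll.vir
2008-07-25 20:53 116352 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lqtzcy.dll.vir
2008-07-25 20:53 116352 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wnirxamm.dll.vir
2008-07-25 22:37 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\clbinit.dll.vir
2008-07-26 01:26 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Winae83.reg.dat
2008-07-26 01:26 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Winbf83.reg.dat
2008-07-26 01:27 1748 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_Winxc61.reg.dat
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# ComboFix prints value names with a trailing space inside the quotes.
VALUE_RE = re.compile(r'^"([^"]+?)\s*"\s*=\s*(?:dword:)?([0-9A-Fa-f]+)')
# "date time size attributes path" lines, used for both log and quarantine.
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (\d+) \S+ (.+)$")
SYSTEM32_RE = re.compile(r"\\windows\\system32\\[^\\]+\.dll$", re.IGNORECASE)
SERVICE_RE = re.compile(r"\\Service_Win[a-z]{2}\d{2}\.reg\.dat$")

# Security Center values that, when set to 1, silence the AV/firewall warnings.
SC_OVERRIDES = {"AntiVirusOverride", "FirewallOverride", "UpdatesOverride",
                "AntiVirusDisableNotify", "FirewallDisableNotify",
                "UpdatesDisableNotify", "DisableMonitoring"}


def triage_registry(text):
    """Walk [key] / "name"=data blocks and return (kind, detail) findings."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data = m.group(1), int(m.group(2), 16)
            if "security center" in key and name in SC_OVERRIDES and data == 1:
                findings.append(("security_center_override", name))
            elif "firewallpolicy" in key and name == "EnableFirewall" and data == 0:
                findings.append(("firewall_disabled", key))
            continue
        m = FILE_RE.match(line)
        if m and "browser helper objects" in key and SYSTEM32_RE.search(m.group(2)):
            # Legitimate BHOs normally live under Program Files (heuristic).
            findings.append(("bho_in_system32", m.group(2)))
    return findings


def triage_quarantine(text):
    """Cluster quarantined files by size and count look-alike services."""
    by_size, services = defaultdict(set), 0
    for raw in text.splitlines():
        m = FILE_RE.match(raw.strip())
        if not m:
            continue
        size, path = int(m.group(1)), m.group(2)
        if SERVICE_RE.search(path):
            services += 1
        elif path.endswith(".vir") and size > 0:
            # Identical size under unrelated names points to copies of one dropper.
            by_size[size].add(path.rsplit("\\", 1)[-1][:-4])
    findings = [("same_size_cluster", size, sorted(names))
                for size, names in sorted(by_size.items()) if len(names) >= 2]
    if services >= 3:
        findings.append(("service_burst", services))
    return findings


def report(registry_text, quarantine_text):
    """Flatten both finding lists into printable lines (returned, not printed)."""
    findings = triage_registry(registry_text) + triage_quarantine(quarantine_text)
    return [": ".join(str(part) for part in f) for f in findings]


if __name__ == "__main__":
    print("\n".join(report(REGISTRY_EXCERPT, QUARANTINE_EXCERPT)))
```

    Worth re-running on the next log: the firewall and Security Center values are plain registry data, so confirming they went back to their defaults after a cleanup pass is cheap.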
  21. 2008/07/26
    noahdfear

    The discrepancy in the name was my doing. One of the infections you had was blocking ComboFix from running, by monitoring for its name in processes. :)
     
