
Inactive [InActive] Desktop Infected

Discussion in 'Malware and Virus Removal Archive' started by deester, 2009/01/05.

  1. 2009/01/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The file I need to see is named ComboFix-quarantined-files.txt
     
  2. 2009/01/12
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
    2007-02-05 16:59:46 A------- 4,639 C:\Qoobox\Quarantine\C\Program Files\Windows Media Player\mplayer2.exe.vir
    2007-12-27 12:48:45 A------- 136 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\Microsoft_Hardware_Launch_setup_exe.job.vir
    2008-06-18 12:15:40 A------- 25,600 C:\Qoobox\Quarantine\C\WINDOWS\system32\WS2Fix.exe.vir
    2008-06-18 12:15:40 A------- 51,200 C:\Qoobox\Quarantine\C\WINDOWS\system32\dumphive.exe.vir
    2008-06-18 12:15:40 A------- 53,248 C:\Qoobox\Quarantine\C\WINDOWS\system32\Process.exe.vir
    2008-06-18 12:15:40 A------- 81,920 C:\Qoobox\Quarantine\C\WINDOWS\system32\IEDFix.exe.vir
    2008-06-18 12:15:40 A------- 85,504 C:\Qoobox\Quarantine\C\WINDOWS\system32\VACFix.exe.vir
    2008-06-18 12:15:40 A------- 288,417 C:\Qoobox\Quarantine\C\WINDOWS\system32\SrchSTS.exe.vir
    2008-06-18 12:15:40 A------- 289,144 C:\Qoobox\Quarantine\C\WINDOWS\system32\VCCLSID.exe.vir
    2008-06-18 12:17:18 A------- 81,920 C:\Qoobox\Quarantine\C\WINDOWS\system32\404Fix.exe.vir
    2008-06-18 12:17:18 A------- 81,920 C:\Qoobox\Quarantine\C\WINDOWS\system32\IEDFix.C.exe.vir
    2008-06-18 12:30:53 A------- 1,700 C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp.reg.vir
    2009-01-06 07:20:11 A------- 1,927 C:\Qoobox\Quarantine\catchme.log
    2009-01-06 07:27:32 A------- 7,764 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
    2009-01-06 07:28:36 A------- 236 C:\Qoobox\Quarantine\Registry_backups\Toolbar-8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2.reg.dat
    2009-01-06 07:28:39 A------- 147 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SiteAdvisor.reg.dat
    2009-01-08 23:27:29 A------- 118,276 C:\Qoobox\Quarantine\C\WINDOWS\system32\msxml71.dll.vir
    2009-01-08 23:27:31 A------- 0 C:\Qoobox\Quarantine\C\WINDOWS\system32\BUBHE6PH.exe.a_a.vir
    2009-01-08 23:27:31 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At1.job.vir
    2009-01-08 23:27:31 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At2.job.vir
    2009-01-08 23:27:31 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At3.job.vir
    2009-01-08 23:27:31 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At4.job.vir
    2009-01-08 23:27:31 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At5.job.vir
    2009-01-08 23:27:31 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At6.job.vir
    2009-01-08 23:27:31 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At7.job.vir
    2009-01-08 23:27:31 A------- 73,728 C:\Qoobox\Quarantine\C\WINDOWS\system32\BUBHE6PH.exe.vir
    2009-01-08 23:27:32 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At10.job.vir
    2009-01-08 23:27:32 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At11.job.vir
    2009-01-08 23:27:32 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At12.job.vir
    2009-01-08 23:27:32 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At13.job.vir
    2009-01-08 23:27:32 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At14.job.vir
    2009-01-08 23:27:32 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At15.job.vir
    2009-01-08 23:27:32 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At16.job.vir
    2009-01-08 23:27:32 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At17.job.vir
    2009-01-08 23:27:32 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At18.job.vir
    2009-01-08 23:27:32 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At19.job.vir
    2009-01-08 23:27:32 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At8.job.vir
    2009-01-08 23:27:32 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At9.job.vir
    2009-01-08 23:27:33 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At20.job.vir
    2009-01-08 23:27:33 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At21.job.vir
    2009-01-08 23:27:33 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At22.job.vir
    2009-01-08 23:27:33 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At23.job.vir
    2009-01-08 23:27:33 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At24.job.vir
    2009-01-08 23:40:47 A------- 5,219 C:\Qoobox\Quarantine\C\Program Files\Windows Media Player\_mplayer2_.exe.zip
    2009-01-09 05:34:38 A------- 142 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Weather.reg.dat
    2009-01-09 05:34:38 A------- 157 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-AROReminder.reg.dat
    2009-01-09 05:34:38 A------- 179 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-updateMgr.reg.dat
    2009-01-10 05:04:39 A------- 48,578 C:\Qoobox\Quarantine\[22]-Submit_2009-01-10@5.04.zip
    2009-01-10 05:07:38 A------- 1,184 C:\Qoobox\Quarantine\Registry_backups\Legacy_FXDRV.reg.dat
    2009-01-10 05:07:39 A------- 2,216 C:\Qoobox\Quarantine\Registry_backups\Service_FXDRV.reg.dat
    2009-01-10 05:51:10 A------- 1,624 C:\Qoobox\Quarantine\[22]-Submit_2009-01-10@5.50.zip
     
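A small parser for listings in the format of the ComboFix-quarantined-files.txt posted above, added here as an illustration and not part of the thread or of ComboFix itself. It reads the four-column lines (timestamp, attribute flags, comma-grouped size, quarantine path), maps a quarantined `.vir` file back to the original location on disk, and groups entries by the minute they were quarantined, which is how a reviewer spots the batch of `At1.job`..`At24.job` scheduled tasks next to `BUBHE6PH.exe`. The sample lines are a constructed subset copied from the listing; the column layout is assumed from that listing, not from any ComboFix documentation.

```python
import re
from collections import Counter

# Constructed sample: a subset of the ComboFix-quarantined-files.txt lines posted above.
SAMPLE = r"""
2007-02-05 16:59:46 A------- 4,639 C:\Qoobox\Quarantine\C\Program Files\Windows Media Player\mplayer2.exe.vir
2008-06-18 12:30:53 A------- 1,700 C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp.reg.vir
2009-01-08 23:27:29 A------- 118,276 C:\Qoobox\Quarantine\C\WINDOWS\system32\msxml71.dll.vir
2009-01-08 23:27:31 A------- 0 C:\Qoobox\Quarantine\C\WINDOWS\system32\BUBHE6PH.exe.a_a.vir
2009-01-08 23:27:31 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At1.job.vir
2009-01-08 23:27:31 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At2.job.vir
2009-01-08 23:27:31 A------- 73,728 C:\Qoobox\Quarantine\C\WINDOWS\system32\BUBHE6PH.exe.vir
2009-01-08 23:27:32 A------- 350 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At10.job.vir
2009-01-09 05:34:38 A------- 142 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Weather.reg.dat
"""

# Assumed column layout: "<date> <time> <flags> <size> <path>"; the path may contain spaces.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) ([\d,]+) (.+)$")
QUARANTINE_ROOT = "C:\\Qoobox\\Quarantine\\"


def parse_listing(text):
    """Parse listing lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, flags, size, path = m.groups()
        entries.append({"time": ts, "flags": flags,
                        "size": int(size.replace(",", "")), "path": path})
    return entries


def original_path(qpath):
    """Map C:\\Qoobox\\Quarantine\\<drive>\\...\\name.vir back to <drive>:\\...\\name.
    Registry backups and ComboFix's own logs are not copies of files, so return None."""
    if not qpath.startswith(QUARANTINE_ROOT) or not qpath.endswith(".vir"):
        return None
    rest = qpath[len(QUARANTINE_ROOT):-len(".vir")]
    drive, sep, tail = rest.partition("\\")
    if len(drive) != 1 or not sep:
        return None
    return f"{drive}:\\{tail}"


def at_job_tasks(entries):
    """Names of quarantined At<N>.job scheduled tasks, in numeric order.
    A run of these, created within seconds of each other, usually belongs to
    one piece of malware re-launching itself rather than to the user."""
    names = []
    for e in entries:
        orig = original_path(e["path"])
        if orig and re.search(r"\\Tasks\\At\d+\.job$", orig, re.IGNORECASE):
            names.append(orig.rsplit("\\", 1)[1])
    return sorted(names, key=lambda n: int(re.search(r"\d+", n).group()))


def batches_by_minute(entries):
    """Count quarantined items per minute so that one removal batch stands out."""
    return Counter(e["time"][:16] for e in entries)


def total_bytes(entries):
    return sum(e["size"] for e in entries)


if __name__ == "__main__":
    items = parse_listing(SAMPLE)
    print(f"{len(items)} entries, {total_bytes(items)} bytes quarantined")
    print("At*.job tasks:", at_job_tasks(items))
    for minute, n in batches_by_minute(items).most_common(3):
        print(f"{minute}: {n} items")
```

Run against a real ComboFix-quarantined-files.txt the same way; the largest minute bucket is normally the run in which the infection was removed, and everything in it should be reviewed together.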


  4. 2009/01/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please upload the following file to this submission channel.

    C:\Qoobox\Quarantine\[22]-Submit_2009-01-10@5.50.zip


    Please do an online scan with Kaspersky Online Scanner

    • Click Accept when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.


    Post the Kaspersky log here.
     
  5. 2009/01/13
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
    I don't have a clue what I am doing here, I ended up downloading Stopzilla. Need some help please. Thanks,
    Deester
     
  6. 2009/01/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Click on the link above labeled this submission channel.
    When the page loads, click the Browse button.
    Navigate to C:\Qoobox\Quarantine in the Browse window then select the file named [22]-Submit_2009-01-10@5.50.zip
    Click Open
    Click Send File


    Then proceed to the Kaspersky Online Scanner via the link provided above and do a full system scan.
     
  7. 2009/01/15
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
    I was doing it right even though I thought I was doing it wrong. When I open the file, the browser closes; I cannot open the submit file. This one is not working for me.
    KASPERSKY ONLINE SCANNER 7 REPORT
    Thursday, January 15, 2009
    Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Thursday, January 15, 2009 03:39:48
    Records in database: 1623387


    Scan settings
    Scan using the following database extended
    Scan archives yes
    Scan mail databases yes

    Scan area My Computer
    C:\
    D:\
    E:\
    F:\

    Scan statistics
    Files scanned 55677
    Threat name 27
    Infected objects 47
    Suspicious objects 0
    Duration of the scan 01:47:11

    File name Threat name Threats count
    C:\Program Files\Common Files\aolback\Comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

    C:\Program Files\MyWebSearchWB\bar\1.bin\NPMYSRWB.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1

    C:\Program Files\MyWebSearchWB\bar\1.bin\W6PLUGIN.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.l 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0EDA3F9B.exe Infected: Trojan.Win32.FraudPack.gtv 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\108C3417 Infected: Trojan-Downloader.Win32.Agent.anru 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18DA241D.htm Infected: Packed.JS.Agent.a 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\19590991.htm Infected: Packed.JS.Agent.a 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1A543F95.exe Infected: Trojan-Downloader.Win32.Agent.avyb 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1B122DAC.htm Infected: Packed.JS.Agent.a 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1B2750F6.exe Infected: Trojan.Win32.Agent.avox 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C271A77 Infected: Trojan.Win32.Agent.apyg 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C2A4473 Infected: Trojan.Win32.Agent.apyg 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\211969B5.htm Infected: Packed.JS.Agent.a 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\21A7408E Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\22590FE4 Infected: not-a-virus:AdWare.Win32.Agent.fzp 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\22C02ECE Infected: Trojan.Win32.Agent.amji 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\27B3326B Infected: Trojan-Dropper.Win32.Agent.xpq 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\29283C47 Infected: Trojan-Dropper.Win32.Agent.zvf 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\292C6643 Infected: Trojan-Dropper.Win32.Agent.zvf 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\32C31FD5 Infected: Trojan.Win32.Agent.aqyx 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3F3A4C8D Infected: Trojan-Dropper.Win32.Agent.zvf 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\411C1E44 Infected: Trojan-Dropper.Win32.Agent.zvf 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\444E7AF4 Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\445349DA Infected: Trojan.Win32.Agent.amji 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\48322690 Infected: Trojan.Win32.Agent.aqyx 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\496B1F93.exe Infected: Trojan-Downloader.Win32.Agent.asmc 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\497F1B7E.exe Infected: Trojan.Win32.FraudPack.gvz 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\518C4D91.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\569A5610 Infected: Trojan.Win32.Agent.azsj 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5B4E4AA7 Infected: Trojan-Downloader.Win32.FraudLoad.vetd 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5BBD23BD.htm Infected: Packed.JS.Agent.a 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5F0F0E87.exe Infected: Hoax.Win32.Renos.vark 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\613F7A3F Infected: Trojan-Downloader.Win32.FraudLoad.vetd 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6A0F0F5C.htm Infected: Packed.JS.Agent.a 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6A26252D.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6CD0264D.exe Infected: Trojan.Win32.FraudPack.gtv 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6D0B7CA2 Infected: Trojan.Win32.FraudPack.gvz 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6D1B4E90 Infected: Trojan.Win32.BHO.iex 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6D2F4A7A Infected: Trojan.Win32.Agent.apps 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6D6B5729 Infected: Trojan-Dropper.Win32.Agent.yye 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\718B4B33.dll Infected: Trojan.Win32.Agent.anlc 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\71955242.exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\77892E66.exe Infected: Trojan.Win32.FraudPack.gtv 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\79206C9A Infected: Trojan-Downloader.Win32.FraudLoad.veog 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\79231696 Infected: Trojan.Win32.Agent.axzq 1

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\79264092 Infected: Trojan.Win32.Agent.axzq 1

    C:\Qoobox\Quarantine\[22]-Submit_2009-01-10@5.04.zip Infected: Trojan-Downloader.Win32.Agent.bbvy 1

    The selected area was scanned.
     
  8. 2009/01/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    See if you can attach that zip file to an email and send it to me please.
    Then we'll finish cleaning up.

    BTW, how's the computer behaving now?
     
  9. 2009/01/15
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
    The computer is doing fine, I cannot pick that 1 file out even to email. I even tried the flash drive, I can copy the file name only. What am I doing wrong?
     
  10. 2009/01/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I don't know. What happens if you right click on the file and select Send To>Mail Recipient
     
  11. 2009/01/15
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
    That's one of the problems, when I right click, I don't get the send to prompt. This has prevented me from doing anything with the file except copy and paste.
     
  12. 2009/01/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    This should work, since ComboFix now uses a different routine to upload files.

    Disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Collect::[22]
    C:\Qoobox\Quarantine\[22]-Submit_2009-01-10@5.04.zip
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    When ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created. The zip contains the file I need. If the upload fails you will be presented with instructions for uploading it manually. Please do so.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted. <------Make sure you allow ComboFix to update!!
     
  13. 2009/01/15
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
    It is submitting the file for analysis, is this what you wanted? Here is the log.

    ComboFix 09-01-13.04 - ted 2009-01-15 23:16:38.15 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.182 [GMT -5:00]
    Running from: c:\documents and settings\ted\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\ted\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
    .

    2009-01-13 20:31 . 2009-01-13 20:31 <DIR> d-------- c:\windows\system32\LogFiles
    2009-01-13 13:11 . 2009-01-14 13:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
    2009-01-13 13:09 . 2009-01-13 13:09 <DIR> d-------- c:\program files\Common Files\iS3
    2009-01-13 13:09 . 2009-01-14 18:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
    2009-01-13 04:35 . 2009-01-13 04:35 <DIR> d-------- c:\program files\Common Files\Adobe AIR
    2009-01-13 04:24 . 2009-01-13 09:00 <DIR> d-------- c:\program files\NOS
    2009-01-13 04:24 . 2009-01-13 09:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
    2009-01-10 05:35 . 2009-01-10 05:34 410,984 --a------ c:\windows\system32\deploytk.dll
    2009-01-10 05:03 . 2009-01-10 05:03 244 --ah----- C:\sqmnoopt19.sqm
    2009-01-10 05:03 . 2009-01-10 05:03 232 --ah----- C:\sqmdata19.sqm
    2009-01-09 06:08 . 2009-01-09 06:08 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Yahoo!
    2009-01-08 19:25 . 2009-01-08 19:26 <DIR> d-------- C:\fixcombo
    2009-01-05 18:35 . 2009-01-05 18:35 <DIR> d-------- C:\rsit
    2008-12-25 18:02 . 2009-01-05 10:13 <DIR> d-------- c:\documents and settings\Dee\Contacts
    2008-12-18 03:06 . 2008-12-18 03:06 268 --ah----- C:\sqmdata18.sqm
    2008-12-18 03:06 . 2008-12-18 03:06 244 --ah----- C:\sqmnoopt18.sqm

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-15 21:24 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-01-13 09:33 --------- d-----w c:\program files\Common Files\Adobe
    2009-01-13 09:25 --------- d-----w c:\program files\Google
    2009-01-10 10:34 --------- d-----w c:\program files\Java
    2009-01-09 16:11 --------- d-----w c:\program files\DX Enterprises CB. Antenna Guide
    2008-12-12 23:42 --------- d-----w c:\program files\Pure Networks
    2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
    2008-11-20 16:15 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
    2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
    2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
    1998-12-09 02:53 99,840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
    1998-12-09 02:53 70,144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
    1998-12-09 02:53 48,640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
    1998-12-09 02:53 31,744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
    1998-12-09 02:53 186,368 ----a-w c:\program files\Common Files\IRAREG.DLL
    1998-12-09 02:53 17,920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
    2008-06-19 17:04 32 --sha-w c:\windows\{907E937B-59BD-46EB-8C00-170EA0FF8DE4}.dat
    2008-06-19 17:05 32 --sha-w c:\windows\{BE0F15FE-3B90-4612-95E9-E497C6D4CEB1}.dat
    2008-06-19 17:05 32 --sha-w c:\windows\system32\{809E1F85-AA19-4CE1-A8FA-0A36AE60E149}.dat
    2008-06-19 17:04 32 --sha-w c:\windows\system32\{F8D91BE1-CE2B-45BE-A911-032EFD33BE03}.dat
    2008-10-04 19:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100420081005\index.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2009-01-06_ 7.28.33.32 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
    + 2007-12-12 20:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
    + 2009-01-13 09:21:38 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-2448-0000-800000000003}\ARPPRODUCTICON.exe
    - 2000-08-31 13:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
    + 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
    - 2008-10-04 19:59:41 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2009-01-13 09:24:57 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2008-10-04 19:59:41 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2009-01-13 09:24:57 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-10-04 19:59:41 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-01-13 09:24:57 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-04-14 00:12:19 1,033,728 -c--a-w c:\windows\system32\dllcache\explorer.exe
    + 2008-04-14 00:12:20 27,136 -c--a-w c:\windows\system32\dllcache\findstr.exe
    + 2008-04-14 00:11:54 144,384 -c--a-w c:\windows\system32\dllcache\imagehlp.dll
    + 2008-04-14 00:12:24 13,312 -c--a-w c:\windows\system32\dllcache\lsass.exe
    + 2008-04-14 00:11:58 71,680 -c--a-w c:\windows\system32\dllcache\msacm32.dll
    + 2008-04-14 00:12:29 69,120 -c--a-w c:\windows\system32\dllcache\notepad.exe
    + 2008-04-14 00:12:02 551,936 -c--a-w c:\windows\system32\dllcache\oleaut32.dll
    + 2008-04-14 00:12:02 34,816 -c--a-w c:\windows\system32\dllcache\perfproc.dll
    + 2008-04-14 00:12:05 25,088 -c--a-w c:\windows\system32\dllcache\shfolder.dll
    + 2008-04-14 00:12:36 50,688 -c--a-w c:\windows\system32\dllcache\smss.exe
    + 2008-04-14 00:12:06 18,944 -c--a-w c:\windows\system32\dllcache\snmpapi.dll
    + 2008-04-14 00:12:36 57,856 -c--a-w c:\windows\system32\dllcache\spoolsv.exe
    - 2008-09-08 10:41:42 333,824 -c----w c:\windows\system32\dllcache\srv.sys
    + 2008-12-11 10:57:09 333,952 -c----w c:\windows\system32\dllcache\srv.sys
    + 2008-04-14 00:12:36 14,336 -c--a-w c:\windows\system32\dllcache\svchost.exe
    + 2008-04-14 00:12:08 26,112 -c--a-w c:\windows\system32\dllcache\vdmdbg.dll
    + 2008-04-14 00:12:39 507,904 -c--a-w c:\windows\system32\dllcache\winlogon.exe
    - 2008-06-10 05:21:01 135,168 ----a-w c:\windows\system32\java.exe
    + 2009-01-10 10:34:43 144,792 ----a-w c:\windows\system32\java.exe
    - 2008-06-10 05:21:04 135,168 ----a-w c:\windows\system32\javaw.exe
    + 2009-01-10 10:34:43 144,792 ----a-w c:\windows\system32\javaw.exe
    - 2008-06-10 06:32:34 139,264 ----a-w c:\windows\system32\javaws.exe
    + 2009-01-10 10:34:43 148,888 ----a-w c:\windows\system32\javaws.exe
    - 2008-12-09 23:24:37 17,593,280 ----a-w c:\windows\system32\MRT.exe
    + 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
    + 2009-01-16 01:58:56 16,384 ----atw c:\windows\temp\Perflib_Perfdata_650.dat
    + 2006-12-02 03:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
    + 2006-12-02 03:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
    + 2006-12-02 03:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "PhotoShow Deluxe Media Manager "= "c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 212992]
    "MsnMsgr "= "c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "IW_Drop_Icon "= "c:\program files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2004-04-20 1122816]
    "InstantTray "= "c:\program files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe" [2004-05-06 772096]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-14 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelliPoint "= "c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 842584]
    "ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 50880]
    "ccRegVfy "= "c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 34504]
    "HostManager "= "c:\program files\Common Files\AOL\1211853138\ee\AOLSoftware.exe" [2007-10-08 41824]
    "VX3000 "= "c:\windows\vVX3000.exe" [2006-12-05 707360]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2007-02-05 98304]
    "Lexmark X6100 Series "= "c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-05-16 57344]
    "SiSUSBRG "= "c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
    "SiS Windows KeyHook "= "c:\windows\system32\keyhook.exe" [2004-05-12 249856]
    "PinnacleDriverCheck "= "c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
    "NeroFilterCheck "= "c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
    "ISUSPM Startup "= "c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
    "AOLDialer "= "c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-01-10 136600]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "SoundMan "= "SOUNDMAN.EXE" [2004-02-26 c:\windows\SOUNDMAN.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ALUAlert "= "c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]
    "msnmsgr "= "c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

    c:\documents and settings\ted\Start Menu\Programs\Startup\
    AOL Desktop.lnk - c:\program files\Common Files\AOL\Launch\aollaunch.exe [2007-04-12 42032]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
    Utility Tray.lnk - c:\windows\system32\sistray.exe [2007-02-05 335872]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0daila

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
    backup=c:\windows\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
    --a------ 2007-01-12 20:48 275800 c:\program files\Microsoft LifeCam\LifeExp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    --a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    --a------ 2007-02-05 18:09 26112 c:\program files\Real\RealPlayer\realplay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe "=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe "=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe "=
    "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe "=
    "c:\\WINDOWS\\system32\\LEXPPS.EXE "=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe "=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe "=
    "c:\\Program Files\\Common Files\\AOL\\1211853138\\ee\\aolsoftware.exe "=
    "c:\\Program Files\\AOL 9.1\\waol.exe "=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe "=
    "c:\\Program Files\\Common Files\\AOL\\1211853138\\ee\\AOLDesktop.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP "= 67:UDP:DHCP Discovery Service

    R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [2003-08-01 29239]
    R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2004-07-06 188416]
    R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2004-06-01 64000]
    R4 Winferno Subscription Service;Winferno Subscription Service;c:\program files\Common Files\Winferno\WSS\WSS.exe [2008-02-25 126976]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db5100c3-b5e5-11db-a6fb-00038a000015}]
    \Shell\AutoRun\command - G:\LaunchU3.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-16 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

    2009-01-10 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
    - c:\progra~1\NORTON~1\NORTON~1\NAVW32.exe [2002-11-14 18:31]

    2009-01-09 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
    - c:\program files\Norton SystemWorks\OBC.exe [2002-08-29 20:30]

    2009-01-15 c:\windows\Tasks\ParetoLogic Update.job
    - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2007-09-18 23:55]

    2009-01-16 c:\windows\Tasks\Symantec NetDetect.job
    - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 08:04]

    2009-01-16 c:\windows\Tasks\WSSHelper.job
    - c:\program files\Common Files\Winferno\WSS\WSSHelper.exe [2007-07-26 12:49]
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-SITEguard - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.mapquest.com
    uInternet Settings,ProxyOverride = localhost
    FF - ProfilePath - c:\documents and settings\ted\Application Data\Mozilla\Firefox\Profiles\ks0ev2j3.default\
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-15 23:19:34
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-01-15 23:21:34
    ComboFix-quarantined-files.txt 2009-01-16 04:21:22
    ComboFix2.txt 2009-01-10 10:56:38
    ComboFix3.txt 2009-01-09 10:35:58
    ComboFix4.txt 2009-01-06 12:30:06
    ComboFix5.txt 2009-01-16 04:15:00

    Pre-Run: 45,508,481,024 bytes free
    Post-Run: 45,611,720,704 bytes free

    230 --- E O F --- 2009-01-14 08:03:50
     
  14. 2009/01/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    File received. Thank you!

This should be the last task, then we can clean up. Disable any real-time protection applications. Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    c:\windows\{907E937B-59BD-46EB-8C00-170EA0FF8DE4}.dat
    c:\windows\{BE0F15FE-3B90-4612-95E9-E497C6D4CEB1}.dat
    c:\windows\system32\{809E1F85-AA19-4CE1-A8FA-0A36AE60E149}.dat
    c:\windows\system32\{F8D91BE1-CE2B-45BE-A911-032EFD33BE03}.dat
    
Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  15. 2009/01/16
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
    ComboFix 09-01-15.01 - ted 2009-01-16 11:00:34.16 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.211 [GMT -5:00]
    Running from: c:\documents and settings\ted\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\ted\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    c:\windows\{907E937B-59BD-46EB-8C00-170EA0FF8DE4}.dat
    c:\windows\{BE0F15FE-3B90-4612-95E9-E497C6D4CEB1}.dat
    c:\windows\system32\{809E1F85-AA19-4CE1-A8FA-0A36AE60E149}.dat
    c:\windows\system32\{F8D91BE1-CE2B-45BE-A911-032EFD33BE03}.dat
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\{907E937B-59BD-46EB-8C00-170EA0FF8DE4}.dat
    c:\windows\{BE0F15FE-3B90-4612-95E9-E497C6D4CEB1}.dat
    c:\windows\system32\{809E1F85-AA19-4CE1-A8FA-0A36AE60E149}.dat
    c:\windows\system32\{F8D91BE1-CE2B-45BE-A911-032EFD33BE03}.dat

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
    .

    2009-01-13 20:31 . 2009-01-13 20:31 <DIR> d-------- c:\windows\system32\LogFiles
    2009-01-13 13:11 . 2009-01-14 13:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
    2009-01-13 13:09 . 2009-01-13 13:09 <DIR> d-------- c:\program files\Common Files\iS3
    2009-01-13 13:09 . 2009-01-14 18:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
    2009-01-13 04:35 . 2009-01-13 04:35 <DIR> d-------- c:\program files\Common Files\Adobe AIR
    2009-01-13 04:24 . 2009-01-13 09:00 <DIR> d-------- c:\program files\NOS
    2009-01-13 04:24 . 2009-01-13 09:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
    2009-01-10 05:35 . 2009-01-10 05:34 410,984 --a------ c:\windows\system32\deploytk.dll
    2009-01-10 05:03 . 2009-01-10 05:03 244 --ah----- C:\sqmnoopt19.sqm
    2009-01-10 05:03 . 2009-01-10 05:03 232 --ah----- C:\sqmdata19.sqm
    2009-01-09 06:08 . 2009-01-09 06:08 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Yahoo!
    2009-01-08 19:25 . 2009-01-08 19:26 <DIR> d-------- C:\fixcombo
    2009-01-05 18:35 . 2009-01-05 18:35 <DIR> d-------- C:\rsit
    2008-12-25 18:02 . 2009-01-05 10:13 <DIR> d-------- c:\documents and settings\Dee\Contacts
    2008-12-18 03:06 . 2008-12-18 03:06 268 --ah----- C:\sqmdata18.sqm
    2008-12-18 03:06 . 2008-12-18 03:06 244 --ah----- C:\sqmnoopt18.sqm

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-15 21:24 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-01-13 09:33 --------- d-----w c:\program files\Common Files\Adobe
    2009-01-13 09:25 --------- d-----w c:\program files\Google
    2009-01-10 10:34 --------- d-----w c:\program files\Java
    2009-01-09 16:11 --------- d-----w c:\program files\DX Enterprises CB. Antenna Guide
    2008-12-12 23:42 --------- d-----w c:\program files\Pure Networks
    2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
    2008-11-20 16:15 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
    2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
    2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
    1998-12-09 02:53 99,840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
    1998-12-09 02:53 70,144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
    1998-12-09 02:53 48,640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
    1998-12-09 02:53 31,744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
    1998-12-09 02:53 186,368 ----a-w c:\program files\Common Files\IRAREG.DLL
    1998-12-09 02:53 17,920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
    2008-10-04 19:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100420081005\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "PhotoShow Deluxe Media Manager "= "c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 212992]
    "MsnMsgr "= "c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "IW_Drop_Icon "= "c:\program files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2004-04-20 1122816]
    "InstantTray "= "c:\program files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe" [2004-05-06 772096]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-14 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelliPoint "= "c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 842584]
    "ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 50880]
    "ccRegVfy "= "c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 34504]
    "HostManager "= "c:\program files\Common Files\AOL\1211853138\ee\AOLSoftware.exe" [2007-10-08 41824]
    "VX3000 "= "c:\windows\vVX3000.exe" [2006-12-05 707360]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2007-02-05 98304]
    "Lexmark X6100 Series "= "c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-05-16 57344]
    "SiSUSBRG "= "c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
    "SiS Windows KeyHook "= "c:\windows\system32\keyhook.exe" [2004-05-12 249856]
    "PinnacleDriverCheck "= "c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
    "NeroFilterCheck "= "c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
    "ISUSPM Startup "= "c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
    "AOLDialer "= "c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-01-10 136600]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "SoundMan "= "SOUNDMAN.EXE" [2004-02-26 c:\windows\SOUNDMAN.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ALUAlert "= "c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]
    "msnmsgr "= "c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

    c:\documents and settings\ted\Start Menu\Programs\Startup\
    AOL Desktop.lnk - c:\program files\Common Files\AOL\Launch\aollaunch.exe [2007-04-12 42032]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
    Utility Tray.lnk - c:\windows\system32\sistray.exe [2007-02-05 335872]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0daila

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
    backup=c:\windows\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
    --a------ 2007-01-12 20:48 275800 c:\program files\Microsoft LifeCam\LifeExp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    --a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    --a------ 2007-02-05 18:09 26112 c:\program files\Real\RealPlayer\realplay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe "=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe "=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe "=
    "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe "=
    "c:\\WINDOWS\\system32\\LEXPPS.EXE "=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe "=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe "=
    "c:\\Program Files\\Common Files\\AOL\\1211853138\\ee\\aolsoftware.exe "=
    "c:\\Program Files\\AOL 9.1\\waol.exe "=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe "=
    "c:\\Program Files\\Common Files\\AOL\\1211853138\\ee\\AOLDesktop.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP "= 67:UDP:DHCP Discovery Service

    R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [2003-08-01 29239]
    R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2004-07-06 188416]
    R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2004-06-01 64000]
    R4 Winferno Subscription Service;Winferno Subscription Service;c:\program files\Common Files\Winferno\WSS\WSS.exe [2008-02-25 126976]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db5100c3-b5e5-11db-a6fb-00038a000015}]
    \Shell\AutoRun\command - G:\LaunchU3.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-16 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

    2009-01-10 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
    - c:\progra~1\NORTON~1\NORTON~1\NAVW32.exe [2002-11-14 18:31]

    2009-01-09 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
    - c:\program files\Norton SystemWorks\OBC.exe [2002-08-29 20:30]

    2009-01-16 c:\windows\Tasks\ParetoLogic Update.job
    - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2007-09-18 23:55]

    2009-01-16 c:\windows\Tasks\Symantec NetDetect.job
    - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 08:04]

    2009-01-16 c:\windows\Tasks\WSSHelper.job
    - c:\program files\Common Files\Winferno\WSS\WSSHelper.exe [2007-07-26 12:49]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.mapquest.com
    uInternet Settings,ProxyOverride = localhost
    FF - ProfilePath - c:\documents and settings\ted\Application Data\Mozilla\Firefox\Profiles\ks0ev2j3.default\
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-16 11:03:11
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-01-16 11:05:14
    ComboFix-quarantined-files.txt 2009-01-16 16:05:08
    ComboFix2.txt 2009-01-16 04:21:35
    ComboFix3.txt 2009-01-10 10:56:38
    ComboFix4.txt 2009-01-09 10:35:58
    ComboFix5.txt 2009-01-16 15:59:14

    Pre-Run: 45,569,232,896 bytes free
    Post-Run: 45,580,341,248 bytes free

    191 --- E O F --- 2009-01-14 08:03:50
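To confirm that a ComboFix log like the one above actually carried out the `File::` list from the CFScript, here is an added Python parser (not ComboFix's code and not posted by anyone in this thread) that splits a log into its sections, compares the paths echoed under `FILE ::` with those reported under `Other Deletions`, and pulls the `Files Created` entries with their attribute flags. The log text is a constructed sample in the format shown in the thread, and reading an `h` in the attribute column as "hidden" is an assumption.

```python
import re

# Constructed sample modelled on the ComboFix log format posted in this thread; one
# path requested under File:: is deliberately absent from Other Deletions.
SAMPLE_LOG = r"""ComboFix 09-01-15.01 - ted 2009-01-16 11:00:34.16 - NTFSx86
FILE ::
c:\windows\{907E937B-59BD-46EB-8C00-170EA0FF8DE4}.dat
c:\windows\system32\{F8D91BE1-CE2B-45BE-A911-032EFD33BE03}.dat
.
(((((((((((((((((((( Other Deletions ))))))))))))))))))))
.
c:\windows\{907E937B-59BD-46EB-8C00-170EA0FF8DE4}.dat
.
((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))
.
2009-01-13 13:11 . 2009-01-14 13:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2009-01-10 05:03 . 2009-01-10 05:03 244 --ah----- C:\sqmnoopt19.sqm
"""

BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+$")   # ((( Section Name )))
WINPATH = re.compile(r"^[A-Za-z]:\\")          # bare drive-letter path line
CREATED = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+"
                     r"\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")


def split_sections(log):
    """Group bare path lines by the ComboFix section they appear under."""
    sections, current = {}, "header"
    for raw in log.splitlines():
        line = raw.strip()
        if m := BANNER.match(line):
            current = m.group(1)
        elif line == "FILE ::":            # ComboFix echoes the CFScript File:: list here
            current = "FILE ::"
        elif WINPATH.match(line):
            sections.setdefault(current, []).append(line.lower())
    return sections


def verify_script_deletions(log):
    """Paths asked for via File:: versus paths ComboFix reports under Other Deletions."""
    sections = split_sections(log)
    requested = set(sections.get("FILE ::", []))
    deleted = set(sections.get("Other Deletions", []))
    return {"deleted": sorted(requested & deleted),
            "not_deleted": sorted(requested - deleted),    # asked for, not confirmed
            "unrequested": sorted(deleted - requested)}    # removed without being asked


def created_files(log):
    """Parse 'Files Created' lines; 'h' in the attribute field is taken to mean hidden (assumption)."""
    entries = []
    for raw in log.splitlines():
        if m := CREATED.match(raw.strip()):
            created, size, attrs, path = m.groups()
            entries.append({"created": created, "path": path, "is_dir": size == "<DIR>",
                            "size": None if size == "<DIR>" else int(size.replace(",", "")),
                            "hidden": "h" in attrs})
    return entries
```

Anything in `not_deleted` means the script asked for a path the log never confirms removing, which is exactly the case a helper would want to see before telling the poster to uninstall ComboFix.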
     
  16. 2009/01/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
Good job deester! Let's finish up.

    Open the Norton Antivirus interface and remove the items in quarantine.

    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.
Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file. I believe you also have some renamed ComboFix files and folders. Remove all copies.

    Delete RSIT.exe and the C:\rsit folder.
    You can delete any other logs that were created/saved too.
    Empty the recycle bin when done.


    That should be it. :)
     
  17. 2009/01/18
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
All done. Will you take a look at my Slow Computer thread? I posted a few days ago and no one has replied. I think I'm OK, but I'm transferring to a new computer and just want to make sure. It has been a pleasure working with you because you are so patient; thanks for all your help.
Deester
     
