
Inactive Trojan Issue with Windows XP

Discussion in 'Malware and Virus Removal Archive' started by rynohose, 2009/01/23.

  1. 2009/01/23
    rynohose

    rynohose Inactive Thread Starter

    Joined:
    2009/01/23
    Messages:
    8
    Likes Received:
    0
    [Inactive] Trojan Issue with Windows XP

    Hi,

    I'm at work so I am not on the actual computer with the problem.

    We have Norton 360 running on our computer. Last night it showed a file called trojan.inf (I think that is the right name, but I'm not sure. I didn't write it down like I usually do.) Norton 360 wasn't really doing anything with it, but our System Tray time was a different font than usual. Anyway, I had to restart for some reason or other, but it started back up fine.
    This morning I turned the monitor on and Norton 360 was showing this file again, like it had fixed it and needed to restart. So, I restarted. The Windows XP screen showed up and then the screen went blank. Windows didn't open. My mouse pointer showed up and I could move it around, but nothing else.
    I tried to restart and the computer gave me options like "Last Good Setting," "Start Windows Normally," "Safe Mode," etc. I tried all of them and got the same thing. Even safe mode did it. I had "Safe Mode" in all the corners and the pointer, but nothing else.

    I don't know what else to do, and not being able to get into windows limits me a little.
    Any help would be greatly appreciated.

    I'm currently at work, but in searching online I followed the instructions to create a Microsoft Diagnostics and Repair Toolset. I will try it when I get home to see if I can at least get into Windows, and maybe try a Restore Point.

    Ryan
     
  2. 2009/01/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS Ryan :)

    I'm guessing the Recovery Toolset which you mention is the ERD Commander disc, and attempting to connect to the system to do a system restore? If so, good find ........ that should get you going again. If successful, come back here and read this post then post the recommended logs for analysis.

    If unsuccessful, post back and I will try to suggest some other options.
     


  4. 2009/01/23
    rynohose

    rynohose Inactive Thread Starter

    Joined:
    2009/01/23
    Messages:
    8
    Likes Received:
    0
    More Trojan Stuff With Logs

    Hi,

    Yes, it was the ERD Commander disk. I am home now, and Windows is up.

    I will place the 2 logs into the text of this message. I don't know how to attach in this forum. So I will place them in this post. I apologize for this, but I can't find an attach button.


    DDS (Ver_09-01-19.01) - NTFSx86

    Run by Julie at 17:26:34.15 on Fri 01/23/2009
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.87 [GMT -6:00]

    AV: Norton 360 *On-access scanning enabled* (Updated)
    FW: Norton 360 *enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Documents and Settings\Julie\My Documents\RCA Detective\RCADetective.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    c:\WINDOWS\system32\ZuneBusEnum.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Norton 360\ScanStub.exe
    C:\Documents and Settings\Julie\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://desmoines.mediacomtoday.com/community/
    uWindow Title = Microsoft Internet Explorer provided by Mediacom Online
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Winamp Toolbar BHO: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
    BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
    TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
    TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
    TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
    TB: {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - No File
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [Orb] "c:\program files\winamp remote\bin\OrbTray.exe" /background
    uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
    uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe "
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe "
    mRun: [osCheck] "c:\program files\norton 360\osCheck.exe "
    mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe "
    mRun: [Easy Dock]
    StartupFolder: c:\docume~1\julie\startm~1\programs\startup\rcadet~1.lnk - c:\documents and settings\julie\my documents\rca detective\RCADetective.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
    IE: &Winamp Toolbar Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    Trusted Zone: microsoft.com\windowsupdate
    Trusted Zone: windowsupdate.com\www
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
    DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138397489593
    DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: WB - c:\program files\alienguise\fastload.dll
    AppInit_DLLs: wbsys.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    SecurityProviders: msapsspc.dll schannel.dll digest.dll msnsspc.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\julie\applic~1\mozilla\firefox\profiles\azbgn8ni.default\
    FF - prefs.js: browser.startup.homepage - hxxp://desmoines.mediacomtoday.com/community/
    FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

    ============= SERVICES / DRIVERS ===============

    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 55024]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-3 99376]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090123.003\NAVENG.SYS [2009-1-23 89104]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090123.003\NAVEX15.SYS [2009-1-23 876112]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
    R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
    R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
    R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
    R4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-5-21 1245064]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
    S3 ICAM3NT5;Intel(r) PC Camera CS331;c:\windows\system32\drivers\ICAM3D2.SYS [2008-1-19 145184]
    S3 oUltraf;oUltraf;\??\c:\docume~1\julie\locals~1\temp\oultraf.sys --> c:\docume~1\julie\locals~1\temp\oUltraf.sys [?]
    S3 sysrest.sys;sysrest.sys;\??\c:\windows\system32\sysrest.sys --> c:\windows\system32\sysrest.sys [?]

    ============== File Associations ===============

    regfile=regedit.exe "%1" %*
    scrfile= "%1" %*
    vbefile\shell\edit\command=%SystemRoot%\System32\Notepad.exe %1
    vbsfile\shell\edit\command=%SystemRoot%\System32\Notepad.exe %1
    jsefile\shell\edit\command=%SystemRoot%\System32\Notepad.exe %1

    =============== Created Last 30 ================

    2009-01-23 17:19 1,036,288 a------- c:\windows\OLDB6.tmp
    2009-01-23 17:19 58,880 a------- c:\windows\system32\OLDB3.tmp
    2009-01-23 17:18 111,104 a------- c:\windows\system32\OLDB0.tmp
    2009-01-23 17:04 14,848 a------- c:\windows\system32\OLD8E.tmp
    2009-01-23 17:01 17,408 a------- c:\windows\system32\OLD89.tmp
    2009-01-23 16:51 512,000 a------- c:\windows\system32\OLD4.tmp
    2009-01-23 16:42 <DIR> --d----- C:\~ErdUserProfile.$$$
    2009-01-09 17:24 54,156 a---h--- c:\windows\QTFont.qfn
    2009-01-09 17:24 1,409 a------- c:\windows\QTFont.for
    2009-01-02 18:47 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
    2009-01-02 18:47 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
    2008-12-26 14:32 <DIR> --dsh--- c:\windows\ftpcache
    2008-12-25 13:56 0 a---h--- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
    2008-12-25 13:56 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
    2008-12-25 13:54 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
    2008-12-25 13:34 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
    2008-12-25 13:34 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
    2008-12-25 13:34 14,640 -------- c:\windows\system32\spmsgXP_2k3.dll
    2008-12-25 13:28 62,976 -c------ c:\windows\system32\dllcache\cdrom.sys
    2008-12-25 13:28 465,920 -c------ c:\windows\system32\dllcache\imapi2fs.dll
    2008-12-25 13:28 465,920 -------- c:\windows\system32\imapi2fs.dll
    2008-12-25 13:28 317,952 -c------ c:\windows\system32\dllcache\imapi2.dll
    2008-12-25 13:28 317,952 -------- c:\windows\system32\imapi2.dll

    ==================== Find3M ====================

    2009-01-08 20:43 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-01-08 20:43 60,808 a------- c:\windows\system32\S32EVNT1.DLL
    2009-01-08 20:43 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
    2009-01-08 20:43 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
    2008-12-12 12:41 243,840 a------- c:\windows\system32\ZuneWlanCfgSvc.exe
    2008-12-12 12:41 60,032 a------- c:\windows\system32\ZuneBusEnum.exe
    2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
    2008-11-10 12:09 73,728 a------- c:\windows\system32\ZuneUsbTransport.dll
    2008-11-10 12:09 18,944 a------- c:\windows\system32\ZuneTcp2Udp.dll
    2008-11-10 12:09 57,344 a------- c:\windows\system32\ZuneRegUtil.dll
    2008-11-10 12:09 12,800 a------- c:\windows\system32\ZunePTDNS.dll
    2008-11-10 12:09 310,272 a------- c:\windows\system32\ZuneNetProxy.dll
    2008-11-10 12:09 145,920 a------- c:\windows\system32\ZuneMTPZ.dll
    2008-11-10 12:09 70,656 a------- c:\windows\system32\ZuneIPTransport.dll
    2006-05-29 18:47 0 ac--h--- c:\documents and settings\julie\hpothb07.dat
    2008-08-25 16:54 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082520080826\index.dat

    ============= FINISH: 17:28:04.34 ===============

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-01-19.01)


    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/7/2005 10:14:29 AM
    System Uptime: 1/23/2009 4:46:57 PM (1 hours ago)

    Motherboard: | | SiS-741
    Processor: AMD Sempron(tm) 2200+ | Socket A | 1496/166mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 75 GiB total, 17.112 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP54: 10/26/2008 4:12:04 AM - System Checkpoint
    RP55: 10/27/2008 5:10:02 AM - System Checkpoint
    RP56: 10/28/2008 6:10:00 AM - System Checkpoint
    RP57: 10/29/2008 6:48:20 AM - System Checkpoint
    RP58: 10/30/2008 7:48:18 AM - System Checkpoint
    RP59: 10/31/2008 8:11:38 AM - System Checkpoint
    RP60: 11/1/2008 4:03:31 AM - Norton 360 Registry Clean
    RP61: 11/2/2008 3:11:37 AM - System Checkpoint
    RP62: 11/3/2008 4:11:38 AM - System Checkpoint
    RP63: 11/4/2008 5:11:37 AM - System Checkpoint
    RP64: 11/5/2008 6:11:37 AM - System Checkpoint
    RP65: 11/6/2008 7:11:39 AM - System Checkpoint
    RP66: 11/7/2008 7:16:01 AM - System Checkpoint
    RP67: 11/8/2008 10:30:28 AM - System Checkpoint
    RP68: 11/9/2008 8:42:12 PM - System Checkpoint
    RP69: 11/10/2008 9:35:53 PM - System Checkpoint
    RP70: 11/11/2008 10:35:50 PM - System Checkpoint
    RP71: 11/12/2008 3:00:16 AM - Software Distribution Service 3.0
    RP72: 11/13/2008 3:15:59 AM - System Checkpoint
    RP73: 11/14/2008 4:15:58 AM - System Checkpoint
    RP74: 11/15/2008 5:16:03 AM - System Checkpoint
    RP75: 11/16/2008 6:15:57 AM - System Checkpoint
    RP76: 11/17/2008 7:15:26 AM - System Checkpoint
    RP77: 11/18/2008 8:15:25 AM - System Checkpoint
    RP78: 11/19/2008 9:15:25 AM - System Checkpoint
    RP79: 11/20/2008 10:15:24 AM - System Checkpoint
    RP80: 11/21/2008 11:15:27 AM - System Checkpoint
    RP81: 11/22/2008 12:15:25 PM - System Checkpoint
    RP82: 11/23/2008 1:15:27 PM - System Checkpoint
    RP83: 11/24/2008 2:15:27 PM - System Checkpoint
    RP84: 11/25/2008 3:15:24 PM - System Checkpoint
    RP85: 11/26/2008 4:15:27 PM - System Checkpoint
    RP86: 11/29/2008 3:34:14 PM - System Checkpoint
    RP87: 11/30/2008 5:18:13 PM - System Checkpoint
    RP88: 12/1/2008 4:03:30 AM - Norton 360 Registry Clean
    RP89: 12/2/2008 4:27:01 AM - System Checkpoint
    RP90: 12/3/2008 5:27:03 AM - System Checkpoint
    RP91: 12/4/2008 6:27:05 AM - System Checkpoint
    RP92: 12/5/2008 7:27:04 AM - System Checkpoint
    RP93: 12/6/2008 8:27:05 AM - System Checkpoint
    RP94: 12/7/2008 9:27:02 AM - System Checkpoint
    RP95: 12/8/2008 10:27:02 AM - System Checkpoint
    RP96: 12/9/2008 11:27:03 AM - System Checkpoint
    RP97: 12/10/2008 12:27:00 PM - System Checkpoint
    RP98: 12/11/2008 3:00:26 AM - Software Distribution Service 3.0
    RP99: 12/12/2008 3:15:41 AM - System Checkpoint
    RP100: 12/13/2008 5:00:08 AM - System Checkpoint
    RP101: 12/14/2008 5:33:13 AM - System Checkpoint
    RP102: 12/15/2008 6:33:12 AM - System Checkpoint
    RP103: 12/16/2008 7:33:11 AM - System Checkpoint
    RP104: 12/17/2008 7:59:27 AM - System Checkpoint
    RP105: 12/18/2008 3:00:15 AM - Software Distribution Service 3.0
    RP106: 12/19/2008 3:06:52 AM - System Checkpoint
    RP107: 12/20/2008 4:06:53 AM - System Checkpoint
    RP108: 12/21/2008 5:06:51 AM - System Checkpoint
    RP109: 12/22/2008 6:06:51 AM - System Checkpoint
    RP110: 12/23/2008 7:06:50 AM - System Checkpoint
    RP111: 12/24/2008 8:06:53 AM - System Checkpoint
    RP112: 12/25/2008 8:11:37 AM - System Checkpoint
    RP113: 12/25/2008 1:28:18 PM - Software Distribution Service 3.0
    RP114: 12/25/2008 1:31:29 PM - Installed Zune 3.1
    RP115: 12/25/2008 1:53:57 PM - Installed Windows XP Wudf01007.
    RP116: 12/25/2008 1:56:35 PM - Installed Windows XP winusb0100.
    RP117: 12/26/2008 3:17:51 PM - System Checkpoint
    RP118: 12/27/2008 3:56:01 PM - System Checkpoint
    RP119: 12/28/2008 4:57:45 PM - System Checkpoint
    RP120: 12/29/2008 5:24:22 PM - System Checkpoint
    RP121: 12/30/2008 6:54:59 PM - System Checkpoint
    RP122: 12/31/2008 7:43:48 PM - System Checkpoint
    RP123: 1/1/2009 4:03:03 AM - Norton 360 Registry Clean
    RP124: 1/2/2009 4:32:46 AM - System Checkpoint
    RP125: 1/3/2009 5:32:47 AM - System Checkpoint
    RP126: 1/4/2009 6:32:49 AM - System Checkpoint
    RP127: 1/5/2009 6:59:34 AM - System Checkpoint
    RP128: 1/6/2009 7:22:09 AM - System Checkpoint
    RP129: 1/7/2009 7:40:44 AM - System Checkpoint
    RP130: 1/8/2009 8:40:08 AM - System Checkpoint
    RP131: 1/9/2009 9:26:54 AM - System Checkpoint
    RP132: 1/10/2009 9:44:38 AM - System Checkpoint
    RP133: 1/11/2009 10:26:53 AM - System Checkpoint
    RP134: 1/12/2009 11:26:55 AM - System Checkpoint
    RP135: 1/13/2009 12:00:50 PM - System Checkpoint
    RP136: 1/14/2009 3:00:21 AM - Software Distribution Service 3.0
    RP137: 1/15/2009 3:15:08 AM - System Checkpoint
    RP138: 1/16/2009 4:15:07 AM - System Checkpoint
    RP139: 1/17/2009 5:22:50 AM - System Checkpoint
    RP140: 1/18/2009 6:41:56 AM - System Checkpoint
    RP141: 1/19/2009 7:15:10 AM - System Checkpoint
    RP142: 1/20/2009 8:15:09 AM - System Checkpoint
    RP143: 1/21/2009 9:15:10 AM - System Checkpoint
    RP144: 1/22/2009 10:15:06 AM - System Checkpoint

    ==== Installed Programs ======================

    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe PageMaker 7.0
    Adobe Photoshop 7.0
    Adobe Reader 7.1.0
    Adobe Shockwave Player
    Agere Systems PCI Soft Modem
    Ahead NeroMediaPlayer
    AlienGUIse
    AOL Coach Version 1.0(Build:20040229.1 en)
    AOL Connectivity Services
    AOL Toolbar
    AOL Uninstaller
    AOL You've Got Pictures Screensaver
    AppCore
    Apple Mobile Device Support
    Apple Software Update
    Audioblast
    Avery Wizard 3.1
    Backup
    BlackBerry Desktop Software 4.1
    BlackBerry v4.1.0 for the 7520 Wireless Handheld
    Caere Scan Manager 5.1
    Camera Window
    Canon Camera Window for ZoomBrowser EX
    Canon i860
    Canon PhotoRecord
    Canon Utilities Easy-PhotoPrint
    Canon Utilities PhotoStitch 3.1
    Canon Utilities ZoomBrowser EX
    ccCommon
    ClickArt 950,000
    Corel Applications
    Creative Jukebox Driver
    Creative MediaSource
    Creative Removable Disk Manager
    Creative System Information
    Creative Zen Micro
    Data Access Objects (DAO) 3.5
    Diablo II
    DigitImg
    DivX 4.12 Codec
    DivX 5.0 Bundle
    Donald Trump´s Real Estate Tycoon
    Drivers Install For Linksys Easylink Advisor
    Final Draft 7
    FinePixViewer Ver.4.2
    FUJIFILM USB Driver
    GdiplusUpgrade
    GearDrvs
    Google Toolbar for Internet Explorer
    Hemera GraphicsDesk for HP
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    HijackThis 1.99.1
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB932716-v2)
    Hotfix for Windows XP (KB952287)
    HP Memories Disc
    HP OfficeJet K Series
    HP PrecisionScan Pro
    HP Scan-to-Web Wizard
    HP Update
    ImageMixer VCD2 for FinePix
    Intel® Create & Share® Software
    Internet Design Shop Gold
    iTunes
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) SE Runtime Environment 6 Update 1
    Learn2 Player (Uninstall Only)
    Linksys EasyLink Advisor 1.6 (0032)
    LiveUpdate (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)
    Malwarebytes' Anti-Malware
    Mediacom Online QIC Service Activator
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft ActiveSync 4.0
    Microsoft Age of Empires II
    Microsoft Age of Empires II: The Conquerors Expansion
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2000 Disc 2
    Microsoft Office 2000 Small Business
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.7
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Windows Journal Viewer
    Microsoft WinUsb 1.0
    MicroStaff WINASPI
    Mozilla Firefox (3.0.5)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    Musicmatch® Jukebox
    Nero - Burning Rom
    Neverwinter Nights
    Norton 360
    Norton 360 (Symantec Corporation)
    Norton 360 HTMLHelp
    Norton Confidential Core
    PageKeeper Standard 3.0
    PDFCreator
    Photosmart 140,240,7200,7600,7700,7900 Series
    PhotoStitch
    PowerDVD
    Preparing Couples for Marriage Electronic Edition
    PS7700
    PSShortcuts
    PSUsage
    Pure Networks Port Magic
    QFolder
    QuickTime
    RAW FILE CONVERTER LE
    RCA Detective 1.0.0.96
    RCA EasyRip™ 1.4.2.0
    RealPlayer Basic
    Realtek AC'97 Audio
    Roll
    RollerCoaster Tycoon 2
    SeaWorld Adventure Park Tycoon
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    SiS 900 PCI Fast Ethernet Adapter Driver
    SiS VGA Utilities
    SPBBC 32bit
    SPY KIDS Mega Mission Zone
    Super Collapse II
    SUPERAntiSpyware Free Edition
    Symantec Real Time Storage Protection Component
    Symantec Technical Support Controls
    SymNet
    The Sims Superstar
    Theme Manager
    TomTom HOME
    Tweak UI
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    VC_MergeModuleToMSI
    Viewpoint Media Player
    Wal-Mart Music Downloads Store
    WebFldrs XP
    Winamp
    Winamp Remote
    Winamp Toolbar
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Internet Explorer 7
    Windows Media Connect
    Windows Media Format 11 runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver
    XoftSpySE
    XviD MPEG-4 Codec
    Zoo Tycoon 2
    Zoo Tycoon: Complete Collection
    Zune
    Zune Language Pack (ES)
    Zune Language Pack (FR)

    ==== Event Viewer Messages From Past Week ========

    1/22/2009 6:10:13 PM, error: Service Control Manager [7022] - The Windows Image Acquisition (WIA) service hung on starting.
    1/22/2009 7:21:39 PM, error: Service Control Manager [7000] - The Windows Image Acquisition (WIA) service failed to start due to the following error: Access is denied.
    1/22/2009 7:21:39 PM, error: Service Control Manager [7000] - The DNS Client service failed to start due to the following error: Access is denied.
    1/22/2009 7:40:27 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
    1/23/2009 4:48:44 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    1/23/2009 5:17:54 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    1/22/2009 7:16:00 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file explorer.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.
    1/22/2009 7:18:50 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file winlogon.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
    1/22/2009 7:21:43 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file svchost.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
    1/22/2009 8:14:12 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file lsass.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
    1/23/2009 1:05:22 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file services.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
    1/23/2009 1:05:41 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file spoolsv.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
    1/23/2009 1:10:11 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\services.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
    1/23/2009 1:10:11 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\lsass.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
    1/23/2009 1:10:12 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\spoolsv.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.

    ==== End Of File ===========================
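The Windows File Protection entries in the event log above are the key indicator in this thread: something repeatedly tried to replace core system binaries (explorer.exe, winlogon.exe, svchost.exe, lsass.exe, services.exe, spoolsv.exe) and WFP rolled each one back. As an added example that is not part of the original post or of any tool discussed here, the Python script below parses event lines in the format pasted above, separates the harmless W32Time noise from the WFP 64002 restores, and flags restores of core binaries; the sample lines are constructed to match the ones in the log, and the list of core binaries is an assumption for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Core Windows XP binaries that malware commonly tries to overwrite.
# This set is an assumption for the example, not an official list.
CORE_BINARIES = {
    "explorer.exe", "winlogon.exe", "svchost.exe", "lsass.exe",
    "services.exe", "spoolsv.exe", "csrss.exe", "smss.exe",
}

# Shape of each line as pasted in the thread:
#   M/D/YYYY H:MM:SS AM, level: Source [id] - message
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)
# WFP 64002 names the restored file, sometimes with a full path.
WFP_FILE_RE = re.compile(r"protected system file (?P<path>\S+)\.", re.I)

# Constructed sample input modelled on the event log in the thread
# (one W32Time error, four WFP restores, one malformed line).
SAMPLE_LINES = [
    "1/23/2009 4:48:44 PM, error: W32Time [17] - Time Provider NtpClient: An error "
    "occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. "
    "The error was: A socket operation was attempted to an unreachable host. (0x80072751)",
    "1/22/2009 7:16:00 PM, information: Windows File Protection [64002] - File replacement "
    "was attempted on the protected system file explorer.exe. This file was restored to the "
    "original version to maintain system stability. The file version of the system file is 6.0.2900.5512.",
    "1/23/2009 1:10:11 AM, information: Windows File Protection [64002] - File replacement "
    "was attempted on the protected system file c:\\windows\\system32\\lsass.exe. This file was "
    "restored to the original version to maintain system stability.",
    "1/23/2009 1:10:12 AM, information: Windows File Protection [64002] - File replacement "
    "was attempted on the protected system file c:\\windows\\system32\\lsass.exe. This file was "
    "restored to the original version to maintain system stability.",
    # Constructed non-core target, to show the core-binary filter at work.
    "1/23/2009 1:12:00 AM, information: Windows File Protection [64002] - File replacement "
    "was attempted on the protected system file c:\\windows\\system32\\calc.exe. This file was "
    "restored to the original version to maintain system stability.",
    "garbage line that does not match the event format",
]


@dataclass
class Event:
    ts: str
    level: str
    source: str
    event_id: int
    msg: str


def parse_event(line: str):
    """Parse one pasted event line; return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["level"], m["source"], int(m["event_id"]), m["msg"])


def wfp_target(ev: Event):
    """Basename of the file WFP restored, or None if this is not a WFP 64002 event."""
    if ev.source != "Windows File Protection" or ev.event_id != 64002:
        return None
    m = WFP_FILE_RE.search(ev.msg)
    if not m:
        return None
    # Strip any directory part so 'lsass.exe' and 'c:\windows\system32\lsass.exe' match.
    return m["path"].rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Parse lines, count WFP restores per file, and list restores of core binaries."""
    events = [e for e in map(parse_event, lines) if e]
    restores = Counter()
    core_hits = []
    for ev in events:
        target = wfp_target(ev)
        if target is None:
            continue  # W32Time and other noise is ignored here
        restores[target] += 1
        if target in CORE_BINARIES:
            core_hits.append((ev.ts, target))
    return {"parsed": len(events), "wfp_restores": dict(restores), "core_hits": core_hits}


def is_suspicious(result, min_distinct=2):
    """A single WFP restore is just the protection working; repeated attempts
    against several distinct core binaries point at an active infection."""
    return len({t for _, t in result["core_hits"]}) >= min_distinct


if __name__ == "__main__":
    r = triage(SAMPLE_LINES)
    print(r)
    print("suspicious:", is_suspicious(r))
```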
     
  5. 2009/01/23
    rynohose

    rynohose Inactive Thread Starter

    More Trojan Stuff(Trojan.Peacomm)

    Norton 360 is also showing that Trojan.Peacomm is infecting the system. Norton 360 tells me I need to reboot for the files to be fixed, but that's what happened this morning that led to Windows not starting up.

    I just wanted to add this information as well. Thanks.

    Ryan
     
  6. 2009/01/25
    noahdfear

    noahdfear Inactive

    Please visit the following webpage for instructions for downloading and running ComboFix

    How to use ComboFix


    Download ComboFix by sUBs from here, saving the file to your desktop.


    Disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Driver::
    oUltraf
    sysrest.sys
    DDS::
    TB: {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - No File
    mRun: [Easy Dock] 
    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log here.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.


    If Norton is still prompting you about an infection, please provide name and location of what is being reported as infected, if possible.
     
  7. 2009/01/26
    rynohose

    rynohose Inactive Thread Starter

    Sorry, I just got this post this morning. I am at work again, so I will have to do it when I get home.

    I couldn't get online this weekend so I had to restart the system. The Trojans were still there. This time when I restarted, I would get the Windows XP splash screen and then the computer would reset. So, I used the ERD Commander disk again and went back further to another restore point, and I haven't seen Norton mention the Trojans yet. With my luck they are probably just hiding.

    Anyway, I will post again with the information you requested.

    Thanks.
     
  8. 2009/01/26
    rynohose

    rynohose Inactive Thread Starter

    ComboFix Log

    Below are the contents of the ComboFix Log.


    ComboFix 09-01-21.04 - Julie 2009-01-26 17:19:59.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.140 [GMT -6:00]
    Running from: c:\documents and settings\Julie\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Julie\Desktop\CFScript.txt
    AV: Norton 360 *On-access scanning disabled* (Updated)
    FW: Norton 360 *enabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\MabryObj.dll
    c:\windows\system32\sysprep.exe
    c:\windows\system32\tmp.reg

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_OULTRAF
    -------\Service_oUltraf
    -------\Service_sysrest.sys


    ((((((((((((((((((((((((( Files Created from 2008-12-26 to 2009-01-26 )))))))))))))))))))))))))))))))
    .

    2418-11-11 20:48 . 2418-11-11 20:48 3,120 --a--c--- c:\windows\MF_C421.lfa
    2418-11-11 20:48 . 2418-11-11 20:48 3,120 --a--c--- c:\windows\MF_C420.lfa
    2009-01-24 11:00 . <DIR> c:\windows\LastGood.Tmp
    2009-01-24 09:43 . 2009-01-24 09:43 <DIR> d-------- C:\5e51750ced233bf2204cba0cec6789
    2009-01-24 09:40 . 2009-01-24 09:40 <DIR> d-------- C:\~ErdUserProfile.$$$
    2009-01-09 17:24 . 2009-01-09 17:24 54,156 --ah----- c:\windows\QTFont.qfn
    2009-01-09 17:24 . 2009-01-09 17:24 1,409 --a------ c:\windows\QTFont.for
    2009-01-02 18:47 . 2008-04-13 13:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
    2009-01-02 18:47 . 2008-04-13 13:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
    2008-12-26 14:32 . 2008-12-26 14:32 <DIR> d--hs---- c:\windows\ftpcache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-26 23:30 --------- d-----w c:\program files\Winamp Remote
    2009-01-26 23:27 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-01-24 16:21 --------- d-----w c:\program files\SUPERAntiSpyware
    2009-01-24 02:19 --------- d-----w c:\program files\Norton 360
    2009-01-09 02:43 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
    2009-01-09 02:43 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
    2009-01-09 02:43 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
    2009-01-09 02:43 --------- d-----w c:\program files\Symantec
    2008-12-25 19:56 0 ---ha-w c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
    2008-12-25 19:56 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
    2008-12-25 19:54 0 ---ha-w c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
    2008-12-25 19:36 --------- d-----w c:\program files\Zune
    2008-12-25 19:34 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
    2008-12-25 19:34 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
    2008-12-13 15:35 --------- d-----w c:\program files\Warcraft III
    2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
    2008-12-05 21:18 --------- d-----w c:\program files\PamperedPartnerPlus
    2008-12-01 02:52 --------- d-----w c:\program files\Audioblast
    2008-11-30 09:21 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
    2008-11-30 01:39 --------- d-----w c:\documents and settings\Matt Matt\Application Data\Apple Computer
    2006-05-30 00:47 0 -c-ha-w c:\documents and settings\Julie\hpothb07.dat
    2008-06-30 18:44 324,976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
    2008-08-25 22:54 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082520080826\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
    @= "{4433A54A-1AC8-432F-90FC-85F045CF383C} "
    [HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
    2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
    @= "{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} "
    [HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
    2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
    @= "{476D0EA3-80F9-48B5-B70B-05E677C9C148} "
    [HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
    2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Creative Detector "= "c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-10-05 98304]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "SUPERAntiSpyware "= "c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-24 1830128]
    "Orb "= "c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616]
    "EasyLinkAdvisor "= "c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
    "TomTomHOME.exe "= "c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]
    "H/PC Connection Agent "= "c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 1207080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
    "ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
    "osCheck "= "c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
    "Zune Launcher "= "c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]

    c:\documents and settings\Julie\Start Menu\Programs\Startup\
    RCA Detective.lnk - c:\documents and settings\Julie\My Documents\RCA Detective\RCADetective.exe [2008-12-27 1070080]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-21 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-01-01 23:28 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
    2001-12-20 21:34 24576 c:\program files\AlienGUIse\fastload.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420 "= i263_32.drv
    "MSACM.CEGSM "= mobilev.acm
    "vidc.xvid "= xvid.dll
    "MSACM.G723 "= g723.acm
    "vidc.I263 "= I263_32.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @= "Driver "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PageKeeper Jobs.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PageKeeper Jobs.lnk
    backup=c:\windows\pss\PageKeeper Jobs.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
    --a------ 2004-04-07 11:07 496752 c:\program files\Common Files\AOL\ACS\AOLDial.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    --a------ 2008-10-17 14:52 51048 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    --a--c--- 2005-12-15 19:38 50792 c:\program files\Common Files\AOL\1127955509\ee\aolsoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    --a--c--- 2003-12-22 07:38 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a--c--- 2005-02-16 22:11 49152 c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    --a--c--- 2004-05-04 01:21 176128 c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
    --a--c--- 2004-05-04 16:17 491520 c:\windows\system32\hphmon05.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
    --a--c--- 2004-03-31 22:34 49152 c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpppta]
    --a--c--- 2000-10-05 01:00 86016 c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    --a--c--- 2005-02-16 16:15 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    --a--c--- 2005-02-16 16:15 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2007-09-26 13:42 267064 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    --a--c--- 2004-11-04 12:26 53248 c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    --a--c--- 2001-07-09 05:50 155648 c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
    --a------ 2004-05-07 15:54 99480 c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-06-29 05:24 286720 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    --a------ 2005-04-09 19:56 26112 c:\program files\Real\RealPlayer\realplay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
    -----c--- 2002-02-04 21:32 53248 c:\program files\REGSHAVE\REGSHAVE.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    --a--c--- 2003-10-31 18:42 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAClient]
    -ra--c--- 2003-05-05 19:42 176128 c:\program files\Mediacom\BBClient\Programs\RegCon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
    --a--c--- 2004-05-12 15:22 249856 c:\windows\system32\Keyhook.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
    --a--c--- 2002-07-12 04:15 106496 c:\windows\SiSUSBrg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a--c--- 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-07-09 17:57 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    --a--c--- 2005-03-04 11:01 88209 c:\windows\AGRSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    --a------ 2004-02-09 02:54 65024 c:\windows\SOUNDMAN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "iPod Service "=3 (0x3)
    "AOL ACS "=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe "=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe "=
    "c:\\Program Files\\America Online 9.0\\waol.exe "=
    "c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\StubInstaller.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Warcraft III\\Warcraft III.exe "=
    "c:\\Program Files\\Winamp Remote\\bin\\Orb.exe "=
    "c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe "=
    "c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe "=
    "c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe "= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe "= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe "= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP "= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 55024]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-03 99376]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
    R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 149352]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]
    S3 ICAM3NT5;Intel(r) PC Camera CS331;c:\windows\system32\drivers\ICAM3D2.SYS [2008-01-19 145184]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - COMHOST
    *NewlyCreated* - SASDIFSV

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3416347d-d42e-11dd-bf8b-000e9bad74cd}]
    \Shell\AutoRun\command - E:\rcaeasyrip_setup.exe
    \Shell\install\command - E:\rcaeasyrip_setup.exe
    \Shell\usermanualEnglish\command - E:\rcaeasyrip_setup.exe /pdf_English
    \Shell\usermanualFrench\command - E:\rcaeasyrip_setup.exe /pdf_French
    \Shell\usermanualSpanish\command - E:\rcaeasyrip_setup.exe /pdf_Spanish

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ef1e506-d38d-11dc-beed-000e9bad74cd}]
    \Shell\AutoRun\command - E:\InstallTomTomHOME.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb63f301-f550-11d9-bd10-00038a000015}]
    \Shell\AutoRun\command - e:\jdsecure\Windows\JDSecure20.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd020010-b8a6-11dc-bed7-000e9bad74cd}]
    \Shell\AutoRun\command - E:\InstallTomTomHOME.exe
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-HPAIO_PrintFolderMgr - c:\windows\System32\spool\DRIVERS\W32X86\hpoopm07.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://desmoines.mediacomtoday.com/community/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    IE: &Winamp Toolbar Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: microsoft.com\windowsupdate
    Trusted Zone: windowsupdate.com\www
    FF - ProfilePath - c:\documents and settings\Julie\Application Data\Mozilla\Firefox\Profiles\azbgn8ni.default\
    FF - prefs.js: browser.startup.homepage - hxxp://desmoines.mediacomtoday.com/community/
    FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-26 17:28:26
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(632)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\program files\AlienGUIse\fastload.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\windows\system32\CTSVCCDA.EXE
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\HPZipm12.exe
    c:\windows\system32\ZuneBusEnum.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\progra~1\MICROS~3\rapimgr.exe
    c:\program files\Winamp Remote\bin\Orb.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-26 17:36:59 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-01-26 23:36:52

    Pre-Run: 18,048,737,280 bytes free
    Post-Run: 18,073,653,248 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    296 --- E O F --- 2009-01-14 09:03:54
     
  9. 2009/01/26
    noahdfear

    noahdfear Inactive

    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    c:\windows\MF_C421.lfa
    c:\windows\MF_C420.lfa
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\StubInstaller.exe"=-
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.


    Next, this tool tends to be quite aggressive, so please be sure to configure it exactly as listed below. I only want to see a Report of what it finds.

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

    Double-click the drweb-cureit.exe file and click 'Start' to run the express scan. This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, we need to change the default settings.
    • In the Menu Bar at the top, click 'Setting'>Change Settings.
    • Click on the Actions tab
    • Using the drop down menus, change each item under Objects and Malware to Report
    • Next, 'tick' Complete Scan.
    • Click the green arrow at the right, and the scan will start.
    • Click 'No to All' if it asks if you want to cure/move the file.
    • After the scan has completed, in the Dr.Web CureIt menu on top, click File and choose Save Report List
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Post the contents of the log from Dr.Web you saved previously in your next reply.
     
  10. 2009/01/27
    rynohose

    rynohose Inactive Thread Starter

    ComboFix Log 1-27-09

    Below are the contents of the next ComboFix Log. I will post the Dr. Web CureIt log in the next post.


    ComboFix 09-01-21.04 - Julie 2009-01-27 18:09:43.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.190 [GMT -6:00]
    Running from: c:\documents and settings\Julie\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Julie\Desktop\CFScript.txt
    AV: Norton 360 *On-access scanning disabled* (Updated)
    FW: Norton 360 *enabled*
    * Created a new restore point

    FILE ::
    c:\windows\MF_C420.lfa
    c:\windows\MF_C421.lfa
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\MF_C420.lfa
    c:\windows\MF_C421.lfa

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
    .

    2009-01-24 09:43 . 2009-01-24 09:43 <DIR> d-------- C:\5e51750ced233bf2204cba0cec6789
    2009-01-24 09:40 . 2009-01-24 09:40 <DIR> d-------- C:\~ErdUserProfile.$$$
    2009-01-09 17:24 . 2009-01-09 17:24 54,156 --ah----- c:\windows\QTFont.qfn
    2009-01-09 17:24 . 2009-01-09 17:24 1,409 --a------ c:\windows\QTFont.for
    2009-01-02 18:47 . 2008-04-13 13:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
    2009-01-02 18:47 . 2008-04-13 13:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-26 23:51 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-01-26 23:30 --------- d-----w c:\program files\Winamp Remote
    2009-01-24 16:21 --------- d-----w c:\program files\SUPERAntiSpyware
    2009-01-24 02:19 --------- d-----w c:\program files\Norton 360
    2009-01-09 02:43 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
    2009-01-09 02:43 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
    2009-01-09 02:43 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
    2009-01-09 02:43 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
    2009-01-09 02:43 --------- d-----w c:\program files\Symantec
    2008-12-25 19:56 0 ---ha-w c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
    2008-12-25 19:56 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
    2008-12-25 19:54 0 ---ha-w c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
    2008-12-25 19:36 --------- d-----w c:\program files\Zune
    2008-12-25 19:34 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
    2008-12-25 19:34 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
    2008-12-13 15:35 --------- d-----w c:\program files\Warcraft III
    2008-12-12 18:41 60,032 ----a-w c:\windows\system32\ZuneBusEnum.exe
    2008-12-12 18:41 243,840 ----a-w c:\windows\system32\ZuneWlanCfgSvc.exe
    2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
    2008-12-05 21:18 --------- d-----w c:\program files\PamperedPartnerPlus
    2008-12-01 02:52 --------- d-----w c:\program files\Audioblast
    2008-11-30 09:21 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
    2008-11-30 01:39 --------- d-----w c:\documents and settings\Matt Matt\Application Data\Apple Computer
    2008-11-10 18:09 73,728 ----a-w c:\windows\system32\ZuneUsbTransport.dll
    2008-11-10 18:09 70,656 ----a-w c:\windows\system32\ZuneIPTransport.dll
    2008-11-10 18:09 57,344 ----a-w c:\windows\system32\ZuneRegUtil.dll
    2008-11-10 18:09 310,272 ----a-w c:\windows\system32\ZuneNetProxy.dll
    2008-11-10 18:09 18,944 ----a-w c:\windows\system32\ZuneTcp2Udp.dll
    2008-11-10 18:09 145,920 ----a-w c:\windows\system32\ZuneMTPZ.dll
    2008-11-10 18:09 12,800 ----a-w c:\windows\system32\ZunePTDNS.dll
    2006-05-30 00:47 0 -c-ha-w c:\documents and settings\Julie\hpothb07.dat
    2008-06-30 18:44 324,976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
    2008-08-25 22:54 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082520080826\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
    @= "{4433A54A-1AC8-432F-90FC-85F045CF383C} "
    [HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
    2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
    @= "{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} "
    [HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
    2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
    @= "{476D0EA3-80F9-48B5-B70B-05E677C9C148} "
    [HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
    2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Creative Detector "= "c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-10-05 98304]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "SUPERAntiSpyware "= "c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-24 1830128]
    "Orb "= "c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 495616]
    "EasyLinkAdvisor "= "c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
    "TomTomHOME.exe "= "c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]
    "H/PC Connection Agent "= "c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 1207080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
    "ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
    "osCheck "= "c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
    "Zune Launcher "= "c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]

    c:\documents and settings\Julie\Start Menu\Programs\Startup\
    RCA Detective.lnk - c:\documents and settings\Julie\My Documents\RCA Detective\RCADetective.exe [2008-12-27 1070080]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-21 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-01-01 23:28 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
    2001-12-20 21:34 24576 c:\program files\AlienGUIse\fastload.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420 "= i263_32.drv
    "MSACM.CEGSM "= mobilev.acm
    "vidc.xvid "= xvid.dll
    "MSACM.G723 "= g723.acm
    "vidc.I263 "= I263_32.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @= "Driver "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PageKeeper Jobs.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PageKeeper Jobs.lnk
    backup=c:\windows\pss\PageKeeper Jobs.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
    --a------ 2004-04-07 11:07 496752 c:\program files\Common Files\AOL\ACS\AOLDial.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    --a------ 2008-10-17 14:52 51048 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    --a--c--- 2005-12-15 19:38 50792 c:\program files\Common Files\AOL\1127955509\ee\aolsoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    --a--c--- 2003-12-22 07:38 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a--c--- 2005-02-16 22:11 49152 c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    --a--c--- 2004-05-04 01:21 176128 c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
    --a--c--- 2004-05-04 16:17 491520 c:\windows\system32\hphmon05.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
    --a--c--- 2004-03-31 22:34 49152 c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpppta]
    --a--c--- 2000-10-05 01:00 86016 c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    --a--c--- 2005-02-16 16:15 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    --a--c--- 2005-02-16 16:15 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2007-09-26 13:42 267064 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    --a--c--- 2004-11-04 12:26 53248 c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    --a--c--- 2001-07-09 05:50 155648 c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
    --a------ 2004-05-07 15:54 99480 c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-06-29 05:24 286720 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    --a------ 2005-04-09 19:56 26112 c:\program files\Real\RealPlayer\realplay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
    -----c--- 2002-02-04 21:32 53248 c:\program files\REGSHAVE\REGSHAVE.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    --a--c--- 2003-10-31 18:42 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAClient]
    -ra--c--- 2003-05-05 19:42 176128 c:\program files\Mediacom\BBClient\Programs\RegCon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
    --a--c--- 2004-05-12 15:22 249856 c:\windows\system32\Keyhook.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
    --a--c--- 2002-07-12 04:15 106496 c:\windows\SiSUSBrg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a--c--- 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-07-09 17:57 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    --a--c--- 2005-03-04 11:01 88209 c:\windows\AGRSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    --a------ 2004-02-09 02:54 65024 c:\windows\SOUNDMAN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "iPod Service "=3 (0x3)
    "AOL ACS "=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe "=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe "=
    "c:\\Program Files\\America Online 9.0\\waol.exe "=
    "c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Warcraft III\\Warcraft III.exe "=
    "c:\\Program Files\\Winamp Remote\\bin\\Orb.exe "=
    "c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe "=
    "c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe "=
    "c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe "= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe "= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe "= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP "= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 55024]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-03 99376]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
    R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 149352]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]
    S3 ICAM3NT5;Intel(r) PC Camera CS331;c:\windows\system32\drivers\ICAM3D2.SYS [2008-01-19 145184]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - COMHOST
    *NewlyCreated* - SASDIFSV

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3416347d-d42e-11dd-bf8b-000e9bad74cd}]
    \Shell\AutoRun\command - E:\rcaeasyrip_setup.exe
    \Shell\install\command - E:\rcaeasyrip_setup.exe
    \Shell\usermanualEnglish\command - E:\rcaeasyrip_setup.exe /pdf_English
    \Shell\usermanualFrench\command - E:\rcaeasyrip_setup.exe /pdf_French
    \Shell\usermanualSpanish\command - E:\rcaeasyrip_setup.exe /pdf_Spanish

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ef1e506-d38d-11dc-beed-000e9bad74cd}]
    \Shell\AutoRun\command - E:\InstallTomTomHOME.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb63f301-f550-11d9-bd10-00038a000015}]
    \Shell\AutoRun\command - e:\jdsecure\Windows\JDSecure20.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd020010-b8a6-11dc-bed7-000e9bad74cd}]
    \Shell\AutoRun\command - E:\InstallTomTomHOME.exe
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://desmoines.mediacomtoday.com/community/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    IE: &Winamp Toolbar Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: microsoft.com\windowsupdate
    Trusted Zone: windowsupdate.com\www
    FF - ProfilePath - c:\documents and settings\Julie\Application Data\Mozilla\Firefox\Profiles\azbgn8ni.default\
    FF - prefs.js: browser.startup.homepage - hxxp://desmoines.mediacomtoday.com/community/
    FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-27 18:14:20
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(632)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\program files\AlienGUIse\fastload.dll
    .
    Completion time: 2009-01-27 18:18:01
    ComboFix-quarantined-files.txt 2009-01-28 00:17:42
    ComboFix2.txt 2009-01-26 23:37:02

    Pre-Run: 17,966,354,432 bytes free
    Post-Run: 17,947,664,384 bytes free

    275 --- E O F --- 2009-01-14 09:03:54
     
  11. 2009/01/28
    rynohose

    rynohose Inactive Thread Starter

    Joined:
    2009/01/23
    Messages:
    8
    Likes Received:
    0
    Dr.CureIt Log 1-28-09

    Wow, that took most of last night. Below is the log for Dr.CureIt.


    setup.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp;Probably BACKDOOR.Trojan;;
    Process.exe;C:\Documents and Settings\Julie\Desktop\Tech Guy Stuff\SmitfraudFix\SmitfraudFix;Tool.Prockill;;
    restart.exe;C:\Documents and Settings\Julie\Desktop\Tech Guy Stuff\SmitfraudFix\SmitfraudFix;Tool.ShutDown.14;;
    setup.exe;C:\Program Files\AOL\Installers\ASP 2.0;Probably BACKDOOR.Trojan;;
    data049\data002;C:\Program Files\Common Files\AOL\AOL Spyware Protection\Update\aspupdate_us.exe\data005\data049;Trojan.StartPage.20338;;
    data049;C:\Program Files\Common Files\AOL\AOL Spyware Protection\Update\aspupdate_us.exe\data005;Archive contains infected objects;;
    data005;C:\Program Files\Common Files\AOL\AOL Spyware Protection\Update\aspupdate_us.exe;Archive contains infected objects;;
    aspupdate_us.exe\data017;C:\Program Files\Common Files\AOL\AOL Spyware Protection\Update\aspupdate_us.exe;Probably BACKDOOR.Trojan;;
    aspupdate_us.exe;C:\Program Files\Common Files\AOL\AOL Spyware Protection\Update;Archive contains infected objects;;
    A0006313.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP144;Trojan.Starter.384;;
    A0006342.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP144;Trojan.Starter.384;;
    A0006375.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP144;Trojan.Starter.384;;
    A0006414.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP144;Trojan.Starter.384;;
    A0006455.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP144;Trojan.Starter.384;;
    A0006484.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP144;Trojan.Starter.384;;
    A0008759.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP144;Trojan.Starter.384;;
    A0008788.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP144;Trojan.Starter.384;;
    A0008817.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP144;Trojan.Starter.384;;
    A0008846.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP144;Trojan.Starter.384;;
    A0008875.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP144;Trojan.Starter.384;;
    A0008876.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP144;Trojan.Starter.384;;
    A0010264.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP146;Trojan.Starter.384;;
    A0010293.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP146;Trojan.Starter.384;;
    A0010326.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP146;Trojan.Starter.384;;
    A0010356.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP146;Trojan.Starter.384;;
    A0010397.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP146;Trojan.Starter.384;;
    A0010426.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP146;Trojan.Starter.384;;
    A0010689.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP146;Trojan.Starter.384;;
    A0010737.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP146;Trojan.Starter.384;;
    A0010738.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP146;Trojan.Starter.384;;
    A0010739.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP146;Trojan.Starter.384;;
    A0010740.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP146;Trojan.Starter.384;;
    A0010741.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP146;Trojan.Starter.384;;
    A0011100.bat;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP150;Probably BATCH.Virus;;
    A0011114.bat;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP150;Probably BATCH.Virus;;
    A0011122.EXE;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP150;Program.PsExec.170;;
    A0011175.bat;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP152;Probably BATCH.Virus;;
    A0011177.bat;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP152;Probably BATCH.Virus;;
     
  12. 2009/01/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good. Only one thing to remove, and not because it's a threat but because it's a specialized tool that is updated regularly and not to be run just for the sake of running it. Please delete the C:\Documents and Settings\Julie\Desktop\Tech Guy Stuff\SmitfraudFix folder.

    If you're satisfied things are working normally again, let's clean up now.
    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.
    Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.

    Delete dds.scr from the desktop.
    You can delete any other logs that were created/saved too.
    Empty the recycle bin when done.

    Uninstall the following Java components via Add/Remove Programs.

    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) SE Runtime Environment 6 Update 1

    Then, install the latest version from here

    That should finish things up. Let me know if any problems persist.
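The reply above reaches its "Looks good" verdict by sorting the Dr.CureIt hits into copies sitting in System Restore points (cleared when ComboFix /u resets the restore points), detections inside the AOL updater archive, and known utilities such as the SmitfraudFix tools. The script below is an added example, not a tool from this thread or from Dr.Web, that applies that same triage to CureIt's semicolon-separated log format. The sample lines are constructed to match the shape of the log posted above, and the bucket names ("restore-point", "tool", "inside-archive", "container", "heuristic", "live") are my own labels.

```python
"""Triage a Dr.Web CureIt! log of the form posted in the thread.

Each line is semicolon-separated: object name; containing path; verdict;
followed by two empty trailing fields. An object unpacked from an archive
or installer shows that file as one component of its containing path, and
restore-point copies live under System Volume Information.
"""
import re
from collections import Counter
from typing import List, NamedTuple

# Constructed sample lines, copied in shape from the CureIt log above.
SAMPLE_LOG = r"""
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp;Probably BACKDOOR.Trojan;;
Process.exe;C:\Documents and Settings\Julie\Desktop\Tech Guy Stuff\SmitfraudFix\SmitfraudFix;Tool.Prockill;;
data049\data002;C:\Program Files\Common Files\AOL\AOL Spyware Protection\Update\aspupdate_us.exe\data005\data049;Trojan.StartPage.20338;;
aspupdate_us.exe;C:\Program Files\Common Files\AOL\AOL Spyware Protection\Update;Archive contains infected objects;;
A0006313.exe;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP144;Trojan.Starter.384;;
A0011122.EXE;C:\System Volume Information\_restore{41C71061-9E0F-40FE-B62B-C21F68ECC6FC}\RP150;Program.PsExec.170;;
"""

# System Restore keeps its copies under <drive>:\System Volume Information\_restore{GUID}\RPnnn
RESTORE_RE = re.compile(r"^[A-Z]:\\System Volume Information\\_restore\{", re.IGNORECASE)
# A file-like component (installer or archive) followed by a further component
# means the object was extracted from inside that file rather than found on disk.
NESTED_RE = re.compile(r"\.(exe|cab|zip|rar|msi)\\", re.IGNORECASE)


class Finding(NamedTuple):
    name: str
    path: str
    verdict: str
    bucket: str  # triage label assigned by classify()


def classify(path: str, verdict: str) -> str:
    """Assign a triage bucket; order matters (restore-point beats heuristic)."""
    if verdict == "Archive contains infected objects":
        return "container"       # the archive itself; its members are listed separately
    if RESTORE_RE.match(path):
        return "restore-point"   # removed when the restore points are reset
    if verdict.startswith(("Tool.", "Program.")):
        return "tool"            # a known utility (process killer, PsExec), not malware
    if NESTED_RE.search(path):
        return "inside-archive"  # inert until extracted; remove the parent archive
    if verdict.startswith("Probably "):
        return "heuristic"       # heuristic match, lower confidence; review
    return "live"                # an on-disk file with a signature match; act on it


def parse_log(text: str) -> List[Finding]:
    """Parse CureIt log lines into Finding records, skipping blank/malformed lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 3:
            continue  # not a detection line
        name, path, verdict = fields[0], fields[1], fields[2]
        findings.append(Finding(name, path, verdict, classify(path, verdict)))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count findings per triage bucket."""
    return Counter(f.bucket for f in findings)


def needs_attention(findings: List[Finding]) -> List[Finding]:
    """Return only the hits that still need a decision after cleanup steps."""
    return [f for f in findings if f.bucket in ("live", "heuristic")]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for bucket, count in sorted(summarize(found).items()):
        print(f"{bucket:15} {count}")
    for f in needs_attention(found):
        print(f"review: {f.path}\\{f.name} ({f.verdict})")
```

On the sample, only the heuristic "Probably BACKDOOR.Trojan" hit on the AOL anti-spyware updater's setup.exe survives triage for manual review; the restore-point copies go away with the restore-point reset, the archive members go with their parent archive, and the SmitfraudFix tool hits match the "delete the folder, not because it's a threat" advice in the reply.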
     
  13. 2009/01/29
    rynohose

    rynohose Inactive Thread Starter

    Joined:
    2009/01/23
    Messages:
    8
    Likes Received:
    0
    Good I Think

    I think I am good on this end. Mozilla seems to start a little slow, but that probably isn't anything major.

    As long as the System Restore I had to do near the beginning of this process didn't mess anything up, I think I'm fine. I wish I knew how whatever it was got on here in the first place.

    Thanks so much for all your help.

    Ryan
     
  14. 2009/01/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please start Firefox in Safe Mode as described here to see if it loads and responds more quickly.
     
