Annmarie
HJT Log - fake alerts

I have very little time to clean this up, so excuse me for being abrupt. Co-worker's laptop, Windows XP running Symantec client, suddenly began getting nasty pop-ups and what appeared to be Windows security alerts. Someone used his laptop while he was out of the office.
Between him and me we followed the FAQ procedure to the T. His words: "found and cleaned tons of stuff but that one keeps showing up". That "one" is the .jpg I posted; it pops up with different trojan names.
I snuck (sneaked?) the laptop out of the office so I could clean it at home. I have to get it back tonight before the security cameras go back on.
Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:51 PM, on 9/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\zehchwhk\lyhshubi.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\fozixwjc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\vptray.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\fozixwjc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ApiSrv] C:\WINDOWS\system32\fozixwjc.exe
O4 - HKCU\..\Run: [cmdinfo] C:\WINDOWS\system32\ujyhuhgd.exe
O4 - HKCU\..\Run: [setsh] C:\WINDOWS\system32\xcxebazm.exe
O4 - HKLM\..\Policies\Explorer\Run: [iQkkP4fm85] C:\Documents and Settings\All Users\Application Data\zehchwhk\lyhshubi.exe
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - »www.symantec.com/techsupp/asa/ss···tlsr.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - »70.90.17.225/Remote/msrdp.cab
O16 - DPF: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} (NPRemvuPluginControl) - »24.46.98.45:8888/common/NPRemvu.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7563 bytes
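The O4 lines in the log above are the autostart entries an analyst reads first: four of them launch randomly named executables from system32 or from All Users\Application Data, one of them through the Policies\Explorer\Run key. The script below is an added example, not part of the original post and not part of HijackThis: it parses the registry-backed O4 lines and scores each entry from several weak indicators so that those four stand out. The indicator weights, the threshold of 2, and the sample list (copied from the log above, with two Startup-folder lines added to show they are skipped) are assumptions of this example.

```python
import re

# Constructed sample input: the registry O4 (autostart) lines from the
# HijackThis log posted above, plus two Startup-folder lines that the parser
# must skip because they use a different format.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe",
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
    r"O4 - HKCU\..\Run: [ApiSrv] C:\WINDOWS\system32\fozixwjc.exe",
    r"O4 - HKCU\..\Run: [cmdinfo] C:\WINDOWS\system32\ujyhuhgd.exe",
    r"O4 - HKCU\..\Run: [setsh] C:\WINDOWS\system32\xcxebazm.exe",
    r"O4 - HKLM\..\Policies\Explorer\Run: [iQkkP4fm85] C:\Documents and Settings\All Users\Application Data\zehchwhk\lyhshubi.exe",
    r"O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe",
    r"O4 - Global Startup: Bluetooth Manager.lnk = ?",
]

# Registry-backed O4 lines look like:  O4 - HKCU\..\Run: [value name] command
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def parse_o4(line):
    """Return (hive, key, value_name, command) for a registry O4 line, else None."""
    m = O4_RE.match(line.strip())
    return m.group("hive", "key", "name", "cmd") if m else None


def exe_basename(cmd):
    """Pull the executable file name out of a Run command, quoted or not."""
    m = re.search(r'"?(.*?\.exe)\b', cmd, re.IGNORECASE)
    path = m.group(1) if m else cmd
    return path.rsplit("\\", 1)[-1]


def _normalize(s):
    """Lower-case and keep only letters and digits, for loose name matching."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


# Indicator weights are an assumption of this example, chosen so that the
# four entries an analyst would question in the log above score >= 2.
def score_entry(hive, key, name, cmd):
    """Return (score, [reason, ...]) built from several weak indicators."""
    reasons = []
    exe = exe_basename(cmd)
    low_cmd = cmd.lower()
    if key.lower().startswith("policies\\explorer\\run"):
        reasons.append(("Policies\\Explorer\\Run key, rarely used by legitimate installers", 2))
    if "\\application data\\" in low_cmd:
        reasons.append(("executable launched from an Application Data folder", 2))
    if hive == "HKCU" and "\\system32\\" in low_cmd:
        reasons.append(("per-user Run value pointing into system32", 1))
    stem = exe[:-4] if exe.lower().endswith(".exe") else exe
    n_name, n_exe = _normalize(name), _normalize(stem)
    if not (n_exe in n_name or n_name in n_exe):
        reasons.append(("value name does not match the executable name", 1))
    if re.search(r"\d", name) and re.search(r"[a-z]", name) and re.search(r"[A-Z]", name):
        reasons.append(("value name mixes case and digits like a generated string", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def triage(lines, threshold=2):
    """Return [(score, exe, reasons)] for entries at or above threshold, highest first."""
    hits = []
    for line in lines:
        parsed = parse_o4(line)
        if parsed is None:
            continue  # Startup-folder and other O4 formats are not scored here
        hive, key, name, cmd = parsed
        score, reasons = score_entry(hive, key, name, cmd)
        if score >= threshold:
            hits.append((score, exe_basename(cmd), reasons))
    return sorted(hits, key=lambda h: (-h[0], h[1]))


if __name__ == "__main__":
    for score, exe, reasons in triage(SAMPLE_O4_LINES):
        print(f"{score:2d}  {exe:14s} {'; '.join(reasons)}")
```

Run as a script it prints the four flagged entries with their reasons. The point of the scoring is that no single rule separates them from the benign lines (ctfmon.exe also sits in system32 under HKCU\Run, and the Windows Defender value name also differs from its executable), but the combination does. A real cleanup still confirms each hit against the file's signature, hash and a known-good list before anything is removed.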


Annmarie
Combofix log:

ComboFix 08-09-03.02 - STravis 2008-09-03 22:58:17.1 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\STravis\My Documents\ComboFix.exe

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

((((((((((((((((((((((((( Files Created from 2008-08-04 to 2008-09-04 )))))))))))))))))))))))))))))))
.

2008-09-03 21:44 . 2008-09-03 21:44 86,016 --a------ C:\WINDOWS\system32\ujyhuhgd.exe
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\STravis\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-03 20:21 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-03 19:52 . 2008-09-03 19:54 d-------- C:\Program Files\EsetOnlineScanner
2008-09-03 11:44 . 2008-09-03 15:05 127 --a------ C:\WINDOWS\wininit.ini
2008-09-02 23:20 . 2008-09-02 23:20 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-02 23:06 . 2008-09-02 23:06 d-------- C:\Documents and Settings\All Users\Application Data\zehchwhk
2008-09-02 23:06 . 2008-09-02 23:06 81,920 --a------ C:\WINDOWS\system32\fozixwjc.exe
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\scripting
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\en
2008-08-18 16:25 . 2008-08-18 21:18 d-------- C:\WINDOWS\system32\bits
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\l2schemas
2008-08-18 16:17 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-08-18 16:12 . 2007-02-28 05:53 2,137,600 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-18 15:54 . 2008-04-13 20:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-08-18 15:52 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\[u]0[/u]02942_.tmp
2008-08-17 23:17 . 2008-08-19 21:27 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-14 22:10 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-04 02:53 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-04 02:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-03 23:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-03 16:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-03 03:20 --------- d-----w C:\Program Files\Lavasoft
2008-09-03 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-11 19:36 --------- d-----w C:\Documents and Settings\STravis\Application Data\Audacity
2008-08-01 11:46 --------- d-----w C:\Program Files\Google
2007-03-05 14:02 24,192 ----a-w C:\Documents and Settings\STravis\usbsermptxp.sys
2007-03-05 14:02 22,768 ----a-w C:\Documents and Settings\STravis\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 176,128 2005-10-07 04:13:38 C:\Program Files\Apoint\bak\Apoint.exe

----a-w 153,136 2007-03-09 22:53:56 C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe

----a-w 153,136 2007-03-12 17:49:26 C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe

----a-w 52,896 2006-07-20 00:26:04 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 52,896 2006-07-20 00:26:04 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 49,152 2005-12-10 01:29:52 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 389,120 2006-07-17 02:29:54 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 132,496 2007-09-25 05:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\bak\msmsgs.exe

----a-w 8,720,384 2007-12-19 01:47:24 C:\Program Files\MySpace\IM\bak\MySpaceIM.exe

----a-w 282,624 2006-09-01 19:57:48 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 125,168 2006-09-28 01:33:44 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
----a-w 125,168 2006-09-28 01:33:44 C:\Program Files\Symantec AntiVirus\VPTray.exe

----a-w 166,304 2007-11-07 00:09:54 C:\Program Files\Zune\bak\ZuneLauncher.exe
----a-w 158,624 2008-04-29 23:56:20 C:\Program Files\Zune\ZuneLauncher.exe

----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 77,824 2005-12-13 07:41:08 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 118,784 2005-12-13 07:45:00 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 98,304 2005-12-13 07:44:18 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 1,347,584 2005-12-19 13:08:42 C:\WINDOWS\system32\bak\WLTRAY.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"ApiSrv"="C:\WINDOWS\system32\fozixwjc.exe" [2008-09-02 81920]
"cmdinfo"="C:\WINDOWS\system32\ujyhuhgd.exe" [2008-09-03 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"iQkkP4fm85"="C:\Documents and Settings\All Users\Application Data\zehchwhk\lyhshubi.exe" [2008-09-02 65536]

C:\Documents and Settings\STravis\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-01-29 951640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 49152]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-06 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 40704]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 61856]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 245664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9e35fbb-fdda-11dc-934f-0016cf72068b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

Notify-dimsntfy - (no file)

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.dell.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dell.com/
O8 -: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 -: &Translate English Word - C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 -: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 -: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 -: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 -: Translate Page into English - C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O16 -: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} - hxxp://24.46.98.45:8888/common/NPRemvu.cab
C:\WINDOWS\Downloaded Program Files\NPRemvu.inf
C:\WINDOWS\NPRemvu.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-09-03 23:21:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Zune\ZuneNss.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
C:\WINDOWS\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2008-09-03 23:30:39 - machine was rebooted [STravis]
ComboFix-quarantined-files.txt 2008-09-04 03:29:35

Pre-Run: 37,850,038,272 bytes free
Post-Run: 37,776,023,552 bytes free

152 --- E O F --- 2008-09-03 19:06:11



Annmarie
Fresh ComboFix log, run in Safe Mode:

ComboFix 08-09-04.08 - STravis 2008-09-04 23:38:46.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.784 [GMT -4:00]
Running from: C:\Documents and Settings\STravis\Desktop\ComboFix.exe

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
.

2008-09-04 18:07 . 2006-09-18 17:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-09-04 18:07 . 2006-09-18 17:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-09-04 18:06 . 2008-09-04 18:07 d-------- C:\Program Files\Symantec
2008-09-04 18:04 . 2008-09-04 18:04 94,208 --a------ C:\WINDOWS\system32\ynejmroz.exe
2008-09-04 10:12 . 2008-09-04 10:12 94,208 --a------ C:\WINDOWS\system32\xcxebazm.exe
2008-09-04 09:51 . 2008-09-04 09:51 d-------- C:\Program Files\Windows Defender
2008-09-04 08:55 . 2008-09-04 08:55 d-------- C:\Program Files\Trend Micro
2008-09-03 21:44 . 2008-09-03 21:44 86,016 --a------ C:\WINDOWS\system32\ujyhuhgd.exe
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\STravis\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-03 20:21 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-03 19:52 . 2008-09-04 16:18 d-------- C:\Program Files\EsetOnlineScanner
2008-09-03 11:44 . 2008-09-03 15:05 127 --a------ C:\WINDOWS\wininit.ini
2008-09-02 23:20 . 2008-09-02 23:20 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-02 23:06 . 2008-09-02 23:06 d-------- C:\Documents and Settings\All Users\Application Data\zehchwhk
2008-09-02 23:06 . 2008-09-02 23:06 81,920 --a------ C:\WINDOWS\system32\fozixwjc.exe
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\scripting
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\en
2008-08-18 16:25 . 2008-08-18 21:18 d-------- C:\WINDOWS\system32\bits
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\l2schemas
2008-08-18 16:17 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-08-18 16:12 . 2007-02-28 05:53 2,137,600 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-18 15:54 . 2008-04-13 20:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-08-18 15:52 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\[u]0[/u]02942_.tmp
2008-08-17 23:17 . 2008-08-19 21:27 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-14 22:10 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 03:34 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-05 03:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-05 03:23 57,344 ----a-w C:\WINDOWS\system32\userinit.exe
2008-09-05 02:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-04 22:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-04 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-03 16:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-03 03:20 --------- d-----w C:\Program Files\Lavasoft
2008-09-03 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-11 19:36 --------- d-----w C:\Documents and Settings\STravis\Application Data\Audacity
2008-08-01 11:46 --------- d-----w C:\Program Files\Google
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2007-03-05 14:02 24,192 ----a-w C:\Documents and Settings\STravis\usbsermptxp.sys
2007-03-05 14:02 22,768 ----a-w C:\Documents and Settings\STravis\usbsermpt.sys
.

------- Sigcheck -------

2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2008-09-04 23:23 57344 b5bfcf3c4dfe120d2bb0f9736a17c065 C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((( snapshot@2008-09-03_23.29.04.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-04 21:11:41 25,214 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\ARPPRODUCTICON.exe
+ 2008-09-04 22:07:58 25,214 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\ARPPRODUCTICON.exe
- 2008-03-04 21:11:39 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-04 22:07:58 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2008-03-04 21:11:40 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-04 22:07:58 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2006-09-28 01:35:04 34,600 ----a-w C:\WINDOWS\system32\cba.dll
+ 2006-09-28 00:35:04 34,600 ----a-w C:\WINDOWS\system32\cba.dll
- 2006-08-07 21:01:56 12,992 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
+ 2006-08-07 20:01:56 12,992 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
- 2006-08-07 21:02:02 110,784 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
+ 2006-08-07 20:02:02 110,784 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
- 2006-08-07 21:02:18 31,936 ----a-w C:\WINDOWS\system32\drivers\symids.sys
+ 2006-08-07 20:02:18 31,936 ----a-w C:\WINDOWS\system32\drivers\symids.sys
- 2006-08-07 21:02:14 28,352 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
+ 2006-08-07 20:02:14 28,352 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
- 2006-08-07 21:02:22 24,768 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
+ 2006-08-07 20:02:22 24,768 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
- 2006-08-07 21:02:26 195,776 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
+ 2006-08-07 20:02:26 195,776 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
+ 2004-08-04 10:00:00 24,576 ----a-w C:\WINDOWS\system32\init32.exe
- 2007-03-15 22:19:28 1,476,992 ------w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 22:06:36 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.DLL
- 2006-09-28 01:35:04 83,696 ----a-w C:\WINDOWS\system32\loc32vc0.dll
+ 2006-09-28 00:35:04 83,696 ----a-w C:\WINDOWS\system32\loc32vc0.dll
- 2003-03-19 03:12:12 1,047,552 ----a-w C:\WINDOWS\system32\mfc71u.dll
+ 2003-03-19 02:12:12 1,047,552 ----a-w C:\WINDOWS\system32\mfc71u.dll
- 2008-08-05 18:11:01 15,888,504 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-08-05 15:11:02 15,888,504 ----a-w C:\WINDOWS\system32\MRT.exe
- 2006-09-28 01:35:06 46,896 ----a-w C:\WINDOWS\system32\msgsys.dll
+ 2006-09-28 00:35:06 46,896 ----a-w C:\WINDOWS\system32\msgsys.dll
- 2006-09-28 01:33:54 43,760 ----a-w C:\WINDOWS\system32\NavLogon.dll
+ 2006-09-28 00:33:54 43,760 ----a-w C:\WINDOWS\system32\NavLogon.dll
- 2006-09-28 01:35:06 83,752 ----a-w C:\WINDOWS\system32\nts.dll
+ 2006-09-28 00:35:06 83,752 ----a-w C:\WINDOWS\system32\nts.dll
- 2006-09-28 01:35:08 83,752 ----a-w C:\WINDOWS\system32\pds.dll
+ 2006-09-28 00:35:08 83,752 ----a-w C:\WINDOWS\system32\pds.dll
- 2006-08-07 21:02:32 534,208 ----a-w C:\WINDOWS\system32\SymNeti.dll
+ 2006-08-07 20:02:32 534,208 ----a-w C:\WINDOWS\system32\SymNeti.dll
- 2006-08-07 21:02:30 161,472 ----a-w C:\WINDOWS\system32\SymRedir.dll
+ 2006-08-07 20:02:30 161,472 ----a-w C:\WINDOWS\system32\SymRedir.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 176,128 2005-10-07 04:13:38 C:\Program Files\Apoint\bak\Apoint.exe

----a-w 153,136 2007-03-09 22:53:56 C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe

----a-w 153,136 2007-03-12 17:49:26 C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe

----a-w 52,896 2006-07-20 00:26:04 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 52,896 2006-07-19 23:26:04 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 49,152 2005-12-10 01:29:52 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 389,120 2006-07-17 02:29:54 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 132,496 2007-09-25 05:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\bak\msmsgs.exe

----a-w 8,720,384 2007-12-19 01:47:24 C:\Program Files\MySpace\IM\bak\MySpaceIM.exe

----a-w 282,624 2006-09-01 19:57:48 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 125,168 2006-09-28 01:33:44 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
----a-w 125,168 2006-09-28 00:33:44 C:\Program Files\Symantec AntiVirus\VPTray.exe

----a-w 166,304 2007-11-07 00:09:54 C:\Program Files\Zune\bak\ZuneLauncher.exe
----a-w 158,624 2008-04-29 23:56:20 C:\Program Files\Zune\ZuneLauncher.exe

----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 77,824 2005-12-13 07:41:08 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 118,784 2005-12-13 07:45:00 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 98,304 2005-12-13 07:44:18 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 1,347,584 2005-12-19 13:08:42 C:\WINDOWS\system32\bak\WLTRAY.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"ApiSrv"="C:\WINDOWS\system32\fozixwjc.exe" [2008-09-02 81920]
"cmdinfo"="C:\WINDOWS\system32\ujyhuhgd.exe" [2008-09-03 86016]
"setsh"="C:\WINDOWS\system32\xcxebazm.exe" [2008-09-04 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"iQkkP4fm85"="C:\Documents and Settings\All Users\Application Data\zehchwhk\lyhshubi.exe" [2008-09-02 65536]

C:\Documents and Settings\STravis\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-01-29 951640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 49152]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-06 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 40704]
S2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 61856]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 245664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9e35fbb-fdda-11dc-934f-0016cf72068b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.dell.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dell.com/

O16 -: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} - hxxp://24.46.98.45:8888/common/NPRemvu.cab
C:\WINDOWS\Downloaded Program Files\NPRemvu.inf
C:\WINDOWS\NPRemvu.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-09-04 23:42:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-09-04 23:48:55
ComboFix-quarantined-files.txt 2008-09-05 03:47:52
ComboFix2.txt 2008-09-04 03:30:40

Pre-Run: 37,492,264,960 bytes free
Post-Run: 37,495,316,480 bytes free

219 --- E O F --- 2008-09-03 19:06:11



bcastner

reply to Annmarie
First Steps
The following instructions are only for this Forum member. Please do not use these instructions on another computer system. You can seriously damage your system by following the instructions below without guided assistance. You assuredly will make a cleanup of your system more difficult.

Please download ATF Cleaner

http://www.atribune.org/ccount/click.php?id=1
 
It does not require any installation. It is set up to clean Windows TEMP folders, as well as IE, FireFox and Opera Temporary Internet Files and Cookies.
• Double-click ATF-Cleaner.exe to run the program.

First Step:
• Under Main choose: Select All
• Click the Empty Selected button.
Next, if you use Firefox (and some Mozilla-based browsers)
• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
Next, if you use the Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
• Click Exit on the Main menu to close the program.

Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:
• Close all programs so that you are at your desktop.
• Double-click on the My Computer icon.
• Select the Tools menu and click Folder Options.
• After the new window appears select the View tab.
• Put a checkmark in the checkbox labeled Display the contents of system folders.
• Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
• Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
• Remove the checkmark from the checkbox labeled Hide protected operating system files.
• Press the Apply button and then the OK button and exit My Computer.
• Now your computer is configured to show all hidden files.

TeaTimer is an excellent tool for the prevention of spyware but it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
• Open Spybot Search & Destroy.
• In the Mode menu click "Advanced mode" if not already selected.
• Choose Yes at the Warning prompt.
• Expand the Tools menu.
• Click Resident.
• Uncheck the "Resident 'TeaTimer' (Protection of overall system settings) active." box.
• In the File menu click Exit to exit Spybot Search & Destroy.
• Download and Unzip to your Desktop: »www.techsupportforum.com/sectool···imer.zip
• Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Malware Removal Steps
1. Open HijackThis again, System scan only. Checkmark these items:

O4 - HKCU\..\Run: [ApiSrv] C:\WINDOWS\system32\fozixwjc.exe
O4 - HKCU\..\Run: [cmdinfo] C:\WINDOWS\system32\ujyhuhgd.exe
O4 - HKCU\..\Run: [setsh] C:\WINDOWS\system32\xcxebazm.exe
O4 - HKLM\..\Policies\Explorer\Run: [iQkkP4fm85] C:\Documents and Settings\All Users\Application Data\zehchwhk\lyhshubi.exe


Click "Fix checked" and when the log panel clears exit HijackThis.

2. Download -- but do not yet run -- ComboFix©

Download this file -- to your Desktop -- from any of these sources:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
 

Right-click on the header of the Code box below, where on the right side it says: "Copy to clipboard" or use your Mouse to do a Copy/Paste:
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"iQkkP4fm85"=-
 
Folder::
C:\Documents and Settings\All Users\Application Data\zehchwhk
 
File::
C:\WINDOWS\system32\ynejmroz.exe
C:\WINDOWS\system32\xcxebazm.exe
C:\WINDOWS\system32\ujyhuhgd.exe
C:\WINDOWS\system32\fozixwjc.exe
 
 

Open a new Notepad session - (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Be sure your Notepad document now matches what you see in the Code Box. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

• Disconnect from the Internet.
• Disable your Antivirus. If the Antivirus software you use has any Script Blocking features, be certain to disable these as well.
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any Disclaimers to start the fix.
Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:


When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
• A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

3. Use Add or Remove Programs and Uninstall your current installation of Malwarebytes' Anti-Malware. Then please download Malwarebytes' Anti-Malware (MBAM) again from one of the following links:
http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe
 

Once downloaded, close all programs and Windows on your computer (including this one.)

Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.

When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.

MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program.

On the Scanner tab, make sure the Perform quick scan option is Un-selected and then click on the Scan button to start scanning your computer.

MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.

When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click Show Results. Make sure all entries have a checkmark at their far left. You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine.

When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window. Remember where you saved the log file, as we will want to see it later.

4. Run HijackThis again, and save the log file.

Submit to the Forum:
• The MBAM log results;
• The contents of C:\Combofix.txt;
• The new HijackThis log.

--
============
MS-MVP 2004-2008, ASAP Member
Users Helping Users
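The post above has the member fix four O4 autostart entries whose executables carry eight-letter pseudo-random names and were written only a day or two before the scan. The following is an added example, not part of this thread and not code from ComboFix, HijackThis or any tool the post names; it parses the "Reg Loading Points" section of a ComboFix log (the sample is constructed from the thread's own log lines) and flags entries that combine both signals. The scoring rules, the seven-day "fresh file" window and all function names are this example's own assumptions.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example (not part of the forum thread or of any tool it names).
An autostart entry is flagged only when its executable has a pseudo-random
8-letter name AND was written shortly before the scan: either signal alone
gives false positives (stsystra.exe is a legitimate vendor tray app).
"""
import re
from datetime import date, timedelta
from pathlib import PureWindowsPath

SCAN_DATE = date(2008, 9, 4)   # date of the ComboFix run in the thread
RECENT_DAYS = 7                # assumption: files newer than this are "fresh"

# Constructed from the thread's first ComboFix log (Reg Loading Points).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"ApiSrv"="C:\WINDOWS\system32\fozixwjc.exe" [2008-09-02 81920]
"cmdinfo"="C:\WINDOWS\system32\ujyhuhgd.exe" [2008-09-03 86016]
"setsh"="C:\WINDOWS\system32\xcxebazm.exe" [2008-09-04 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"iQkkP4fm85"="C:\Documents and Settings\All Users\Application Data\zehchwhk\lyhshubi.exe" [2008-09-02 65536]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<rest>[^\]]*)\]$'
)
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")   # heuristic: 8 lowercase letters


def parse_loading_points(text):
    """Yield (registry key, value name, exe path, file date) per Run entry."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        cmd, rest = m.group("cmd"), m.group("rest")
        # ComboFix prints the resolved path inside the brackets when the
        # value holds only a bare file name (e.g. "stsystra.exe").
        exe = rest if "\\" in rest else cmd
        yield key, m.group("name"), exe, date.fromisoformat(m.group("date"))


def looks_random(exe_path):
    """True for names like fozixwjc.exe; also true for stsystra.exe."""
    return bool(RANDOM_STEM_RE.match(PureWindowsPath(exe_path).stem))


def triage(text, scan_date=SCAN_DATE, recent_days=RECENT_DAYS):
    """Return exe paths that look random AND were written within
    `recent_days` of the scan, in log order."""
    flagged = []
    for _key, _name, exe, fdate in parse_loading_points(text):
        fresh = (scan_date - fdate) <= timedelta(days=recent_days)
        if looks_random(exe) and fresh:
            flagged.append(exe)
    return flagged


if __name__ == "__main__":
    for exe in triage(SAMPLE_LOG):
        print("suspicious autostart:", exe)
```

Run as-is it prints the same four paths the post has the member fix, while stsystra.exe, which passes the name test, is kept out by its 2006 timestamp. The threshold is deliberately conservative: a human still confirms each hit, exactly as the helpers in this thread do.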



Annmarie

Thank you so much for responding. I have printed out your instructions and will follow them exactly as written.

1. I have to do this tonight since we are at work now and prying eyes won't allow this to happen just yet.

2. This is a vital office laptop - what are the chances, even if I follow the steps explicitly, that it will die a sorry death? A format will affect both my co-workers and my job status. As it is, the employee who caused this to happen (used the computer and stopped all virus/malware protection) will be fired. Before that happens I need to ascertain a date if possible.

3. Once I bring this laptop home I need to allow it access to my wireless network. Should I be worried about my home machines, which have virus protection as well as several malware protection apps in real time?

FYI - our work computers came with the Symantec client which we are not allowed to uninstall. I prefer AVG but that is not going to happen. We all run SpyBot on a daily schedule as well as AdAware on a daily basis. I insist on it or I will not clean the computers. I will now be running ESET also as recommended by lilhurricane. CCleaner is run before shutdown each night.

I will post back once I have completed your instructions.



bcastner

reply to Annmarie
#1. We should be able to clean this completely without major trauma (or surgery).

#2. This malware infection does not spread through network shares. Your home network machines will be fine.

Best regards,
Bill Castner
--
============
MS-MVP 2004-2008, ASAP Member
Users Helping Users



Annmarie

ISSUE!

Procedure went fine up to this point:

Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:

When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.
• A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

!! When the CF scan completed I did File and Exit but did NOT get the "save changes" question. The log simply blinked away. There is a log.txt file in My Documents but it is dated 9/4/08 and I can only assume it is from the pre-cleanup procedures.

Might that log.txt be somewhere else? I will look but I am not going to perform any more scans until I hear back.

EDIT: no current log.txt and Malwarebytes asks for a reboot to finish the uninstall of current installation. Will a reboot be OK?

Also, since the AV is managed by the main corporate office there is no disable feature so I simply uninstalled it and will reinstall once the machine is clean. It found no issues when this all began so I am less than thrilled with it to begin with.



Annmarie

I found the combofix.txt file so I am OK on that but am still concerned on the reboot. Have stopped at that part. Did not reboot or download a fresh copy of Malwarebytes yet.



Annmarie

reply to Annmarie
(1)
MBAM log results after uninstall old and reinstall new:
Malwarebytes' Anti-Malware 1.26
Database version: 1120
Windows 5.1.2600 Service Pack 2

9/6/2008 11:42:01 PM
mbam-log-2008-09-06 (23-42-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 92965
Time elapsed: 41 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

(2)
Combofix.txt:
ComboFix 08-09-04.08 - STravis 2008-09-06 10:40:41.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.476 [GMT -4:00]
Running from: C:\Documents and Settings\STravis\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\STravis\Desktop\CFscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\zehchwhk
C:\Documents and Settings\All Users\Application Data\zehchwhk\lyhshubi.exe
C:\WINDOWS\system32\fozixwjc.exe
C:\WINDOWS\system32\ujyhuhgd.exe
C:\WINDOWS\system32\xcxebazm.exe
C:\WINDOWS\system32\ynejmroz.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-06 to 2008-09-06 )))))))))))))))))))))))))))))))
.

2008-09-05 00:04 . 2008-09-06 10:30 d-------- C:\Program Files\Symantec
2008-09-04 23:53 . 2008-09-04 23:53 90,112 --a------ C:\WINDOWS\system32\gbuvidsp.exe
2008-09-04 09:51 . 2008-09-04 09:51 d-------- C:\Program Files\Windows Defender
2008-09-04 08:55 . 2008-09-04 08:55 d-------- C:\Program Files\Trend Micro
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\STravis\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-03 20:21 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-03 19:52 . 2008-09-04 16:18 d-------- C:\Program Files\EsetOnlineScanner
2008-09-03 11:44 . 2008-09-03 15:05 127 --a------ C:\WINDOWS\wininit.ini
2008-09-02 23:20 . 2008-09-02 23:20 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\scripting
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\en
2008-08-18 16:25 . 2008-08-18 21:18 d-------- C:\WINDOWS\system32\bits
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\l2schemas
2008-08-18 16:17 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-08-18 16:12 . 2007-02-28 05:53 2,137,600 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-18 15:54 . 2008-04-13 20:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-08-18 15:52 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\002942_.tmp
2008-08-17 23:17 . 2008-08-19 21:27 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-14 22:10 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-06 14:30 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-06 14:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-06 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-06 14:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-06 13:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-05 03:23 57,344 ----a-w C:\WINDOWS\system32\userinit.exe
2008-09-03 16:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-03 03:20 --------- d-----w C:\Program Files\Lavasoft
2008-09-03 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-11 19:36 --------- d-----w C:\Documents and Settings\STravis\Application Data\Audacity
2008-08-01 11:46 --------- d-----w C:\Program Files\Google
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2007-03-05 14:02 24,192 ----a-w C:\Documents and Settings\STravis\usbsermptxp.sys
2007-03-05 14:02 22,768 ----a-w C:\Documents and Settings\STravis\usbsermpt.sys
.

------- Sigcheck -------

2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2008-09-04 23:23 57344 b5bfcf3c4dfe120d2bb0f9736a17c065 C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((( snapshot_2008-09-04_23.47.30.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-04 22:07:58 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-05 04:05:37 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 176,128 2005-10-07 04:13:38 C:\Program Files\Apoint\bak\Apoint.exe

----a-w 153,136 2007-03-09 22:53:56 C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe

----a-w 153,136 2007-03-12 17:49:26 C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe

----a-w 52,896 2006-07-20 00:26:04 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 49,152 2005-12-10 01:29:52 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 389,120 2006-07-17 02:29:54 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 132,496 2007-09-25 05:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\bak\msmsgs.exe

----a-w 8,720,384 2007-12-19 01:47:24 C:\Program Files\MySpace\IM\bak\MySpaceIM.exe

----a-w 282,624 2006-09-01 19:57:48 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 125,168 2006-09-28 01:33:44 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe

----a-w 166,304 2007-11-07 00:09:54 C:\Program Files\Zune\bak\ZuneLauncher.exe
----a-w 158,624 2008-04-29 23:56:20 C:\Program Files\Zune\ZuneLauncher.exe

----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 77,824 2005-12-13 07:41:08 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 118,784 2005-12-13 07:45:00 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 98,304 2005-12-13 07:44:18 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 1,347,584 2005-12-19 13:08:42 C:\WINDOWS\system32\bak\WLTRAY.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"AdmApiCmd"="C:\WINDOWS\system32\gbuvidsp.exe" [2008-09-04 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\STravis\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-01-29 951640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 49152]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-06 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 40704]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 61856]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 245664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9e35fbb-fdda-11dc-934f-0016cf72068b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - ERASERUTILDRV10822
*Newly Created Service* - NAVENG
*Newly Created Service* - NAVEX15
*Newly Created Service* - SAVRT
*Newly Created Service* - SAVRTPEL
*Newly Created Service* - SPBBCDRV
*Newly Created Service* - SYMEVENT
*Newly Created Service* - SYMREDRV
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-09-06 10:43:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-09-06 10:49:18
ComboFix-quarantined-files.txt 2008-09-06 14:48:15
ComboFix2.txt 2008-09-05 03:48:56
ComboFix3.txt 2008-09-04 03:30:40

Pre-Run: 40,361,709,568 bytes free
Post-Run: 40,347,242,496 bytes free

179 --- E O F --- 2008-09-06 13:16:35

(3)
New HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:26 PM, on 9/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\gbuvidsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.giants.com/index2.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdmApiCmd] C:\WINDOWS\system32\gbuvidsp.exe
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - »www.symantec.com/techsupp/asa/ss···tlsr.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - »70.90.17.225/Remote/msrdp.cab
O16 - DPF: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} (NPRemvuPluginControl) - »24.46.98.45:8888/common/NPRemvu.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5575 bytes

FYI: as I clicked spell check before hitting post now the security alert graphic popped up like in my first post. Oy!



bcastner

reply to Annmarie
If MBAM or Combofix request or force a reboot, allow them to do so. Some malware infectors can only be removed during the reboot process, as they are then in an inactive state.

1. Open HijackThis again, System scan only. Checkmark these items:

O4 - HKCU\..\Run: [AdmApiCmd] C:\WINDOWS\system32\gbuvidsp.exe

Click "Fix checked" and when the log panel clears exit HijackThis.

2. We need to run Combofix again.

Right-click on the header of the Code box below, where on the right side it says: "Copy to clipboard" or as above use your Mouse to do a Copy/Paste:

File::
C:\WINDOWS\system32\gbuvidsp.exe
 
 

Open a new Notepad session - (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

• Disconnect from the Internet.
• Disable your Antivirus. If the Antivirus software you use has any Script Blocking features, be certain to disable these as well.
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any Disclaimers to start the fix.
Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:


When the scan completes Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.
• A caution - Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

3. Run MBAM again, just as instructed earlier above. It should report a clean result.

4. Run HijackThis again, and save the log file.

Submit to the Forum:
• Your new MBAM log result;
• The contents of C:\Combofix.txt;
• The new HijackThis log.

Now, a favor. I want you to submit this file for analysis:

c:\windows\system32\userinit.exe

I regularly submit (on-line) files to be scanned for malware. These two sites are my favorites, and use multiple AV programs for their scans -- up to 32 different major AV products are used to scan the file:

Jotti's Virus Scan
virusscan.jotti.org/

VirusTotal
www.virustotal.com/

These servers can be busy, but the whole process is surprisingly fast for such extensive AV testing. There is the added "Good Citizenship" factor -- if the file is found suspicious it automatically alerts the antivirus vendors of a new malware to include in their definition files.

Submit to both, and report the results back to the Forum. I appreciate this extra step on your part.

Bill Castner

--
============
MS-MVP 2004-2008, ASAP Member
Users Helping Users



Annmarie

reply to Annmarie
1. MBAM log results:
Malwarebytes' Anti-Malware 1.26
Database version: 1103
Windows 5.1.2600 Service Pack 2

9/7/2008 8:12:06 PM
mbam-log-2008-09-07 (20-12-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 92797
Time elapsed: 41 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

2. Contents of Combofix.txt
ComboFix 08-09-04.08 - STravis 2008-09-07 19:00:39.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.606 [GMT -4:00]
Running from: C:\Documents and Settings\STravis\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\STravis\Desktop\CFScript.txt
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
.

2008-09-06 22:53 . 2008-09-06 22:53 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-06 22:53 . 2008-09-02 00:26 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-06 22:53 . 2008-09-02 00:25 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-05 00:04 . 2008-09-06 10:30 d-------- C:\Program Files\Symantec
2008-09-04 23:53 . 2008-09-04 23:53 90,112 --a------ C:\WINDOWS\system32\gbuvidsp.exe
2008-09-04 09:51 . 2008-09-04 09:51 d-------- C:\Program Files\Windows Defender
2008-09-04 08:55 . 2008-09-04 08:55 d-------- C:\Program Files\Trend Micro
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\STravis\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 19:52 . 2008-09-04 16:18 d-------- C:\Program Files\EsetOnlineScanner
2008-09-03 11:44 . 2008-09-03 15:05 127 --a------ C:\WINDOWS\wininit.ini
2008-09-02 23:20 . 2008-09-02 23:20 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\scripting
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\en
2008-08-18 16:25 . 2008-08-18 21:18 d-------- C:\WINDOWS\system32\bits
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\l2schemas
2008-08-18 16:17 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-08-18 16:12 . 2007-02-28 05:53 2,137,600 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-18 15:54 . 2008-04-13 20:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-08-18 15:52 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\002942_.tmp
2008-08-17 23:17 . 2008-08-19 21:27 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-14 22:10 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-07 22:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-07 14:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-07 14:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-06 14:30 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-06 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-05 03:23 57,344 ----a-w C:\WINDOWS\system32\userinit.exe
2008-09-03 16:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-03 03:20 --------- d-----w C:\Program Files\Lavasoft
2008-09-03 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-11 19:36 --------- d-----w C:\Documents and Settings\STravis\Application Data\Audacity
2008-08-01 11:46 --------- d-----w C:\Program Files\Google
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2007-03-05 14:02 24,192 ----a-w C:\Documents and Settings\STravis\usbsermptxp.sys
2007-03-05 14:02 22,768 ----a-w C:\Documents and Settings\STravis\usbsermpt.sys
.

------- Sigcheck -------

2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2008-09-04 23:23 57344 b5bfcf3c4dfe120d2bb0f9736a17c065 C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((( snapshot_2008-09-04_23.47.30.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-04 22:07:58 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-05 04:05:37 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2006-11-02 09:46:05 363,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPCDMCLH.DLL
+ 2006-11-02 09:46:11 251,904 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFIME50.DLL
+ 2006-11-02 09:46:05 19,968 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFRES50.DLL
+ 2006-11-02 09:46:11 1,515,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZ3ALHN.DLL
+ 2006-11-02 09:46:05 1,253,888 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZ3RLHN.DLL
+ 2006-11-02 09:46:11 365,568 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZEVLHN.DLL
+ 2006-09-18 21:44:24 562,176 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZSSLHN.DLL
+ 2006-09-18 21:44:24 3,447,808 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZSTLHN.DLL
+ 2006-11-02 09:46:11 2,725,376 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZUILHN.DLL
- 2004-08-04 05:56:48 264,704 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\unidrv.dll
+ 2006-11-02 09:46:13 372,736 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRV.DLL
- 2004-08-04 05:56:48 197,120 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\unidrvui.dll
+ 2006-11-02 09:46:11 740,864 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRVUI.DLL
- 2004-08-04 05:56:36 619,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\unires.dll
+ 2006-11-02 09:41:12 761,344 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIRES.DLL
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 176,128 2005-10-07 04:13:38 C:\Program Files\Apoint\bak\Apoint.exe

----a-w 153,136 2007-03-09 22:53:56 C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe

----a-w 153,136 2007-03-12 17:49:26 C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe

----a-w 52,896 2006-07-20 00:26:04 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 49,152 2005-12-10 01:29:52 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 389,120 2006-07-17 02:29:54 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 132,496 2007-09-25 05:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\bak\msmsgs.exe

----a-w 8,720,384 2007-12-19 01:47:24 C:\Program Files\MySpace\IM\bak\MySpaceIM.exe

----a-w 282,624 2006-09-01 19:57:48 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 125,168 2006-09-28 01:33:44 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe

----a-w 166,304 2007-11-07 00:09:54 C:\Program Files\Zune\bak\ZuneLauncher.exe
----a-w 158,624 2008-04-29 23:56:20 C:\Program Files\Zune\ZuneLauncher.exe

----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 77,824 2005-12-13 07:41:08 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 118,784 2005-12-13 07:45:00 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 98,304 2005-12-13 07:44:18 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 1,347,584 2005-12-19 13:08:42 C:\WINDOWS\system32\bak\WLTRAY.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\STravis\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-01-29 951640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 49152]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-06 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 40704]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 61856]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 245664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9e35fbb-fdda-11dc-934f-0016cf72068b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-09-07 19:03:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-09-07 19:08:33
ComboFix-quarantined-files.txt 2008-09-07 23:07:30
ComboFix2.txt 2008-09-06 14:49:19
ComboFix3.txt 2008-09-05 03:48:56
ComboFix4.txt 2008-09-04 03:30:40

Pre-Run: 40,295,854,080 bytes free
Post-Run: 40,281,223,168 bytes free

171 --- E O F --- 2008-09-06 13:16:35

3. New HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:51 PM, on 9/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.giants.com/index2.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - »www.symantec.com/techsupp/asa/ss···tlsr.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - »70.90.17.225/Remote/msrdp.cab
O16 - DPF: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} (NPRemvuPluginControl) - »24.46.98.45:8888/common/NPRemvu.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5379 bytes

Will submit the previously mentioned file right now and post back on that.



Annmarie

reply to Annmarie

File: userinit.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: b5bfcf3c4dfe120d2bb0f9736a17c065
Packers detected: -

Scanner results
Scan taken on 08 Sep 2008 00:20:25 (GMT)
A-Squared Found Win32.SuspectCrc
AntiVir Found PHISH/FraudTool.Agent.BW
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found W32/FakeAV2008.BW
F-Secure Anti-Virus Found not-a-virus:FraudTool.Win32.Agent.bw (6, 2, 616)
Ikarus Found Win32.SuspectCrc
Kaspersky Anti-Virus Found not-a-virus:FraudTool.Win32.Agent.bw
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-CO
VirusBuster Found nothing
VBA32 Found Malware-Cryptor.Win32.General.2 (probable variant)




Annmarie

reply to Annmarie
File userinit.exe received on 09.08.2008 03:01:29 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.6.0 2008.09.07 -
AntiVir 7.8.1.28 2008.09.07 PHISH/FraudTool.Agent.BW
Authentium 5.1.0.4 2008.09.07 W32/FakeAV2008.BW
Avast 4.8.1195.0 2008.09.07 -
AVG 8.0.0.161 2008.09.07 Win32/Heur
BitDefender 7.2 2008.09.08 -
CAT-QuickHeal 9.50 2008.09.06 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.09.07 -
DrWeb 4.44.0.09170 2008.09.07 -
eSafe 7.0.17.0 2008.09.07 -
eTrust-Vet 31.6.6072 2008.09.05 -
Ewido 4.0 2008.09.07 -
F-Prot 4.4.4.56 2008.09.07 W32/FakeAV2008.BW
F-Secure 8.0.14332.0 2008.09.07 FraudTool.Win32.Agent.bw
Fortinet 3.112.0.0 2008.09.07 W32/Tibs.WA!tr.dldr
GData 19 2008.09.08 -
Ikarus T3.1.1.34.0 2008.09.08 Win32.SuspectCrc
K7AntiVirus 7.10.443 2008.09.05 -
Kaspersky 7.0.0.125 2008.09.08 not-a-virus:FraudTool.Win32.Agent.bw
McAfee 5378 2008.09.05 -
Microsoft 1.3903 2008.09.08 -
NOD32v2 3424 2008.09.07 -
Norman 5.80.02 2008.09.05 -
Panda 9.0.0.4 2008.09.07 -
PCTools 4.4.2.0 2008.09.07 -
Prevx1 V2 2008.09.08 Malicious Software
Rising 20.60.62.00 2008.09.07 -
Sophos 4.33.0 2008.09.07 Mal/EncPk-CO
Sunbelt 3.1.1616.1 2008.09.07 -
Symantec 10 2008.09.08 -
TheHacker 6.3.0.8.075 2008.09.06 -
TrendMicro 8.700.0.1004 2008.09.05 -
VBA32 3.12.8.5 2008.09.07 suspected of Malware-Cryptor.Win32.General.2
ViRobot 2008.9.5.1365 2008.09.06 -
VirusBuster 4.5.11.0 2008.09.07 -
Webwasher-Gateway 6.6.2 2008.09.07 -

Additional information
File size: 57344 bytes
MD5...: b5bfcf3c4dfe120d2bb0f9736a17c065
SHA1..: b51211e9a221c066674a21a33546b8776f09c4a2
SHA256: fade41dd65341422f062aa046b58b7c5d3e3c49a24b0daa2eb6f8a8eea8cd7ee
SHA512: 932efdfa2e62f37d30b8c09bc9192c9c67f2b7c2cb0ad62c7eb0445012f54941f24e5e57f2997a16006dae399791c8e9d02e92b29479b54cd8f9aaf192e20b75
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4019b0
timedatestamp.....: 0x46cfb54a (Sat Aug 25 04:51:22 2007)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1000 0x1000 4.76 cd14a3572e7c34722c0f663d7b14a38f
.rdata 0x2000 0x1000 0x1000 2.69 0d83fb166d20fbaadfbf7ac107d94153
.data 0x3000 0xa000 0x9000 6.22 28f26301a650cb6b9006659579cb407a
.rsrc 0xd000 0x2000 0x2000 2.50 b3205ebb5f7eeb261eee2f87120c0243

( 1 imports )
> kernel32.dll: GetLastError

( 0 exports )

Prevx info: »info.prevx.com/aboutprogramtext.···B873B577



bcastner

reply to Annmarie
I was afraid that might be the result. Userinit.exe is, and where it is being referenced from the Registry, a core file.

The one in place has been compromised.

sUBs, the Author of Combofix, has a detection routine for this replacement I would like to use to make sure things are as they should (or must) be.

1. Delete Combofix.exe from your Desktop. I need the newest version.

2. Download and Run -- ComboFix©
Download this file -- to your Desktop -- from any of these sources:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
 

• Disconnect from the Internet.
• Disable your Antivirus software -- this includes any Script Blocking Feature it may have.

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any disclaimers to start the fix. When the scan completes Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

Post back the results of C:\Combofix.txt. If there are suitable replacements that Combofix can find, we are nearly done.

Bill Castner

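The Sigcheck mismatch that bcastner reads as a compromised userinit.exe, together with the PE section table and import list from the VirusTotal report above, worked through as a small Python triage script. This is an added example for this page, not code from the posts, from ComboFix or from VirusTotal; the two Sigcheck lines and the section table are copied from the logs above as constructed input, and the entropy, import-count and size-ratio thresholds are assumptions.

```python
"""Triage of the ComboFix 'Sigcheck' block and the VirusTotal PE section table
quoted in this thread. Added example for this page, not code from the posts,
from ComboFix or from VirusTotal; the thresholds below are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: the two Sigcheck lines from the ComboFix log posted above.
SIGCHECK = """\
2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 C:\\WINDOWS\\SoftwareDistribution\\Download\\dd9ab5193501484cf5e6884fa1d22f9e\\userinit.exe
2008-09-04 23:23 57344 b5bfcf3c4dfe120d2bb0f9736a17c065 C:\\WINDOWS\\system32\\userinit.exe
"""

# Constructed input: the PEInfo section table and import list from the VirusTotal report above.
PE_SECTIONS = """\
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1000 0x1000 4.76 cd14a3572e7c34722c0f663d7b14a38f
.rdata 0x2000 0x1000 0x1000 2.69 0d83fb166d20fbaadfbf7ac107d94153
.data 0x3000 0xa000 0x9000 6.22 28f26301a650cb6b9006659579cb407a
.rsrc 0xd000 0x2000 0x2000 2.50 b3205ebb5f7eeb261eee2f87120c0243
"""
PE_IMPORTS = {"kernel32.dll": ["GetLastError"]}

SIGCHECK_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<md5>[0-9a-f]{32}) (?P<path>.+)$"
)


@dataclass
class SigEntry:
    """One Sigcheck line: modification date, byte size, MD5 and full path."""
    date: str
    size: int
    md5: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_sigcheck(text: str) -> list:
    """Parse Sigcheck lines; lines that do not match the format are ignored."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append(SigEntry(m["date"], int(m["size"]), m["md5"], m["path"]))
    return entries


def divergent_copies(entries: list) -> dict:
    """Group entries by file name and keep the names whose copies do not all
    share one MD5. Here the system32 userinit.exe (57344 bytes) differs from
    the copy Windows Update downloaded (26112 bytes), which is the mismatch
    the thread relies on to call the in-place file compromised."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e.name].append(e)
    return {n: es for n, es in by_name.items() if len({e.md5 for e in es}) > 1}


def parse_sections(table: str) -> list:
    """Parse the VirusTotal section table (header row first) into dicts."""
    rows = []
    for line in table.splitlines()[1:]:
        name, _viradd, virsiz, rawdsiz, ntrpy, md5 = line.split()
        rows.append({"name": name, "virsiz": int(virsiz, 16),
                     "rawdsiz": int(rawdsiz, 16), "entropy": float(ntrpy), "md5": md5})
    return rows


def pe_indicators(sections: list, imports: dict,
                  entropy_threshold: float = 6.0, min_imports: int = 5) -> list:
    """Cheap static hints that a binary is packed or a decoy (thresholds are
    assumptions): a section with high entropy, a code (.text) section much
    smaller than the data it carries, and an import table far too small for a
    real program. A single import of GetLastError is not what a genuine
    Windows logon helper would look like."""
    findings = []
    text_size = sum(s["rawdsiz"] for s in sections if s["name"] == ".text")
    data_size = sum(s["rawdsiz"] for s in sections if s["name"] == ".data")
    for s in sections:
        if s["entropy"] >= entropy_threshold:
            findings.append(f"high entropy {s['entropy']:.2f} in {s['name']}")
    if text_size and data_size > 4 * text_size:
        findings.append(f".data ({data_size} bytes) dwarfs .text ({text_size} bytes)")
    total = sum(len(funcs) for funcs in imports.values())
    if total < min_imports:
        findings.append(f"only {total} imported function(s)")
    return findings


if __name__ == "__main__":
    for name, copies in divergent_copies(parse_sigcheck(SIGCHECK)).items():
        print(f"{name}: {len(copies)} copies with differing MD5")
        for c in copies:
            print(f"  {c.md5}  {c.size:>6}  {c.path}")
    for hint in pe_indicators(parse_sections(PE_SECTIONS), PE_IMPORTS):
        print("indicator:", hint)
```

The same parse_sigcheck/divergent_copies pair can be run over the Sigcheck block of any ComboFix log, which is the check bcastner is asking the fresh ComboFix run to perform by hand.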



Annmarie

reply to Annmarie
I forgot to disconnect from the Internet - did I screw it all up?

ComboFix 08-09-05.04 - STravis 2008-09-07 21:42:34.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.549 [GMT -4:00]
Running from: C:\Documents and Settings\STravis\Desktop\ComboFix.exe
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
.

2008-09-07 19:12 . 2008-09-07 19:12 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-07 19:12 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-07 19:12 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-05 00:04 . 2008-09-06 10:30 d-------- C:\Program Files\Symantec
2008-09-04 23:53 . 2008-09-04 23:53 90,112 --a------ C:\WINDOWS\system32\gbuvidsp.exe
2008-09-04 09:51 . 2008-09-04 09:51 d-------- C:\Program Files\Windows Defender
2008-09-04 08:55 . 2008-09-04 08:55 d-------- C:\Program Files\Trend Micro
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\STravis\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 19:52 . 2008-09-04 16:18 d-------- C:\Program Files\EsetOnlineScanner
2008-09-03 11:44 . 2008-09-03 15:05 127 --a------ C:\WINDOWS\wininit.ini
2008-09-02 23:20 . 2008-09-02 23:20 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\scripting
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\en
2008-08-18 16:25 . 2008-08-18 21:18 d-------- C:\WINDOWS\system32\bits
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\l2schemas
2008-08-18 16:17 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-08-18 16:12 . 2007-02-28 05:53 2,137,600 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-18 15:54 . 2008-04-13 20:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-08-18 15:52 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\002942_.tmp
2008-08-17 23:17 . 2008-08-19 21:27 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-14 22:10 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-07 22:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-07 14:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-07 14:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-06 14:30 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-06 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-05 03:23 57,344 ----a-w C:\WINDOWS\system32\userinit.exe
2008-09-03 16:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-03 03:20 --------- d-----w C:\Program Files\Lavasoft
2008-09-03 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-11 19:36 --------- d-----w C:\Documents and Settings\STravis\Application Data\Audacity
2008-08-01 11:46 --------- d-----w C:\Program Files\Google
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2007-03-05 14:02 24,192 ----a-w C:\Documents and Settings\STravis\usbsermptxp.sys
2007-03-05 14:02 22,768 ----a-w C:\Documents and Settings\STravis\usbsermpt.sys
.

------- Sigcheck -------

2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2008-09-04 23:23 57344 b5bfcf3c4dfe120d2bb0f9736a17c065 C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((( snapshot_2008-09-04_23.47.30.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-04 22:07:58 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-05 04:05:37 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2006-11-02 09:46:05 363,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPCDMCLH.DLL
+ 2006-11-02 09:46:11 251,904 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFIME50.DLL
+ 2006-11-02 09:46:05 19,968 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFRES50.DLL
+ 2006-11-02 09:46:11 1,515,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZ3ALHN.DLL
+ 2006-11-02 09:46:05 1,253,888 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZ3RLHN.DLL
+ 2006-11-02 09:46:11 365,568 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZEVLHN.DLL
+ 2006-09-18 21:44:24 562,176 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZSSLHN.DLL
+ 2006-09-18 21:44:24 3,447,808 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZSTLHN.DLL
+ 2006-11-02 09:46:11 2,725,376 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZUILHN.DLL
- 2004-08-04 05:56:48 264,704 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\unidrv.dll
+ 2006-11-02 09:46:13 372,736 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRV.DLL
- 2004-08-04 05:56:48 197,120 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\unidrvui.dll
+ 2006-11-02 09:46:11 740,864 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRVUI.DLL
- 2004-08-04 05:56:36 619,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\unires.dll
+ 2006-11-02 09:41:12 761,344 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIRES.DLL
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 176,128 2005-10-07 04:13:38 C:\Program Files\Apoint\bak\Apoint.exe

----a-w 153,136 2007-03-09 22:53:56 C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe

----a-w 153,136 2007-03-12 17:49:26 C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe

----a-w 52,896 2006-07-20 00:26:04 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 49,152 2005-12-10 01:29:52 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 389,120 2006-07-17 02:29:54 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 132,496 2007-09-25 05:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\bak\msmsgs.exe

----a-w 8,720,384 2007-12-19 01:47:24 C:\Program Files\MySpace\IM\bak\MySpaceIM.exe

----a-w 282,624 2006-09-01 19:57:48 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 125,168 2006-09-28 01:33:44 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe

----a-w 166,304 2007-11-07 00:09:54 C:\Program Files\Zune\bak\ZuneLauncher.exe
----a-w 158,624 2008-04-29 23:56:20 C:\Program Files\Zune\ZuneLauncher.exe

----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 77,824 2005-12-13 07:41:08 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 118,784 2005-12-13 07:45:00 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 98,304 2005-12-13 07:44:18 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 1,347,584 2005-12-19 13:08:42 C:\WINDOWS\system32\bak\WLTRAY.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\STravis\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-01-29 951640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 49152]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-06 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 40704]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 61856]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 245664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9e35fbb-fdda-11dc-934f-0016cf72068b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.giants.com/index2.html
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dell.com/

O16 -: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} - hxxp://24.46.98.45:8888/common/NPRemvu.cab
C:\WINDOWS\Downloaded Program Files\NPRemvu.inf
C:\WINDOWS\NPRemvu.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-09-07 21:44:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-07 21:46:16
ComboFix-quarantined-files.txt 2008-09-08 01:45:52
ComboFix2.txt 2008-09-07 23:08:34
ComboFix3.txt 2008-09-06 14:49:19
ComboFix4.txt 2008-09-05 03:48:56
ComboFix5.txt 2008-09-08 01:42:05

Pre-Run: 40,253,759,488 bytes free
Post-Run: 40,240,181,248 bytes free

182 --- E O F --- 2008-09-06 13:16:35



bcastner

reply to Annmarie
We are almost done. This one is a little tricky, as if I screw up here your computer may not be able to restart normally. I do not want that to happen.

We used HijackThis to remove the startup entry for this file, but it is still around.

2008-09-04 23:53 . 2008-09-04 23:53 90,112 --a------ C:\WINDOWS\system32\gbuvidsp.exe

We need to sort out this issue, and the concern I have with userinit.exe.

Please download to your Desktop OT_MOVEIT:

http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
 

Please double-click OTMoveIt2.exe to run the utility.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

[Kill Explorer]
C:\WINDOWS\system32\gbuvidsp.exe
[EmptyTemps]
[Start Explorer]
 

Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window.
IMPORTANT -- Paste only into the left input panel.
Right-click and choose Paste.

Click the red Moveit button.
When it has finished, use your mouse and do a Copy/Paste of the large right-hand panel that shows Results.
Save your Clipboard contents in a new Notepad file, as we will want to review these results later.
Close OTMoveIt2 when it has finished.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Whether you had to reboot or not, when back at the Desktop, click Start, click Run, and enter into the command line that opens:

SFC /Scannow

This may well prompt for your XP CD. Please insert the CD when prompted. If there are issues, or you cannot find the CD, please visit this site for instructions: www.pcug.org.au/boesen/SFC/SFC.htm

Finally, run HijackThis one last time and post the log file. I think we should be finished.

Best,
Bill Castner

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users
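The Sigcheck block in the ComboFix log above is what drives the concern about userinit.exe: the Windows Update download cache holds a 26,112-byte copy from April 2008, while the live copy in system32 is 57,344 bytes, has a different MD5, and was written at 23:23 on 2008-09-04, the day the fake alerts started. The script below is an added example for this thread; it is not ComboFix code and not something the poster or the helper ran. It parses Sigcheck lines in ComboFix's format and applies the same test a helper applies by eye: a live system32 copy whose size or MD5 differs from every cached reference copy and whose modification time falls on or after the infection date. The sample input is the two Sigcheck lines copied from the log, and the infection date of 2008-09-04 is taken from the HijackThis scan time in the first post. MD5 is used only because that is what ComboFix prints; agreeing with a cached copy is not proof that a file is clean, and the authoritative check remains SFC or comparison against a signed copy, which is what the post asks for.

```python
"""Spot a replaced Windows system file in a ComboFix 'Sigcheck' block.

Added example for this thread; it is not ComboFix code and not something
the original poster or helper ran.  ComboFix's Sigcheck section lists
files that fail Microsoft's signature check.  When the same file name
appears twice (the live copy under system32 and a reference copy under
dllcache or the Windows Update download cache), a size/MD5 mismatch plus a
modification time on or after the infection date is the pattern seen for
userinit.exe in the log above.
"""
import re
from collections import defaultdict
from datetime import date, datetime

# One Sigcheck line: <YYYY-MM-DD> <HH:MM> <size> <md5> <path>
SIGCHECK_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9a-fA-F]{32})\s+(?P<path>\S.*?)\s*$"
)

# Constructed input: the two Sigcheck lines copied from the ComboFix log
# posted earlier in this thread.
SAMPLE_SIGCHECK = (
    "2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 "
    "C:\\WINDOWS\\SoftwareDistribution\\Download\\dd9ab5193501484cf5e6884fa1d22f9e\\userinit.exe\n"
    "2008-09-04 23:23 57344 b5bfcf3c4dfe120d2bb0f9736a17c065 "
    "C:\\WINDOWS\\system32\\userinit.exe\n"
)

# Assumption: the HijackThis log in this thread was saved on 9/4/2008 and the
# poster says the pop-ups began that day, so that is taken as the infection date.
INFECTION_DATE = date(2008, 9, 4)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; lines in any other format are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        entries.append({
            "mtime": datetime.strptime(
                m.group("date") + " " + m.group("time"), "%Y-%m-%d %H:%M"),
            "size": int(m.group("size")),
            "md5": m.group("md5").lower(),
            "path": path,
            "name": path.rsplit("\\", 1)[-1].lower(),
        })
    return entries


def is_live_copy(path):
    """The copy Windows executes sits directly in system32; dllcache and the
    SoftwareDistribution download folder are reference copies, not live ones."""
    parent = path.lower().rsplit("\\", 1)[0]
    return parent.endswith("\\system32")


def find_replaced_files(entries, infection_date):
    """Map file name -> (live copy, reference copy) for every live system32 copy
    that differs in size or MD5 from all its reference copies and was last
    written on or after infection_date.  Files with no reference copy are
    left to SFC, since there is nothing to compare them against."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)

    suspicious = {}
    for name, copies in by_name.items():
        live = [c for c in copies if is_live_copy(c["path"])]
        refs = [c for c in copies if not is_live_copy(c["path"])]
        for l in live:
            if not refs:
                continue
            differs = all((r["size"], r["md5"]) != (l["size"], l["md5"]) for r in refs)
            if differs and l["mtime"].date() >= infection_date:
                suspicious[name] = (l, refs[0])
    return suspicious


def report(text=SAMPLE_SIGCHECK, infection_date=INFECTION_DATE):
    """One human-readable line per suspicious file."""
    hits = find_replaced_files(parse_sigcheck(text), infection_date)
    lines = []
    for name, (live, ref) in sorted(hits.items()):
        lines.append(
            f"{name}: live {live['size']} bytes md5 {live['md5']} "
            f"written {live['mtime']:%Y-%m-%d %H:%M}; reference {ref['size']} bytes "
            f"md5 {ref['md5']} -> restore from a known-good copy"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report()) or "no mismatched system32 copies")
```

Run against the two lines from the log it flags userinit.exe and nothing else; move the infection date one day later and the same mismatch is no longer reported, which is the point of requiring both conditions. The script only tells you which file to put back. The replacement itself is what the post describes: SFC /Scannow pulling from dllcache or the CD, or, failing that, a copy from a clean machine at the same service-pack level.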



Annmarie

reply to Annmarie
I do not have the CDs for this particular laptop - they are at the office and actually might not be available to me.

I do have a very old version of XP Professional here at home.
It is not installed on any computers. Can I use that CD if it comes down to it?

If this machine goes down it will be bad, very bad, so I am very worried. As it is right now it is infected but functional. The wrong CD thing scares me.

How possible is it that the laptop becomes a paperweight?

EDIT: This laptop has SP2, but looking into the old CD I have, I see no reference to SP2.



bcastner

No, you cannot use the old CDs of XP.

But, look carefully at the article I linked. You likely have everything you need already in place. If not, you likely have everything you need with a very easy registry change.

I am fairly, not 100%, but fairly convinced that a core file for XP has been replaced with a malware version. Since this computer is at Service Pack 2 level, if you have another machine with XP SP2, I can, if the original advice above cannot resolve matters, use a copy of:

C:\windows\system32\userinit.exe

from a known "clean" XP computer, and let us conclude this malware removal session.

Bill Castner



Annmarie

I have 5 computers here at home - all running various flavors of Vista.

The infected machine is XP Pro SP2 - a co workers laptop.

My husband's laptop is XP Pro SP2. Can I simply copy that file to a CD? Is that what you are saying? The link you provided, while very informative, was a bit confusing to me.



Annmarie

reply to bcastner
C:\windows\system32\userinit.exe has just been copied to a CD. It was taken from a laptop with the exact same level OS as the infected laptop.

Before I start the procedure I would just like to clarify where or when I will be using this CD?

