http://www.dslreports.com/forum/r21059839 en Wed, 11 Nov 2009 07:32:16 EDT Wed, 11 Nov 2009 07:32:16 EDT http://www.dslreports.com/forum/remark,21078026 Annmarie : Looks like we have a mean clean machine here !!! Thank you so very much. It took a few days but I learned a lot.

Unfortunately, right at this moment I do not have the laptop at home. It needed to stay at the office and I will not have access to it until Wednesday if you need me to post anything further.

Before I left I was able to follow your instructions in your last post and then run several programs - mainly MS Office products and not one issue popped up.

Thank you Bill. :) You're my hero.]]> http://www.dslreports.com/forum/remark,21078026 Mon, 08 Sep 2008 18:55:19 EDT http://www.dslreports.com/forum/remark,21076653 bcastner : I am a happy with your last results. Thank you, you did a very nice job. Lets wrap this up.

Please download to your Desktop OT_MOVEIT2:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt2.exe to run the utility.

Copy the file paths below to the clipboard by using your mouse and highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\gbuvidsp.exeC:\WINDOWS\system32\bak 
Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window.
IMPORTANT -- Paste only into the left input panel.
Right-click and choose Paste.

Click the red Moveit button.
When it has finished, use your mouse and do a Copy/Paste of the large right-hand panel that shows Results.
Save your Clipboard contents in a new Notepad file, as we will want to review these results later.
Close OTMoveIt2 when it has finished.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Open Acrobat if you have the Full Version installed Click Help and run the Upgrade applet found there. If no update is offered: Use the Preferences, Internet submenu of Acrobat and uncheck to integrate with your Browser. Close Acrobat.
Whether you had the Full Version of Acrobat or not, download and install Adobe Reader 9 and use this as the integrated PDF Reader insider your browser: »www.adobe.com/products/acrobat/r···ep2.html

Update your Version of Java. The current version is 1.6.07: go to »www.java.com/en/download/manual.jsp and download and install the newest Java JRE release.

Clean-up & Prevention:

• Right click "My Computer", Properties, and then click the System Restore tab. Checkmark the box at the top to stop System Restore on all drives. Click the "Apply" button. Agree to the deletion of old Restore Points. Then uncheck the box at the top and again click the "Apply" button. Finally, click the "OK" button. This will create a new Restore Point reflecting your clean system state.

• Click Start, then click Run.
Enter into the command box that opens: combofix /u and then click OK.
(If we have renamed this file, please use the current name for the program in this instruction.)


• Please double-click OTMoveIt.exe to run it again.
• Click on the green CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
• After the list has been download you'll be asked if you want to Begin cleanup process? Select "Yes".
• This step removes the files, folders, and shortcuts created by the tools I had you download and run.

• Run ATF Cleaner , and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.

• Use Control Panel, Add or Remove Programs, and Uninstall any entry related to an On-Line scanner we may have used.
If you find any files or folders created during this cleanup operation remaining, please feel free to delete them.

• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.

• If I asked you to Disable something like TeaTimer or another malware blocker, please go ahead an re-enable them if you wish.

• Suggestion: Download and install Comodo BOClean (free):
http://www.comodo.com/boclean/CBO_download.html
• Suggestion: Download, install, and keep updated Spyware Blaster (free):
http://www.javacoolsoftware.com/spywareblaster.html
• Refer to my first set of instructions above, and reconfigure Hidden Files and Folders to your choosing.

Best wishes.
Bill Castner

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,21076653 Mon, 08 Sep 2008 14:17:31 EDT http://www.dslreports.com/forum/remark,21075533 Annmarie : Hurray! I left the laptop on battery with the box open that asked for the XP CDs, plugged her in and was able to "borrow" the original Windows CD from the exact same laptop another employee was using.

Popped it in and the scan continued without a hitch.

Per this post I will run HJT and post the log here.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:59 AM, on 9/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.giants.com/index2.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - »www.symantec.com/techsupp/asa/ss···tlsr.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - »https://70.90.17.225/Remote/msrdp.cab
O16 - DPF: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} (NPRemvuPluginControl) - »24.46.98.45:8888/common/NPRemvu.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5429 bytes

Once you give me the all clear I need to reinstall Symantec client. Please tell me that will not be a problem - useless but not a problem. Ocassionally the bosses do a walk by and may notice the icon missing from the systray plus I do not want to leave this machine completely vulnerable.

C:\WINDOWS\system32\gbuvidsp.exe

ia still showing on the machine.]]> http://www.dslreports.com/forum/remark,21075533 Mon, 08 Sep 2008 10:43:07 EDT http://www.dslreports.com/forum/remark,21075139 Annmarie : I will hopefully have the full CDs within the hour once I am at the office and maybe the computer will like them and all will be well. I will wait until I have them, finish the scan and post back before I try to delete that file.

If you are referring to this post in regard to the HJT edit »Re: HJT Log - fake alerts I absolutely did that.

And I did post the CFScript.txt file -
ComboFix 08-09-05.04 - STravis 2008-09-07 21:42:34.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.549 [GMT -4:00]
Running from: C:\Documents and Settings\STravis\Desktop\ComboFix.exe
* Created a new restore point

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
.

2008-09-07 19:12 . 2008-09-07 19:12 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-07 19:12 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-07 19:12 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-05 00:04 . 2008-09-06 10:30 d-------- C:\Program Files\Symantec
2008-09-04 23:53 . 2008-09-04 23:53 90,112 --a------ C:\WINDOWS\system32\gbuvidsp.exe
2008-09-04 09:51 . 2008-09-04 09:51 d-------- C:\Program Files\Windows Defender
2008-09-04 08:55 . 2008-09-04 08:55 d-------- C:\Program Files\Trend Micro
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\STravis\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 19:52 . 2008-09-04 16:18 d-------- C:\Program Files\EsetOnlineScanner
2008-09-03 11:44 . 2008-09-03 15:05 127 --a------ C:\WINDOWS\wininit.ini
2008-09-02 23:20 . 2008-09-02 23:20 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\scripting
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\en
2008-08-18 16:25 . 2008-08-18 21:18 d-------- C:\WINDOWS\system32\bits
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\l2schemas
2008-08-18 16:17 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-08-18 16:12 . 2007-02-28 05:53 2,137,600 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-18 15:54 . 2008-04-13 20:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-08-18 15:52 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\[u]0[/u]02942_.tmp
2008-08-17 23:17 . 2008-08-19 21:27 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-14 22:10 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-07 22:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-07 14:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-07 14:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-06 14:30 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-06 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-05 03:23 57,344 ----a-w C:\WINDOWS\system32\userinit.exe
2008-09-03 16:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-03 03:20 --------- d-----w C:\Program Files\Lavasoft
2008-09-03 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-11 19:36 --------- d-----w C:\Documents and Settings\STravis\Application Data\Audacity
2008-08-01 11:46 --------- d-----w C:\Program Files\Google
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2007-03-05 14:02 24,192 ----a-w C:\Documents and Settings\STravis\usbsermptxp.sys
2007-03-05 14:02 22,768 ----a-w C:\Documents and Settings\STravis\usbsermpt.sys
.

------- Sigcheck -------

2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2008-09-04 23:23 57344 b5bfcf3c4dfe120d2bb0f9736a17c065 C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((( snapshot_2008-09-04_23.47.30.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-04 22:07:58 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-05 04:05:37 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2006-11-02 09:46:05 363,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPCDMCLH.DLL
+ 2006-11-02 09:46:11 251,904 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFIME50.DLL
+ 2006-11-02 09:46:05 19,968 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFRES50.DLL
+ 2006-11-02 09:46:11 1,515,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZ3ALHN.DLL
+ 2006-11-02 09:46:05 1,253,888 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZ3RLHN.DLL
+ 2006-11-02 09:46:11 365,568 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZEVLHN.DLL
+ 2006-09-18 21:44:24 562,176 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZSSLHN.DLL
+ 2006-09-18 21:44:24 3,447,808 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZSTLHN.DLL
+ 2006-11-02 09:46:11 2,725,376 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZUILHN.DLL
- 2004-08-04 05:56:48 264,704 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\unidrv.dll
+ 2006-11-02 09:46:13 372,736 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRV.DLL
- 2004-08-04 05:56:48 197,120 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\unidrvui.dll
+ 2006-11-02 09:46:11 740,864 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRVUI.DLL
- 2004-08-04 05:56:36 619,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\unires.dll
+ 2006-11-02 09:41:12 761,344 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIRES.DLL
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 176,128 2005-10-07 04:13:38 C:\Program Files\Apoint\bak\Apoint.exe

----a-w 153,136 2007-03-09 22:53:56 C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe

----a-w 153,136 2007-03-12 17:49:26 C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe

----a-w 52,896 2006-07-20 00:26:04 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 49,152 2005-12-10 01:29:52 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 389,120 2006-07-17 02:29:54 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 132,496 2007-09-25 05:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\bak\msmsgs.exe

----a-w 8,720,384 2007-12-19 01:47:24 C:\Program Files\MySpace\IM\bak\MySpaceIM.exe

----a-w 282,624 2006-09-01 19:57:48 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 125,168 2006-09-28 01:33:44 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe

----a-w 166,304 2007-11-07 00:09:54 C:\Program Files\Zune\bak\ZuneLauncher.exe
----a-w 158,624 2008-04-29 23:56:20 C:\Program Files\Zune\ZuneLauncher.exe

----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 77,824 2005-12-13 07:41:08 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 118,784 2005-12-13 07:45:00 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 98,304 2005-12-13 07:44:18 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 1,347,584 2005-12-19 13:08:42 C:\WINDOWS\system32\bak\WLTRAY.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\STravis\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-01-29 951640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 49152]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-06 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 40704]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 61856]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 245664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9e35fbb-fdda-11dc-934f-0016cf72068b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.giants.com/index2.html
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dell.com/

O16 -: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} - hxxp://24.46.98.45:8888/common/NPRemvu.cab
C:\WINDOWS\Downloaded Program Files\NPRemvu.inf
C:\WINDOWS\NPRemvu.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-09-07 21:44:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-07 21:46:16
ComboFix-quarantined-files.txt 2008-09-08 01:45:52
ComboFix2.txt 2008-09-07 23:08:34
ComboFix3.txt 2008-09-06 14:49:19
ComboFix4.txt 2008-09-05 03:48:56
ComboFix5.txt 2008-09-08 01:42:05

Pre-Run: 40,253,759,488 bytes free
Post-Run: 40,240,181,248 bytes free

182 --- E O F --- 2008-09-06 13:16:35]]> http://www.dslreports.com/forum/remark,21075139 Mon, 08 Sep 2008 09:22:10 EDT http://www.dslreports.com/forum/remark,21074277 bcastner : If you:

1. Did the HijackThis edit I requested earlier.
2. Since you did not create the CFScript.txt file for Combofix, just use Explorer and try to delete this file:

\C:\WINDOWS\system32\gbuvidsp.exe

3. Please see my link about what to do if you do not have an XP "Full" CD to make SFC /Scannow happy. You likely have everything you need to make it happy. Let me know only if you cannot make it happy. We can use your second PC to resolve the issue.

Bill
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,21074277 Mon, 08 Sep 2008 00:47:36 EDT http://www.dslreports.com/forum/remark,21074216 Annmarie : It asked for the CD so I popped it in - the one with the file I copied from another computer but .... "The CD you provided is the wrong CD. Please insert the Windows XP Pro CD ROM ...."

C:\WINDOWS\system32\gbuvidsp.exe is still there.

EDIT: That's it for me for tonight. I will leave the laptop on with the scan box open.]]> http://www.dslreports.com/forum/remark,21074216 Mon, 08 Sep 2008 00:24:40 EDT http://www.dslreports.com/forum/remark,21074158 Annmarie : Scanning now.

While it does I have a quick question: is there a way to determine when or how this infection happened? It is important that I know what employee caused this if I can?
Apparently the paltry AV app we were provided with at the office, Symantec client, did not prevent this.

I was able to install several spyware apps but that was as much as I was allowed.

Still scanning.]]> http://www.dslreports.com/forum/remark,21074158 Mon, 08 Sep 2008 00:06:25 EDT http://www.dslreports.com/forum/remark,21074110 bcastner : OTMOVEIT2 can seem to stop responding. Do not worry about this at the moment.

I want only that his file is gone:

C:\WINDOWS\system32\gbuvidsp.exe

It likely did that no matter what.

Now, see if you can do the SFC /Scannow.

Bill
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,21074110 Sun, 07 Sep 2008 23:55:01 EDT http://www.dslreports.com/forum/remark,21074067 Annmarie : MoveIt freezes up after I paste the list of files. Not responding. I have no other programs running.

EDIT: same happens with a fresh copy]]> http://www.dslreports.com/forum/remark,21074067 Sun, 07 Sep 2008 23:44:26 EDT http://www.dslreports.com/forum/remark,21073972 Annmarie : C:\windows\system32\userinit.exe has just been copied to a CD. I was taken from a laptop with the exact same level OS as the infected laptop.

Before I start the procedure I would just like to clarify where or when I will be using this CD?]]> http://www.dslreports.com/forum/remark,21073972 Sun, 07 Sep 2008 23:24:19 EDT http://www.dslreports.com/forum/remark,21073914 Annmarie : I have 5 computers here at home - all running various flavors of Vista.

The infected machine is XP Pro SP2 - a co workers laptop.

My husbands laptop is XP Pro SP2. Can I simply copy that file to a CD? Is that what you are saying? The link you provided, while very informative, was a bit confusing to me.]]> http://www.dslreports.com/forum/remark,21073914 Sun, 07 Sep 2008 23:08:35 EDT http://www.dslreports.com/forum/remark,21073858 bcastner : No, you cannot use the old CDs of XP.

But, look carefully at the article I linked. You likely have everything you need already in place. If not, you likely have everything you need with a very easy registry change.

I am fairly, not 100%, but fairly convinced that a core file for XP has been replaced with a malware version. Since this computer is at Service Pack 2 level, if you have another machine with XP SP2, I can, if the original advice above cannot resolve matters, use a copy of:

C:\windows\system32\userinit.exe

from a known "clean" XP computer, and let use conclude this malware removal session.

Bill Castner
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,21073858 Sun, 07 Sep 2008 22:57:18 EDT http://www.dslreports.com/forum/remark,21073781 Annmarie : I do not have the CDs for this particular laptop - they are at the office and actually might not be available to me.

I do have a very old version of XP Professional here at home.
It is not installed on any computers. Can I use that CD if it comes down to it?

If this machine goes down it will be bad, very bad so I am very worried. As it is right now it is infected but functional. The wrong CD thing scares me.

How possible is it that the laptop becomes a paperweight?

EDIT: This laptop has SP2 but looking into the old CD I have I see no reference to SP2]]> http://www.dslreports.com/forum/remark,21073781 Sun, 07 Sep 2008 22:39:51 EDT http://www.dslreports.com/forum/remark,21073617 bcastner : We are almost done. This one is a little tricky, as if I screw up here your compute may not be able to restart normally. I do not want that to happen.

We used HijackThis to remove the startup entry for this file, but it is still around.

2008-09-04 23:53 . 2008-09-04 23:53 90,112 --a------ C:\WINDOWS\system32\gbuvidsp.exe

We need to sort this issue, and the concern I have with userinit.exe

Please download to your Desktop OT_MOVEIT:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt2.exe to run the utility.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

[Kill Explorer]C:\WINDOWS\system32\gbuvidsp.exe[EmptyTemps][Start Explorer]
Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window.
IMPORTANT -- Paste only into the left input panel.
Right-click and choose Paste.

Click the red Moveit button.
When it has finished, use your mouse and do a Copy/Paste of the large right-hand panel that shows Results.
Save your Clipboard contents in a new Notepad file, as we will want to review these results later.
Close OTMoveIt2 when it has finished.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Whether you had to reboot or not, when back at the Desktop, click Start, Click Run, and enter into the Command Line that opens:

SFC /Scannow

This may well prompt for your XP CD. Please insert the CD when prompted. If there are issues, or you cannot find the CD, please visit this site for instructions: »www.pcug.org.au/boesen/SFC/SFC.htm

Finally, run HijackThis one last time and post the log file. I think we should be finished.

Best,
Bill Castner

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,21073617 Sun, 07 Sep 2008 22:10:33 EDT http://www.dslreports.com/forum/remark,21073498 Annmarie : I forgot to disconnect from the Internet - did I screw it all up?

ComboFix 08-09-05.04 - STravis 2008-09-07 21:42:34.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.549 [GMT -4:00]
Running from: C:\Documents and Settings\STravis\Desktop\ComboFix.exe
* Created a new restore point

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
.

2008-09-07 19:12 . 2008-09-07 19:12 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-07 19:12 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-07 19:12 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-05 00:04 . 2008-09-06 10:30 d-------- C:\Program Files\Symantec
2008-09-04 23:53 . 2008-09-04 23:53 90,112 --a------ C:\WINDOWS\system32\gbuvidsp.exe
2008-09-04 09:51 . 2008-09-04 09:51 d-------- C:\Program Files\Windows Defender
2008-09-04 08:55 . 2008-09-04 08:55 d-------- C:\Program Files\Trend Micro
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\STravis\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 19:52 . 2008-09-04 16:18 d-------- C:\Program Files\EsetOnlineScanner
2008-09-03 11:44 . 2008-09-03 15:05 127 --a------ C:\WINDOWS\wininit.ini
2008-09-02 23:20 . 2008-09-02 23:20 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\scripting
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\en
2008-08-18 16:25 . 2008-08-18 21:18 d-------- C:\WINDOWS\system32\bits
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\l2schemas
2008-08-18 16:17 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-08-18 16:12 . 2007-02-28 05:53 2,137,600 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-18 15:54 . 2008-04-13 20:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-08-18 15:52 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\[u]0[/u]02942_.tmp
2008-08-17 23:17 . 2008-08-19 21:27 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-14 22:10 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-07 22:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-07 14:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-07 14:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-06 14:30 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-06 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-05 03:23 57,344 ----a-w C:\WINDOWS\system32\userinit.exe
2008-09-03 16:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-03 03:20 --------- d-----w C:\Program Files\Lavasoft
2008-09-03 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-11 19:36 --------- d-----w C:\Documents and Settings\STravis\Application Data\Audacity
2008-08-01 11:46 --------- d-----w C:\Program Files\Google
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2007-03-05 14:02 24,192 ----a-w C:\Documents and Settings\STravis\usbsermptxp.sys
2007-03-05 14:02 22,768 ----a-w C:\Documents and Settings\STravis\usbsermpt.sys
.

------- Sigcheck -------

2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2008-09-04 23:23 57344 b5bfcf3c4dfe120d2bb0f9736a17c065 C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((( snapshot_2008-09-04_23.47.30.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-04 22:07:58 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-05 04:05:37 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2006-11-02 09:46:05 363,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPCDMCLH.DLL
+ 2006-11-02 09:46:11 251,904 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFIME50.DLL
+ 2006-11-02 09:46:05 19,968 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFRES50.DLL
+ 2006-11-02 09:46:11 1,515,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZ3ALHN.DLL
+ 2006-11-02 09:46:05 1,253,888 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZ3RLHN.DLL
+ 2006-11-02 09:46:11 365,568 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZEVLHN.DLL
+ 2006-09-18 21:44:24 562,176 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZSSLHN.DLL
+ 2006-09-18 21:44:24 3,447,808 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZSTLHN.DLL
+ 2006-11-02 09:46:11 2,725,376 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZUILHN.DLL
- 2004-08-04 05:56:48 264,704 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\unidrv.dll
+ 2006-11-02 09:46:13 372,736 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRV.DLL
- 2004-08-04 05:56:48 197,120 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\unidrvui.dll
+ 2006-11-02 09:46:11 740,864 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRVUI.DLL
- 2004-08-04 05:56:36 619,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\unires.dll
+ 2006-11-02 09:41:12 761,344 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIRES.DLL
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 176,128 2005-10-07 04:13:38 C:\Program Files\Apoint\bak\Apoint.exe

----a-w 153,136 2007-03-09 22:53:56 C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe

----a-w 153,136 2007-03-12 17:49:26 C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe

----a-w 52,896 2006-07-20 00:26:04 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 49,152 2005-12-10 01:29:52 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 389,120 2006-07-17 02:29:54 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 132,496 2007-09-25 05:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\bak\msmsgs.exe

----a-w 8,720,384 2007-12-19 01:47:24 C:\Program Files\MySpace\IM\bak\MySpaceIM.exe

----a-w 282,624 2006-09-01 19:57:48 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 125,168 2006-09-28 01:33:44 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe

----a-w 166,304 2007-11-07 00:09:54 C:\Program Files\Zune\bak\ZuneLauncher.exe
----a-w 158,624 2008-04-29 23:56:20 C:\Program Files\Zune\ZuneLauncher.exe

----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 77,824 2005-12-13 07:41:08 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 118,784 2005-12-13 07:45:00 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 98,304 2005-12-13 07:44:18 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 1,347,584 2005-12-19 13:08:42 C:\WINDOWS\system32\bak\WLTRAY.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\STravis\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-01-29 951640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 49152]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-06 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 40704]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 61856]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 245664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9e35fbb-fdda-11dc-934f-0016cf72068b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.giants.com/index2.html
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dell.com/

O16 -: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} - hxxp://24.46.98.45:8888/common/NPRemvu.cab
C:\WINDOWS\Downloaded Program Files\NPRemvu.inf
C:\WINDOWS\NPRemvu.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-09-07 21:44:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-07 21:46:16
ComboFix-quarantined-files.txt 2008-09-08 01:45:52
ComboFix2.txt 2008-09-07 23:08:34
ComboFix3.txt 2008-09-06 14:49:19
ComboFix4.txt 2008-09-05 03:48:56
ComboFix5.txt 2008-09-08 01:42:05

Pre-Run: 40,253,759,488 bytes free
Post-Run: 40,240,181,248 bytes free

182 --- E O F --- 2008-09-06 13:16:35]]> http://www.dslreports.com/forum/remark,21073498 Sun, 07 Sep 2008 21:49:03 EDT http://www.dslreports.com/forum/remark,21073427 bcastner : I was afraid that might be the result. Userinit.exe is, and where it is being referenced from the Registry, a core file.

The one in place has been compromised.

sUBs, the Author of Combofix, has a detection routine for this replacement I would like to use to make sure things are as they should (or must) be.

1. Delete Combofix.exe from your Desktop. I need the newest version.

2. Download and Run -- ComboFix©
Download this file -- to your Desktop -- from any of these sources:
http://download.bleepingcomputer.com/sUBs/ComboFix.exehttp://www.forospyware.com/sUBs/ComboFix.exehttp://subs.geekstogo.com/ComboFix.exe
• Disconnect from the Internet.
• Disable your Antivirus software -- this includes any Script Blocking Feature it may have.

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any disclaimers to start the fix. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

Post back the results of C:\Combofix.txt If there are suitable replacements that Combofix can find, we are nearly done.

Bill Castner

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,21073427 Sun, 07 Sep 2008 21:35:52 EDT http://www.dslreports.com/forum/remark,21073249 Annmarie : File userinit.exe received on 09.08.2008 03:01:29 (CET)Antivirus Version Last Update Result
AhnLab-V3 2008.9.6.0 2008.09.07 -
AntiVir 7.8.1.28 2008.09.07 PHISH/FraudTool.Agent.BW
Authentium 5.1.0.4 2008.09.07 W32/FakeAV2008.BW
Avast 4.8.1195.0 2008.09.07 -
AVG 8.0.0.161 2008.09.07 Win32/Heur
BitDefender 7.2 2008.09.08 -
CAT-QuickHeal 9.50 2008.09.06 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.09.07 -
DrWeb 4.44.0.09170 2008.09.07 -
eSafe 7.0.17.0 2008.09.07 -
eTrust-Vet 31.6.6072 2008.09.05 -
Ewido 4.0 2008.09.07 -
F-Prot 4.4.4.56 2008.09.07 W32/FakeAV2008.BW
F-Secure 8.0.14332.0 2008.09.07 FraudTool.Win32.Agent.bw
Fortinet 3.112.0.0 2008.09.07 W32/Tibs.WA!tr.dldr
GData 19 2008.09.08 -
Ikarus T3.1.1.34.0 2008.09.08 Win32.SuspectCrc
K7AntiVirus 7.10.443 2008.09.05 -
Kaspersky 7.0.0.125 2008.09.08 not-a-virus:FraudTool.Win32.Agent.bw
McAfee 5378 2008.09.05 -
Microsoft 1.3903 2008.09.08 -
NOD32v2 3424 2008.09.07 -
Norman 5.80.02 2008.09.05 -
Panda 9.0.0.4 2008.09.07 -
PCTools 4.4.2.0 2008.09.07 -
Prevx1 V2 2008.09.08 Malicious Software
Rising 20.60.62.00 2008.09.07 -
Sophos 4.33.0 2008.09.07 Mal/EncPk-CO
Sunbelt 3.1.1616.1 2008.09.07 -
Symantec 10 2008.09.08 -
TheHacker 6.3.0.8.075 2008.09.06 -
TrendMicro 8.700.0.1004 2008.09.05 -
VBA32 3.12.8.5 2008.09.07 suspected of Malware-Cryptor.Win32.General.2
ViRobot 2008.9.5.1365 2008.09.06 -
VirusBuster 4.5.11.0 2008.09.07 -
Webwasher-Gateway 6.6.2 2008.09.07 -

Additional information
File size: 57344 bytes
MD5...: b5bfcf3c4dfe120d2bb0f9736a17c065
SHA1..: b51211e9a221c066674a21a33546b8776f09c4a2
SHA256: fade41dd65341422f062aa046b58b7c5d3e3c49a24b0daa2eb6f8a8eea8cd7ee
SHA512: 932efdfa2e62f37d30b8c09bc9192c9c67f2b7c2cb0ad62c7eb0445012f54941
f24e5e57f2997a16006dae399791c8e9d02e92b29479b54cd8f9aaf192e20b75
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4019b0
timedatestamp.....: 0x46cfb54a (Sat Aug 25 04:51:22 2007)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1000 0x1000 4.76 cd14a3572e7c34722c0f663d7b14a38f
.rdata 0x2000 0x1000 0x1000 2.69 0d83fb166d20fbaadfbf7ac107d94153
.data 0x3000 0xa000 0x9000 6.22 28f26301a650cb6b9006659579cb407a
.rsrc 0xd000 0x2000 0x2000 2.50 b3205ebb5f7eeb261eee2f87120c0243

( 1 imports )
> kernel32.dll: GetLastError

( 0 exports )

Prevx info: »info.prevx.com/aboutprogramtext.···B873B577

]]> http://www.dslreports.com/forum/remark,21073249 Sun, 07 Sep 2008 21:07:58 EDT http://www.dslreports.com/forum/remark,21073202 Annmarie : Service load: 0% 100%

File: userinit.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: b5bfcf3c4dfe120d2bb0f9736a17c065
Packers detected: -

Scanner results
Scan taken on 08 Sep 2008 00:20:25 (GMT)
A-Squared Found Win32.SuspectCrc
AntiVir Found PHISH/FraudTool.Agent.BW
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found W32/FakeAV2008.BW
F-Secure Anti-Virus Found not-a-virus:FraudTool.Win32.Agent.bw (6, 2, 616)
Ikarus Found Win32.SuspectCrc
Kaspersky Anti-Virus Found not-a-virus:FraudTool.Win32.Agent.bw
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-CO
VirusBuster Found nothing
VBA32 Found Malware-Cryptor.Win32.General.2 (probable variant)

Statistics
Last file scanned at least one scanner reported something about: Website_Ripper_Copier_3.2.zip (MD5: 6d56ab0c38aa016c924051a44246ba80, size: 2717787 bytes), detected by:

Scanner Malware name
A-Squared X
AntiVir X
ArcaVir X
Avast X
AVG Antivirus Win32/Themida
BitDefender X
ClamAV X
CPsecure X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus Trojan-Downloader.Win32.Bagle.aaw
Ikarus X
Kaspersky Anti-Virus Trojan-Downloader.Win32.Bagle.aaw
NOD32 X
Norman Virus Control X
Panda Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 X

]]> http://www.dslreports.com/forum/remark,21073202 Sun, 07 Sep 2008 21:00:06 EDT http://www.dslreports.com/forum/remark,21072999 Annmarie : (1) MBAM Log results:
Malwarebytes' Anti-Malware 1.26
Database version: 1103
Windows 5.1.2600 Service Pack 2

9/7/2008 8:12:06 PM
mbam-log-2008-09-07 (20-12-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 92797
Time elapsed: 41 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

2. Contents of Combofix.txt
ComboFix 08-09-04.08 - STravis 2008-09-07 19:00:39.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.606 [GMT -4:00]
Running from: C:\Documents and Settings\STravis\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\STravis\Desktop\CFScript.txt
* Created a new restore point

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
.

2008-09-06 22:53 . 2008-09-06 22:53 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-06 22:53 . 2008-09-02 00:26 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-06 22:53 . 2008-09-02 00:25 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-05 00:04 . 2008-09-06 10:30 d-------- C:\Program Files\Symantec
2008-09-04 23:53 . 2008-09-04 23:53 90,112 --a------ C:\WINDOWS\system32\gbuvidsp.exe
2008-09-04 09:51 . 2008-09-04 09:51 d-------- C:\Program Files\Windows Defender
2008-09-04 08:55 . 2008-09-04 08:55 d-------- C:\Program Files\Trend Micro
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\STravis\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 19:52 . 2008-09-04 16:18 d-------- C:\Program Files\EsetOnlineScanner
2008-09-03 11:44 . 2008-09-03 15:05 127 --a------ C:\WINDOWS\wininit.ini
2008-09-02 23:20 . 2008-09-02 23:20 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\scripting
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\en
2008-08-18 16:25 . 2008-08-18 21:18 d-------- C:\WINDOWS\system32\bits
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\l2schemas
2008-08-18 16:17 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-08-18 16:12 . 2007-02-28 05:53 2,137,600 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-18 15:54 . 2008-04-13 20:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-08-18 15:52 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\[u]0[/u]02942_.tmp
2008-08-17 23:17 . 2008-08-19 21:27 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-14 22:10 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-07 22:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-07 14:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-07 14:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-06 14:30 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-06 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-05 03:23 57,344 ----a-w C:\WINDOWS\system32\userinit.exe
2008-09-03 16:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-03 03:20 --------- d-----w C:\Program Files\Lavasoft
2008-09-03 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-11 19:36 --------- d-----w C:\Documents and Settings\STravis\Application Data\Audacity
2008-08-01 11:46 --------- d-----w C:\Program Files\Google
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2007-03-05 14:02 24,192 ----a-w C:\Documents and Settings\STravis\usbsermptxp.sys
2007-03-05 14:02 22,768 ----a-w C:\Documents and Settings\STravis\usbsermpt.sys
.

------- Sigcheck -------

2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2008-09-04 23:23 57344 b5bfcf3c4dfe120d2bb0f9736a17c065 C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((( snapshot_2008-09-04_23.47.30.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-04 22:07:58 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-05 04:05:37 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2006-11-02 09:46:05 363,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPCDMCLH.DLL
+ 2006-11-02 09:46:11 251,904 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFIME50.DLL
+ 2006-11-02 09:46:05 19,968 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFRES50.DLL
+ 2006-11-02 09:46:11 1,515,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZ3ALHN.DLL
+ 2006-11-02 09:46:05 1,253,888 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZ3RLHN.DLL
+ 2006-11-02 09:46:11 365,568 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZEVLHN.DLL
+ 2006-09-18 21:44:24 562,176 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZSSLHN.DLL
+ 2006-09-18 21:44:24 3,447,808 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZSTLHN.DLL
+ 2006-11-02 09:46:11 2,725,376 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZUILHN.DLL
- 2004-08-04 05:56:48 264,704 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\unidrv.dll
+ 2006-11-02 09:46:13 372,736 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRV.DLL
- 2004-08-04 05:56:48 197,120 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\unidrvui.dll
+ 2006-11-02 09:46:11 740,864 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRVUI.DLL
- 2004-08-04 05:56:36 619,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\unires.dll
+ 2006-11-02 09:41:12 761,344 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIRES.DLL
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 176,128 2005-10-07 04:13:38 C:\Program Files\Apoint\bak\Apoint.exe

----a-w 153,136 2007-03-09 22:53:56 C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe

----a-w 153,136 2007-03-12 17:49:26 C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe

----a-w 52,896 2006-07-20 00:26:04 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 49,152 2005-12-10 01:29:52 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 389,120 2006-07-17 02:29:54 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 132,496 2007-09-25 05:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\bak\msmsgs.exe

----a-w 8,720,384 2007-12-19 01:47:24 C:\Program Files\MySpace\IM\bak\MySpaceIM.exe

----a-w 282,624 2006-09-01 19:57:48 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 125,168 2006-09-28 01:33:44 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe

----a-w 166,304 2007-11-07 00:09:54 C:\Program Files\Zune\bak\ZuneLauncher.exe
----a-w 158,624 2008-04-29 23:56:20 C:\Program Files\Zune\ZuneLauncher.exe

----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 77,824 2005-12-13 07:41:08 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 118,784 2005-12-13 07:45:00 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 98,304 2005-12-13 07:44:18 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 1,347,584 2005-12-19 13:08:42 C:\WINDOWS\system32\bak\WLTRAY.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\STravis\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-01-29 951640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 49152]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-06 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 40704]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 61856]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 245664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9e35fbb-fdda-11dc-934f-0016cf72068b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-09-07 19:03:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-09-07 19:08:33
ComboFix-quarantined-files.txt 2008-09-07 23:07:30
ComboFix2.txt 2008-09-06 14:49:19
ComboFix3.txt 2008-09-05 03:48:56
ComboFix4.txt 2008-09-04 03:30:40

Pre-Run: 40,295,854,080 bytes free
Post-Run: 40,281,223,168 bytes free

171 --- E O F --- 2008-09-06 13:16:35

3.new HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:51 PM, on 9/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.giants.com/index2.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - »www.symantec.com/techsupp/asa/ss···tlsr.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - »https://70.90.17.225/Remote/msrdp.cab
O16 - DPF: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} (NPRemvuPluginControl) - »24.46.98.45:8888/common/NPRemvu.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5379 bytes

Will submit the previously mentioned file right now and post back on that.]]> http://www.dslreports.com/forum/remark,21072999 Sun, 07 Sep 2008 20:18:27 EDT http://www.dslreports.com/forum/remark,21071850 bcastner : If MBAM or Combofix request or force a reboot, allow them to do so. Some malware infectors can only be removed during the reboot process, as they are then in an inactive state.

1. Open HijackThis again, System scan only. Checkmark these items:

O4 - HKCU\..\Run: [AdmApiCmd] C:\WINDOWS\system32\gbuvidsp.exe

Click "Fix checked" and when the log panel clears exit HijackThis.

2. We need to run Combofix again.

Right-click on the header of the Code box below, where on the right side it says: "Copy to clipboard" or as above use your Mouse to do a Copy/Paste:
File::C:\WINDOWS\system32\gbuvidsp.exe 
Open a new Notepad session - (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

• Disconnect from the Internet.
• Disable your Antivirus. If the Antivirus software you use has any Script Blocking features, be certain to disable these as well.
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any Disclaimers to start the fix.
Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:


When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.
•!• A caution - Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

3. Run MBAM again, just as instructed earlier above. It should report a clean result.

4. Run HijackThis again, and save the log file.

Submit to the Forum:
• You new MBAM log result;
• The contents of C:\Combofix.txt;
• The new HijackThis log.

Now, a favor. I want you to submit for anlysis this file:

c:\windows\system32\userinit.exe

I regularly submit (on-line) files to be scanned for malware. These two sites are my favorites, and use multiple AV programs for their scans -- up to 32 different major AV products are used to scan the file:

• Jotti's Virus Scan
»virusscan.jotti.org/

• VirusTotal
»www.virustotal.com/

These servers can be busy, but the whole process is surprisingly fast for such extensive AV testing. There is the added "Good Citizenship" factor -- if the file is found suspicious it automatically alerts the antivirus vendors of a new malware to include in their definition files.

Submit to both, and report the results back to the Forum. I appreciate this extra step on your part.

Bill Castner

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,21071850 Sun, 07 Sep 2008 16:23:15 EDT http://www.dslreports.com/forum/remark,21069135 Annmarie : (1)
MBAM log results after uninstall old and reinstall new:
Malwarebytes' Anti-Malware 1.26
Database version: 1120
Windows 5.1.2600 Service Pack 2

9/6/2008 11:42:01 PM
mbam-log-2008-09-06 (23-42-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 92965
Time elapsed: 41 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

(2)
Combofix.txt:
ComboFix 08-09-04.08 - STravis 2008-09-06 10:40:41.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.476 [GMT -4:00]
Running from: C:\Documents and Settings\STravis\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\STravis\Desktop\CFscript.txt
* Created a new restore point

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\zehchwhk
C:\Documents and Settings\All Users\Application Data\zehchwhk\lyhshubi.exe
C:\WINDOWS\system32\fozixwjc.exe
C:\WINDOWS\system32\ujyhuhgd.exe
C:\WINDOWS\system32\xcxebazm.exe
C:\WINDOWS\system32\ynejmroz.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-06 to 2008-09-06 )))))))))))))))))))))))))))))))
.

2008-09-05 00:04 . 2008-09-06 10:30 d-------- C:\Program Files\Symantec
2008-09-04 23:53 . 2008-09-04 23:53 90,112 --a------ C:\WINDOWS\system32\gbuvidsp.exe
2008-09-04 09:51 . 2008-09-04 09:51 d-------- C:\Program Files\Windows Defender
2008-09-04 08:55 . 2008-09-04 08:55 d-------- C:\Program Files\Trend Micro
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\STravis\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-03 20:21 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-03 19:52 . 2008-09-04 16:18 d-------- C:\Program Files\EsetOnlineScanner
2008-09-03 11:44 . 2008-09-03 15:05 127 --a------ C:\WINDOWS\wininit.ini
2008-09-02 23:20 . 2008-09-02 23:20 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\scripting
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\en
2008-08-18 16:25 . 2008-08-18 21:18 d-------- C:\WINDOWS\system32\bits
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\l2schemas
2008-08-18 16:17 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-08-18 16:12 . 2007-02-28 05:53 2,137,600 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-18 15:54 . 2008-04-13 20:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-08-18 15:52 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\[u]0[/u]02942_.tmp
2008-08-17 23:17 . 2008-08-19 21:27 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-14 22:10 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-06 14:30 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-06 14:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-06 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-06 14:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-06 13:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-05 03:23 57,344 ----a-w C:\WINDOWS\system32\userinit.exe
2008-09-03 16:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-03 03:20 --------- d-----w C:\Program Files\Lavasoft
2008-09-03 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-11 19:36 --------- d-----w C:\Documents and Settings\STravis\Application Data\Audacity
2008-08-01 11:46 --------- d-----w C:\Program Files\Google
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2007-03-05 14:02 24,192 ----a-w C:\Documents and Settings\STravis\usbsermptxp.sys
2007-03-05 14:02 22,768 ----a-w C:\Documents and Settings\STravis\usbsermpt.sys
.

------- Sigcheck -------

2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2008-09-04 23:23 57344 b5bfcf3c4dfe120d2bb0f9736a17c065 C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((( snapshot_2008-09-04_23.47.30.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-04 22:07:58 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-05 04:05:37 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 176,128 2005-10-07 04:13:38 C:\Program Files\Apoint\bak\Apoint.exe

----a-w 153,136 2007-03-09 22:53:56 C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe

----a-w 153,136 2007-03-12 17:49:26 C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe

----a-w 52,896 2006-07-20 00:26:04 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 49,152 2005-12-10 01:29:52 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 389,120 2006-07-17 02:29:54 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 132,496 2007-09-25 05:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\bak\msmsgs.exe

----a-w 8,720,384 2007-12-19 01:47:24 C:\Program Files\MySpace\IM\bak\MySpaceIM.exe

----a-w 282,624 2006-09-01 19:57:48 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 125,168 2006-09-28 01:33:44 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe

----a-w 166,304 2007-11-07 00:09:54 C:\Program Files\Zune\bak\ZuneLauncher.exe
----a-w 158,624 2008-04-29 23:56:20 C:\Program Files\Zune\ZuneLauncher.exe

----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 77,824 2005-12-13 07:41:08 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 118,784 2005-12-13 07:45:00 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 98,304 2005-12-13 07:44:18 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 1,347,584 2005-12-19 13:08:42 C:\WINDOWS\system32\bak\WLTRAY.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"AdmApiCmd"="C:\WINDOWS\system32\gbuvidsp.exe" [2008-09-04 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\STravis\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-01-29 951640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 49152]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-06 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 40704]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 61856]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 245664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9e35fbb-fdda-11dc-934f-0016cf72068b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - ERASERUTILDRV10822
*Newly Created Service* - NAVENG
*Newly Created Service* - NAVEX15
*Newly Created Service* - SAVRT
*Newly Created Service* - SAVRTPEL
*Newly Created Service* - SPBBCDRV
*Newly Created Service* - SYMEVENT
*Newly Created Service* - SYMREDRV
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-09-06 10:43:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-09-06 10:49:18
ComboFix-quarantined-files.txt 2008-09-06 14:48:15
ComboFix2.txt 2008-09-05 03:48:56
ComboFix3.txt 2008-09-04 03:30:40

Pre-Run: 40,361,709,568 bytes free
Post-Run: 40,347,242,496 bytes free

179 --- E O F --- 2008-09-06 13:16:35

(3)
New HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:26 PM, on 9/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\gbuvidsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.giants.com/index2.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdmApiCmd] C:\WINDOWS\system32\gbuvidsp.exe
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - »www.symantec.com/techsupp/asa/ss···tlsr.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - »https://70.90.17.225/Remote/msrdp.cab
O16 - DPF: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} (NPRemvuPluginControl) - »24.46.98.45:8888/common/NPRemvu.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5575 bytes

FYI: as I clicked spell check before hitting post now the security alert graphic popped up like in my first post. Oy!]]> http://www.dslreports.com/forum/remark,21069135 Sat, 06 Sep 2008 23:54:20 EDT http://www.dslreports.com/forum/remark,21068174 Annmarie : I found the combofix.txt file so I am OK on that but am still concerned on the reboot. Have stopped at that part. Did not reboor or download a fresh copy of malwarebytes yet.]]> http://www.dslreports.com/forum/remark,21068174 Sat, 06 Sep 2008 13:12:35 EDT http://www.dslreports.com/forum/remark,21067663 Annmarie : ISSUE!

Procedure went fine up to this point:

Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:

When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.
•!• A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

!! When the CF scan completed I did File and Exit but did NOT get a the "save changes" question. The log simply blinked away. There is a log.txt file in My Documents but it is dated 9/4/08 and I can only assume it is from the pre-cleanup procedures.

Might that log.txt be somewhere else? I will look but I am not going to perform any more scans until I hear back.

EDIT: no current log.txt and Malwarebytes asks for a reboot to finish the uninstall of current installation. Will a reboot be OK?

Also, since the AV is managed by the main corporate office there is no disable feature so I simply uninstalled it and will reinstall once the machine is clean. It found no issues when this all began so I am less than thrilled with it to begin with. ]]> http://www.dslreports.com/forum/remark,21067663 Sat, 06 Sep 2008 11:02:44 EDT http://www.dslreports.com/forum/remark,21062367 bcastner : #1. We should be able to clean this completely without major trauma (or surgery).

#2. This malware infection does not spread through network shares. Your home network machines will be fine.

Best regards,
Bill Castner
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,21062367 Fri, 05 Sep 2008 12:37:17 EDT http://www.dslreports.com/forum/remark,21061924 Annmarie : Thank you so much for responding. I have printed out your instructions and will follow them exactly as written.

1. I have to do this tonight since we are at work now and prying eyes won't allow this to happen just yet.

2. This is a vital office laptop - what are the chances, even if I follow the steps explicitly - that it will die a sorry death. A format will effect both my co workers and my job status. As it is, the employee who caused this to happen ( used the computer and stopped all virus/malware protection) will be fired. Before that happens I need to ascertain a date if possible.

3. Once I bring this laptop home I need to allow it access to my wireless network. Should I be worried about my home machines which have virus protection as well as several malware protection apps in real time.

FYI - our work computers came with the Symantec client which we are not allowed to uninstall. I prefer AVG but that is not going to happen. We all run SpyBot on a daily schedule as well as AdAware on a daily basis. I insist on it or I will not clean the computers. I will now be running ESET also as recommended by lilhurricane. CCleaner is run before shutdown each night.

I will post back once I have completed your instructions.]]> http://www.dslreports.com/forum/remark,21061924 Fri, 05 Sep 2008 11:16:32 EDT http://www.dslreports.com/forum/remark,21061477 bcastner : First Steps
:!: The following instructions are only for this Forum member. Please do not use these instructions on another computer system. You can seriously damage your system by following the instructions below without guided assistance. You assuredly will make a cleanup of your system more difficult.

Please download ATF Cleaner
http://www.atribune.org/ccount/click.php?id=1It does not require any installation.. It is set up to clean Windows TEMP folders, as well as IE, FireFox and Opera, Temporary Internet Files and Cookies.
• Double-click ATF-Cleaner.exe to run the program.

First Step:
• Under Main choose: Select All
• Click the Empty Selected button.
Next, if you use Firefox (and some Mozilla-based browsers)
• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
Next, if you use the Opera browser
• Click Opera at the top and choose: Select All
• Click the Empty Selected button. :!: Click Exit on the Main menu to close the program.

Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:
• Close all programs so that you are at your desktop.
• Double-click on the My Computer icon.
• Select the Tools menu and click Folder Options.
• After the new window appears select the View tab.
• Put a checkmark in the checkbox labeled Display the contents of system folders.
• Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
• Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
• Remove the checkmark from the checkbox labeled Hide protected operating system files.
• Press the Apply button and then the OK button and exit My Computer.
• Now your computer is configured to show all hidden files.

TeaTimer is an excellent tool for the prevention of spyware but it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
• Open Spybot Search & Destroy.
• In the Mode menu click "Advanced mode" if not already selected.
• Choose Yes at the Warning prompt.
• Expand the Tools menu.
• Click Resident.
• Uncheck the Resident "TeaTimer" (Protection of overall system settings) active. box.
• In the File menu click Exit to exit Spybot Search & Destroy.
• Download and Unzip to your Desktop: »www.techsupportforum.com/sectool···imer.zip
• Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Malware Removal Steps
1. Open HijackThis again, System scan only. Checkmark these items:

O4 - HKCU\..\Run: [ApiSrv] C:\WINDOWS\system32\fozixwjc.exe
O4 - HKCU\..\Run: [cmdinfo] C:\WINDOWS\system32\ujyhuhgd.exe
O4 - HKCU\..\Run: [setsh] C:\WINDOWS\system32\xcxebazm.exe
O4 - HKLM\..\Policies\Explorer\Run: [iQkkP4fm85] C:\Documents and Settings\All Users\Application Data\zehchwhk\lyhshubi.exe

Click "Fix checked" and when the log panel clears exit HijackThis.

2. Download -- but do not yet run -- ComboFix©

Download this file -- to your Desktop -- from any of these sources:
http://download.bleepingcomputer.com/sUBs/ComboFix.exehttp://www.forospyware.com/sUBs/ComboFix.exehttp://subs.geekstogo.com/ComboFix.exe
Right-click on the header of the Code box below, where on the right side it says: "Copy to clipboard" or use your Mouse to do a Copy/Paste:
Registry::[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]"iQkkP4fm85"=- Folder::C:\Documents and Settings\All Users\Application Data\zehchwhk File::C:\WINDOWS\system32\ynejmroz.exeC:\WINDOWS\system32\xcxebazm.exeC:\WINDOWS\system32\ujyhuhgd.exeC:\WINDOWS\system32\fozixwjc.exe 
Open a new Notepad session - (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Be sure your Notepad document now matches what you see in the Code Box. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

• Disconnect from the Internet.
• Disable your Antivirus. If the Antivirus software you use has any Script Blocking features, be certain to disable these as well.
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any Disclaimers to start the fix.
Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:


When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.
•!• A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

3. Use Add or Remove Programs and Uninstall your current installation of Malwarebyte's Anti-malware. Then please download MalwareBytes Anti-malware (MBAM) again from one of the following links:
http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.htmlhttp://www.besttechie.net/tools/mbam-setup.exe
Once downloaded, close all programs and Windows on your computer (including this one.)

Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.

When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.

MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program.

On the Scanner tab, make sure the the Perform quick scan option is Un-selected and then click on the Scan button to start scanning your computer.

MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.

When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click Show Results. Make sure all entries have a checkmark at their far left. You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine.

When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window. Remember where you saved the log file, as we will want to see it later.

4. Run HijackThis again, and save the log file.

Submit to the Forum:
• The MBAM log results;
• The contents of C:\Combofix.txt;
• The new HijackThis log.

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,21061477 Fri, 05 Sep 2008 09:42:34 EDT http://www.dslreports.com/forum/remark,21060277 Annmarie : Fresh combofix log ran in Safe Mode:

ComboFix 08-09-04.08 - STravis 2008-09-04 23:38:46.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.784 [GMT -4:00]
Running from: C:\Documents and Settings\STravis\Desktop\ComboFix.exe

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
.

2008-09-04 18:07 . 2006-09-18 17:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-09-04 18:07 . 2006-09-18 17:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-09-04 18:06 . 2008-09-04 18:07 d-------- C:\Program Files\Symantec
2008-09-04 18:04 . 2008-09-04 18:04 94,208 --a------ C:\WINDOWS\system32\ynejmroz.exe
2008-09-04 10:12 . 2008-09-04 10:12 94,208 --a------ C:\WINDOWS\system32\xcxebazm.exe
2008-09-04 09:51 . 2008-09-04 09:51 d-------- C:\Program Files\Windows Defender
2008-09-04 08:55 . 2008-09-04 08:55 d-------- C:\Program Files\Trend Micro
2008-09-03 21:44 . 2008-09-03 21:44 86,016 --a------ C:\WINDOWS\system32\ujyhuhgd.exe
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\STravis\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-03 20:21 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-03 19:52 . 2008-09-04 16:18 d-------- C:\Program Files\EsetOnlineScanner
2008-09-03 11:44 . 2008-09-03 15:05 127 --a------ C:\WINDOWS\wininit.ini
2008-09-02 23:20 . 2008-09-02 23:20 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-02 23:06 . 2008-09-02 23:06 d-------- C:\Documents and Settings\All Users\Application Data\zehchwhk
2008-09-02 23:06 . 2008-09-02 23:06 81,920 --a------ C:\WINDOWS\system32\fozixwjc.exe
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\scripting
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\en
2008-08-18 16:25 . 2008-08-18 21:18 d-------- C:\WINDOWS\system32\bits
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\l2schemas
2008-08-18 16:17 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-08-18 16:12 . 2007-02-28 05:53 2,137,600 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-18 15:54 . 2008-04-13 20:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-08-18 15:52 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\[u]0[/u]02942_.tmp
2008-08-17 23:17 . 2008-08-19 21:27 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-14 22:10 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 03:34 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-05 03:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-05 03:23 57,344 ----a-w C:\WINDOWS\system32\userinit.exe
2008-09-05 02:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-04 22:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-04 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-03 16:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-03 03:20 --------- d-----w C:\Program Files\Lavasoft
2008-09-03 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-11 19:36 --------- d-----w C:\Documents and Settings\STravis\Application Data\Audacity
2008-08-01 11:46 --------- d-----w C:\Program Files\Google
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2007-03-05 14:02 24,192 ----a-w C:\Documents and Settings\STravis\usbsermptxp.sys
2007-03-05 14:02 22,768 ----a-w C:\Documents and Settings\STravis\usbsermpt.sys
.

------- Sigcheck -------

2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2008-09-04 23:23 57344 b5bfcf3c4dfe120d2bb0f9736a17c065 C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((( snapshot@2008-09-03_23.29.04.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-04 21:11:41 25,214 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\ARPPRODUCTICON.exe
+ 2008-09-04 22:07:58 25,214 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\ARPPRODUCTICON.exe
- 2008-03-04 21:11:39 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-04 22:07:58 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2008-03-04 21:11:40 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-04 22:07:58 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2006-09-28 01:35:04 34,600 ----a-w C:\WINDOWS\system32\cba.dll
+ 2006-09-28 00:35:04 34,600 ----a-w C:\WINDOWS\system32\cba.dll
- 2006-08-07 21:01:56 12,992 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
+ 2006-08-07 20:01:56 12,992 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
- 2006-08-07 21:02:02 110,784 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
+ 2006-08-07 20:02:02 110,784 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
- 2006-08-07 21:02:18 31,936 ----a-w C:\WINDOWS\system32\drivers\symids.sys
+ 2006-08-07 20:02:18 31,936 ----a-w C:\WINDOWS\system32\drivers\symids.sys
- 2006-08-07 21:02:14 28,352 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
+ 2006-08-07 20:02:14 28,352 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
- 2006-08-07 21:02:22 24,768 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
+ 2006-08-07 20:02:22 24,768 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
- 2006-08-07 21:02:26 195,776 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
+ 2006-08-07 20:02:26 195,776 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
+ 2004-08-04 10:00:00 24,576 ----a-w C:\WINDOWS\system32\init32.exe
- 2007-03-15 22:19:28 1,476,992 ------w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 22:06:36 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.DLL
- 2006-09-28 01:35:04 83,696 ----a-w C:\WINDOWS\system32\loc32vc0.dll
+ 2006-09-28 00:35:04 83,696 ----a-w C:\WINDOWS\system32\loc32vc0.dll
- 2003-03-19 03:12:12 1,047,552 ----a-w C:\WINDOWS\system32\mfc71u.dll
+ 2003-03-19 02:12:12 1,047,552 ----a-w C:\WINDOWS\system32\mfc71u.dll
- 2008-08-05 18:11:01 15,888,504 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-08-05 15:11:02 15,888,504 ----a-w C:\WINDOWS\system32\MRT.exe
- 2006-09-28 01:35:06 46,896 ----a-w C:\WINDOWS\system32\msgsys.dll
+ 2006-09-28 00:35:06 46,896 ----a-w C:\WINDOWS\system32\msgsys.dll
- 2006-09-28 01:33:54 43,760 ----a-w C:\WINDOWS\system32\NavLogon.dll
+ 2006-09-28 00:33:54 43,760 ----a-w C:\WINDOWS\system32\NavLogon.dll
- 2006-09-28 01:35:06 83,752 ----a-w C:\WINDOWS\system32\nts.dll
+ 2006-09-28 00:35:06 83,752 ----a-w C:\WINDOWS\system32\nts.dll
- 2006-09-28 01:35:08 83,752 ----a-w C:\WINDOWS\system32\pds.dll
+ 2006-09-28 00:35:08 83,752 ----a-w C:\WINDOWS\system32\pds.dll
- 2006-08-07 21:02:32 534,208 ----a-w C:\WINDOWS\system32\SymNeti.dll
+ 2006-08-07 20:02:32 534,208 ----a-w C:\WINDOWS\system32\SymNeti.dll
- 2006-08-07 21:02:30 161,472 ----a-w C:\WINDOWS\system32\SymRedir.dll
+ 2006-08-07 20:02:30 161,472 ----a-w C:\WINDOWS\system32\SymRedir.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 176,128 2005-10-07 04:13:38 C:\Program Files\Apoint\bak\Apoint.exe

----a-w 153,136 2007-03-09 22:53:56 C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe

----a-w 153,136 2007-03-12 17:49:26 C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe

----a-w 52,896 2006-07-20 00:26:04 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 52,896 2006-07-19 23:26:04 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 49,152 2005-12-10 01:29:52 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 389,120 2006-07-17 02:29:54 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 132,496 2007-09-25 05:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\bak\msmsgs.exe

----a-w 8,720,384 2007-12-19 01:47:24 C:\Program Files\MySpace\IM\bak\MySpaceIM.exe

----a-w 282,624 2006-09-01 19:57:48 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 125,168 2006-09-28 01:33:44 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
----a-w 125,168 2006-09-28 00:33:44 C:\Program Files\Symantec AntiVirus\VPTray.exe

----a-w 166,304 2007-11-07 00:09:54 C:\Program Files\Zune\bak\ZuneLauncher.exe
----a-w 158,624 2008-04-29 23:56:20 C:\Program Files\Zune\ZuneLauncher.exe

----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 77,824 2005-12-13 07:41:08 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 118,784 2005-12-13 07:45:00 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 98,304 2005-12-13 07:44:18 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 1,347,584 2005-12-19 13:08:42 C:\WINDOWS\system32\bak\WLTRAY.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"ApiSrv"="C:\WINDOWS\system32\fozixwjc.exe" [2008-09-02 81920]
"cmdinfo"="C:\WINDOWS\system32\ujyhuhgd.exe" [2008-09-03 86016]
"setsh"="C:\WINDOWS\system32\xcxebazm.exe" [2008-09-04 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"iQkkP4fm85"="C:\Documents and Settings\All Users\Application Data\zehchwhk\lyhshubi.exe" [2008-09-02 65536]

C:\Documents and Settings\STravis\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-01-29 951640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 49152]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-06 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 40704]
S2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 61856]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 245664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9e35fbb-fdda-11dc-934f-0016cf72068b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.dell.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dell.com/

O16 -: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} - hxxp://24.46.98.45:8888/common/NPRemvu.cab
C:\WINDOWS\Downloaded Program Files\NPRemvu.inf
C:\WINDOWS\NPRemvu.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-09-04 23:42:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-09-04 23:48:55
ComboFix-quarantined-files.txt 2008-09-05 03:47:52
ComboFix2.txt 2008-09-04 03:30:40

Pre-Run: 37,492,264,960 bytes free
Post-Run: 37,495,316,480 bytes free

219 --- E O F --- 2008-09-03 19:06:11]]> http://www.dslreports.com/forum/remark,21060277 Thu, 04 Sep 2008 23:59:04 EDT http://www.dslreports.com/forum/remark,21059839 Annmarie : Combofix log:

ComboFix 08-09-03.02 - STravis 2008-09-03 22:58:17.1 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\STravis\My Documents\ComboFix.exe

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

((((((((((((((((((((((((( Files Created from 2008-08-04 to 2008-09-04 )))))))))))))))))))))))))))))))
.

2008-09-03 21:44 . 2008-09-03 21:44 86,016 --a------ C:\WINDOWS\system32\ujyhuhgd.exe
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\STravis\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-03 20:21 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-03 19:52 . 2008-09-03 19:54 d-------- C:\Program Files\EsetOnlineScanner
2008-09-03 11:44 . 2008-09-03 15:05 127 --a------ C:\WINDOWS\wininit.ini
2008-09-02 23:20 . 2008-09-02 23:20 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-02 23:06 . 2008-09-02 23:06 d-------- C:\Documents and Settings\All Users\Application Data\zehchwhk
2008-09-02 23:06 . 2008-09-02 23:06 81,920 --a------ C:\WINDOWS\system32\fozixwjc.exe
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\scripting
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\en
2008-08-18 16:25 . 2008-08-18 21:18 d-------- C:\WINDOWS\system32\bits
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\l2schemas
2008-08-18 16:17 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-08-18 16:12 . 2007-02-28 05:53 2,137,600 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-18 15:54 . 2008-04-13 20:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-08-18 15:52 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\[u]0[/u]02942_.tmp
2008-08-17 23:17 . 2008-08-19 21:27 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-14 22:10 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-04 02:53 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-04 02:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-03 23:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-03 16:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-03 03:20 --------- d-----w C:\Program Files\Lavasoft
2008-09-03 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-11 19:36 --------- d-----w C:\Documents and Settings\STravis\Application Data\Audacity
2008-08-01 11:46 --------- d-----w C:\Program Files\Google
2007-03-05 14:02 24,192 ----a-w C:\Documents and Settings\STravis\usbsermptxp.sys
2007-03-05 14:02 22,768 ----a-w C:\Documents and Settings\STravis\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 176,128 2005-10-07 04:13:38 C:\Program Files\Apoint\bak\Apoint.exe

----a-w 153,136 2007-03-09 22:53:56 C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe

----a-w 153,136 2007-03-12 17:49:26 C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe

----a-w 52,896 2006-07-20 00:26:04 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 52,896 2006-07-20 00:26:04 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 49,152 2005-12-10 01:29:52 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 389,120 2006-07-17 02:29:54 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 132,496 2007-09-25 05:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\bak\msmsgs.exe

----a-w 8,720,384 2007-12-19 01:47:24 C:\Program Files\MySpace\IM\bak\MySpaceIM.exe

----a-w 282,624 2006-09-01 19:57:48 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 125,168 2006-09-28 01:33:44 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
----a-w 125,168 2006-09-28 01:33:44 C:\Program Files\Symantec AntiVirus\VPTray.exe

----a-w 166,304 2007-11-07 00:09:54 C:\Program Files\Zune\bak\ZuneLauncher.exe
----a-w 158,624 2008-04-29 23:56:20 C:\Program Files\Zune\ZuneLauncher.exe

----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 77,824 2005-12-13 07:41:08 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 118,784 2005-12-13 07:45:00 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 98,304 2005-12-13 07:44:18 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 1,347,584 2005-12-19 13:08:42 C:\WINDOWS\system32\bak\WLTRAY.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"ApiSrv"="C:\WINDOWS\system32\fozixwjc.exe" [2008-09-02 81920]
"cmdinfo"="C:\WINDOWS\system32\ujyhuhgd.exe" [2008-09-03 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"iQkkP4fm85"="C:\Documents and Settings\All Users\Application Data\zehchwhk\lyhshubi.exe" [2008-09-02 65536]

C:\Documents and Settings\STravis\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-01-29 951640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 49152]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-06 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 40704]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 61856]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 245664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9e35fbb-fdda-11dc-934f-0016cf72068b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

Notify-dimsntfy - (no file)

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.dell.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dell.com/
O8 -: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 -: &Translate English Word - C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 -: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 -: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 -: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 -: Translate Page into English - C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O16 -: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} - hxxp://24.46.98.45:8888/common/NPRemvu.cab
C:\WINDOWS\Downloaded Program Files\NPRemvu.inf
C:\WINDOWS\NPRemvu.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-09-03 23:21:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Zune\ZuneNss.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
C:\WINDOWS\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2008-09-03 23:30:39 - machine was rebooted [STravis]
ComboFix-quarantined-files.txt 2008-09-04 03:29:35

Pre-Run: 37,850,038,272 bytes free
Post-Run: 37,776,023,552 bytes free

152 --- E O F --- 2008-09-03 19:06:11]]> http://www.dslreports.com/forum/remark,21059839 Thu, 04 Sep 2008 22:35:37 EDT http://www.dslreports.com/forum/remark,21058811 Annmarie : I have very little time to clean this up so excuse me for being abrupt. Co workers laptop, Windows XP running Symantec client suddenly began getting nasty pop ups and what appeared to be Windows security alerts. Someone used his laptop while he was out of the office.
Between he and I we followed the FAQ procedure to the T. His words "found and cleaned tons of stuff but that one keeps showing up". That "one" is the .jpg I posted - it pops up with different trojan names.
I snuck (sneaked?) the laptop out of the office so I could clean it at home. I have to get it back tonight before the security cameras go back on.
Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:51 PM, on 9/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\zehchwhk\lyhshubi.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\fozixwjc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\vptray.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\fozixwjc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ApiSrv] C:\WINDOWS\system32\fozixwjc.exe
O4 - HKCU\..\Run: [cmdinfo] C:\WINDOWS\system32\ujyhuhgd.exe
O4 - HKCU\..\Run: [setsh] C:\WINDOWS\system32\xcxebazm.exe
O4 - HKLM\..\Policies\Explorer\Run: [iQkkP4fm85] C:\Documents and Settings\All Users\Application Data\zehchwhk\lyhshubi.exe
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - »www.symantec.com/techsupp/asa/ss···tlsr.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - »https://70.90.17.225/Remote/msrdp.cab
O16 - DPF: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} (NPRemvuPluginControl) - »24.46.98.45:8888/common/NPRemvu.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7563 bytes

]]> http://www.dslreports.com/forum/remark,21058811 Thu, 04 Sep 2008 19:36:03 EDT