19 replies to this topic

[dmol]

HELP!!! I've got some kind of virus and nothing has helped, I mean nothing has been able to get rid of it, INCLUDING Malwarebytes! I downloaded it from a "clean" PC on a flash disk, installed it to the infected PC and it will not run, won't start up/open. The "bug" will not allow me to use any software I've tried nor will it allow me access to any website which might have an online scanner.

Please help. Thanks

David M.

[dmol]

________________________________________________________________________________
_____________________

Here is the log from running Win32kDiag.exe. I downloaded Fr33.exe and dragged the mbam.exe and it didnt work, not even after renaming.

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\mscorlib\m
scorlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System\Sys
tem
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Dra
wing\System.Drawing
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Win
dows.Forms\System.Windows.Forms
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZA
P1AC.tmp\ZAP1AC.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZA
P203.tmp\ZAP203.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZA
P9.tmp\ZAP9.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\inf\IEM\0409\0409
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F2
31838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C6
48A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3
D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary
ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporar
y ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ms\sms\sms
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoi
nt
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKU
s
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Do
wnloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Def
ault
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\
Registered
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1025\1025
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1028\1028
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1031\1031
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1037\1037
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1041\1041
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1042\1042
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1054\1054
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\2052\2052
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3076\3076
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-117609710-1580436
667-839522115-500\S-1-5-21-117609710-1580436667-839522115-500
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-3123560112-828541
007-3928990100-7110\S-1-5-21-3123560112-828541007-3928990100-7110
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\CCM\Inventory\idmifs\badmifs\badmi
fs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\CCM\Inventory\noidmifs\badmifs\bad
mifs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\CCM\Inventory\Temp\FileColl\FileCo
ll
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\CCM\Metering\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\CCM\ServiceData\LocalPayload\Local
Payload
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\CCM\ServiceData\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\CCM\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application D
ata\Adobe\Flash Player\AssetCache\HATBDN56\HATBDN56
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application D
ata\Microsoft\Media Player\Media Player
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application D
ata\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application D
ata\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application D
ata\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Deskt
op
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Fav
orites
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Setting
s\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHo
od
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\Pri
ntHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 01:00:00 63488 C:\WINDOWS\system32\eventlog.dll ()
[2] 2004-08-04 01:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corpor
ation)

Found mount point : C:\WINDOWS\system32\export\export
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\Macromed\update\update
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\sample\sample
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\RsFx\RsFx
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wbem\mof\good\good
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wins\wins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\x64\x64
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\xircom\xircom
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\_avast4_\_avast4_
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\_ISTMP0.DIR\_ISTMP0.DIR
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WBEM\WBEM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^

[Maurice Naggar]

@ dmol
Hello David,

I will be assisting you in searching for malwares. For the duration, follow my guidance.

Advise me of your Windows version/edition, as well as the antivirus program installed on this system.
If you must, continue to use another system to do download of tools, and then transfer to the Desktop of problem pc.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

If you are a casual viewer, do NOT try this on your system!
If you are not dmol and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

Go >> here <<
and download RootRepeal and SAVE to your Desktop.

Doubleclick RootRepeal.exe icon on your Desktop.
Click on the Report tab at bottom of window and then click on Scan button.

A Windows will open asking what to include in the scan. Check all of the below and then click Ok.

Drivers
Files
Processes
SSDT
Hidden Services
Stealth Objects


You will then be asked which drive to scan.
Check C: (or the drive your operating system is installed on if not C) and click Ok again.
The scan will start.
It will take a little while so please be patient. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should default there).
When you have done this, please copy and paste it in this thread.
=

Download DDS and save it to your desktop from http://www.techsuppo...ctools/sUBs/dds here or http://download.blee...om/sUBs/dds.scr or
http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.
Then double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

• When done, DDS will open two (2) logs:
  
• DDS.txt
  
• Attach.txt
  
• Save both reports to your desktop.

Please include the following logs in your next reply:
RootRepeal.txt
DDS.txt
Attach.txt

[dmol]

I tried running RootRepeal but after aprox. 10 secs it closed the window and no report was generated. Tried running it again and it says: "Windows cannot access the specified device, path or file. You may not have appropriate permissions to access the item". I tried renaming the file and run it and it tries to run but gives me an error saying: "Could not load driver (0xc0000035)!".
Also tried running DDS but as soon as the window opens it closes immediately.

I'm running Windows XP Professional SP2
Version: 2002

I also wanted to mention that Windows Firewall keeps popping up with the following different suspicious software on my computer but it will obviously not let me block it:


Name: Net-Worm.Win32.Mytob.t
Risk Level: High Risk
Description: This network worm infects computers running Windows.
the worm itself is a Windows PE EXE file, written in Visual C++.
The file may be packed with one of a range of packers, and the
size of the infected file may therefore vary. The packed file is
aprox. 47KB or greater, and the unpacked file is aprox. 150 KB to
260 KB in size.

Windows Firewall has deteceted unauthorized activity, but unfortunately it cannot
help you to remove viruses, keyloggers and other spyware threats that steal your
personal information from your computer.



Name: Virus.Win32.Gpcode.ak
Risk level: High Risk
Description: This malicious program encrypts files on the victim machine. It
is a Windows PE EXE file 8030, bytes in size.

Name: Net-Worm.Win32.DipNet.d
Risk Level: Middle Risk
Description: DipNet.d infects computers running under Windows. The worm itself
is a Windows PE EXE file approx. 91KB in size, packed using UPX.
The unpacked file is apprx. 264KB in size. The worm propagates by
exploiting a vulnerability in Microsoft Windows LSASS (MS04-011).

Name: Email-Worm.Win32.NetSky.q
Risk Level: High Risk
Description: This worm spreads via the internet as an attachment to infected
messaages. It is also able to propagate via P2P networks and
accessible http and ftp directories. The worm's main component
is a PE EXE file aprox. 29KB. The worm is packed using FSG;
the unpacked file is aprox. 40KB in size.

Name: Trojan.Win32.Agent.dcc
Risk Level: High Risk
Descrption: This Trojan has a malicious payload. It is a Windows PE EXE file.
It is 20480 bytes in size.


Name: Virus.Win32.Hala.a
Risk Level: Middle Risk
Descrption: This malicious program infects executable files on the victim
machine. It is a Windows DLL file. It is not packed in any way. It is
written in Visual C++.

Name: Trojan-Downloader.JS.Multi.ca
Risk Level: Middle Risk
Descrption: This Torjan downloads another program via the internet and launches
it on the victim machine without the user's knowledge or consent. It
is encrypted Java Script within an HTML document. It is 14147 bytes in size.

Thanks

[Maurice Naggar]

Hello David,
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3







* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
  
• Double click on Combo-Fix.exe & follow the prompts.
  
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

RE-Enable your AntiVirus and AntiSpyware applications.

[dmol]

BTW I'm currently running in Safe Mode, is that OK?

[Maurice Naggar]

No. It is best to run the tools in Normal mode.
I need for you to get & save & rename Combo-fix.exe

and next, disconnect pc from the modem connection. After Combo-fix has all finished, reconnect to the modem.

[dmol]

PC keeps shutting down in normal mode. Is it ok if I run Combofix in safe mode?

[Maurice Naggar]

Restart system, tap F8 as it starts, select Safe Mode with Networking
then run the tools.

[dmol]

Here is the ComboFix log:

ComboFix 09-08-30.01 - dmol 08/30/2009 19:40.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3574.3024 [GMT -4:00]
Running from: c:\documents and settings\Dmol\Desktop\Combo-Fix.exe
FW: Trend Micro OfficeScan Enterprise Client Firewall *disabled* {1D4A90DD-E06A-4704-8FC3-5A9DDCDE66D9}
FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {8FFDAB97-0440-478D-B188-1F3F669971D6}
FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {AFBC8F94-7749-4F6B-9791-446AD5CCE6EA}
.
The following files were disabled during the run:
c:\windows\system32\jupozife.dll
c:\windows\system32\midogiru.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Dmol\LOCALS~1\Temp\services.exe
c:\docume~1\Dmol\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\All Users\Application Data\11860784
c:\documents and settings\All Users\Application Data\11860784\11860784
c:\documents and settings\All Users\Application Data\11860784\11860784.exe
c:\documents and settings\All Users\Application Data\11860784\pc11860784ins
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Mozilla Firefox\extensions\{1B7BC266-9225-483E-A3FC-E8928838252E}
c:\program files\Mozilla Firefox\extensions\{1B7BC266-9225-483E-A3FC-E8928838252E}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{1B7BC266-9225-483E-A3FC-E8928838252E}\chrome\content\overlay.xul
c:\program files\Mozilla Firefox\extensions\{1B7BC266-9225-483E-A3FC-E8928838252E}\install.rdf
c:\recycler\S-1-5-21-117609710-1580436667-839522115-500
c:\windows\run.log
c:\windows\system32\~.exe
c:\windows\system32\braviax.exe
c:\windows\system32\buwapite.dll
c:\windows\system32\drivers\ovfsthvjysfxlarpwasavltvbeibaqiweowjhc.sys
c:\windows\system32\drivers\smss.exe
c:\windows\system32\drivers\UACexdgvnfyfq.sys
c:\windows\system32\drivers\UACvkthgwgywo.sys
c:\windows\system32\feyavezi.dll
c:\windows\system32\kigomila.exe
c:\windows\system32\lds.exe
c:\windows\system32\lehevusa.dll
c:\windows\system32\logs
c:\windows\system32\logs\VersnLog1.log
c:\windows\system32\nnkeop.dll
c:\windows\system32\tusubiku.dll
c:\windows\system32\tuvujuka.dll
c:\windows\system32\UACbxcudxsdsi.dll
c:\windows\system32\UACdbowugtnig.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACiwymglgbmi.dll
c:\windows\system32\UAClojqybwsuy.dll
c:\windows\system32\UACnjilaiwqme.dll
c:\windows\system32\wetidehu.dll
c:\windows\system32\wscsvc32.exe
c:\windows\system32\wutupile.exe

----- BITS: Possible infected sites -----

hxxp://NNE18:80
hxxp://NNEUS05:80
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\logevent.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthnpumpkluujwohejmukoqlpanqunlommc
-------\Legacy_ovfsthnpumpkluujwohejmukoqlpanqunlommc
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_{79007602-0cdb-4405-9dbf-1257bb3226ed}
-------\Legacy_{79007602-0cdb-4405-9dbf-1257bb3226ee}


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))
.

2009-08-30 22:29 . 2009-08-30 23:07 3168 ----a-w- c:\windows\system32\drivers\jki;.sys
2009-08-30 22:29 . 2009-08-30 23:07 15969 ----a-w- c:\windows\system32\drivers\rr.sys
2009-08-29 22:13 . 2009-08-29 22:13 -------- d-----w- c:\program files\TT
2009-08-29 19:25 . 2009-08-29 19:25 -------- d-----w- c:\windows\ERUNT
2009-08-29 18:41 . 2009-08-30 20:37 -------- d-----w- C:\SDFix
2009-08-29 08:10 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 08:10 . 2009-08-30 20:30 -------- d-----w- c:\program files\vbnnnnnnnnnnnnnnnnn
2009-08-29 08:10 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-29 01:23 . 2009-08-29 01:24 -------- d-----w- c:\program files\Protection System
2009-08-29 00:49 . 2009-08-29 23:36 0 ----a-w- c:\windows\system32\drivers\94e4b305.sys
2009-08-29 00:49 . 2009-08-29 00:49 42496 ----a-w- C:\tujfbtrj.exe
2009-08-29 00:49 . 2009-08-29 00:49 705 ----a-w- C:\qbuf.exe
2009-08-29 00:49 . 2009-08-29 00:49 705 ----a-w- C:\enurmyv.exe
2009-08-29 00:49 . 2009-08-29 00:49 196602 ----a-w- C:\svfp.exe
2009-08-29 00:49 . 2009-08-29 00:49 49664 ----a-w- C:\blyuwrjl.exe
2009-08-26 17:18 . 2009-08-26 17:18 152576 ----a-w- c:\documents and settings\Dmol\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-23 20:13 . 2008-07-11 00:28 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2009-08-23 20:12 . 2008-07-11 00:28 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2009-08-23 20:11 . 2009-08-30 23:33 -------- d-----w- c:\windows\system32\RsFx
2009-08-23 19:35 . 2009-08-23 20:11 -------- d-----w- c:\program files\Microsoft SQL Server
2009-08-23 19:35 . 2009-08-23 19:35 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-23 19:35 . 2009-08-23 19:35 -------- d-----w- c:\program files\Microsoft Synchronization Services
2009-08-23 19:35 . 2009-08-23 19:35 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-08-23 19:34 . 2009-08-23 19:34 193824 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VBExpress\9.0\1033\ResourceCache.dll
2009-08-23 19:33 . 2009-08-23 19:33 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-08-23 19:33 . 2009-08-23 19:33 -------- d-----w- c:\documents and settings\Dmol\Local Settings\Application Data\Microsoft Help
2009-08-23 19:31 . 2009-08-24 14:17 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-08-23 19:31 . 2009-08-24 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-23 19:31 . 2009-08-23 19:31 -------- d-----w- c:\program files\Microsoft SDKs
2009-08-23 19:29 . 2009-08-24 14:24 153200 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-23 19:29 . 2009-08-23 19:29 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-23 19:29 . 2009-08-23 19:29 -------- d-----w- c:\program files\MSBuild
2009-08-23 19:29 . 2009-08-23 19:29 -------- d-----w- c:\program files\Reference Assemblies
2009-08-23 19:28 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-23 19:28 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-23 19:28 . 2008-07-06 12:06 575488 ----a-w- c:\windows\system32\xpsshhdr.dll
2009-08-23 19:28 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-23 19:28 . 2008-07-06 12:06 1676288 ----a-w- c:\windows\system32\xpssvcs.dll
2009-08-23 19:28 . 2008-07-06 12:06 117760 ----a-w- c:\windows\system32\prntvpt.dll
2009-08-23 19:28 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-23 19:24 . 2009-08-23 19:24 -------- d-----w- c:\program files\MSXML 6.0
2009-08-17 23:08 . 2009-08-21 15:47 -------- d-----w- C:\Maui 09

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-30 23:49 . 2009-03-19 18:01 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-08-30 23:49 . 2009-03-19 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-08-30 21:13 . 2009-05-30 21:13 209408 --sha-w- c:\windows\system32\depopuho.dll
2009-08-30 21:13 . 2009-05-30 21:13 209408 ----a-w- c:\windows\system32\midogiru.dll.vir
2009-08-30 20:32 . 2009-04-28 14:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 20:13 . 2009-05-30 20:13 209408 --sha-w- c:\windows\system32\wivekogu.dll
2009-08-30 20:13 . 2009-05-30 20:13 209408 --sha-w- c:\windows\system32\wifokuvi.dll
2009-08-29 22:14 . 2006-11-29 15:20 -------- d-----w- c:\program files\Trend Micro
2009-08-29 01:31 . 2009-06-06 21:42 -------- d-----w- c:\program files\Google
2009-08-28 10:38 . 2009-07-23 01:48 -------- d-----w- c:\documents and settings\Dmol\Application Data\Skype
2009-08-28 04:08 . 2009-07-23 01:49 -------- d-----w- c:\documents and settings\Dmol\Application Data\skypePM
2009-08-26 17:20 . 2009-06-24 19:38 -------- d-----w- c:\program files\Java
2009-08-25 16:32 . 2009-08-29 17:26 20089488 ----a-w- c:\program files\PROCESSLIST.DB
2009-08-25 16:32 . 2009-08-29 17:26 1218259 ----a-w- c:\program files\PROCESSLISTRELATED.DB
2009-08-23 20:32 . 2009-01-15 04:40 69272 ----a-w- c:\documents and settings\Dmol\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-23 20:09 . 2006-11-29 15:59 -------- d-----w- c:\program files\Microsoft.NET
2009-07-25 09:23 . 2009-06-24 19:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 12:54 . 2009-07-24 12:54 -------- d-----w- c:\program files\MSECache
2009-07-23 02:37 . 2009-07-23 02:16 -------- d-----w- c:\program files\Creative
2009-07-23 02:26 . 2009-07-23 02:26 -------- d-----w- c:\documents and settings\Dmol\Application Data\Creative
2009-07-23 02:16 . 2006-11-29 15:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-23 02:15 . 2006-11-29 15:47 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-23 01:49 . 2009-07-23 01:49 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-23 01:47 . 2009-07-23 01:47 -------- d-----r- c:\program files\Skype
2009-07-23 01:47 . 2009-07-23 01:47 -------- d-----w- c:\program files\Common Files\Skype
2009-07-23 01:47 . 2009-07-23 01:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-07-16 04:03 . 2009-07-16 04:03 -------- d-----w- c:\documents and settings\Dmol\Application Data\ATT Connect
2009-07-15 13:17 . 2009-07-15 13:17 -------- d-----w- c:\documents and settings\Dmol\Application Data\Interwise
2009-07-15 13:17 . 2009-07-15 13:16 -------- d-----w- c:\program files\Interwise
2009-06-24 19:38 . 2009-06-24 19:38 152576 ----a-w- c:\documents and settings\Dmol\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-04 15:12 . 2009-06-04 15:12 61224 ----a-w- c:\windows\java\GoToAssistDownloadHelper.exe
2009-05-30 20:13 . 2009-05-30 20:13 592896 --sha-w- c:\windows\system32\pododome.exe
2009-05-30 21:13 . 2009-05-30 21:13 69632 --sha-w- c:\windows\system32\reboyuti.exe
2009-04-28 04:09 . 2009-04-28 04:09 383 --sha-w- c:\windows\system32\zajiheyo.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"Push Client"="c:\program files\Interwise\Participant\pull.exe" [2008-04-13 886000]
"Creative WebCam Tray"="c:\program files\Creative\Shared Files\CamTray.exe" [2005-10-27 299008]
"Protection System"="c:\program files\Protection System\psystem.exe" [2009-08-29 2519040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-13 483328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SchedulingAgent_nDG"="c:\program files\ManageSoft\Schedule Agent\ndschedag.exe" [2009-01-19 1419528]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-10-29 96816]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2008-09-11 356429]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-100000000002}\SC_Acrobat.exe [2009-1-14 25214]
VPN Client.lnk - c:\windows\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2009-1-14 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCpl"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 0 (0x0)
"NoSMBalloonTip"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3123560112-828541007-3928990100-1148\Scripts\Logon\0\0]
"Script"=GISPDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3123560112-828541007-3928990100-7110\Scripts\Logon\0\0]
"Script"=GISPDetect.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 mgsdl;ManageSoft Peer-to-Peer Download Service;c:\program files\ManageSoft\Launcher\mgsdl.exe [1/19/2009 4:18 PM 1406464]
R2 mgssecsvc;ManageSoft Security Service;c:\program files\ManageSoft\Security Agent\mgssecsvc.exe [1/19/2009 4:43 PM 1078784]
R2 ndGlobalLauncher;ManageSoft installation agent;c:\program files\ManageSoft\Launcher\ndserv.exe [1/19/2009 5:28 PM 2901768]
R2 ndinit;ManageSoft managed device;c:\program files\ManageSoft\Schedule Agent\ndinit.exe [1/19/2009 5:27 PM 712456]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [11/9/2005 8:34 PM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [11/9/2005 8:34 PM 36368]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/28/2008 11:08 PM 54960]
S1 94e4b305;94e4b305;c:\windows\system32\drivers\94e4b305.sys [8/28/2009 8:49 PM 0]
S3 P1171VID;Creative WebCam Notebook #2;c:\windows\system32\drivers\P1171Vid.sys [7/22/2009 10:37 PM 91392]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 8:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 8:28 PM 369688]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\NNEMailRecipientLink]
c:\windows\MailRecipient.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8577AE8C-87A5-4366-8287-5ADD80E14952}]
"c:\windows\system32\msiexec.exe" /fu {8577AE8C-87A5-4366-8287-5ADD80E14952} /q
.
- - - - ORPHANS REMOVED - - - -

BHO-{9a1c3730-97b5-4c3b-b9f2-35d4d738acca} - c:\windows\system32\wetidehu.dll
HKLM-Run-11860784 - c:\documents and settings\All Users\Application Data\11860784\11860784.exe
HKLM-Run-begayobina - c:\windows\system32\feyavezi.dll
HKLM-Run-CPM133ab7df - c:\windows\system32\midogiru.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
DPF: Documentum Content Transfer 5.2.5 SP - hxxp://nneus03/nnedocs/wdk/contentXfer/ContentXfer.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {F8C41CBF-721F-4B99-9FC8-2F8077C4AD39} - hxxps://drawing.constructware.com/IGC/BravaClientX.cab
FF - ProfilePath - c:\documents and settings\Dmol\Application Data\Mozilla\Firefox\Profiles\muppxix4.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-30 19:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1960)
c:\windows\system32\msi.dll
c:\progra~1\MICROS~2\ACCESS~1\OFFICE11\MCPS.DLL
c:\windows\system32\browselc.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\program files\Microsoft Office\Visio2003STD\OFFICE11\msohev.dll
c:\windows\system32\shdoclc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\ManageSoft\Schedule Agent\ndtask.exe
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\stacsv.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\CCM\clicomp\RemCtrl\Wuser32.exe
c:\windows\system32\vmnetdhcp.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
c:\program files\VMware\VMware Workstation\vmware-authd.exe
c:\windows\Temp\DMF763.EXE
c:\program files\ManageSoft\Schedule Agent\ndtask.exe
c:\program files\ManageSoft\Tracker\ndtrack.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\DellTPad\ApntEx.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
c:\windows\system32\net.exe
c:\windows\system32\net1.exe
.
**************************************************************************
.
Completion time: 2009-08-30 19:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-30 23:55

Pre-Run: 7,769,542,656 bytes free
Post-Run: 8,053,424,128 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=6 Default=6 Failed=5 LastKnownGood=2 Sets=1,2,3,4,5,6
317

[Maurice Naggar]

Right click the Spybot Icon (blue icon with lock ) in the system tray (notification area).

• If you have the new version, click once on Resident Protection and make sure it is Unchecked.
  
• If you have Version 1.4, Click on Exit Spybot S&D Resident
  
  If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  Exit Spybot S&D when done and reboot the system so the changes are in effect.

Spybot's Tea Timer must be OFF while we remove malwares. Otherwise, our changes will be to no effect.

=

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<

• Double-click FixPolicies.exe.
  
• Click the "Install" button on the bottom toolbar of the box that will open.
  
• The program will create a new Folder called FixPolicies.
  
• Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  
• A black box will briefly appear and then close.
  
• This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

=

Next, do this:
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

=
I'm seeing malwares that date from late last April & May.
Keep in mind, there's a fair chance we'll conclude it would be to your best adavantage to wipe the system and load Windows as a fresh (new) install.

Even after the last Combofix run, which removed rootkit & more, there still appears to be at least 1 rogue and several pieces of Vundo.

=

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote

KILLALL::

Driver::
Protection System

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Protection System"=-

File::
c:\windows\system32\jupozife.dll
c:\windows\system32\midogiru.dll
C:\tujfbtrj.exe
C:\qbuf.exe
C:\enurmyv.exe
C:\svfp.exe
C:\blyuwrjl.exe
c:\program files\Protection System
c:\windows\system32\depopuho.dll
c:\windows\system32\midogiru.dll.vir
c:\windows\system32\wivekogu.dll
c:\windows\system32\wifokuvi.dll
c:\windows\system32\pododome.exe
c:\windows\system32\reboyuti.exe
c:\windows\system32\zajiheyo.exe
c:\windows\system32\wetidehu.dll
c:\windows\system32\feyavezi.dll
c:\windows\system32\midogiru.dll

Save this as CFScript.txt, in the same location as ComboFix.exe





Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

=
Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

Now, Logoff and Restart the system fresh, in normal mode

Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

Trend Micro Damage Cleanup Engine

• Make sure you read this document to understand how to use the program.
  Trend Micro Sysclean Package README 1st
  
• Basically there are 3 parts that need to be downloaded and SAVED from these links:
  
  • Sysclean Package
    
  • Virus Pattern Files that will be a LPTxxx.ZIP file
    
  • Spyware Pattern Files this is a SSAPIPTNxxx.ZIP
    It is the 4th listed file, under title "Detection and Cleanup (Trend Micro Anti-Spyware) – Ssapiptn.Da5"

• Create a brand new folder to copy these files to.
  
• As an example: C:\DCE
  
• Then open each of the zipped archive files and copy their contents to C:\DCE
  
• Copy the file sysclean.com to the new folder C:\DCE as well.
  
• Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.
  
  After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

=
Next, Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.
At this time of posting, the current definitions are # 2718 or later. The latest program version is 1.40

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=
Reply with copy of the C:\Combofix.txt
the Sysclean.log
the MBAM scan log

[dmol]

A Spybot Icon is not displayed in the system tray

[Maurice Naggar]

OK, skip that part & go forward.

[dmol]

Reply with copy of the C:\Combofix.txt
the Sysclean.log
the MBAM scan log


Here is the ComboFix log:

ComboFix 09-08-30.01 - dmol 08/30/2009 21:28.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3574.2797 [GMT -4:00]
Running from: c:\documents and settings\Dmol\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Dmol\Desktop\CFScript.txt
FW: Trend Micro OfficeScan Enterprise Client Firewall *disabled* {1D4A90DD-E06A-4704-8FC3-5A9DDCDE66D9}
FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {8FFDAB97-0440-478D-B188-1F3F669971D6}
FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {AFBC8F94-7749-4F6B-9791-446AD5CCE6EA}

FILE ::
"C:\blyuwrjl.exe"
"C:\enurmyv.exe"
"c:\program files\Protection System"
"C:\qbuf.exe"
"C:\svfp.exe"
"C:\tujfbtrj.exe"
"c:\windows\system32\depopuho.dll"
"c:\windows\system32\feyavezi.dll"
"c:\windows\system32\jupozife.dll"
"c:\windows\system32\midogiru.dll"
"c:\windows\system32\midogiru.dll.vir"
"c:\windows\system32\pododome.exe"
"c:\windows\system32\reboyuti.exe"
"c:\windows\system32\wetidehu.dll"
"c:\windows\system32\wifokuvi.dll"
"c:\windows\system32\wivekogu.dll"
"c:\windows\system32\zajiheyo.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\blyuwrjl.exe
C:\enurmyv.exe
C:\qbuf.exe
C:\svfp.exe
C:\tujfbtrj.exe
c:\windows\system32\depopuho.dll
c:\windows\system32\jupozife.dll
c:\windows\system32\midogiru.dll
c:\windows\system32\pododome.exe
c:\windows\system32\reboyuti.exe
c:\windows\system32\wifokuvi.dll
c:\windows\system32\wivekogu.dll
c:\windows\system32\zajiheyo.exe

.
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.

2009-08-31 01:20 . 2009-08-31 01:21 -------- d-----w- c:\program files\ERUNT Backup Registry
2009-08-31 00:21 . 2009-08-31 01:04 -------- d-----w- c:\documents and settings\Dmol\Local Settings\Application Data\Temporary Projects
2009-08-30 22:29 . 2009-08-30 23:07 3168 ----a-w- c:\windows\system32\drivers\jki;.sys
2009-08-30 22:29 . 2009-08-30 23:07 15969 ----a-w- c:\windows\system32\drivers\rr.sys
2009-08-29 22:13 . 2009-08-29 22:13 -------- d-----w- c:\program files\TT
2009-08-29 19:25 . 2009-08-29 19:25 -------- d-----w- c:\windows\ERUNT
2009-08-29 18:41 . 2009-08-30 20:37 -------- d-----w- C:\SDFix
2009-08-29 08:10 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 08:10 . 2009-08-30 20:30 -------- d-----w- c:\program files\vbnnnnnnnnnnnnnnnnn
2009-08-29 08:10 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-29 01:23 . 2009-08-29 01:24 -------- d-----w- c:\program files\Protection System
2009-08-29 00:49 . 2009-08-29 23:36 0 ----a-w- c:\windows\system32\drivers\94e4b305.sys
2009-08-26 17:18 . 2009-08-26 17:18 152576 ----a-w- c:\documents and settings\Dmol\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-23 20:13 . 2008-07-11 00:28 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2009-08-23 20:12 . 2008-07-11 00:28 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2009-08-23 20:11 . 2009-08-30 23:33 -------- d-----w- c:\windows\system32\RsFx
2009-08-23 19:35 . 2009-08-23 20:11 -------- d-----w- c:\program files\Microsoft SQL Server
2009-08-23 19:35 . 2009-08-23 19:35 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-23 19:35 . 2009-08-23 19:35 -------- d-----w- c:\program files\Microsoft Synchronization Services
2009-08-23 19:35 . 2009-08-23 19:35 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-08-23 19:34 . 2009-08-23 19:34 193824 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VBExpress\9.0\1033\ResourceCache.dll
2009-08-23 19:33 . 2009-08-23 19:33 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-08-23 19:33 . 2009-08-23 19:33 -------- d-----w- c:\documents and settings\Dmol\Local Settings\Application Data\Microsoft Help
2009-08-23 19:31 . 2009-08-24 14:17 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-08-23 19:31 . 2009-08-24 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-23 19:31 . 2009-08-23 19:31 -------- d-----w- c:\program files\Microsoft SDKs
2009-08-23 19:29 . 2009-08-24 14:24 153200 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-23 19:29 . 2009-08-23 19:29 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-23 19:29 . 2009-08-23 19:29 -------- d-----w- c:\program files\MSBuild
2009-08-23 19:29 . 2009-08-23 19:29 -------- d-----w- c:\program files\Reference Assemblies
2009-08-23 19:28 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-23 19:28 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-23 19:28 . 2008-07-06 12:06 575488 ----a-w- c:\windows\system32\xpsshhdr.dll
2009-08-23 19:28 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-23 19:28 . 2008-07-06 12:06 1676288 ----a-w- c:\windows\system32\xpssvcs.dll
2009-08-23 19:28 . 2008-07-06 12:06 117760 ----a-w- c:\windows\system32\prntvpt.dll
2009-08-23 19:28 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-23 19:24 . 2009-08-23 19:24 -------- d-----w- c:\program files\MSXML 6.0
2009-08-17 23:08 . 2009-08-21 15:47 -------- d-----w- C:\Maui 09

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 01:32 . 2009-03-19 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-08-31 00:34 . 2009-04-28 14:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 23:49 . 2009-03-19 18:01 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-08-29 22:14 . 2006-11-29 15:20 -------- d-----w- c:\program files\Trend Micro
2009-08-29 01:31 . 2009-06-06 21:42 -------- d-----w- c:\program files\Google
2009-08-28 10:38 . 2009-07-23 01:48 -------- d-----w- c:\documents and settings\Dmol\Application Data\Skype
2009-08-28 04:08 . 2009-07-23 01:49 -------- d-----w- c:\documents and settings\Dmol\Application Data\skypePM
2009-08-26 17:20 . 2009-06-24 19:38 -------- d-----w- c:\program files\Java
2009-08-25 16:32 . 2009-08-29 17:26 20089488 ----a-w- c:\program files\PROCESSLIST.DB
2009-08-25 16:32 . 2009-08-29 17:26 1218259 ----a-w- c:\program files\PROCESSLISTRELATED.DB
2009-08-23 20:32 . 2009-01-15 04:40 69272 ----a-w- c:\documents and settings\Dmol\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-23 20:09 . 2006-11-29 15:59 -------- d-----w- c:\program files\Microsoft.NET
2009-07-25 09:23 . 2009-06-24 19:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 12:54 . 2009-07-24 12:54 -------- d-----w- c:\program files\MSECache
2009-07-23 02:37 . 2009-07-23 02:16 -------- d-----w- c:\program files\Creative
2009-07-23 02:26 . 2009-07-23 02:26 -------- d-----w- c:\documents and settings\Dmol\Application Data\Creative
2009-07-23 02:16 . 2006-11-29 15:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-23 02:15 . 2006-11-29 15:47 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-23 01:49 . 2009-07-23 01:49 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-23 01:47 . 2009-07-23 01:47 -------- d-----r- c:\program files\Skype
2009-07-23 01:47 . 2009-07-23 01:47 -------- d-----w- c:\program files\Common Files\Skype
2009-07-23 01:47 . 2009-07-23 01:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-07-16 04:03 . 2009-07-16 04:03 -------- d-----w- c:\documents and settings\Dmol\Application Data\ATT Connect
2009-07-15 13:17 . 2009-07-15 13:17 -------- d-----w- c:\documents and settings\Dmol\Application Data\Interwise
2009-07-15 13:17 . 2009-07-15 13:16 -------- d-----w- c:\program files\Interwise
2009-06-24 19:38 . 2009-06-24 19:38 152576 ----a-w- c:\documents and settings\Dmol\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-04 15:12 . 2009-06-04 15:12 61224 ----a-w- c:\windows\java\GoToAssistDownloadHelper.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-08-30_23.50.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-31 01:33 . 2009-08-31 01:33 16384 c:\windows\Temp\Perflib_Perfdata_cc4.dat
+ 2009-08-31 01:31 . 2009-08-31 01:31 16384 c:\windows\Temp\Perflib_Perfdata_480.dat
+ 2009-08-31 01:33 . 2009-08-31 01:33 16384 c:\windows\Temp\Perflib_Perfdata_1e8.dat
+ 2009-08-31 01:32 . 2008-09-11 17:48 176195 c:\windows\Temp\JIEC6E.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"Push Client"="c:\program files\Interwise\Participant\pull.exe" [2008-04-13 886000]
"Creative WebCam Tray"="c:\program files\Creative\Shared Files\CamTray.exe" [2005-10-27 299008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-13 483328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SchedulingAgent_nDG"="c:\program files\ManageSoft\Schedule Agent\ndschedag.exe" [2009-01-19 1419528]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-10-29 96816]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2008-09-11 356429]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Dmol\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT Backup Registry\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-100000000002}\SC_Acrobat.exe [2009-1-14 25214]
VPN Client.lnk - c:\windows\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2009-1-14 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCpl"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 0 (0x0)
"NoSMBalloonTip"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3123560112-828541007-3928990100-1148\Scripts\Logon\0\0]
"Script"=GISPDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3123560112-828541007-3928990100-7110\Scripts\Logon\0\0]
"Script"=GISPDetect.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 mgsdl;ManageSoft Peer-to-Peer Download Service;c:\program files\ManageSoft\Launcher\mgsdl.exe [1/19/2009 4:18 PM 1406464]
R2 mgssecsvc;ManageSoft Security Service;c:\program files\ManageSoft\Security Agent\mgssecsvc.exe [1/19/2009 4:43 PM 1078784]
R2 ndGlobalLauncher;ManageSoft installation agent;c:\program files\ManageSoft\Launcher\ndserv.exe [1/19/2009 5:28 PM 2901768]
R2 ndinit;ManageSoft managed device;c:\program files\ManageSoft\Schedule Agent\ndinit.exe [1/19/2009 5:27 PM 712456]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [11/9/2005 8:34 PM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [11/9/2005 8:34 PM 36368]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/28/2008 11:08 PM 54960]
S1 94e4b305;94e4b305;c:\windows\system32\drivers\94e4b305.sys [8/28/2009 8:49 PM 0]
S3 P1171VID;Creative WebCam Notebook #2;c:\windows\system32\drivers\P1171Vid.sys [7/22/2009 10:37 PM 91392]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 8:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 8:28 PM 369688]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\NNEMailRecipientLink]
c:\windows\MailRecipient.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8577AE8C-87A5-4366-8287-5ADD80E14952}]
"c:\windows\system32\msiexec.exe" /fu {8577AE8C-87A5-4366-8287-5ADD80E14952} /q
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
DPF: Documentum Content Transfer 5.2.5 SP - hxxp://nneus03/nnedocs/wdk/contentXfer/ContentXfer.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {F8C41CBF-721F-4B99-9FC8-2F8077C4AD39} - hxxps://drawing.constructware.com/IGC/BravaClientX.cab
FF - ProfilePath - c:\documents and settings\Dmol\Application Data\Mozilla\Firefox\Profiles\muppxix4.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-30 21:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(808)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\ManageSoft\Schedule Agent\ndtask.exe
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\stacsv.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\CCM\clicomp\RemCtrl\Wuser32.exe
c:\windows\system32\vmnetdhcp.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
c:\program files\ManageSoft\Schedule Agent\ndtask.exe
c:\windows\Temp\JIEC6E.EXE
c:\program files\ManageSoft\Tracker\ndtrack.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\DellTPad\ApntEx.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
.
**************************************************************************
.
Completion time: 2009-08-31 21:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-31 01:37
ComboFix2.txt 2009-08-30 23:56

Pre-Run: 8,077,189,120 bytes free
Post-Run: 7,957,422,080 bytes free

Current=6 Default=6 Failed=5 LastKnownGood=2 Sets=1,2,3,4,5,6
271
________________________________________________________________________________
____

Here is the Sysclean log:



/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2009-2010, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2009-08-30, 21:59:27, Auto-clean mode specified.
2009-08-30, 21:59:28, Initialized Rootkit Driver version 2.2.0.1004.
2009-08-30, 21:59:28, Running scanner "C:\DCE\TSC.BIN"...
2009-08-30, 21:59:52, Scanner "C:\DCE\TSC.BIN" has finished running.
2009-08-30, 21:59:52, TSC Log:

ÿþD a m a g e C l e a n u p E n g i n e ( D C E ) 6 . 1 ( B u i l d 1 0 2 7 ) ( R C M : 2 . 2 . 0 - 1 0 0 4 )


W i n d o w s X P ( B u i l d 2 6 0 0 : S e r v i c e P a c k 2 )




S t a r t t i m e : S u n A u g 3 0 2 0 0 9 2 1 : 5 9 : 2 9





L o a d D a m a g e C l e a n u p T e m p l a t e ( D C T ) " C : \ D C E \ T M R D C T . p t n " ( v e r s i o n ) [ f a i l ]


L o a d D a m a g e C l e a n u p T e m p l a t e ( D C T ) " C : \ D C E \ t s c . p t n " ( v e r s i o n 1 0 5 8 ) [ s u c c e s s ]





C o m p l e t e t i m e : S u n A u g 3 0 2 0 0 9 2 1 : 5 9 : 5 2


E x e c u t e p a t t e r n c o u n t ( 3 0 6 0 ) , V i r u s f o u n d c o u n t ( 0 ) , V i r u s c l e a n c o u n t ( 0 ) , C l e a n f a i l e d c o u n t ( 0 )





2009-08-30, 21:59:52, Running scanner "C:\DCE\VSCANTM.BIN"...
2009-08-30, 23:45:20, Scanner "C:\DCE\VSCANTM.BIN" has finished running.
2009-08-30, 23:45:20, VSCANTM Log:

2009-08-30, 23:45:20, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 8/30/2009 21:59:52
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 407 (465486/465486 Patterns) (2009/08/30) (640700)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\DCE\lpt$vpn.407

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\11860784\11860784.exe.vir [Cryp_FakeAV-17]
C:\Qoobox\Quarantine\C\WINDOWS\system32\kigomila.exe.vir [Cryp_FakeAV-17]
C:\Qoobox\Quarantine\C\WINDOWS\system32\lds.exe.vir [TROJ_Generic.DIT]
C:\Qoobox\Quarantine\C\WINDOWS\system32\lehevusa.dll.vir [Cryp_Vundo-24]
C:\Qoobox\Quarantine\C\WINDOWS\system32\wutupile.exe.vir [Cryp_FakeAV-17]
C:\Qoobox\Quarantine\[4]-Submit_2009-08-30_21.28.08.zip (1/15 Viruses Found)
52356 files have been read.
52356 files have been checked.
52315 files have been scanned.
2057126 files have been scanned. (including files in archived)
6 files containing viruses.
Found 6 viruses totally.
Maybe 0 viruses totally.
Stop At: 8/30/2009 23:45:20 1 hour 45 minutes 27 seconds (6327.08 seconds) has elapsed.(120.847 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-08-30, 23:45:20, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 8/30/2009 21:59:52
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 407 (465486/465486 Patterns) (2009/08/30) (640700)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\DCE\lpt$vpn.407

52356 files have been read.
52356 files have been checked.
52315 files have been scanned.
2057126 files have been scanned. (including files in archived)
6 files containing viruses.
Found 6 viruses totally.
Maybe 0 viruses totally.
Stop At: 8/30/2009 23:45:20 1 hour 45 minutes 27 seconds (6327.08 seconds) has elapsed.(120.847 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-08-30, 23:45:20, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 8/30/2009 21:59:52
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 407 (465486/465486 Patterns) (2009/08/30) (640700)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\DCE\lpt$vpn.407

52356 files have been read.
52356 files have been checked.
52315 files have been scanned.
2057126 files have been scanned. (including files in archived)
6 files containing viruses.
Found 6 viruses totally.
Maybe 0 viruses totally.
Stop At: 8/30/2009 23:45:20 1 hour 45 minutes 27 seconds (6327.08 seconds) has elapsed.(120.847 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-08-30, 23:45:20, Running SSAPI scanner ""...
2009-08-31, 00:09:52, SSAPI Log:

SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 8.17
SSAPI Anti-Rootkit Version: 2.2.0.1004

Spyware Scan Started: 08/30/2009 23:45:23


SSAPI requires the system to reboot.
Detected Items:
Detected: 1 items.
Cleaned Success: 1 items.
Clean Failed: 0 items.

Spyware Scan Ended: 08/31/2009 00:09:52
Scan Complete. Time=1471.985229.

________________________________________________________________________________
______________

Here is the MBAM scan log:

Malwarebytes' Anti-Malware 1.40
Database version: 2719
Windows 5.1.2600 Service Pack 2

8/31/2009 9:24:59 AM
mbam-log-2009-08-31 (09-24-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 166174
Time elapsed: 43 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{5e2121ee-0300-11d4-8d3b-444553540000} (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\protection system (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5e2121ee-0300-11d4-8d3b-444553540000} (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\1 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Protection System\psystem.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\enurmyv.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\qbuf.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\smss.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A594FDF5-2686-41F0-866A-122E01AE9172}\RP1\A0000139.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A594FDF5-2686-41F0-866A-122E01AE9172}\RP1\A0000140.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\blacklist.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\core.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\coreext.dll (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\firewall.dll (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\help.ico (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\uninstall.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Protection System Support.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Uninstall Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
___________________________________________________________________________

[Maurice Naggar]

So far, looking much better. I'd like for you to do some additional follow-up.

Scan the system with the Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Reenable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

1) Click the Kapersky Online Scanner button. You'll see a popup window.
2) Accept the agreement
3) Accept the installation of the required ActiveX object ( XP SP2-SP3 will show this in the Information Bar )
4) For XP SP2-SP3, click the Install button when prompted
5) The necessary files will be downloaded and installed. Please have plenty of patience.
6) After Kaspersky AntiVirus Database is updated, look at the Scan box.
7) Click the My Computer line
8 ) Be infinetely patient, the scan is comprehensive and, unlike other online antivirus scanners, will detect all malwares

9) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

( To see an animated tutorial-how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.
Kapersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or SmitFraudFix items, or ComboFix's Qoobox & quarantine.
Kaspersky is a report only and does not remove files.

=
Download Security Check by screen317 and save it to your Desktop: here or here

• Run Security Check
  
• Follow the onscreen instructions inside of the command window.
  
• A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
=

Post back with copies of the Kaspersky.txt report
checkup.txt
.
How is your system now ?

[dmol]

Post back with copies of the Kaspersky.txt report
checkup.txt
.
How is your system now ?
_________________________________________

Here is the Kaspersky report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, September 1, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, August 31, 2009 20:54:15
Records in database: 2732386
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\


Scan statistics:
Objects scanned: 482177
Threats found: 4
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 9:19:56


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACiwymglgbmi.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAClojqybwsuy.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wscsvc32.exe.vir Infected: not-a-virus:FraudTool.Win32.Agent.vz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir Infected: Packed.Win32.Krap.x 1

________________________________________________________________________________
_________

Here is the checkup report:

Results of screen317's Security Check version 0.98.9
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
Trend Micro OfficeScan Client


WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java™ 6 Update 15
Adobe Flash Player 10
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
Trend Micro OfficeScan Client pccntmon.exe

Trend Micro OfficeScan Client tmlisten.exe
Trend Micro OfficeScan Client ntrtscan.exe
Trend Micro OfficeScan Client OfcPfwSvc.exe

``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

__________________________________________________--

Maurice TrendMicro is saying there is a Threat Alert and creating this report:

Threat Alert
OfficeScan detected Cryp_FakeAV-17 on NNE-US-PC7165(dmol) in Nneas domains.
File: C:\Qoobox\Quarantine\C\WINDOWS\system32\wutupile.exe.vir
Detection date: 8/30/2009 20:56:49
Action: Pass
---------------------------------------------------
Threat Alert
OfficeScan detected TROJ_TDSS.AKK on NNE-US-PC7165(dmol) in Nneas domains.
File: C:\Qoobox\Quarantine\C\WINDOWS\system32\UACbxcudxsdsi.dll.vir
Detection date: 8/30/2009 20:56:50
Action: Virus successfully detected, cannot perform the Quarantine action
---------------------------------------------------
Threat Alert
OfficeScan detected TROJ_ALUREON.AUA on NNE-US-PC7165(dmol) in Nneas domains.
File: C:\Qoobox\Quarantine\C\WINDOWS\system32\UACnjilaiwqme.dll.vir
Detection date: 8/30/2009 20:56:50
Action: Virus successfully detected, cannot perform the Quarantine action




Is there a way to stop TrendMicro from creating this alert??

[dmol]

How is your system now ?
_________________________________________

BTW the system is much better now, THANKS for all your help.

[Maurice Naggar]

Hello David,
The items tagged by your TrendMicro are in quarantine & out of the way. In any event, they will be deleted as part of the following Combofix cleanup.

Check on the Security Center service
from the Start button > RUN option .... type in

services.msc

look for Security Center service
If it is listed as off or inactive, press on the link at top left to Start it.

=
De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader. Get the latest version from http://www.adobe.com.../readstep2.html

See this topic in the AumHa Security forum and get the latest Java run-time
http://aumha.net/vie...hp?f=26&t=41698

=

Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you should un-install it. Go to Control Panel and Add-or-Remove programs.
Look for it and click the line for it. Select Change/Remove to de-install it.
De-install Kaspersky online scan
OK & Exit out of Control Panel

I see that you are clear of your original issues.
If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it, ( you had named it combo-fix ), put that name in the RUN box stated just below.
The "/u" in the Run line below is to start Combofix for it's cleanup & removal function.
Note the space after x and before the slash mark.
The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

• Click Start, then click Run.
  
  In the command box that opens, type or copy/paste combo-fix /u and then click OK.

• Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe
  
• Please double-click OTL.exe to run it.
  
• Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
  
• This step removes the files, folders, and shortcuts created by the tools I had you download and run.

• Run ATF Cleaner, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.
  
  
• You may reset your Windows Explorer {My Computer} Folder Options > VIEW settings back to where they had been before. {under hidden files & folders to not show hidden or system files -and- to "hide protected operating system files" }
  
  
• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
  
  
• Check in at Windows Update and install any Critical Updates offered.
  
  
• Download and Install Windows Defender by Microsoft (free) if you do not already have it:
  http://www.microsoft.com/downloads/details...A4-F7F14E605A0D
  
  
• Make certain that Automatic Updates is enabled.
  How to configure and use Automatic Updates in WinXP:
  http://support.microsoft.com/kb/306525
  
  
• Download, install, and keep updated Spyware Blaster (free): http://www.javacools...areblaster.html (all Protections should be enabled at all times)
  
  
• I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
  See the FAQ page http://mvps.org/winh...02/hostsfaq.htm
  That would help to keep your browser away from known spyware/malware sites.
  
  
• Make regular backups of your system to removable media: DVD, USB external hard drive, etc.
  
  Plan for & get & apply XP service pack 3:
  For WinXP SP3 installation tips, etc., see http://aumha.net/vie...hp?f=62&t=33296
  and the other SP3-related "stickies" in that forum.
  
  IE and Windows XP Service Pack 3
  http://blogs.msdn.com/ie/archive/2008/05/0...-and-xpsp3.aspx
  
  
  On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:
  Kaspersky Webscan Online Virus Scanner
  
  ESET Online Scanner
  
  Panda ActiveScan
  
  Trend Micro Housecall
  
  F-Secure Online Scanner
  
  
• Read Tony Klein's article How Did I Get Infected In The First Place
  
  
• Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe !
  
  Finally, spend some time reading about how to keep your computer safe on the Internet: http://www.bleepingc...tutorial82.html

We are finished here. Best regards.

[dmol]

GREAT!!!! Thank you so much for your help.

[Maurice Naggar]

You're welcome. Stay safe.

This thread topic is now closed. For all casual viewers, be aware the procedures used here are only for this case.
Do not try them on your system.