Old 12-01-2008, 01:35 PM   #1 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 7
OS: xp sp3


IE popups (Virtumonde?) and disabled Windows Update

Hello. I have a recurring problem where Windows Automatic Updates keeps getting disabled, presumably by malware. Additionally, last night I seem to have been infected with Virtumonde (according to SpyBot S&D). I was out of town for the holidays with my computer powered down. After boot-up, I was browsing the internet with Firefox when the popups began. I have not recently installed any new software or visited any suspicious webpages.

When running Gmer, the following error box appeared:
Windows - Drive Not Ready
"Exception Processing Message c00000a3 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c"

I had options to Try Again, Cancel, or Continue. Try Again reproduced the same error message, so I Continued and completed the log.

Here's my DDS.txt:

DDS (Version 1.0) - NTFSx86
Run by 10011 at 12:18:48.82 on Mon 12/01/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1098 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\10011\Desktop\gmer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\10011\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\gebXQihe.dll
BHO: {C70B421F-A5D8-4D0E-A525-49A0C9C0FAB3} - c:\windows\system32\pmnoMGxw.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [AsusStartupHelp] c:\program files\asus\aasp\1.00.17\AsRunHelp.exe
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 2007\pccguide.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
StartupFolder: c:\docume~1\10011\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\10011\startm~1\programs\startup\foldin~1.lnk - c:\program files\folding@home\winFAH.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: AtiExtEvent - Ati2evxx.dll
Notify: gebXQihe - gebXQihe.dll
AppInit_DLLs: eralhq.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\gebXQihe.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnoMGxw

============= SERVICES / DRIVERS ===============

R2 cvintdrv;cvintdrv;c:\windows\system32\drivers\cvintdrv.sys [2007-2-21 4096]
R2 MSSQL$AUTODESKVAULT;SQL Server (AUTODESKVAULT);"c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe" -sAUTODESKVAULT [2008-2-26 29183504]
R2 mxssvr;NI Configuration Manager;"c:\program files\national instruments\max\nimxs.exe" [2007-2-22 12696]
R2 NITaggerService;National Instruments Variable Engine;"c:\program files\national instruments\shared\tagger\tagsrv.exe" [2007-2-6 703264]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-10-28 24652]
R3 cm102u32;C-Media CM6501 Like Sound Interface;c:\windows\system32\drivers\c6501.sys [2007-9-15 1419968]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2008-8-20 42512]

=============== Created Last 30 ================

2008-12-01 11:43 250 a------- c:\windows\gmer.ini
2008-12-01 10:50 921,554 a--sh--- c:\windows\system32\wxGMonmp.ini2
2008-12-01 10:14 173 a------- c:\windows\wininit.ini
2008-12-01 03:57 <DIR> --d----- c:\program files\Lavasoft
2008-12-01 03:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-12-01 03:55 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-01 03:52 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-01 03:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-30 19:14 129,024 -------- c:\windows\system32\eralhq.dll
2008-11-30 19:14 129,024 a------- c:\windows\system32\syerjrpt.dll
2008-11-30 19:10 72,704 a------- c:\windows\system32\gihloesa.dll
2008-11-30 19:05 921,554 a--sh--- c:\windows\system32\wxGMonmp.ini
2008-11-30 19:05 318,464 a------- c:\windows\system32\pmnoMGxw.dll
2008-11-30 18:59 <DIR> --d----- c:\docume~1\10011\applic~1\GetModule
2008-11-30 18:59 25,600 a------- c:\windows\system32\jkKawTjJ.dll
2008-11-30 18:59 25,600 a------- c:\windows\system32\gebXQihe.dll
2008-11-30 18:59 198,760 a------- c:\windows\system32\wpv431228088626.cpx
2008-11-30 18:59 38,476 a------- c:\windows\system32\wpv131227968766.cpx
2008-11-30 18:59 34,816 a------- c:\windows\system32\wpv651228079860.cpx
2008-11-22 13:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ATI
2008-11-22 13:02 0 a------- c:\windows\ativpsrm.bin
2008-11-22 12:59 <DIR> --d----- c:\program files\ATI
2008-11-22 12:46 <DIR> --d----- C:\ATI
2008-11-22 11:31 <DIR> --d----- c:\program files\Steam
2008-11-20 12:44 42,320 a------- c:\windows\system32\xfcodec.dll
2008-11-17 14:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2008-11-11 12:26 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 12:25 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-01 17:09 <DIR> --d----- c:\docume~1\10011\applic~1\Red Alert 3

==================== Find3M ====================

2008-12-01 11:21 8,142 ac------ c:\windows\system32\ealregsnapshot1.reg
2008-12-01 10:19 <DIR> --d----- c:\program files\Xfire
2008-12-01 04:40 <DIR> --d----- c:\docume~1\10011\applic~1\Azureus
2008-12-01 03:20 <DIR> --d----- c:\docume~1\10011\applic~1\Xfire
2008-11-23 10:14 <DIR> --d----- c:\program files\Folding@Home
2008-11-22 12:58 <DIR> --d----- c:\program files\ATI Technologies
2008-11-21 11:42 <DIR> --d----- c:\program files\Azureus
2008-11-19 20:10 <DIR> --d----- c:\program files\Trend Micro
2008-11-17 14:23 <DIR> --d----- c:\program files\AIM6
2008-11-17 14:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2008-10-31 17:20 <DIR> --d----- c:\program files\Bethesda Softworks
2008-10-31 16:52 <DIR> --d----- c:\program files\Messenger
2008-10-31 16:46 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-31 16:38 <DIR> --d----- c:\program files\Windows NT
2008-10-28 21:05 593,920 a------- c:\windows\system32\ati2sgag.exe
2008-10-28 18:23 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2008-10-28 18:22 314,880 a------- c:\windows\system32\ati2dvag.dll
2008-10-28 18:11 188,416 a------- c:\windows\system32\atipdlxx.dll
2008-10-28 18:11 147,456 a------- c:\windows\system32\Oemdspif.dll
2008-10-28 18:11 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2008-10-28 18:11 43,520 a------- c:\windows\system32\ati2edxx.dll
2008-10-28 18:10 10,973,184 a------- c:\windows\system32\atioglxx.dll
2008-10-28 18:10 143,360 a------- c:\windows\system32\ati2evxx.dll
2008-10-28 18:09 585,728 a------- c:\windows\system32\ati2evxx.exe
2008-10-28 18:07 53,248 a------- c:\windows\system32\ATIDDC.DLL
2008-10-28 17:57 4,041,472 a------- c:\windows\system32\ati3duag.dll
2008-10-28 17:49 307,200 a------- c:\windows\system32\atiiiexx.dll
2008-10-28 17:41 2,472,832 a------- c:\windows\system32\ativvaxx.dll
2008-10-28 17:40 3,107,788 a------- c:\windows\system32\ativvaxx.dat
2008-10-28 17:40 3,107,788 a------- c:\windows\system32\ativva5x.dat
2008-10-28 17:40 887,724 a------- c:\windows\system32\ativva6x.dat
2008-10-28 17:25 48,640 a------- c:\windows\system32\amdpcom32.dll
2008-10-28 17:21 389,120 a------- c:\windows\system32\atikvmag.dll
2008-10-28 17:19 44,032 a------- c:\windows\system32\atiadlxx.dll
2008-10-28 17:19 17,408 a------- c:\windows\system32\atitvo32.dll
2008-10-28 17:18 253,952 a------- c:\windows\system32\atiok3x2.dll
2008-10-28 17:12 577,536 a------- c:\windows\system32\ati2cqag.dll
2008-10-28 09:54 410,976 a------- c:\windows\system32\deploytk.dll
2008-10-22 15:15 <DIR> --d----- c:\program files\Starcraft
2008-10-21 09:51 118,784 a------- c:\windows\system32\atibrtmon.exe
2008-10-16 12:56 <DIR> --d----- c:\docume~1\10011\applic~1\Sites
2008-10-16 12:56 <DIR> --d----- c:\docume~1\10011\applic~1\SiteClasses
2008-10-11 08:57 <DIR> --d----- c:\program files\SanrioTown
2008-10-04 10:44 <DIR> --d----- c:\docume~1\10011\applic~1\SPORE
2008-10-02 16:40 <DIR> --d----- c:\docume~1\10011\applic~1\Bioshock
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 04:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-14 01:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LightScribe
2008-09-14 00:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2008-09-11 08:27 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-09-09 20:38 <DIR> --d----- c:\docume~1\10011\applic~1\SPORE Creature Creator
2008-09-09 17:14 1,307,648 a------- c:\windows\system32\msxml6.dll
2008-09-04 09:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-08-24 01:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SimCity Societies
2008-08-18 16:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Autodesk
2008-06-17 12:27 <DIR> --d----- c:\docume~1\10011\applic~1\Autodesk
2008-06-06 18:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MGTEK
2008-05-20 19:55 <DIR> --d----- c:\docume~1\10011\applic~1\LimeWire
2008-05-18 17:36 <DIR> --d----- c:\docume~1\10011\applic~1\Armagetron
2008-05-18 17:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Armagetron
2008-04-30 15:30 <DIR> --d----- c:\docume~1\10011\applic~1\Ansys
2008-03-12 03:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\National Instruments
2007-12-11 16:16 <DIR> --d----- c:\docume~1\10011\applic~1\Command & Conquer 3 Tiberium Wars
2007-12-01 00:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ALM
2007-10-25 18:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Mathematica
2007-10-25 18:43 <DIR> --d----- c:\docume~1\10011\applic~1\Mathematica
2007-09-29 21:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trend Micro
2007-09-17 11:35 <DIR> --d----- c:\docume~1\10011\applic~1\Dynamic
2007-09-16 21:03 <DIR> --d----- c:\docume~1\10011\applic~1\Viewpoint
2007-09-16 10:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Azureus

============= FINISH: 12:20:35.07 ===============


Thank you for your time.
Attached Files
File Type: txt Gmer.txt (14.3 KB, 1 views)
File Type: txt Attach.txt (15.2 KB, 1 views)

Old 12-01-2008, 02:44 PM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,338
OS: N/A


Re: IE popups (Virtumonde?) and disabled Windows Update

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that.
Old 12-01-2008, 04:15 PM   #3 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 7
OS: xp sp3


Re: IE popups (Virtumonde?) and disabled Windows Update

ComboFix ran fine. Kudos to you, sir. It appears to have removed the two .dlls that were identified as part of the Virtumonde trojan that I couldn't get rid of with SpyBot S&D (gebXQihe.dll and pmnoMGxw.dll). Previously, when SpyBot removed them, they would subsequently be restored by some other hidden file. I'm tempted to run SpyBot to check for them again, but I'll wait for your advice.

ComboFix also removed c6501.cpl which was a file for my C-Media C6501 sound card. Not exactly sure what that file did (loads C-Media settings at startup?), but I don't know why ComboFix would remove it.

The only other oddity is that running ComboFix also has apparently added an Internet Explorer executable to my desktop. Not a shortcut, but an executable.

Anyways, thanks for picking up my case, sUBs. Looking forward to your advice.

ComboFix log below:

ComboFix 08-12-01.01 - 10011 2008-12-01 14:22:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1380 [GMT -8:00]
Running from: c:\documents and settings\10011\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\10011\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\system32\drivers\npf.sys
c:\windows\system32\eralhq.dll
c:\windows\system32\gebXQihe.dll
c:\windows\system32\gihloesa.dll
c:\windows\system32\jkKawTjJ.dll
c:\windows\system32\packet.dll
c:\windows\system32\pmnoMGxw.dll
c:\windows\system32\syerjrpt.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\wpv131227968766.cpx
c:\windows\system32\wpv431228088626.cpx
c:\windows\system32\wpv651228079860.cpx
c:\windows\system32\wxGMonmp.ini
c:\windows\system32\wxGMonmp.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-11-01 to 2008-12-01 )))))))))))))))))))))))))))))))
.

2008-12-01 11:43 . 2008-12-01 11:52 250 --a------ c:\windows\gmer.ini
2008-12-01 10:14 . 2008-12-01 10:14 173 --a------ c:\windows\wininit.ini
2008-12-01 03:57 . 2008-12-01 03:57 <DIR> d-------- c:\program files\Lavasoft
2008-12-01 03:57 . 2008-12-01 04:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-01 03:55 . 2008-12-01 03:55 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-01 03:52 . 2008-12-01 10:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-01 03:52 . 2008-12-01 10:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-30 18:59 . 2008-11-30 18:59 <DIR> d-------- c:\documents and settings\10011\Application Data\GetModule
2008-11-22 13:03 . 2008-11-22 13:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2008-11-22 13:02 . 2008-11-22 13:02 0 --a------ c:\windows\ativpsrm.bin
2008-11-22 12:59 . 2008-12-01 03:45 <DIR> d-------- c:\program files\ATI
2008-11-22 12:46 . 2008-11-22 12:46 <DIR> d-------- C:\ATI
2008-11-22 11:34 . 2008-11-22 11:35 <DIR> d-------- c:\program files\7-Zip
2008-11-22 11:31 . 2008-11-24 17:25 <DIR> d-------- c:\program files\Steam
2008-11-20 12:44 . 2008-11-20 12:44 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-11-17 14:22 . 2008-11-17 14:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-11 12:26 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 12:25 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-01 17:09 . 2008-11-01 17:09 <DIR> d-------- c:\documents and settings\10011\Application Data\Red Alert 3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 19:20 --------- d-----w c:\documents and settings\10011\Application Data\U3
2008-12-01 18:19 --------- d-----w c:\program files\Xfire
2008-12-01 12:40 --------- d-----w c:\documents and settings\10011\Application Data\Azureus
2008-12-01 11:20 --------- d-----w c:\documents and settings\10011\Application Data\Xfire
2008-11-25 23:16 --------- d-----w c:\documents and settings\10011\Application Data\gtk-2.0
2008-11-23 18:14 --------- d-----w c:\program files\Folding@Home
2008-11-22 21:03 --------- d-----w c:\documents and settings\10011\Application Data\ATI
2008-11-22 20:58 --------- d-----w c:\program files\ATI Technologies
2008-11-22 20:57 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-21 19:42 --------- d-----w c:\program files\Azureus
2008-11-20 04:10 --------- d-----w c:\program files\Trend Micro
2008-11-17 22:23 --------- d-----w c:\program files\AIM6
2008-11-17 22:22 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-17 22:20 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-16 23:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-01 01:20 --------- d-----w c:\program files\Bethesda Softworks
2008-10-31 06:36 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-29 03:10 3,341,824 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-10-29 01:18 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-10-28 17:54 --------- d-----w c:\program files\Java
2008-10-25 18:34 --------- d-----w c:\program files\Electronic Arts
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 23:15 --------- d-----w c:\program files\Starcraft
2008-10-16 20:56 --------- d-----w c:\documents and settings\10011\Application Data\Sites
2008-10-16 20:56 --------- d-----w c:\documents and settings\10011\Application Data\SiteClasses
2008-10-11 16:57 --------- d-----w c:\program files\SanrioTown
2008-10-04 18:44 --------- d-----w c:\documents and settings\10011\Application Data\SPORE
2008-10-03 00:40 --------- d-----w c:\documents and settings\10011\Application Data\Bioshock
2008-05-02 17:28 22,328 ----a-w c:\documents and settings\10011\Application Data\PnkBstrK.sys
2004-03-16 01:51 114,688 ----a-w c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
2006-01-23 18:32 131,072 ----a-w c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 17:48 133,920 ----a-w c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"VX3000"="c:\windows\vVX3000.exe" [2006-10-13 707376]
"AsusStartupHelp"="c:\program files\ASUS\AASP\1.00.17\AsRunHelp.exe" [2006-11-13 363008]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-12-28 3429904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-28 136600]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-15 153136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2007-10-04 307200]

c:\documents and settings\10011\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Folding@Home 5.03.lnk - c:\program files\Folding@Home\winFAH.exe [2007-09-15 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eralhq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"msacm.ac3filter"= ac3filter.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Visicom Media\\AceFTP 3 Freeware\\Aceftp3free.exe"=
"c:\\Program Files\\Electronic Arts\\Dead Space\\Dead Space.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

R2 cvintdrv;cvintdrv;c:\windows\system32\drivers\cvintdrv.sys [2007-02-21 4096]
R2 MSSQL$AUTODESKVAULT;SQL Server (AUTODESKVAULT);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sAUTODESKVAULT [2008-02-26 29183504]
R2 mxssvr;NI Configuration Manager;"c:\program files\National Instruments\MAX\nimxs.exe" [2007-02-22 12696]
R2 NITaggerService;National Instruments Variable Engine;"c:\program files\National Instruments\Shared\Tagger\tagsrv.exe" [2007-02-06 703264]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-10-28 24652]
R3 cm102u32;C-Media CM6501 Like Sound Interface;c:\windows\system32\drivers\c6501.sys [2007-09-15 1419968]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b89869d2-71fa-11dc-8177-0018f30d24bf}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{A63E645F-13BD-45ED-B15F-6E8C1BD57279} - (no file)
BHO-{C70B421F-A5D8-4D0E-A525-49A0C9C0FAB3} - c:\windows\system32\pmnoMGxw.dll
HKLM-Run-C6501Sound - c6501.cpl
Notify-gebXQihe - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\10011\Application Data\Mozilla\Firefox\Profiles\9lg9mm8v.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPLV80Win32.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPLV82Win32.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\thriXXX\WebLaunch\Binaries\npWebLaunch.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 14:29:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1064)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lkcitdl.exe
c:\windows\system32\lkads.exe
c:\windows\system32\lktsrv.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\National Instruments\Shared\Security\nidmsrv.exe
c:\windows\system32\nisvcloc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-01 14:39:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-01 22:39:01

Pre-Run: 8,522,563,584 bytes free
Post-Run: 8,480,497,664 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

233 --- E O F --- 2008-11-11 22:24:43

Last edited by sUBs; 12-01-2008 at 04:26 PM.
Old 12-01-2008, 04:48 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,338
OS: N/A


Re: IE popups (Virtumonde?) and disabled Windows Update

Quote:
ComboFix also removed c6501.cpl which was a file for my C-Media C6501 sound card. Not exactly sure what that file did (loads C-Media settings at startup?), but I don't know why ComboFix would remove it.

Do you mean this line ...

Quote:
- - - - ORPHANS REMOVED - - - -

HKLM-Run-C6501Sound - c6501.cpl

ComboFix removed it because the file c6501.cpl appears to no longer exist on your machine. That makes an orphaned loading point; one which malware may exploit to bypass security programs. Please check to see if the file does exist. I need to know if ComboFix was erroneous.

Quote:
The only other oddity is that running ComboFix also has apparently added an Internet Explorer executable to my desktop. Not a shortcut, but an executable.

ComboFix should not do that. It may restore the default Windows shortcut for IE but it won't drop an executable on Desktop. Some malware will delete the original IE shortcut & replace it with dummies to trick users into clicking on them. If found to be missing, ComboFix restores the original shortcuts to alert the user.


----------



Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:
FOLDER::
c:\documents and settings\10011\Application Data\GetModule
REGISTRY::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
Save this as "CFScript"





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


---------------


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


---------------


In your next post, please include fresh logs from:
  1. Online scan
  2. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
Old 12-01-2008, 05:09 PM   #5 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 7
OS: xp sp3


Re: IE popups (Virtumonde?) and disabled Windows Update

Quote:
Originally Posted by sUBs View Post
Do you mean this line ...

ComboFix removed it because the file c6501.cpl appears to no longer exist on your machine. That makes an orphaned loading point; one which malware may exploit to bypass security programs. Please check to see if the file does exist. I need to know if ComboFix was erroneous.
A search returned C:\WINDOWS\system\c6051.cpl and C:\Program Files\C-Media 6501 Sound\Driver\c6501.cpl.
:|
Old 12-01-2008, 05:22 PM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,338
OS: N/A


Re: IE popups (Virtumonde?) and disabled Windows Update

Is this machine upgraded from Win9x to SP?

C:\Windows\System is the system folder for Win9x machines & not XP. C:\Windows\System & C:\Program Files\C-Media 6501 Sound\Driver are not in your machine's $Path variable. The OS should not be able to use the loading point to locate the file. Did Creative's Control Panel applet used to load on startup before running ComboFix?
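Added example (not part of the posts above and not ComboFix's own logic): a minimal check for the orphaned loading points discussed in posts #4 and #6. It parses swreg-query-style output, extracts the file each Run value depends on, and reports values whose file cannot be found. The search directories and the set of existing files are constructed assumptions, and the lookup is a plain directory walk, not the Windows loader's search order.

```python
import ntpath
import re

# Constructed sample in the layout of swreg query output; the values are
# Run entries that appear in this thread (abridged).
SAMPLE_QUERY = r'''
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
   LifeCam    REG_SZ    "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
   googletalk    REG_SZ    C:\Program Files\Google\Google Talk\googletalk.exe /autostart
   QuickTime Task    REG_SZ    "C:\Program Files\QuickTime\qttask.exe" -atboottime
   C6501Sound    REG_SZ    RunDll32 c6501.cpl,CMICtrlWnd
'''

# Constructed stand-in for the file system, so the check runs offline.
FILES = {p.lower() for p in (
    r"C:\Program Files\Microsoft LifeCam\LifeExp.exe",
    r"C:\Program Files\Google\Google Talk\googletalk.exe",
    r"C:\Program Files\QuickTime\qttask.exe",
    r"C:\Program Files\C-Media 6501 Sound\Driver\c6501.cpl",
)}

# Assumed search directories; the machine's real path is not shown in the thread.
SEARCH_DIRS = [r"C:\WINDOWS\system32", r"C:\WINDOWS"]

VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+REG_SZ\s+(?P<cmd>.+?)\s*$")
EXT_RE = re.compile(r"^(.+?\.(?:exe|dll|cpl|com|bat|cmd))(?=\s|,|$)", re.I)


def fake_exists(path):
    """Case-insensitive existence test against the constructed file set."""
    return path.lower() in FILES


def parse_run_values(text):
    """Return {value name: command line} from swreg-style query output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m.group("name")] = m.group("cmd")
    return values


def extract_target(cmd):
    """Return the file a Run command line depends on."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        # Quoted program path followed by optional arguments.
        end = cmd.find('"', 1)
        if end == -1:
            end = len(cmd)
        program, rest = cmd[1:end], cmd[end + 1:].strip()
    else:
        first, _, tail = cmd.partition(" ")
        m = EXT_RE.match(cmd) if "\\" in first else None
        if m:
            # Unquoted path containing spaces: cut at the executable extension.
            program, rest = m.group(1), cmd[m.end():].strip()
        else:
            program, rest = first, tail.strip()
    if ntpath.basename(program).lower() in ("rundll32", "rundll32.exe") and rest:
        # rundll32 <module>,<entry point>: the module is the file that must exist.
        if rest.startswith('"'):
            return rest[1:].split('"', 1)[0]
        return rest.split(",", 1)[0].strip()
    return program


def resolve(target, search_dirs, exists):
    """Return the path that satisfies target, or None if nothing is found."""
    if ntpath.isabs(target) or "\\" in target:
        return target if exists(target) else None
    for directory in search_dirs:
        candidate = ntpath.join(directory, target)
        if exists(candidate):
            return candidate
    return None


def find_orphans(values, search_dirs, exists):
    """Return [(value name, target)] for Run values whose file is not found."""
    orphans = []
    for name, cmd in values.items():
        target = extract_target(cmd)
        if resolve(target, search_dirs, exists) is None:
            orphans.append((name, target))
    return orphans


if __name__ == "__main__":
    for name, target in find_orphans(parse_run_values(SAMPLE_QUERY),
                                     SEARCH_DIRS, fake_exists):
        print("orphaned loading point:", name, "->", target)
```

On a live Windows machine, pass os.path.isfile as the exists argument and the directories from the real search path instead of the constructed ones.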
Old 12-01-2008, 05:44 PM   #7 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 7
OS: xp sp3


Re: IE popups (Virtumonde?) and disabled Windows Update

Quote:
Originally Posted by sUBs View Post
Did Creative's Control Panel applet used to load on startup before running ComboFix?
Yes, it did used to load. This computer never had any other OS installed on it before XP SP2. Not sure about why this was like that.

So I should get rid of the old shortcut I had to "C:\Program Files\Internet Explorer\iexplore.exe" and use the one that ComboFix put on my desktop instead?

I ran the ComboFix script and Kaspersky is updating and preparing to run now.

Here's the log of the second run of ComboFix using the script you provided:

ComboFix 08-12-01.01 - 10011 2008-12-01 16:10:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1128 [GMT -8:00]
Running from: c:\documents and settings\10011\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\10011\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\10011\Application Data\GetModule

.
((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-12-01 11:43 . 2008-12-01 11:52 250 --a------ c:\windows\gmer.ini
2008-12-01 10:14 . 2008-12-01 10:14 173 --a------ c:\windows\wininit.ini
2008-12-01 03:57 . 2008-12-01 03:57 <DIR> d-------- c:\program files\Lavasoft
2008-12-01 03:57 . 2008-12-01 04:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-01 03:55 . 2008-12-01 03:55 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-01 03:52 . 2008-12-01 10:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-01 03:52 . 2008-12-01 10:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 13:03 . 2008-11-22 13:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2008-11-22 13:02 . 2008-11-22 13:02 0 --a------ c:\windows\ativpsrm.bin
2008-11-22 12:59 . 2008-12-01 03:45 <DIR> d-------- c:\program files\ATI
2008-11-22 12:46 . 2008-11-22 12:46 <DIR> d-------- C:\ATI
2008-11-22 11:34 . 2008-11-22 11:35 <DIR> d-------- c:\program files\7-Zip
2008-11-22 11:31 . 2008-11-24 17:25 <DIR> d-------- c:\program files\Steam
2008-11-20 12:44 . 2008-11-20 12:44 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-11-17 14:22 . 2008-11-17 14:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-11 12:26 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 12:25 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 19:21 8,142 -c--a-w c:\windows\system32\ealregsnapshot1.reg
2008-12-01 19:20 --------- d-----w c:\documents and settings\10011\Application Data\U3
2008-12-01 18:19 --------- d-----w c:\program files\Xfire
2008-12-01 12:40 --------- d-----w c:\documents and settings\10011\Application Data\Azureus
2008-12-01 11:20 --------- d-----w c:\documents and settings\10011\Application Data\Xfire
2008-11-25 23:16 --------- d-----w c:\documents and settings\10011\Application Data\gtk-2.0
2008-11-23 18:14 --------- d-----w c:\program files\Folding@Home
2008-11-22 21:03 --------- d-----w c:\documents and settings\10011\Application Data\ATI
2008-11-22 20:58 --------- d-----w c:\program files\ATI Technologies
2008-11-22 20:57 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-21 19:42 --------- d-----w c:\program files\Azureus
2008-11-20 04:10 --------- d-----w c:\program files\Trend Micro
2008-11-17 22:23 --------- d-----w c:\program files\AIM6
2008-11-17 22:22 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-17 22:20 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-16 23:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-02 01:09 --------- d-----w c:\documents and settings\10011\Application Data\Red Alert 3
2008-11-01 01:20 --------- d-----w c:\program files\Bethesda Softworks
2008-10-31 06:36 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-29 05:05 593,920 ----a-w c:\windows\system32\ati2sgag.exe
2008-10-29 03:10 3,341,824 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-10-29 02:23 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-10-29 02:22 314,880 ----a-w c:\windows\system32\ati2dvag.dll
2008-10-29 02:11 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-10-29 02:11 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-10-29 02:11 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-10-29 02:11 147,456 ----a-w c:\windows\system32\Oemdspif.dll
2008-10-29 02:10 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-10-29 02:10 10,973,184 ----a-w c:\windows\system32\atioglxx.dll
2008-10-29 02:09 585,728 ----a-w c:\windows\system32\ati2evxx.exe
2008-10-29 02:07 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-10-29 01:57 4,041,472 ----a-w c:\windows\system32\ati3duag.dll
2008-10-29 01:49 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-10-29 01:41 2,472,832 ----a-w c:\windows\system32\ativvaxx.dll
2008-10-29 01:25 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-10-29 01:21 389,120 ----a-w c:\windows\system32\atikvmag.dll
2008-10-29 01:19 44,032 ----a-w c:\windows\system32\atiadlxx.dll
2008-10-29 01:19 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-10-29 01:18 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-10-29 01:18 253,952 ----a-w c:\windows\system32\atiok3x2.dll
2008-10-29 01:12 577,536 ----a-w c:\windows\system32\ati2cqag.dll
2008-10-28 17:54 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-10-28 17:54 --------- d-----w c:\program files\Java
2008-10-25 18:34 --------- d-----w c:\program files\Electronic Arts
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 23:15 --------- d-----w c:\program files\Starcraft
2008-10-21 17:51 118,784 ----a-w c:\windows\system32\atibrtmon.exe
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:56 --------- d-----w c:\documents and settings\10011\Application Data\Sites
2008-10-16 20:56 --------- d-----w c:\documents and settings\10011\Application Data\SiteClasses
2008-10-11 16:57 --------- d-----w c:\program files\SanrioTown
2008-10-04 18:44 --------- d-----w c:\documents and settings\10011\Application Data\SPORE
2008-10-03 00:40 --------- d-----w c:\documents and settings\10011\Application Data\Bioshock
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-11 16:27 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-05-02 17:28 22,328 ----a-w c:\documents and settings\10011\Application Data\PnkBstrK.sys
2004-03-16 01:51 114,688 ----a-w c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
2006-01-23 18:32 131,072 ----a-w c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 17:48 133,920 ----a-w c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-01_14.38.46.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-01 22:56:02 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_83c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"VX3000"="c:\windows\vVX3000.exe" [2006-10-13 707376]
"AsusStartupHelp"="c:\program files\ASUS\AASP\1.00.17\AsRunHelp.exe" [2006-11-13 363008]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-12-28 3429904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-28 136600]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-15 153136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2007-10-04 307200]

c:\documents and settings\10011\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Folding@Home 5.03.lnk - c:\program files\Folding@Home\winFAH.exe [2007-09-15 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebXQihe]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"msacm.ac3filter"= ac3filter.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Visicom Media\\AceFTP 3 Freeware\\Aceftp3free.exe"=
"c:\\Program Files\\Electronic Arts\\Dead Space\\Dead Space.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

R2 cvintdrv;cvintdrv;c:\windows\system32\drivers\cvintdrv.sys [2007-02-21 4096]
R2 MSSQL$AUTODESKVAULT;SQL Server (AUTODESKVAULT);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sAUTODESKVAULT [2008-02-26 29183504]
R2 mxssvr;NI Configuration Manager;"c:\program files\National Instruments\MAX\nimxs.exe" [2007-02-22 12696]
R2 NITaggerService;National Instruments Variable Engine;"c:\program files\National Instruments\Shared\Tagger\tagsrv.exe" [2007-02-06 703264]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-10-28 24652]
R3 cm102u32;C-Media CM6501 Like Sound Interface;c:\windows\system32\drivers\c6501.sys [2007-09-15 1419968]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b89869d2-71fa-11dc-8177-0018f30d24bf}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{C70B421F-A5D8-4D0E-A525-49A0C9C0FAB3} - (no file)



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 16:13:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1076)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-01 16:15:49
ComboFix-quarantined-files.txt 2008-12-02 00:14:33
ComboFix2.txt 2008-12-01 22:39:04

Pre-Run: 8,421,052,416 bytes free
Post-Run: 8,454,119,424 bytes free

201 --- E O F --- 2008-11-11 22:24:43

Last edited by sUBs; 12-01-2008 at 11:16 PM.
Old 12-01-2008, 10:42 PM   #8 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 7
OS: xp sp3


Re: IE popups (Virtumonde?) and disabled Windows Update

Kaspersky finally finished. I had to abort the scan of the G drive and start over as it was hanging up on some large .rar files from work that I ultimately unrared. The scan of all drives yielded only 2 hits: a toolbar that was listed as adware. I guess that means I'm clean then.
Thanks. I'm going to run a few more virus and malware scans tonight just to make sure. I figure you probably won't check back on this thread until sometime tomorrow afternoon anyways.

Here's the Kaspersky logs:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 1, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 01, 2008 18:39:03
Records in database: 1429900
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 202112
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 03:16:49


File name / Threat name / Threats count
C:\Program Files\Visicom Media\AceFTP 3 Freeware\vmntoolbar\vmntoolbarsetup1.7_en.exe Infected: not-a-virus:AdWare.Win32.MegaSearch.n 1
C:\Program Files\vmntoolbar\vmntoolbar.dll.old11 Infected: not-a-virus:AdWare.Win32.MegaSearch.n 1

The scan was stopped by the user.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 1, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 01, 2008 18:39:03
Records in database: 1429900
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
G:\

Scan statistics:
Files scanned: 52173
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:01:49

No malware has been detected. The scan area is clean.

The selected area was scanned.

Last edited by sUBs; 12-01-2008 at 11:20 PM.
Old 12-01-2008, 11:28 PM   #9 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,338
OS: N/A


Re: IE popups (Virtumonde?) and disabled Windows Update

Quote:
Yes, it did used to load.
Let's restore the entry that ComboFix removed. To prevent future ComboFix runs from removing it again, we'll make a copy of the C:\WINDOWS\system\c6051.cpl to be placed in the C:\Windows\System32 directory.



Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
@echo off
attrib -h -r -s -a c:\windows\system\c6051.cpl
copy /y c:\windows\system\c6051.cpl  c:\windows\system32\
swreg delete "hklm\software\microsoft\windows nt\currentversion\winlogon\notify\gebxqihe"
regedit /s c:\qoobox\quarantine\registry_backups\hklm-run-c6501sound.reg.dat
swreg query "hklm\software\microsoft\windows\currentversion\run" >log.txt
start log.txt
del %0
Save this as fix.bat. Choose to "Save type as - All Files".
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says
Old 12-02-2008, 02:52 AM   #10 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 7
OS: xp sp3


Re: IE popups (Virtumonde?) and disabled Windows Update

Quote:
Originally Posted by sUBs View Post
Post back to tell me what it says
Done.
Code:
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
   LifeCam	REG_SZ         	"C:\Program Files\Microsoft LifeCam\LifeExp.exe"
   VX3000	REG_SZ         	C:\WINDOWS\vVX3000.exe
   AsusStartupHelp	REG_SZ         	C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe
   pccguide.exe	REG_SZ         	"C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
   googletalk	REG_SZ         	C:\Program Files\Google\Google Talk\googletalk.exe /autostart
   Adobe Reader Speed Launcher	REG_SZ         	"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
   AppleSyncNotifier	REG_SZ         	C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
   iTunesHelper	REG_SZ         	"C:\Program Files\iTunes\iTunesHelper.exe"
   NeroFilterCheck	REG_SZ         	C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
   QuickTime Task	REG_SZ         	"C:\Program Files\QuickTime\qttask.exe" -atboottime
   StartCCC	REG_SZ         	"C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
   ATICustomerCare	REG_SZ         	"C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
   SunJavaUpdateSched	REG_SZ         	"C:\Program Files\Java\jre6\bin\jusched.exe"
   C6501Sound	REG_SZ         	RunDll32 c6501.cpl,CMICtrlWnd

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents

Malware/Virus scans report clean, so I'm pretty satisfied. A little googling has convinced me that a Java exploit allowed this malware to infect my system while browsing the web. I went ahead and uninstalled the old versions of JRE on my computer and got the latest version, which will hopefully prevent future issues.
Old 12-02-2008, 02:54 AM   #11 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,338
OS: N/A


Re: IE popups (Virtumonde?) and disabled Windows Update

Your system is now clean. Kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u


  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  4. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here - http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
Old 12-02-2008, 04:57 AM   #12 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 7
OS: xp sp3


Re: IE popups (Virtumonde?) and disabled Windows Update

Guess I'm all taken care of. Thank you very much and hopefully I don't end up here ever again. :)

All times are GMT -7. The time now is 06:07 AM.



Copyright 2001 - 2009, Tech Support Forum