Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Resolved HJT Threads Resolved spyware and popup issues.
06-20-2009, 10:04 AM   #21
Registered User
 
Join Date: Jun 2009
Posts: 27
OS: Windows XP


Re: Multiple problems -- please help

Here's the third screenshot.
Attached Images
File Type: jpg screenshot3.JPG (109.0 KB, 2 views)
06-20-2009, 10:21 AM   #22
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Multiple problems -- please help

Do you have the install disc for Symantec?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
06-20-2009, 10:25 AM   #23
Registered User
 
Join Date: Jun 2009
Posts: 27
OS: Windows XP


Re: Multiple problems -- please help

No, but if you want me to re-install it, I can--it's available on our school's online software library for download.
06-20-2009, 10:27 AM   #24
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Multiple problems -- please help

That would be my suggestion. See if it gives you an option to Repair the installation first. If not, uninstall Symantec via the Add or Remove programs panel and reboot before re-installing it.

Let me know how that worked out for you.
06-20-2009, 11:06 AM   #25
Registered User
 
Join Date: Jun 2009
Posts: 27
OS: Windows XP


Re: Multiple problems -- please help

Hi Ried,

Just did that, but now I have a new error message instead that says Symantec is out-of-date (even though I just updated and Symantec itself is now saying there are no more updates available). I've included a screenshot of what that looks like in the Windows Security Center below.

Thanks again
Attached Images
File Type: jpg screenshot4.JPG (95.8 KB, 1 views)
06-20-2009, 11:23 AM   #26
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Multiple problems -- please help

Oftentimes the installed AV and Windows Sec Center don't play well together. Let Symantec monitor itself and give you any necessary alerts.

Go to Control Panel > Security Center and click the little arrow next to Virus Protection. Click the Recommendations button. In the ensuing dialog box, place a check next to "I have an anti virus program that I'll monitor myself..." and click OK.
06-20-2009, 11:28 AM   #27
Registered User
 
Join Date: Jun 2009
Posts: 27
OS: Windows XP


Re: Multiple problems -- please help

Okay, sounds good. Thank you again very much for your time and all your help!
06-20-2009, 11:41 AM   #28
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Multiple problems -- please help

You're welcome, Brian. Time to tend to some housekeeping now. :)

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Scan here http://secunia.com/software_inspector/ for out-of-date and vulnerable common applications on your computer.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
06-20-2009, 12:25 PM   #29
Registered User
 
Join Date: Jun 2009
Posts: 27
OS: Windows XP


Re: Multiple problems -- please help

I can't believe I'm typing this, but I left my computer alone for a half hour after I last wrote you, and when I came back there were loads of pop-ups from Internet Explorer, that same alert trying to get me to install System Security, and my desktop had changed to the warning that my computer was infected with spyware. And the first few times I tried to restart, the computer blue-screened on start-up, so I'm in safe mode now. I think I have the exact same infection that I started with. Should I run ComboFix again and start the process over? And follow the same steps?

Maybe I got the infection in the brief time when Symantec was uninstalled but it didn't show up till now? I wasn't even online, so I'm confused as to whether the infection ever left?

Sorry to be such a bother. Thanks again!

Brian
06-20-2009, 12:31 PM   #30
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Multiple problems -- please help

It was gone. What sites have you gone to in the last day or so?

No, do not run ComboFix yet. I need to see a scan from gmer.exe first, as well as a fresh dds.txt

Post those as soon as you can.
06-20-2009, 02:07 PM   #31
Registered User
 
Join Date: Jun 2009
Posts: 27
OS: Windows XP


Re: Multiple problems -- please help

Hey again,

I think I've only been on news sites/blogs in the past two days because the only time I've been on my computer at home has been spent trying to work on this.

But here's the dds.txt and the attach.txt file (sorry that's what I meant in the private message), and I'll send you the gmer results as soon as I have them.

Thank you thank you thank you


DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by Brian at 14:36:17.73 on Sat 06/20/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.690 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brian\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: XML Class: {500bca15-57a7-4eaf-8143-8c619470b13d} - c:\windows\system32\msxml71.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe" --force_start_minimized
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [kell] c:\program files\manson\liser.exe
uRun: [Cognac] c:\docume~1\brian\locals~1\temp\b.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [suScheduler] c:\program files\thinkvantage\systemupdate\UCLauncher.exe /SCHEDULER
mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [cssauth] "c:\program files\ibm thinkvantage\client security solution\cssauth.exe" silent
mRun: [PDService.exe] "c:\program files\ibm thinkvantage\safeguard privatedisk\pdservice.exe"
mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [a-squared] "c:\program files\a-squared anti-malware\a2guard.exe" /d=60
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~2\VPTray.exe
mRun: [13251094] c:\documents and settings\all users\application data\13251094\13251094.exe
mRun: [93261086] c:\documents and settings\all users\application data\93261086\93261086.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\KEM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{a7091e1d-36a4-47f1-a739-173cc341414f}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} - hxxp://www.lojackforlaptops.com/ctmweb/testoc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: ACNotify - ACNotify.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: AwayNotify - c:\program files\lenovo\awaytask\AwayNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: psfus - psqlpwd.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\manson\liser.dll
LSA: Notification Packages = scecli psqlpwd csspwntfy

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brian\applic~1\mozilla\firefox\profiles\flkkzwjh.default\
FF - component: c:\documents and settings\brian\application data\mozilla\firefox\profiles\flkkzwjh.default\extensions\piclens@cooliris.com\components\piclensstub.dll
FF - plugin: c:\documents and settings\brian\application data\mozilla\firefox\profiles\flkkzwjh.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2006-8-13 85760]
S1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2006-8-13 11520]
S1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2006-8-13 6016]
S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
S1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
S1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2006-8-13 4736]
S1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2006-8-13 4442]
S2 a2AntiMalware;a-squared Anti-Malware Service;c:\program files\a-squared anti-malware\a2service.exe [2008-12-5 419448]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
S2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-12-21 12544]
S2 jsr468ijdfghfjsw3rw3i6tjag80;jsr468ijdfghfjsw3rw3i6tjag80;c:\windows\jsr468ijdfghfjsw3rw3i6tjag81.exe [2009-6-20 12288]
S2 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [1980-1-1 14336]
S2 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-11-15 46142]
S2 rpcnetp;rpcnetp;c:\windows\system32\rpcnetp.exe [2008-12-6 17408]
S2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-12-21 3968]
S2 smihlp;SMI helper driver;c:\program files\thinkvantage fingerprint software\smihlp.sys [2006-2-14 3328]
S2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe [2004-8-4 121856]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-7-2 24652]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
S3 EraserUtilDrv10710;EraserUtilDrv10710;c:\program files\common files\symantec shared\eengine\EraserUtilDrv10710.sys [2009-6-20 102712]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20070213.051\naveng.sys [2009-6-20 80472]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20070213.051\navex15.sys [2009-6-20 852600]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
S3 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-06-20 14:06 120,836 a------- c:\windows\msa.exe
2009-06-20 14:06 205,828 a------- c:\windows\system32\msxml71.dll
2009-06-20 13:52 155,648 a------- c:\windows\system32\tpsaxyd.exe
2009-06-20 13:52 8 a------- c:\windows\system32\comsa32.sys
2009-06-20 13:52 12,288 a------- c:\windows\jsr468ijdfghfjsw3rw3i6tjag81.exe
2009-06-20 13:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\93261086
2009-06-20 13:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\13251094
2009-06-20 13:52 <DIR> --dshr-- c:\program files\Manson
2009-06-20 13:51 110,592 a------- c:\windows\system32\net.net
2009-06-20 12:51 110,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-20 12:51 48,768 a------- c:\windows\system32\S32EVNT1.DLL
2009-06-20 12:51 8,014 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-20 12:51 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-20 12:51 <DIR> --d----- c:\program files\Symantec
2009-06-20 12:51 <DIR> --d----- c:\program files\Symantec AntiVirus
2009-06-16 21:28 <DIR> a-dshr-- C:\cmdcons
2009-06-16 21:26 161,792 a------- c:\windows\SWREG.exe
2009-06-16 21:26 155,136 a------- c:\windows\PEV.exe
2009-06-16 21:26 98,816 a------- c:\windows\sed.exe
2009-06-15 19:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware_2

==================== Find3M ====================

2009-06-20 14:15 17,408 a------- c:\windows\system32\rpcnetp.exe
2009-06-20 12:40 56,680 a------- c:\windows\system32\rpcnet.dll
2009-06-16 21:40 17,408 a------- c:\windows\system32\rpcnetp.dll
2009-06-14 10:43 5,427 a------- c:\windows\system32\EGATHDRV.SYS
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 21:42 56,680 a------- c:\windows\system32\rpcnet.exe
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 11:44 344,064 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-27 05:29 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2009-04-17 05:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-17 05:58 1,846,656 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 11:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 11:11 584,192 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-03-25 18:55 33,280 a------- c:\windows\system32\identprv.dll

============= FINISH: 14:37:43.82 ===============
Attached Files
File Type: txt DDS.txt (12.8 KB, 1 views)
File Type: txt Attach.txt (19.7 KB, 1 views)

Last edited by Ried; 06-20-2009 at 03:31 PM.
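As an added triage example (not DDS, ComboFix or forum code), the script below parses a constructed excerpt in the DDS format of the log above and flags the kinds of entries that turned out to be the infection: an all-digit folder under Application Data, an executable launched from a temp directory, a random-looking service name, a service hosted by svchost.exe whose code lives in a ServiceDll, and autostart binaries whose file or folder appears under "Created Last 30". The 8.3 short-name table and the heuristics themselves are assumptions of the example, not part of DDS.

```python
"""Triage heuristics for the autostart and service sections of a DDS log.
Added example, not DDS, ComboFix or forum code. Findings are prompts for a
human analyst to verify, not verdicts."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section name reason")

# Constructed excerpt in DDS format, built from entries in the log posted above.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
BHO: XML Class: {500bca15-57a7-4eaf-8143-8c619470b13d} - c:\windows\system32\msxml71.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [kell] c:\program files\manson\liser.exe
uRun: [Cognac] c:\docume~1\brian\locals~1\temp\b.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [13251094] c:\documents and settings\all users\application data\13251094\13251094.exe
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\manson\liser.dll
============= SERVICES / DRIVERS ===============
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
S2 jsr468ijdfghfjsw3rw3i6tjag80;jsr468ijdfghfjsw3rw3i6tjag80;c:\windows\jsr468ijdfghfjsw3rw3i6tjag81.exe [2009-6-20 12288]
S2 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [1980-1-1 14336]
=============== Created Last 30 ================
2009-06-20 14:06 205,828 a------- c:\windows\system32\msxml71.dll
2009-06-20 13:52 12,288 a------- c:\windows\jsr468ijdfghfjsw3rw3i6tjag81.exe
2009-06-20 13:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\13251094
2009-06-20 13:52 <DIR> --dshr-- c:\program files\Manson
"""

RUN_RE = re.compile(r"^(?P<scope>[um])Run:\s+\[(?P<name>[^\]]+)\]\s+(?P<value>.+)$")
BHO_RE = re.compile(r"^BHO:\s+(?P<name>.+?):\s+\{[^}]+\}\s+-\s+(?P<path>.+)$")
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s+\[[\d-]+\s+\d+\]$")
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+\S+\s+\S+\s+(?P<path>.+)$")
JUMBLE_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{16,}$", re.I)  # letter/digit soup
NUMERIC_RE = re.compile(r"^\d{6,}$")

# DDS mixes 8.3 short names with long names; expand the common ones so paths compare equal.
SHORT_NAMES = {
    "progra~1": "program files", "docume~1": "documents and settings",
    "alluse~1": "all users", "applic~1": "application data",
    "locals~1": "local settings", "common~1": "common files",
}

def normalize(path):
    """Lower-case, drop quotes and command-line arguments, expand known 8.3 components."""
    path = path.strip().strip('"').lower()
    m = re.match(r"(.*?\.(?:exe|dll|sys|scr))", path)
    if m:
        path = m.group(1)
    return "\\".join(SHORT_NAMES.get(part, part) for part in path.split("\\"))

def parse(log_text):
    """Return autostart entries, services and the set of paths created in the last 30 days."""
    autostarts, services, created = [], [], set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            autostarts.append((m["scope"] + "Run", m["name"], normalize(m["value"])))
        elif m := BHO_RE.match(line):
            autostarts.append(("BHO", m["name"], normalize(m["path"])))
        elif line.lower().startswith("appinit_dlls:"):
            for dll in line.split(":", 1)[1].split(","):
                autostarts.append(("AppInit_DLLs", dll.strip(), normalize(dll)))
        elif m := SERVICE_RE.match(line):
            # svchost.exe is only the host; the service's real code is its ServiceDll.
            services.append((m["name"], normalize(m["path"]), "svchost.exe -k" in m["path"].lower()))
        elif m := CREATED_RE.match(line):
            created.add(normalize(m["path"]))
    return autostarts, services, created

def triage(log_text):
    """Apply the heuristics and return a list of Findings."""
    autostarts, services, created = parse(log_text)
    findings = []

    def recent(path):
        # The binary itself, or the folder holding it, shows up under "Created Last 30".
        return path in created or path.rsplit("\\", 1)[0] in created

    for section, name, path in autostarts:
        parts = path.split("\\")
        folder = parts[-2] if len(parts) > 1 else ""
        if section == "AppInit_DLLs":
            findings.append(Finding(section, name, "loaded into every process that uses user32.dll; verify the publisher"))
        if "\\temp\\" in path:
            findings.append(Finding(section, name, "runs from a temp directory: " + path))
        if NUMERIC_RE.match(name) or NUMERIC_RE.match(folder):
            findings.append(Finding(section, name, "all-digit name or folder: " + path))
        if recent(path):
            findings.append(Finding(section, name, "file or folder created in the last 30 days: " + path))
    for name, path, hosted in services:
        if JUMBLE_RE.match(name):
            findings.append(Finding("Service", name, "random-looking service name: " + path))
        if hosted:
            findings.append(Finding("Service", name, "svchost-hosted; resolve its ServiceDll before trusting it"))
        if recent(path):
            findings.append(Finding("Service", name, "file created in the last 30 days: " + path))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.name}: {f.reason}")
```

Legitimate entries such as ctfmon.exe, ccApp and ccSetMgr produce no finding, while every entry ComboFix later deleted is surfaced at least once.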
06-20-2009, 03:24 PM   #32
Registered User
 
Join Date: Jun 2009
Posts: 27
OS: Windows XP


Re: Multiple problems -- please help

Hey Ried,

Here's that ark.txt file from the gmer scan. Thanks again!
Attached Files
File Type: txt ark.txt (6.8 KB, 1 views)
06-20-2009, 03:39 PM   #33
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Multiple problems -- please help

Thanks Brian,

It got onto your system about an hour after you installed Symantec. Can you recall what site you went to around that time?

We'll go ahead and run ComboFix now. If it's still on your system...

Disable your onboard AV, then double click ComboFix.exe. Allow it to update when you see the prompt.


If you've uninstalled it already, download a fresh copy from here

Post the C:\ComboFix.txt
06-20-2009, 05:06 PM   #34
Registered User
 
Join Date: Jun 2009
Posts: 27
OS: Windows XP


Re: Multiple problems -- please help

Hi Ried,

Thanks for finding that. I have a different version of Symantec, but I disabled every part of it (Symantec said it was completely disabled), yet ComboFix was still detecting it. I ran the scan anyway, and here's the log from that.

I'm going to be away from the computer for a while, so please respond whenever's convenient for you. Don't worry about me--you've already been a tremendous help.

Thank you!

Brian

ComboFix 09-06-20.02 - Brian 06/20/2009 18:22.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.657 [GMT -4:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix2.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\13251094
c:\documents and settings\All Users\Application Data\93261086
c:\program files\Manson
c:\windows\system32\drivers\SKYNETwroyehro.sys
c:\windows\system32\drivers\UACd.sys
c:\windows\system32\wiwow64.exe
c:\windows\TEMP\mta47248.dll
c:\documents and settings\All Users\Application Data\13251094\13251094.exe
c:\documents and settings\All Users\Application Data\13251094\13251094.glu
c:\documents and settings\All Users\Application Data\13251094\pc13251094cnf
c:\documents and settings\All Users\Application Data\13251094\pc13251094ins
c:\documents and settings\All Users\Application Data\93261086\93261086.exe
c:\program files\Manson\liser.dll
c:\program files\Manson\liser.exe
c:\windows\Install.txt
c:\windows\msa.exe
c:\windows\system32\comsa32.sys
c:\windows\system32\drivers\SKYNETwroyehro.sys
c:\windows\system32\drivers\UACd.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\msncache.dll
c:\windows\system32\msxml71.dll
c:\windows\system32\SKYNETitimpwco.dll
c:\windows\system32\SKYNETkuevurvs.dat
c:\windows\system32\SKYNETtncfrrko.dll
c:\windows\system32\sopidkc.exe
c:\windows\system32\tpsaxyd.exe
c:\windows\system32\tpszxyd.sys
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
c:\windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_MSNCACHE
-------\Legacy_SOPIDKC
-------\Service_msncache
-------\Service_SKYNETusawuntj
-------\Service_sopidkc


((((((((((((((((((((((((( Files Created from 2009-05-20 to 2009-06-20 )))))))))))))))))))))))))))))))
.

2009-06-20 17:52 . 2009-06-20 17:52 12288 ----a-w- c:\windows\jsr468ijdfghfjsw3rw3i6tjag81.exe
2009-06-20 16:51 . 2009-06-20 16:51 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-06-20 16:51 . 2009-06-20 16:51 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-20 16:51 . 2009-06-20 16:51 -------- d-----w- c:\program files\Symantec
2009-06-20 16:51 . 2009-06-20 16:52 -------- d-----w- c:\program files\Symantec AntiVirus
2009-06-15 23:24 . 2009-06-15 23:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware_2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-20 22:30 . 2008-12-06 21:36 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-06-20 22:30 . 2007-03-13 04:43 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-06-20 22:21 . 2008-12-06 21:36 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2009-06-20 19:57 . 2008-10-18 16:57 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-20 19:56 . 2009-03-30 18:00 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-20 18:11 . 2009-01-05 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-20 16:52 . 2006-08-13 17:41 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-20 16:51 . 2009-06-20 16:51 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-20 16:51 . 2009-06-20 16:51 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-20 16:51 . 2006-08-13 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-18 23:05 . 2009-04-12 18:28 -------- d-----w- c:\documents and settings\Brian\Application Data\EndNote
2009-06-14 14:43 . 2006-08-13 17:49 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2009-05-28 05:05 . 2007-12-04 18:40 -------- d-----w- c:\documents and settings\Brian\Application Data\Move Networks
2009-05-26 17:20 . 2008-12-05 20:35 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 17:19 . 2008-12-05 20:35 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-22 01:42 . 2007-03-13 04:43 56680 ----a-w- c:\windows\system32\rpcnet.exe
2009-05-07 15:44 . 1980-01-01 07:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:31 . 1980-01-01 07:00 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:31 . 1980-01-01 07:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 1980-01-01 07:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 1980-01-01 07:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-10 23:43 . 2006-08-22 12:40 47208 ----a-w- c:\documents and settings\Brian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-26 23:30 . 2009-03-26 23:30 965344 ----a-w- c:\documents and settings\Brian\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000006.exe
2009-03-25 22:55 . 2008-01-22 01:43 33280 ----a-w- c:\windows\system32\identprv.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-17_01.50.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-20 22:21 . 2009-06-20 22:21 16384 c:\windows\Temp\Perflib_Perfdata_f8.dat
+ 2009-06-20 22:30 . 2009-06-20 22:30 16384 c:\windows\Temp\Perflib_Perfdata_4e4.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 65536 c:\windows\system32\wiawow32.sys
+ 2006-08-22 12:30 . 2009-06-20 19:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-08-22 12:30 . 2009-06-17 01:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-08-22 12:30 . 2009-06-20 19:54 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-08-22 12:30 . 2009-06-17 01:22 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-08-06 20:52 . 2007-08-06 20:52 40960 c:\windows\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2009-06-20 16:52 . 2009-06-20 16:52 40960 c:\windows\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2007-08-06 20:52 . 2007-08-06 20:52 40960 c:\windows\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2009-06-20 16:52 . 2009-06-20 16:52 40960 c:\windows\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2007-08-06 20:52 . 2007-08-06 20:52 25214 c:\windows\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\ARPPRODUCTICON.exe
+ 2009-06-20 16:52 . 2009-06-20 16:52 25214 c:\windows\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\ARPPRODUCTICON.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2006-11-16 43008]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-06-19 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-24 237568]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-03-09 94208]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 40960]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-03-09 106496]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2005-11-14 487424]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-03-09 69632]
"cssauth"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-12-22 1996336]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2005-10-28 335872]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-03-01 196710]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-13 169472]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-02-24 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-02-24 208896]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"a-squared"="c:\program files\A-SQUARED ANTI-MALWARE\a2guard.exe" [2008-12-18 2782352]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-27 185872]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~2\VPTray.exe" [2007-03-14 125632]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2004-10-21 29696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2006-1-17 618557]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2006-8-29 581632]
VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2009-4-17 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-03-09 09:02 49152 ----a-w- c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-04-17 20:01 32768 ----a-w- c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-02-14 19:16 39936 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd csspwntfy

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1156255765\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1156255765\\ee\\aim6.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [8/13/2006 1:20 PM 85760]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [8/13/2006 1:20 PM 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [8/13/2006 1:51 PM 4442]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [12/21/2005 8:14 PM 12544]
R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/15/2005 4:11 PM 46142]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [12/21/2005 7:45 PM 3968]
R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2/14/2006 3:02 PM 3328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/2/2008 7:06 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/20/2009 12:58 PM 101936]
S2 jsr468ijdfghfjsw3rw3i6tjag80;jsr468ijdfghfjsw3rw3i6tjag80;c:\windows\jsr468ijdfghfjsw3rw3i6tjag81.exe [6/20/2009 1:52 PM 12288]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ERASERUTILDRV10710
*Deregistered* - EraserUtilDrv10710
.
Contents of the 'Scheduled Tasks' folder

2009-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]

2009-06-20 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-08-13 08:13]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-13251094 - c:\documents and settings\All Users\Application Data\13251094\13251094.exe
HKLM-Run-93261086 - c:\documents and settings\All Users\Application Data\93261086\93261086.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-20 18:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1352)
c:\windows\system32\vrlogon.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\windows\system32\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(1408)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\IBM ThinkVantage\Client Security Solution\csspwntfy.dll
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtsp.dll
c:\program files\IBM ThinkVantage\Client Security Solution\tcsrpc.dll
c:\program files\IBM ThinkVantage\Client Security Solution\cssuserdatadispatcher.dll

- - - - - - - > 'explorer.exe'(5272)
c:\windows\system32\PROCHLP.DLL
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\a-squared Anti-Malware\a2service.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rpcnet.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
c:\program files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
c:\program files\ThinkVantage\SystemUpdate\UCLauncherService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\IBM ThinkVantage\Common\Logger\logmon.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Logitech\SetPoint\KHALMNPR.exe
c:\progra~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Completion time: 2009-06-20 18:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-20 22:37
ComboFix2.txt 2009-06-18 22:20
ComboFix3.txt 2009-06-17 22:16
ComboFix4.txt 2009-06-17 01:57

Pre-Run: 58,487,009,280 bytes free
Post-Run: 58,553,667,584 bytes free

302 --- E O F --- 2009-06-11 22:11

Last edited by Ried; 06-20-2009 at 05:13 PM.
bsweeney is offline  
Old 06-20-2009, 05:40 PM   #35 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Multiple problems -- please help

Hi Brian,

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/385942-multiple-problems-please-help-2.html#post2199978

Collect::
c:\windows\jsr468ijdfghfjsw3rw3i6tjag81.exe
c:\windows\system32\wiawow32.sys

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

***************************************************

Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
---------------------------------------------------------------------

If for some reason you did not receive a prompt to upload, please visit this site and click 'browse to file to submit'. Browse to the C:\Qoobox\Quarantine folder and look for the most recent [4]Submit <date and time>.zip and upload it.

Post the C:\ComboFix.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 06-20-2009 at 05:42 PM.
Ried is offline  
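The S2 service that Ried's script collects shows the pattern this kind of log triage looks for: a long random-looking service name whose binary sits directly in c:\windows rather than under system32 or Program Files. As an added example (not ComboFix's own code and not from this thread), the Python below parses the driver/service and Run-key lines of a ComboFix log and flags that pattern, plus all-digit autorun names like the orphans ComboFix removed; the sample lines it runs over are constructed, modelled on the log posted above.

```python
"""Triage helper for ComboFix log output (added example, not ComboFix code).

Reads the "R0/R1/R2/S2/S3 name;display;path [date size]" driver/service
lines and the "Name"="path" [date size] Run-key lines and flags entries
that match the indicators discussed in the thread.
"""
import math
import re
from collections import Counter

# Constructed sample lines, modelled on the ComboFix log posted above.
# The "13251094" autorun is constructed from the orphan entry ComboFix removed.
SAMPLE_LOG = r"""
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [8/13/2006 1:20 PM 85760]
R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2/14/2006 3:02 PM 3328]
S2 jsr468ijdfghfjsw3rw3i6tjag80;jsr468ijdfghfjsw3rw3i6tjag80;c:\windows\jsr468ijdfghfjsw3rw3i6tjag81.exe [6/20/2009 1:52 PM 12288]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"13251094"="c:\documents and settings\All Users\Application Data\13251094\13251094.exe" [2009-06-17 12288]
"""

# R = running, S = stopped in ComboFix's service listing; the digit is the start type.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+) "
    r"\[(?P<stamp>.+) (?P<size>\d+)\]$"
)
# Plain "Name"="path" [date size] Run entries; the '"x"="y.exe" - path' variant is skipped.
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<stamp>\S+) (?P<size>\d+)\]$')


def shannon_entropy(text):
    """Bits of entropy per character over the (case-folded) string."""
    counts = Counter(text.lower())
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name):
    """Long name mixing letters with several digits at high per-character entropy."""
    digits = sum(ch.isdigit() for ch in name)
    letters = sum(ch.isalpha() for ch in name)
    return len(name) >= 16 and digits >= 3 and letters >= 3 and shannon_entropy(name) >= 3.5


def directly_in_windows(path):
    """True for c:\\windows\\file.ext with no intermediate sub-directory."""
    prefix = "c:\\windows\\"
    p = path.lower()
    return p.startswith(prefix) and "\\" not in p[len(prefix):]


def in_user_data_dir(path):
    """True when the binary lives under an Application Data or Temp folder."""
    p = path.lower()
    return "\\application data\\" in p or "\\temp\\" in p


def triage(log_text):
    """Return a list of flagged entries, each with the reasons it was flagged."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SERVICE_RE.match(line)
        if m:
            kind = "service"
        else:
            m = RUN_RE.match(line)
            if not m:
                continue  # not a line this helper understands
            kind = "autorun"
        name, path = m["name"], m["path"]
        reasons = []
        if looks_random(name):
            reasons.append("random-looking name")
        if name.isdigit():
            reasons.append("all-digit name")
        if directly_in_windows(path):
            reasons.append("binary directly in c:\\windows")
        if in_user_data_dir(path):
            reasons.append("binary under Application Data or Temp")
        if reasons:
            findings.append({"kind": kind, "name": name, "path": path,
                             "size": int(m["size"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:8} {f['name']:32} {f['path']}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

Legitimate vendor entries (Shockprf, smihlp, SavRoam, ctfmon.exe) pass through untouched, so the output is a short list worth reviewing by hand rather than a verdict.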
Old 06-20-2009, 11:03 PM   #36 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 27
OS: Windows XP


Re: Multiple problems -- please help

Hi Ried,

Sorry, just got home. I ran ComboFix, but it didn't automatically upload my files, so I sent it in manually again. But, anyway, here's the ComboFix results.

Thanks again!

Brian

ComboFix 09-06-20.02 - Brian 06/21/2009 0:39.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.369 [GMT -4:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix2.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

file zipped: c:\windows\jsr468ijdfghfjsw3rw3i6tjag81.exe
file zipped: c:\windows\system32\wiawow32.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\jsr468ijdfghfjsw3rw3i6tjag81.exe
c:\windows\system32\wiawow32.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_jsr468ijdfghfjsw3rw3i6tjag80
-------\Service_jsr468ijdfghfjsw3rw3i6tjag80


((((((((((((((((((((((((( Files Created from 2009-05-21 to 2009-06-21 )))))))))))))))))))))))))))))))
.

2009-06-20 16:51 . 2009-06-20 16:51 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-06-20 16:51 . 2009-06-20 16:51 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-20 16:51 . 2009-06-20 16:51 -------- d-----w- c:\program files\Symantec
2009-06-20 16:51 . 2009-06-20 16:52 -------- d-----w- c:\program files\Symantec AntiVirus
2009-06-15 23:24 . 2009-06-15 23:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware_2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 04:46 . 2008-12-06 21:36 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-06-21 04:46 . 2007-03-13 04:43 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-06-21 04:33 . 2009-03-30 18:00 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-21 04:30 . 2006-08-13 17:49 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2009-06-20 22:21 . 2008-12-06 21:36 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2009-06-20 19:57 . 2008-10-18 16:57 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-20 18:11 . 2009-01-05 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-20 16:52 . 2006-08-13 17:41 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-20 16:51 . 2009-06-20 16:51 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-20 16:51 . 2009-06-20 16:51 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-20 16:51 . 2006-08-13 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-18 23:05 . 2009-04-12 18:28 -------- d-----w- c:\documents and settings\Brian\Application Data\EndNote
2009-05-28 05:05 . 2007-12-04 18:40 -------- d-----w- c:\documents and settings\Brian\Application Data\Move Networks
2009-05-26 17:20 . 2008-12-05 20:35 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 17:19 . 2008-12-05 20:35 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-22 01:42 . 2007-03-13 04:43 56680 ----a-w- c:\windows\system32\rpcnet.exe
2009-05-07 15:44 . 1980-01-01 07:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:31 . 1980-01-01 07:00 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:31 . 1980-01-01 07:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 1980-01-01 07:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 1980-01-01 07:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-10 23:43 . 2006-08-22 12:40 47208 ----a-w- c:\documents and settings\Brian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-26 23:30 . 2009-03-26 23:30 965344 ----a-w- c:\documents and settings\Brian\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000006.exe
2009-03-25 22:55 . 2008-01-22 01:43 33280 ----a-w- c:\windows\system32\identprv.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-17_01.50.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-20 22:30 . 2009-06-20 22:30 16384 c:\windows\Temp\Perflib_Perfdata_4e4.dat
+ 2006-08-22 12:30 . 2009-06-20 19:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-08-22 12:30 . 2009-06-17 01:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-08-22 12:30 . 2009-06-20 19:54 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-08-22 12:30 . 2009-06-17 01:22 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-06-20 16:52 . 2009-06-20 16:52 40960 c:\windows\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2007-08-06 20:52 . 2007-08-06 20:52 40960 c:\windows\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2009-06-20 16:52 . 2009-06-20 16:52 40960 c:\windows\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2007-08-06 20:52 . 2007-08-06 20:52 40960 c:\windows\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2009-06-20 16:52 . 2009-06-20 16:52 25214 c:\windows\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\ARPPRODUCTICON.exe
- 2007-08-06 20:52 . 2007-08-06 20:52 25214 c:\windows\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\ARPPRODUCTICON.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2006-11-16 43008]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-06-19 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-24 237568]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-03-09 94208]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 40960]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-03-09 106496]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2005-11-14 487424]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-03-09 69632]
"cssauth"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-12-22 1996336]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2005-10-28 335872]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-03-01 196710]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-13 169472]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-02-24 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-02-24 208896]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"a-squared"="c:\program files\A-SQUARED ANTI-MALWARE\a2guard.exe" [2008-12-18 2782352]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-27 185872]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~2\VPTray.exe" [2007-03-14 125632]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2004-10-21 29696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2006-1-17 618557]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2006-8-29 581632]
VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2009-4-17 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-03-09 09:02 49152 ----a-w- c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-04-17 20:01 32768 ----a-w- c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-02-14 19:16 39936 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd csspwntfy

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1156255765\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1156255765\\ee\\aim6.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [8/13/2006 1:20 PM 85760]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [8/13/2006 1:20 PM 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [8/13/2006 1:51 PM 4442]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [12/21/2005 8:14 PM 12544]
R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/15/2005 4:11 PM 46142]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [12/21/2005 7:45 PM 3968]
R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2/14/2006 3:02 PM 3328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/2/2008 7:06 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/20/2009 12:58 PM 101936]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ERASERUTILDRV10710
*Deregistered* - EraserUtilDrv10710
.
Contents of the 'Scheduled Tasks' folder

2009-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]

2009-06-21 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-08-13 08:13]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-21 00:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1364)
c:\windows\system32\vrlogon.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\windows\system32\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(1420)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\IBM ThinkVantage\Client Security Solution\csspwntfy.dll
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtsp.dll
c:\program files\IBM ThinkVantage\Client Security Solution\tcsrpc.dll
c:\program files\IBM ThinkVantage\Client Security Solution\cssuserdatadispatcher.dll

- - - - - - - > 'explorer.exe'(4408)
c:\windows\system32\PROCHLP.DLL
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\a-squared Anti-Malware\a2service.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rpcnet.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
c:\program files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
c:\program files\ThinkVantage\SystemUpdate\UCLauncherService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\IBM ThinkVantage\Common\Logger\logmon.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Logitech\SetPoint\KHALMNPR.exe
c:\progra~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Completion time: 2009-06-21 0:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-21 04:55
ComboFix2.txt 2009-06-20 22:59
ComboFix3.txt 2009-06-18 22:20
ComboFix4.txt 2009-06-17 22:16
ComboFix5.txt 2009-06-21 04:38

Pre-Run: 58,576,785,408 bytes free
Post-Run: 58,562,371,584 bytes free

266 --- E O F --- 2009-06-11 22:11
Attached Files
File Type: txt ComboFix.txt (17.5 KB, 1 views)

Last edited by Ried; 06-21-2009 at 12:17 AM.
Old 06-21-2009, 09:22 AM   #37 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Multiple problems -- please help

Files received, thanks Brian.

Please go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure to set the options as follows:
  • Remove found threats is unticked,
  • Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.

Last edited by Ried; 06-21-2009 at 09:24 AM.
Old 06-21-2009, 11:41 AM   #38 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 27
OS: Windows XP


Re: Multiple problems -- please help

Hi Ried,

The scan just finished, and I've included the results below. Everything seems to be running fine otherwise that I can see. Thanks!

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=656178288a73b846aa88ffaa0e722098
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-21 05:31:54
# local_time=2009-06-21 01:31:54 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=3585 63 50 0 0
# scanned=92049
# found=27
# cleaned=0
# scan_time=3160
C:\Qoobox\Quarantine\C\tj.vbs.vir VBS/Agent.NBO trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\13251094\13251094.exe.vir a variant of Win32/Kryptik.UR trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\93261086\93261086.exe.vir a variant of Win32/Kryptik.UR trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Program Files\Manson\liser.exe.vir a variant of Win32/PSW.WOW.NLB trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACaaphngdrqbijqys.dll.vir Win32/Olmarik.HQ trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACcfplcqrdnosvxfv.dll.vir Win32/Olmarik.IA trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACercpobdhamqtuug.dll.vir a variant of Win32/Kryptik.PS trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACgkphxflnyacllhc.dll.vir Win32/Olmarik.HZ trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACjofvdyjienrupxr.dll.vir Win32/Olmarik.IA trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvtmthseecbcquwb.dll.vir Win32/Olmarik.HZ trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACwbpddqjwxrviruq.dll.vir a variant of Win32/Kryptik.PS trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACnkuklxjqmlyjlau.sys.vir a variant of Win32/Olmarik.ID trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP42\A0010107.sys a variant of Win32/Olmarik.ID trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP42\A0010109.dll Win32/Olmarik.IA trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP42\A0010111.dll Win32/Olmarik.HZ trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP42\A0010112.dll a variant of Win32/Kryptik.PS trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP42\A0010134.vbs VBS/Agent.NBO trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP42\A0010151.dll Win32/Olmarik.HQ trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP42\A0010153.dll a variant of Win32/Kryptik.PS trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP42\A0010154.dll Win32/Olmarik.HZ trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP42\A0010155.dll Win32/Olmarik.IA trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP42\A0010171.dll a variant of Win32/Adware.Virtumonde.NEW application 00000000000000000000000000000000
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP42\A0010172.dll a variant of Win32/Adware.Virtumonde.NEW application 00000000000000000000000000000000
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP49\A0011976.exe a variant of Win32/PSW.WOW.NLB trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP49\A0011986.exe a variant of Win32/Kryptik.UR trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP49\A0011987.exe a variant of Win32/Kryptik.UR trojan 00000000000000000000000000000000
C:\WINDOWS\system32\net.net Win32/TrojanClicker.Punad.AA trojan 00000000000000000000000000000000
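The ESET log above is worth triaging by location before acting on it: hits under C:\Qoobox\Quarantine are files ComboFix already moved aside, hits under System Volume Information are inert restore-point copies, and only what is left on the live system needs further cleanup. The parser below is an added example, not code from the thread or from ESET; the sample log is a constructed excerpt in the same layout as the one posted above, and the classify rules are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample (added example, not from the thread) in the layout of the
# ESET log above: "# key=value" header lines, then <path> <name> <type> <hash>.
SAMPLE_LOG = r"""
# remove_checked=false
# unwanted_checked=true
# found=4
C:\Qoobox\Quarantine\C\tj.vbs.vir VBS/Agent.NBO trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\13251094\13251094.exe.vir a variant of Win32/Kryptik.UR trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP42\A0010107.sys a variant of Win32/Olmarik.ID trojan 00000000000000000000000000000000
C:\WINDOWS\system32\net.net Win32/TrojanClicker.Punad.AA trojan 00000000000000000000000000000000
"""

# Paths contain spaces, so anchor on the "Family/Variant" detection name
# (optionally prefixed by "a variant of") and the trailing 32-hex hash.
DETECTION = re.compile(
    r"^(?P<path>.+?)\s+(?P<name>(?:a variant of )?[A-Za-z0-9]+/\S+)\s+"
    r"(?P<kind>\S+)\s+(?P<hash>[0-9a-fA-F]{32})$"
)

def classify(path):
    # Assumed location rules: ComboFix quarantine, restore point, or live system.
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "quarantined"    # already moved aside by ComboFix
    if "\\system volume information\\_restore" in p:
        return "restore_point"  # inert copy, gone once restore points are purged
    return "live"               # still on the running system: needs action

def parse_eset_log(text):
    """Return (header options, detections) parsed from ESET log text."""
    options, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            options[key] = value
        elif (m := DETECTION.match(line)):
            hit = m.groupdict()
            hit["location"] = classify(hit["path"])
            detections.append(hit)
    return options, detections

def triage(text):
    """Was this scan-only, how many hits per location, and which live paths remain?"""
    options, detections = parse_eset_log(text)
    return {"scan_only": options.get("remove_checked") == "false",
            "counts": dict(Counter(h["location"] for h in detections)),
            "live": [h["path"] for h in detections if h["location"] == "live"]}
```

Run against the sample, the only live hit is net.net, which is exactly the one file the follow-up CFScript targets.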
Old 06-21-2009, 12:19 PM   #39 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Multiple problems -- please help

One more CFScript.

Open notepad and copy/paste the text in the code box below into it:

Quote:

File::
c:\windows\system32\net.net

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, please post the C:\ComboFix.txt
Old 06-21-2009, 12:48 PM   #40 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 27
OS: Windows XP


Re: Multiple problems -- please help

Thanks Ried. Here's the new ComboFix log.
Attached Files
File Type: txt ComboFix.txt (15.2 KB, 1 views)
 


Copyright 2001 - 2009, Tech Support Forum