Spyware/Virus Removal (cont'd from previous thread)

[e-bama]

Previous topic

Spyware/Virus Removal - PLEASE HELP!!

Please help with the remaining steps in cleaning my computer. ComboFix.txt log listed below.

THANKS!


ComboFix 09-06-21.01 - 410Brantley 06/22/2009 10:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2279 [GMT -5:00]
Running from: c:\documents and settings\410brantley\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\410brantley\Application Data\mllntuec
c:\documents and settings\410brantley\Local Settings\Application Data\mllntuec
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\NetworkService\Application Data\mllntuec
c:\documents and settings\NetworkService\Local Settings\Application Data\mllntuec
c:\program files\Common
c:\recycler\S-1-5-21-1233931459-2918598142-4291659859-1005
c:\recycler\S-1-5-21-703021747-2940346758-2480081977-500
c:\windows\system32\drivers\pdmpdpgu.sys
c:\windows\system32\drivers\wjuzuyas.sys
c:\windows\system32\gkbqdlu.dll
c:\windows\system32\spkdmqm.dll
c:\windows\Tasks\At1.job
c:\documents and settings\410brantley\Application Data\mllntuec\profiles.ini
c:\documents and settings\410brantley\Application Data\mllntuec\Profiles\6ql0ki60.default\cert8.db
c:\documents and settings\410brantley\Application Data\mllntuec\Profiles\6ql0ki60.default\compatibility.ini
c:\documents and settings\410brantley\Application Data\mllntuec\Profiles\6ql0ki60.default\compreg.dat
c:\documents and settings\410brantley\Application Data\mllntuec\Profiles\6ql0ki60.default\cookies.sqlite
c:\documents and settings\410brantley\Application Data\mllntuec\Profiles\6ql0ki60.default\formhistory.sqlite
c:\documents and settings\410brantley\Application Data\mllntuec\Profiles\6ql0ki60.default\key3.db
c:\documents and settings\410brantley\Application Data\mllntuec\Profiles\6ql0ki60.default\localstore.rdf
c:\documents and settings\410brantley\Application Data\mllntuec\Profiles\6ql0ki60.default\permissions.sqlite
c:\documents and settings\410brantley\Application Data\mllntuec\Profiles\6ql0ki60.default\places.sqlite
c:\documents and settings\410brantley\Application Data\mllntuec\Profiles\6ql0ki60.default\pluginreg.dat
c:\documents and settings\410brantley\Application Data\mllntuec\Profiles\6ql0ki60.default\prefs.js
c:\documents and settings\410brantley\Application Data\mllntuec\Profiles\6ql0ki60.default\secmod.db
c:\documents and settings\410brantley\Application Data\mllntuec\Profiles\6ql0ki60.default\webappsstore.sqlite
c:\documents and settings\410brantley\Application Data\mllntuec\Profiles\6ql0ki60.default\xpti.dat
c:\documents and settings\410brantley\Local Settings\Application Data\mllntuec\Profiles\6ql0ki60.default\urlclassifier3.sqlite
c:\documents and settings\410brantley\Local Settings\Application Data\mllntuec\Profiles\6ql0ki60.default\XPC.mfl
c:\documents and settings\NetworkService\Application Data\mllntuec\profiles.ini
c:\documents and settings\NetworkService\Application Data\mllntuec\Profiles\gymdxgv1.default\cert8.db
c:\documents and settings\NetworkService\Application Data\mllntuec\Profiles\gymdxgv1.default\compatibility.ini
c:\documents and settings\NetworkService\Application Data\mllntuec\Profiles\gymdxgv1.default\compreg.dat
c:\documents and settings\NetworkService\Application Data\mllntuec\Profiles\gymdxgv1.default\cookies.sqlite
c:\documents and settings\NetworkService\Application Data\mllntuec\Profiles\gymdxgv1.default\formhistory.sqlite
c:\documents and settings\NetworkService\Application Data\mllntuec\Profiles\gymdxgv1.default\key3.db
c:\documents and settings\NetworkService\Application Data\mllntuec\Profiles\gymdxgv1.default\localstore.rdf
c:\documents and settings\NetworkService\Application Data\mllntuec\Profiles\gymdxgv1.default\permissions.sqlite
c:\documents and settings\NetworkService\Application Data\mllntuec\Profiles\gymdxgv1.default\places.sqlite
c:\documents and settings\NetworkService\Application Data\mllntuec\Profiles\gymdxgv1.default\places.sqlite-journal
c:\documents and settings\NetworkService\Application Data\mllntuec\Profiles\gymdxgv1.default\pluginreg.dat
c:\documents and settings\NetworkService\Application Data\mllntuec\Profiles\gymdxgv1.default\prefs.js
c:\documents and settings\NetworkService\Application Data\mllntuec\Profiles\gymdxgv1.default\secmod.db
c:\documents and settings\NetworkService\Application Data\mllntuec\Profiles\gymdxgv1.default\webappsstore.sqlite
c:\documents and settings\NetworkService\Application Data\mllntuec\Profiles\gymdxgv1.default\xpti.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\mllntuec\Profiles\gymdxgv1.default\urlclassifier3.sqlite
c:\documents and settings\NetworkService\Local Settings\Application Data\mllntuec\Profiles\gymdxgv1.default\XPC.mfl
c:\program files\Common\helper.dll
c:\recycler\S-1-5-21-1233931459-2918598142-4291659859-1005\desktop.ini
c:\recycler\S-1-5-21-1233931459-2918598142-4291659859-1005\INFO2
c:\recycler\S-1-5-21-703021747-2940346758-2480081977-500\desktop.ini
c:\recycler\S-1-5-21-703021747-2940346758-2480081977-500\INFO2
c:\windows\pesp32p.dll

----- BITS: Possible infected sites -----

hxxp://SCCM01.EMJMETALS.COM:80
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GWMKZOFE
-------\Legacy_WJUZUYAS
-------\Service_gwmkzofe
-------\Service_wjuzuyas


((((((((((((((((((((((((( Files Created from 2009-05-22 to 2009-06-22 )))))))))))))))))))))))))))))))
.

2009-06-22 15:21 . 2009-06-22 15:21 -------- d-----w- C:\quarantine
2009-06-16 15:27 . 2006-09-15 01:00 58464 ----a-w- c:\windows\system32\drivers\mvstdi5x.sys
2009-06-16 15:27 . 2006-09-15 01:00 116992 ----a-w- c:\windows\system32\drivers\naiavf5x.sys
2009-06-16 15:27 . 2009-06-16 15:27 -------- d-----w- c:\program files\Common Files\Network Associates
2009-06-15 19:57 . 2009-06-15 21:16 -------- d-----w- c:\documents and settings\410brantley\.housecall6.6
2009-06-15 18:34 . 2009-06-22 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-15 18:34 . 2009-06-22 15:00 -------- d-----w- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-22 15:35 . 2009-04-13 16:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-22 01:35 . 2007-02-25 18:04 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2009-06-16 15:27 . 2007-04-18 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Network Associates
2009-06-16 15:27 . 2007-04-18 14:09 -------- d-----w- c:\program files\Network Associates
2009-06-16 01:47 . 2007-02-25 17:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-16 01:47 . 2009-04-06 15:41 -------- d-----w- c:\program files\Common Files\Kaspersky Lab
2009-06-16 01:42 . 2009-04-13 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-15 15:27 . 2009-04-12 03:00 0 ----a-w- c:\windows\Rnojetasoyuy.bin
2009-05-27 18:42 . 2009-01-08 16:31 66696 ----a-w- c:\documents and settings\410brantley\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-28 21:47 . 2007-02-25 17:52 -------- d-----w- c:\program files\Java
2009-04-16 17:07 . 2009-04-11 02:03 408 ----a-w- c:\windows\Kfawocub.dat
2009-04-14 19:33 . 2009-04-14 19:33 2609 ----a-w- c:\windows\mdgmemsg.dll
2009-04-14 14:03 . 2009-04-14 14:03 2609 ----a-w- c:\windows\sh32df.dll
2009-04-14 13:59 . 2009-04-14 13:59 2609 ----a-w- c:\windows\iforobif.dll
2009-04-13 19:41 . 2009-04-13 19:41 2609 ----a-w- c:\windows\mdgxdl.dll
2009-04-13 19:37 . 2009-04-13 19:37 2609 ----a-w- c:\windows\ukegajekumibol.dll
2009-04-11 02:03 . 2009-04-11 02:03 2609 ----a-w- c:\windows\cmp320n.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-03 2832280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-25 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-25 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2008-07-04 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-04 1323008]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-23 237568]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 856064]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2006-07-04 110592]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-08-16 69632]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-10-27 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-10-27 143360]
"PDService.exe"="c:\program files\Lenovo\SafeGuard PrivateDisk\pdservice.exe" [2006-03-14 41472]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2006-07-15 2341632]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2006-10-04 131072]
"RightFAX Print-to-Fax Driver"="c:\program files\RightFax\Client\FaxCtrl.exe" [2004-10-22 94208]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2008-06-25 49928]
"Mobile Synchronization"="c:\program files\Pivotal\SyncStream\\HttpSyncStat.exe" [2007-05-29 1236992]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2006-07-11 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-08-19 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-18 94208]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2006-03-16 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-5-9 1528880]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-1-8 50688]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-8-19 282624]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2009-1-8 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 17:07 49152 ----a-w- c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2008-06-25 01:31 95496 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2008-10-27 17:57 32768 ----a-w- c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 14:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 11:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-127668209-1135159211-1132862498-14694\Scripts\Logoff\0\0]
"Script"=Logoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-127668209-1135159211-1132862498-14694\Scripts\Logon\0\0]
"Script"=Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"52988:TCP"= 52988:TCP:@xpsp2res.dll,-22009
"37077:TCP"= 37077:TCP:@xpsp2res.dll,-22009
"8635:TCP"= 8635:TCP:@xpsp2res.dll,-22009
"15665:TCP"= 15665:TCP:@xpsp2res.dll,-22009
"15639:TCP"= 15639:TCP:@xpsp2res.dll,-22009
"6325:TCP"= 6325:TCP:@xpsp2res.dll,-22009
"45651:TCP"= 45651:TCP:@xpsp2res.dll,-22009
"60637:TCP"= 60637:TCP:@xpsp2res.dll,-22009
"64141:TCP"= 64141:TCP:@xpsp2res.dll,-22009
"58808:TCP"= 58808:TCP:@xpsp2res.dll,-22009
"35789:TCP"= 35789:TCP:@xpsp2res.dll,-22009
"38368:TCP"= 38368:TCP:@xpsp2res.dll,-22009
"45349:TCP"= 45349:TCP:@xpsp2res.dll,-22009
"31509:TCP"= 31509:TCP:@xpsp2res.dll,-22009
"60965:TCP"= 60965:TCP:@xpsp2res.dll,-22009
"48049:TCP"= 48049:TCP:@xpsp2res.dll,-22009
"24038:TCP"= 24038:TCP:@xpsp2res.dll,-22009
"14288:TCP"= 14288:TCP:@xpsp2res.dll,-22009
"45851:TCP"= 45851:TCP:@xpsp2res.dll,-22009
"3026:TCP"= 3026:TCP:@xpsp2res.dll,-22009
"27566:TCP"= 27566:TCP:@xpsp2res.dll,-22009
"44743:TCP"= 44743:TCP:@xpsp2res.dll,-22009
"62696:TCP"= 62696:TCP:@xpsp2res.dll,-22009
"48351:TCP"= 48351:TCP:@xpsp2res.dll,-22009
"3562:TCP"= 3562:TCP:@xpsp2res.dll,-22009
"34612:TCP"= 34612:TCP:@xpsp2res.dll,-22009
"19107:TCP"= 19107:TCP:@xpsp2res.dll,-22009
"63709:TCP"= 63709:TCP:@xpsp2res.dll,-22009

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2/25/2007 12:42 PM 88576]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 3:00 AM 26624]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [6/16/2009 10:27 AM 58464]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2/25/2007 12:42 PM 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2/25/2007 12:42 PM 4442]
R2 PrivateDisk;PrivateDisk;c:\program files\Lenovo\SafeGuard PrivateDisk\privatediskm.sys [3/13/2006 7:05 PM 58368]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [7/14/2006 6:55 PM 3968]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [6/24/2008 8:07 PM 12560]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2/7/2007 3:00 AM 2944]
S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - WJUZUYAS
*Deregistered* - wjuzuyas
.
Contents of the 'Scheduled Tasks' folder

2009-06-22 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-02-25 16:13]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://emjcommunity/JAZ/home.asp
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: emjmetals.com
Trusted Zone: emjmetals.com\archivemanager
Trusted Zone: zillappprod
Trusted Zone: zilloptiprod
Trusted Zone: emjmetals.com\archivemanager
Trusted Zone: zillappprod
Trusted Zone: zilloptiprod
TCP: {9AAACF33-4612-4673-953E-F0C29967A4F4} = 68.28.90.91 68.28.82.91
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-22 10:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(448)
c:\windows\system32\CSGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\qlbase.dll
c:\windows\system32\tphklock.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(504)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll

- - - - - - - > 'explorer.exe'(5824)
c:\windows\system32\PROCHLP.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\netprovcredman.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\DWRCS.EXE
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Common Files\System\MSSearch\Bin\mssearch.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\windows\system32\DWRCST.EXE
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\msiexec.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
.
**************************************************************************
.
Completion time: 2009-06-22 10:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-22 15:44

Pre-Run: 55,422,844,928 bytes free
Post-Run: 55,795,175,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

341 --- E O F --- 2009-01-08 17:01

[tetonbob]

Hello -

As amateur noted in the initial reply you received, this forum is very busy. Three days seems like plenty to return a reply. If there are extenuating circumstances which might prevent a reply in that time, it's a good idea to let the volunteer know, as we all only take on a certain amount of active topics. This then prevents us from helping someone else during that time period.

Please try to complete these steps more promptly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

ComboFix seems to have done a good job.


Open NOTEPAD.exe and copy/paste the text in the codebox below into it:

Code:

@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

c:\windows\Rnojetasoyuy.bin
c:\windows\Kfawocub.dat
c:\windows\mdgmemsg.dll
c:\windows\sh32df.dll
c:\windows\iforobif.dll
c:\windows\mdgxdl.dll
c:\windows\ukegajekumibol.dll
c:\windows\cmp320n.dll

) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)

if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

• Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
• Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 14 -"
• Click the "Download" button to the right.
• Select the Windows platform from the dropdown menu.
• Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6u14 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.
• Click on the link to download Windows Offline Installation and save the file to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  
  
  Java(TM) SE Runtime Environment 6 Update 1
  
  
  
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.

• After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on Settings. Uncheck Mail databases.
• Next, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

Post a new set of logs from DDS, and let me know how the machine is behaving, please.

[e-bama]

Thanks for helping tetonbob.

The fix.bat said it "deleted successfully". I deleted the older version of Java and downloaded JRE6 Update 14.

The Kasperspy Online Scan results are as follows:

KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, June 22, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, June 22, 2009 22:57:55
Records in database: 2378674
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 60487
Threat name: 5
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 01:01:29


File name / Threat name / Threats count
C:\Documents and Settings\410brantley\.housecall6.6\Quarantine\pesp32p.dll.bac_a04248 Infected: Trojan-Downloader.Win32.Mufanom.td 1
C:\Documents and Settings\410brantley\.housecall6.6\Quarantine\sys.dat.bac_a04248 Infected: not-a-virus:AdWare.Win32.SuperJuan.tou 1
C:\Documents and Settings\410brantley\.housecall6.6\Quarantine\syssvc.exe.bac_a04248 Infected: Trojan-Dropper.Win32.FrauDrop.f 1
C:\Qoobox\Quarantine\C\Program Files\Common\helper.dll.vir Infected: Trojan.Win32.ExeDot.mq 1
C:\Qoobox\Quarantine\C\WINDOWS\pesp32p.dll.vir Infected: Trojan-Downloader.Win32.Mufanom.td 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_wjuzuyas_.sys.zip Infected: Trojan.Win32.BHO.ext 1

The selected area was scanned.


The new #DDS.txt file is as follows:

DDS (Ver_09-05-14.01) - NTFSx86
Run by 410Brantley at 17:37:35.84 on Mon 06/22/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2295 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\Client\FaxCtrl.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe
C:\Documents and Settings\410brantley\Local Settings\Temporary Internet Files\Content.IE5\2XOX4R8B\dds[1].pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://emjcommunity/JAZ/home.asp
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TP4EX] tp4ex.exe
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [PDService.exe] "c:\program files\lenovo\safeguard privatedisk\pdservice.exe"
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [RightFAX Print-to-Fax Driver] c:\program files\rightfax\client\FaxCtrl.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [PSQLLauncher] "c:\program files\thinkvantage fingerprint software\launcher.exe" /startup
mRun: [Mobile Synchronization] c:\program files\pivotal\syncstream\\HttpSyncStat.exe
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: emjmetals.com
Trusted Zone: emjmetals.com\archivemanager
Trusted Zone: zillappprod
Trusted Zone: zilloptiprod
Trusted Zone: emjmetals.com\archivemanager
Trusted Zone: zillappprod
Trusted Zone: zilloptiprod
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Notify: ACNotify - ACNotify.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: AwayNotify - c:\program files\lenovo\awaytask\AwayNotify.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli ACGina psqlpwd

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2007-2-25 88576]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2007-2-25 11520]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2007-2-25 4224]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2009-6-16 58464]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2007-2-25 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2007-2-25 4442]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2007-4-18 98304]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2006-9-14 221191]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2006-9-14 29184]
R2 MSSEARCH;Microsoft Search;c:\program files\common files\system\mssearch\bin\mssearch.exe [2007-4-18 69632]
R2 PrivateDisk;PrivateDisk;c:\program files\lenovo\safeguard privatedisk\privatediskm.sys [2006-3-13 58368]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2006-7-14 3968]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2008-6-24 12560]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 2944]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2009-6-16 116992]
R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-5-9 280344]
S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]

=============== Created Last 30 ================

2009-06-22 13:57 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-22 13:49 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-22 13:37 <DIR> --d----- c:\documents and settings\410brantley\.SunDownloadManager
2009-06-22 10:21 <DIR> --d----- C:\quarantine
2009-06-22 10:20 <DIR> a-dshr-- C:\cmdcons
2009-06-22 10:18 161,792 a------- c:\windows\SWREG.exe
2009-06-22 10:18 155,136 a------- c:\windows\PEV.exe
2009-06-22 10:18 98,816 a------- c:\windows\sed.exe
2009-06-16 10:27 116,992 a------- c:\windows\system32\drivers\naiavf5x.sys
2009-06-16 10:27 58,464 a------- c:\windows\system32\drivers\mvstdi5x.sys
2009-06-16 10:27 <DIR> --d----- c:\program files\common files\Network Associates
2009-06-15 14:57 <DIR> --d----- c:\documents and settings\410brantley\.housecall6.6
2009-06-15 13:34 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-15 13:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2009-06-21 20:35 5,427 a------- c:\windows\system32\EGATHDRV.SYS

============= FINISH: 17:38:01.75 ===============


The new #attach.txt and Ark.txt logs are attached.



The computer is running fine now.

Let me know what other steps need to be taken.

Thanks!

[tetonbob]

Hi e-bama -

Kaspersky has found infected items in Trend Micro Housecall's quarantine folder. This folder can be deleted, or you can delete the contents.



C:\Documents and Settings\410brantley\.housecall6.6\Quarantine

To easily get to the folder, Go to Start > Run, and copy/paste the following, then press Enter

"C:\Documents and Settings\410brantley\.housecall6.6"



The other items Kaspersky found are in ComboFix quarantine, and will be addressed by uninstalling ComboFix as instructed below.

Other than that....We should be done here. Some final housekeeping instructions, and protection information for you.

Your logs appear clean.You should be good to go. We still have a few items to address.


Disconnect from the internet and disable your AntiVirus temporarily.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

• Microsoft Windows Update - http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.
  
  
• Winpatrol
  
  Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.
  
  You can get a free copy of Winpatrol or use the Plus version for more features.
  
  You can read Winpatrol's FAQ if you run into problems.
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  
  Do not install more than one AntiVirus program because they will conflict with each other.
  
  
• Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
  
  
• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• How did I get infected in the first place?
• PC Safety and Security--What Do I Need?

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[tetonbob]

Since this issue appears to be resolved, this topic will now be archived. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help