Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
08-16-2009, 03:18 PM   #1
Registered User
Join Date: Aug 2009
Posts: 12
OS: windows xp pro

3 Virus Issues

I have three issues with my friend's computer that I'm trying to repair for her. They may all be related to one another, but this is what's going on.

The computer was recently infected with several viruses and trojans that were removed with Malwarebytes (thanks). However, I have not been able to remove this one.

C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent)

It states it is to be removed when the computer has been rebooted, but I just ran another Malwarebytes scan and it is still there. The Zone Alarm scan states no infections.

I'm also getting a "Generic Host Process for Win32 Services encountered a problem" error.

The last issue is that the computer will not connect to the internet, yet I can pull up the command line and ping google.com and any other site.

Any help with these problems will be appreciated. Thanks, guys. I already ran DDS and GMER; here's my DDS scan, and I have attached the GMER scan as well.



DDS (Ver_09-07-30.01) - NTFSx86
Run by kristine felarca at 13:50:22.85 on Sun 08/16/2009
Internet Explorer: 7.0.5730.11

============== Running Processes ===============


============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://update.spysubtract.com/tmuninstall.php?220=
uInternet Settings,ProxyOverride = <local>
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: c:\windows\system32\gsf83iujid.dll: {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - c:\windows\system32\gsf83iujid.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Aim6]
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [LowRiskFileTypes] c:\windows\sysguard.exe
uRun: [braviax] c:\windows\system32\braviax.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [EOUApp] "c:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [VAIO Recovery] "c:\windows\sonysys\vaio recovery\PartSeal.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_07\bin\jusched.exe"
mRun: [SonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [DISCover] "c:\program files\disc\DISCover.exe"
mRun: [Biomenu] "c:\program files\protector suite ql\menusw.exe"
mRun: [VAIOCameraUtility] "c:\program files\sony\vaio camera utility\VCUServe.exe"
mRun: [WCULauncher] "c:\program files\sony\smartwi connection utility\WCULauncher.exe"
mRun: [PartSeal] "c:\windows\sonysys\vaio recovery\PartSeal.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\kristi~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\kristi~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\kristi~1\startm~1\programs\startup\vcastm~1.lnk - c:\program files\verizon wireless\v cast music essentials manager\V CAST Music Monitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: psfus - fusstub.dll
Notify: VESWinlogon - VESWinlogon.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: c:\windows\system32\
STS: c:\windows\system32\gsf83iujid.dll: {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - c:\windows\system32\gsf83iujid.dll
LSA: Notification Packages = scecli fusstub c:\windows\system32\vizisida.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kristi~1\applic~1\mozilla\firefox\profiles\82woiip3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\kristine felarca\application data\mozilla\firefox\profiles\82woiip3.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJPI150_07.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-08-16 13:12 0 -------- c:\windows\system32\drivers\str.sys
2009-08-15 18:01 <DIR> --d----- c:\windows\pss
2009-08-15 17:46 <DIR> --d----- c:\docume~1\kristi~1\applic~1\MailFrontier
2009-08-15 17:31 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-08-15 17:31 72,592 a------- c:\windows\zllsputility.exe
2009-08-15 17:30 1,221,008 a------- c:\windows\system32\zpeng25.dll
2009-08-15 17:30 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-08-15 17:30 <DIR> --d----- c:\program files\Zone Labs
2009-08-15 17:30 349,222 a------- c:\windows\system32\vsconfig.xml
2009-08-15 17:29 <DIR> --d----- c:\windows\Internet Logs
2009-08-15 16:59 <DIR> --d----- c:\program files\Lavasoft
2009-08-15 16:58 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-06 15:29 2 a------- c:\windows\0535251103110107106.lio
2009-08-06 14:30 57 a------- C:\xcrashdump.dat
2009-08-06 14:27 <DIR> --d----- c:\program files\BrowserCtl
2009-08-06 14:27 2 a------- c:\windows\010112010146120114.dat

==================== Find3M ====================

2009-08-06 14:26 238,642 a------- c:\windows\system32\wisdstr.exe
2009-07-10 20:32 56,652 a---h--- c:\windows\system32\mlfcache.dat
2009-07-10 19:51 77,312 a------- c:\windows\system32\drivers\btgcd.sys
2009-07-10 19:45 0 a------- C:\ciuge.exe
2009-07-10 19:45 0 a------- C:\icigerrb.exe
2009-07-10 19:45 0 a------- C:\clynbqef.exe
2009-07-10 19:45 0 a------- C:\lkrpk.exe
2009-07-10 19:45 7,680 a------- C:\kpepb.exe
2009-07-05 14:40 0 a------- C:\jsrtadqg.exe
2009-07-05 14:40 0 a------- C:\kkfwg.exe
2009-07-05 14:40 0 a------- C:\fdvjfx.exe
2009-07-05 14:40 0 a------- C:\gklrwl.exe
2009-07-05 14:39 39,424 a------- C:\tcburi.exe
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2008-01-11 03:48 0 a------- c:\docume~1\kristi~1\applic~1\wklnhst.dat

============= FINISH: 13:52:08.53 ===============
Attached Files
File Type: zip Attach.zip (95.5 KB, 3 views)

Last edited by jimmy3025; 08-16-2009 at 03:20 PM.
jimmy3025 is offline  
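An added triage helper (my own example code, not a tool from this thread and not part of DDS or ComboFix): it parses the file entries and a few pseudo-HJT lines of the DDS log above and flags the entries a responder would want to look at first. The rules and the KNOWN_LSA_PACKAGES baseline are my assumptions; the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import List

# One DDS file entry: "2009-08-16 13:12 0 -------- c:\windows\system32\drivers\str.sys"
# (the size column is "<DIR>" for directories, otherwise digits with thousands separators).
FILE_ENTRY = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
# Pseudo-HJT browser helper object entry: "BHO: <display name>: {CLSID} - <dll path>"
BHO_ENTRY = re.compile(r"^BHO: (?P<name>.+?): \{[0-9a-f-]{36}\} - (?P<path>.+)$", re.I)
# Baseline assumption: a stock Windows XP install lists only scecli as an LSA Notification Package.
KNOWN_LSA_PACKAGES = {"scecli"}

# Constructed sample: lines copied from the DDS log in the first post (benign lines included).
SAMPLE_DDS = r"""
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: c:\windows\system32\gsf83iujid.dll: {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - c:\windows\system32\gsf83iujid.dll
AppInit_DLLs: c:\windows\system32\
LSA: Notification Packages = scecli fusstub c:\windows\system32\vizisida.dll
2009-08-16 13:12 0 -------- c:\windows\system32\drivers\str.sys
2009-08-15 18:01 <DIR> --d----- c:\windows\pss
2009-08-15 17:31 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-07-10 19:51 77,312 a------- c:\windows\system32\drivers\btgcd.sys
2009-07-10 19:45 0 a------- C:\ciuge.exe
2009-07-10 19:45 7,680 a------- C:\kpepb.exe
"""


@dataclass
class Finding:
    line: str    # the DDS line that matched a rule
    reason: str  # what makes it worth a closer look


def _is_drive_root_exe(path: str) -> bool:
    # "C:\ciuge.exe": drive letter, one backslash, a file name and nothing deeper
    return re.fullmatch(r"[a-z]:\\[^\\]+\.exe", path, re.I) is not None


def triage_dds(report: str) -> List[Finding]:
    """Run each line of a DDS report through a few rules and collect the hits."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_ENTRY.match(line)
        if m:
            path = m.group("path").strip()
            low = path.lower()
            if m.group("size") == "0" and low.endswith(".sys") and "\\drivers\\" in low:
                findings.append(Finding(line, "zero-byte .sys in the drivers directory"))
            elif _is_drive_root_exe(path):
                findings.append(Finding(line, "executable sitting directly in the drive root"))
            continue
        b = BHO_ENTRY.match(line)
        if b and b.group("name").strip().lower() == b.group("path").strip().lower():
            findings.append(Finding(line, "BHO whose display name is just its own DLL path"))
            continue
        key = line.lower()
        if key.startswith("appinit_dlls:") and line.split(":", 1)[1].strip():
            findings.append(Finding(line, "AppInit_DLLs is non-empty (loads into every process that maps user32.dll)"))
        elif key.startswith("lsa: notification packages") and "=" in line:
            pkgs = line.split("=", 1)[1].split()
            by_path = [p for p in pkgs if "\\" in p and p.lower() not in KNOWN_LSA_PACKAGES]
            if by_path:
                findings.append(Finding(line, "LSA Notification Package registered by full path: " + ", ".join(by_path)))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"{f.reason}\n    {f.line}")
```

Paste a full dds.txt into triage_dds to get the same kind of shortlist; every hit still needs a human to confirm it, since a zero-byte driver or a root-level executable can also be an installer leftover.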
08-21-2009, 06:53 PM   #2
Registered User
Join Date: Aug 2009
Posts: 12
OS: windows xp pro

Re: 3 Virus Issues

Bump this thread, please.
jimmy3025 is offline  
08-21-2009, 07:43 PM   #3
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,987
OS: WinXP and Vista

Re: 3 Virus Issues

Hello jimmy3025, and thank you for your patience.

Would you be kind enough to run new scans so I may see a more current state of the system? Post the fresh dds.txt and we'll get started.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
08-21-2009, 11:01 PM   #4
Registered User
Join Date: Aug 2009
Posts: 12
OS: windows xp pro

Re: 3 Virus Issues

That's completely accurate. I haven't changed anything since that scan was taken; I just shut down the computer after I took the last scans.
jimmy3025 is offline  
08-21-2009, 11:41 PM   #5
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,987
OS: WinXP and Vista

Re: 3 Virus Issues

Let's get started then...

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix.exe from here

=================================================

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named.

=================================================

Transfer all files you just downloaded, to the desktop of the infected computer. **Note: It is important that it is saved directly to your desktop**

=================================================

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

=================================================

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.
Ried is offline  
08-22-2009, 01:15 AM   #6
Registered User
Join Date: Aug 2009
Posts: 12
OS: windows xp pro

Re: 3 Virus Issues

OK, I'll get on it right now. It shouldn't be a problem, since I'm reading this on my computer and performing the actions on the other computer that will not connect to the internet.
jimmy3025 is offline  
08-22-2009, 02:17 AM   #7
Registered User
Join Date: Aug 2009
Posts: 12
OS: windows xp pro

Re: 3 Virus Issues

I wasn't sure if you wanted me to copy/paste or just post the .txt file, so here's both:

ComboFix 09-08-21.01 - kristine felarca 08/22/2009 0:40.1.2 - NTFSx86
Running from: c:\documents and settings\kristine felarca\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kristine felarca\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ciuge.exe
C:\clynbqef.exe
c:\documents and settings\All Users\Start Menu\Programs\Windows Live Messenger .lnk
C:\fdvjfx.exe
C:\gklrwl.exe
C:\icigerrb.exe
C:\jsrtadqg.exe
C:\kkfwg.exe
C:\lkrpk.exe
c:\program files\BrowserCtl
c:\program files\BrowserCtl\BrowserCtl.dll
c:\program files\BrowserCtl\BrowserCtl.sys
c:\recycler\S-1-5-21-149869653-2809816425-3970143102-500
c:\recycler\S-1-5-21-3768998587-3165375610-3404083129-500
c:\windows\010112010146120114.dat
c:\windows\0101120101464849.dat
c:\windows\0101120101465349.dat
c:\windows\0101120101465749.dat
c:\windows\934fdfg34fgjf23
c:\windows\Installer\20f55bd.msp
c:\windows\Installer\5768f.msi
c:\windows\Installer\8f30ac6.msi
c:\windows\Installer\WinRMSrv.msi
c:\windows\setup.exe
c:\windows\system32\drivers\btgcd.sys
c:\windows\system32\drivers\hjgruimjqrwqte.sys
c:\windows\system32\drivers\str.sys
c:\windows\system32\drivers\UACykwwyhtm.sys
c:\windows\system32\hjgruidrvrnmyi.dat
c:\windows\system32\hjgruilkrwoniw.dll
c:\windows\system32\hjgruipnoqxwkk.dat
c:\windows\system32\hjgruippjditgr.dll
c:\windows\system32\UACgygqicxn.dll
c:\windows\system32\UACjcqblwcm.dll
c:\windows\system32\UACjoivpjjk.dat
c:\windows\system32\UACouvbkfuq.log
c:\windows\system32\UACpxddqihn.log
c:\windows\system32\UACshfhkrqf.dll
c:\windows\system32\UACueflxwck.dll
c:\windows\system32\UACuscdddrw.dll
c:\windows\system32\UACvakwpwpc.log
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\wisdstr.exe
C:\xcrashdump.dat

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiqplvymxf
-------\Legacy_hjgruiqplvymxf
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_AOUSXGWJMGEZV
-------\Legacy_BROWSERCTL
-------\Legacy_BROWSERCTLDRV
-------\Legacy_DRV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_browserctl
-------\Service_browserctldrv
-------\Service_drv
-------\Service_SfX


((((((((((((((((((((((((( Files Created from 2009-07-22 to 2009-08-22 )))))))))))))))))))))))))))))))
.

2009-08-22 07:36 . 2009-08-22 08:01 4401184 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-16 00:46 . 2009-08-16 00:46 -------- d-----w- c:\documents and settings\kristine felarca\Application Data\MailFrontier
2009-08-16 00:31 . 2009-08-16 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\MailFrontier
2009-08-16 00:31 . 2009-08-22 08:01 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-08-16 00:31 . 2008-08-22 03:41 72592 ----a-w- c:\windows\zllsputility.exe
2009-08-16 00:30 . 2008-08-22 03:41 69008 ----a-w- c:\windows\system32\zlcomm.dll
2009-08-16 00:30 . 2008-08-22 03:41 106384 ----a-w- c:\windows\system32\zlcommdb.dll
2009-08-16 00:30 . 2009-08-22 07:40 -------- d-----w- c:\windows\system32\ZoneLabs
2009-08-16 00:30 . 2009-08-16 00:30 -------- d-----w- c:\program files\Zone Labs
2009-08-16 00:30 . 2008-08-22 03:41 1221008 ----a-w- c:\windows\system32\zpeng25.dll
2009-08-16 00:29 . 2009-08-22 07:38 -------- d-----w- c:\windows\Internet Logs
2009-08-15 23:59 . 2009-08-15 23:59 -------- d-----w- c:\program files\Lavasoft
2009-08-15 23:59 . 2009-08-15 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-15 23:58 . 2009-08-15 23:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 07:58 . 2009-08-22 07:36 55364 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-22 04:43 . 2009-08-22 04:49 39936 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-08-22 04:43 . 2009-08-22 04:49 2063872 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-08-16 20:36 . 2009-08-16 20:37 2053632 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-08-16 20:36 . 2009-08-16 20:37 132608 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-08-16 03:14 . 2009-01-30 06:52 -------- d-----w- c:\documents and settings\kristine felarca\Application Data\Skype
2009-08-16 02:43 . 2009-08-16 02:43 182447 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_15_19_43_41_small.dmp.zip
2009-08-16 02:43 . 2009-08-16 02:43 2046976 ----a-w- c:\windows\Internet Logs\xDB2AE.tmp
2009-08-16 02:43 . 2009-08-16 02:43 201216 ----a-w- c:\windows\Internet Logs\xDB2AD.tmp
2009-08-15 23:28 . 2007-01-11 22:56 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-15 23:28 . 2007-01-11 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-11 03:32 . 2009-07-11 03:32 56652 ---ha-w- c:\windows\system32\mlfcache.dat
2009-07-11 02:45 . 2009-07-11 02:45 7680 ----a-w- C:\kpepb.exe
2009-07-05 21:39 . 2009-07-05 21:39 -------- d-----w- c:\program files\drv
2009-07-05 21:39 . 2009-07-05 21:39 39424 ----a-w- C:\tcburi.exe
2009-07-04 08:51 . 2007-01-11 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Digital Interactive Systems Corporation
2009-07-04 07:10 . 2009-07-04 07:10 -------- d-----w- c:\documents and settings\kristine felarca\Application Data\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
2009-07-04 07:09 . 2009-07-04 07:09 -------- d-----w- c:\program files\TweetDeck
2009-07-04 07:09 . 2009-07-04 07:09 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-04 07:09 . 2009-07-04 07:09 38208 ----a-w- c:\documents and settings\kristine felarca\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-06-27 23:18 . 2007-08-02 16:54 -------- d-----w- c:\program files\AIM6
2009-06-27 23:06 . 2007-01-12 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-21 03:47 . 2009-06-21 03:47 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-19 11:44 . 2009-06-19 11:44 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 18:27 . 2009-06-19 11:42 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 18:27 . 2009-06-19 11:42 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-05 18:42 . 2009-06-21 03:50 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 18:42 . 2008-04-20 00:38 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-19 21633320]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-17 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-17 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-17 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-02-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-02-28 602182]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2006-02-28 569413]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-21 7561216]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 36975]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-06-13 217088]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"DISCover"="c:\program files\DISC\DISCover.exe" [2006-06-02 1077248]
"Biomenu"="c:\program files\Protector Suite QL\menusw.exe" [2006-02-23 1354240]
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-27 69632]
"WCULauncher"="c:\program files\Sony\SmartWi Connection Utility\WCULauncher.exe" [2006-02-08 73728]
"PartSeal"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-08-22 981904]

c:\documents and settings\kristine felarca\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
V CAST Music Monitor.lnk - c:\program files\Verizon Wireless\V CAST Music Essentials Manager\V CAST Music Monitor.exe [2007-1-25 446464]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006-4-7 1773568]
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-4-26 2048074]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-02-23 02:11 39936 ----a-w- c:\windows\system32\fusstub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-03-09 21:51 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\c:\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli fusstub

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\EOUWiz.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [7/22/2006 11:31 AM 9216]
R1 drvdrv;drvdrv;c:\program files\drv\drv.sys [7/5/2009 2:39 PM 9344]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2/22/2006 7:13 PM 13440]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2/22/2006 7:13 PM 33024]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/18/2007 6:01 PM 24652]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/22/2006 11:31 AM 36352]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [7/22/2006 11:31 AM 30080]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [7/22/2006 11:31 AM 71961]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [7/22/2006 11:31 AM 226304]
S2 aousxgwjmgezv;aousxgwjmgezv;\??\c:\windows\system32\drivers\btgcd.sys --> c:\windows\system32\drivers\btgcd.sys [?]
S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [7/22/2006 12:46 PM 114944]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [7/22/2006 12:46 PM 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv
.
Contents of the 'Scheduled Tasks' folder

2009-08-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2009-08-16 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-LowRiskFileTypes - c:\windows\sysguard.exe
HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://update.spysubtract.com/tmuninstall.php?220=
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\kristine felarca\Application Data\Mozilla\Firefox\Profiles\82woiip3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\kristine felarca\Application Data\Mozilla\Firefox\Profiles\82woiip3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJPI150_07.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-22 01:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\fusstub.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\passport.dll
c:\program files\Protector Suite QL\BhTcAll.dll
c:\program files\Protector Suite QL\BhDevTfm.dll
c:\program files\Protector Suite QL\AlgVer.dll
c:\program files\Protector Suite QL\TCBioLib.dll
c:\program files\Protector Suite QL\remote.dll
c:\windows\system32\VESWinlogon.dll
c:\program files\Protector Suite QL\mysafe.dll

- - - - - - - > 'lsass.exe'(796)
c:\windows\system32\fusstub.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus.dll

- - - - - - - > 'explorer.exe'(1812)
c:\windows\system32\browselc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Sony\SmartWi Connection Utility\SmartWiService.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\DISC\DiscStreamHub.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Java\jre1.5.0_07\bin\jucheck.exe
c:\program files\Sony\SmartWi Connection Utility\SmartWiTogglet.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-08-22 1:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-22 08:14

Pre-Run: 68,892,987,392 bytes free
Post-Run: 80,298,278,912 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30

342 --- E O F --- 2009-08-07 20:37
Attached Files
File Type: txt ComboFix.txt (20.6 KB, 0 views)
jimmy3025 is offline  
Old 08-22-2009, 09:02 AM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,987
OS: WinXP and Vista


Re: 3 Virus Issues

Hi jimmy2035,

Thank you, we do prefer the reports to be copy/pasted directly into the reply box unless otherwise requested. : )

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/405361-3-virus-issues.html

Collect::
C:\kpepb.exe
C:\tcburi.exe

File::
c:\windows\system32\mlfcache.dat
c:\windows\system32\drivers\btgcd.sys

Folder::
c:\Program Files\drv

Driver::
drvdrv
aousxgwjmgezv

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"drv"=-

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
---------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
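The CFScript above targets two drivers, a folder and a registry value, and the traits that singled those entries out are visible in the ComboFix driver list itself: a service whose file cannot be resolved (`[?]`), one registered through a raw `\??\` path, a display name that merely repeats the service name, a driver file written weeks before the scan, and a name that looks machine-generated. The following Python script is an added example, not code from this thread or from ComboFix; it parses ComboFix's `R0`/`S2`-style service lines and scores each entry on those traits so an analyst can list triage candidates before writing a script. The scan date is taken from the log ("Rootkit scan 2009-08-22"); the 60-day window and the consonant-run length are assumed thresholds chosen for this log, and the function names (`parse_line`, `assess`, `triage`, `flagged_names`) are mine.

```python
"""Triage heuristics over ComboFix driver/service lines (added example).

Scores each service on traits a malware analyst checks by hand:
  strong: file unresolvable ([?]); registered through a raw NT path (\\??\\)
  weak:   display name == service name; file written shortly before the scan;
          long run of lowercase consonants in the name (machine-generated look)
An entry is flagged on any strong trait or on two or more weak ones.
"""
import re
from datetime import datetime

# Constructed sample: driver lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [7/22/2006 11:31 AM 9216]
R1 drvdrv;drvdrv;c:\program files\drv\drv.sys [7/5/2009 2:39 PM 9344]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2/22/2006 7:13 PM 13440]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/22/2006 11:31 AM 36352]
S2 aousxgwjmgezv;aousxgwjmgezv;\??\c:\windows\system32\drivers\btgcd.sys --> c:\windows\system32\drivers\btgcd.sys [?]
S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [7/22/2006 12:46 PM 114944]
"""

# Date of the rootkit scan in the posted log ("Rootkit scan 2009-08-22").
SCAN_DATE = datetime(2009, 8, 22)

# "<start> <name>;<display>;<path> [<meta>]" where meta is "M/D/YYYY H:MM AM size" or "?"
LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*)\s\[(?P<meta>[^\]]*)\]\s*$"
)
META_RE = re.compile(r"^(\d+/\d+/\d+ \d+:\d+ [AP]M) (\d+)$")


def parse_line(line):
    """Return a dict for one ComboFix service line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    meta = entry["meta"].strip()
    entry["missing"] = meta == "?"          # ComboFix could not resolve the file
    entry["mtime"] = None
    entry["size"] = None
    mm = META_RE.match(meta)
    if mm:
        entry["mtime"] = datetime.strptime(mm.group(1), "%m/%d/%Y %I:%M %p")
        entry["size"] = int(mm.group(2))
    return entry


def assess(entry, scan_date=SCAN_DATE, recent_days=60):
    """Score one parsed entry. Returns (flagged, reasons). Thresholds are assumptions."""
    strong, weak = [], []
    if entry["missing"]:
        strong.append("driver file cannot be resolved ([?])")
    if entry["path"].startswith("\\??\\"):
        strong.append("registered through a raw NT object path (\\??\\)")
    if entry["display"].strip().lower() == entry["name"].strip().lower():
        weak.append("display name is just the service name repeated")
    if entry["mtime"] and 0 <= (scan_date - entry["mtime"]).days <= recent_days:
        weak.append(f"file written within {recent_days} days of the scan")
    if re.search(r"[b-df-hj-np-tv-z]{5,}", entry["name"]):
        weak.append("service name looks machine-generated (long consonant run)")
    flagged = bool(strong) or len(weak) >= 2
    return flagged, strong + weak


def triage(log_text, scan_date=SCAN_DATE, recent_days=60):
    """Map every service name found in the log to (flagged, reasons)."""
    results = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            results[entry["name"]] = assess(entry, scan_date, recent_days)
    return results


def flagged_names(log_text, scan_date=SCAN_DATE):
    """Sorted list of service names the heuristics flag for manual review."""
    return sorted(name for name, (flag, _) in triage(log_text, scan_date).items() if flag)


if __name__ == "__main__":
    for name, (flag, reasons) in triage(SAMPLE_LOG).items():
        marker = "FLAG" if flag else "ok  "
        print(f"{marker} {name}: {'; '.join(reasons) or 'no findings'}")
```

Run against the sample it flags exactly the two drivers the CFScript removes (`drvdrv` and `aousxgwjmgezv`) and leaves the Sony, Infineon and UPEK drivers alone; a single weak trait (for example `FdRedir;FdRedir`) is deliberately not enough on its own, because vendor drivers often lack a descriptive display name. The output is a review list, not a verdict: every flagged file still needs to be checked against its vendor or a scanner such as the Kaspersky report requested further down.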
Old 08-23-2009, 02:31 PM   #9 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 12
OS: windows xp pro


Re: 3 Virus Issues

Sorry for the delay, I had to work all day yesterday, but here are the updated ComboFix scans and the Kaspersky scans.

ComboFix 09-08-21.01 - kristine felarca 08/22/2009 18:41.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1468 [GMT -7:00]
Running from: c:\documents and settings\kristine felarca\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kristine felarca\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))
.

2009-08-23 01:37 . 2009-08-23 01:37 -------- d-----w- c:\windows\LastGood
2009-08-23 01:33 . 2009-03-11 05:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-08-23 01:33 . 2009-03-11 05:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2009-08-23 01:33 . 2009-08-23 01:33 -------- d-----w- c:\windows\system32\KB905474
2009-08-22 07:36 . 2009-08-23 01:49 8607008 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-16 00:46 . 2009-08-16 00:46 -------- d-----w- c:\documents and settings\kristine felarca\Application Data\MailFrontier
2009-08-16 00:31 . 2009-08-16 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\MailFrontier
2009-08-16 00:31 . 2009-08-22 08:01 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-08-16 00:31 . 2008-08-22 03:41 72592 ----a-w- c:\windows\zllsputility.exe
2009-08-16 00:30 . 2008-08-22 03:41 69008 ----a-w- c:\windows\system32\zlcomm.dll
2009-08-16 00:30 . 2008-08-22 03:41 106384 ----a-w- c:\windows\system32\zlcommdb.dll
2009-08-16 00:30 . 2009-08-22 07:40 -------- d-----w- c:\windows\system32\ZoneLabs
2009-08-16 00:30 . 2009-08-16 00:30 -------- d-----w- c:\program files\Zone Labs
2009-08-16 00:30 . 2008-08-22 03:41 1221008 ----a-w- c:\windows\system32\zpeng25.dll
2009-08-16 00:29 . 2009-08-23 01:35 -------- d-----w- c:\windows\Internet Logs
2009-08-15 23:59 . 2009-08-15 23:59 -------- d-----w- c:\program files\Lavasoft
2009-08-15 23:59 . 2009-08-15 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-15 23:58 . 2009-08-15 23:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-23 01:39 . 2007-01-11 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-23 01:38 . 2007-01-11 22:56 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-22 07:58 . 2009-08-22 07:36 55364 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-22 04:43 . 2009-08-22 04:49 39936 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-08-22 04:43 . 2009-08-22 04:49 2063872 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-08-16 20:36 . 2009-08-16 20:37 2053632 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-08-16 20:36 . 2009-08-16 20:37 132608 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-08-16 03:14 . 2009-01-30 06:52 -------- d-----w- c:\documents and settings\kristine felarca\Application Data\Skype
2009-08-16 02:43 . 2009-08-16 02:43 182447 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_15_19_43_41_small.dmp.zip
2009-08-16 02:43 . 2009-08-16 02:43 2046976 ----a-w- c:\windows\Internet Logs\xDB2AE.tmp
2009-08-16 02:43 . 2009-08-16 02:43 201216 ----a-w- c:\windows\Internet Logs\xDB2AD.tmp
2009-07-11 03:32 . 2009-07-11 03:32 56652 ---ha-w- c:\windows\system32\mlfcache.dat
2009-07-11 02:45 . 2009-07-11 02:45 7680 ----a-w- C:\kpepb.exe
2009-07-05 21:39 . 2009-07-05 21:39 -------- d-----w- c:\program files\drv
2009-07-05 21:39 . 2009-07-05 21:39 39424 ----a-w- C:\tcburi.exe
2009-07-04 08:51 . 2007-01-11 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Digital Interactive Systems Corporation
2009-07-04 07:10 . 2009-07-04 07:10 -------- d-----w- c:\documents and settings\kristine felarca\Application Data\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
2009-07-04 07:09 . 2009-07-04 07:09 -------- d-----w- c:\program files\TweetDeck
2009-07-04 07:09 . 2009-07-04 07:09 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-04 07:09 . 2009-07-04 07:09 38208 ----a-w- c:\documents and settings\kristine felarca\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-06-27 23:18 . 2007-08-02 16:54 -------- d-----w- c:\program files\AIM6
2009-06-27 23:06 . 2007-01-12 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-21 03:47 . 2009-06-21 03:47 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-19 11:44 . 2009-06-19 11:44 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 18:27 . 2009-06-19 11:42 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 18:27 . 2009-06-19 11:42 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-05 18:42 . 2009-06-21 03:50 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 18:42 . 2008-04-20 00:38 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-08-22_08.01.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-23 01:25 . 2009-08-23 01:25 16384 c:\windows\Temp\Perflib_Perfdata_7a0.dat
+ 2009-08-16 00:43 . 2009-08-23 01:37 108192 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-19 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-17 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-17 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-17 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-02-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-02-28 602182]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2006-02-28 569413]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-21 7561216]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 36975]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-06-13 217088]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"DISCover"="c:\program files\DISC\DISCover.exe" [2006-06-02 1077248]
"Biomenu"="c:\program files\Protector Suite QL\menusw.exe" [2006-02-23 1354240]
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-27 69632]
"WCULauncher"="c:\program files\Sony\SmartWi Connection Utility\WCULauncher.exe" [2006-02-08 73728]
"PartSeal"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-08-22 981904]

c:\documents and settings\kristine felarca\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
V CAST Music Monitor.lnk - c:\program files\Verizon Wireless\V CAST Music Essentials Manager\V CAST Music Monitor.exe [2007-1-25 446464]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006-4-7 1773568]
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-4-26 2048074]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-02-23 02:11 39936 ----a-w- c:\windows\system32\fusstub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-03-09 21:51 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\c:\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli fusstub

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\EOUWiz.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [7/22/2006 11:31 AM 9216]
R1 drvdrv;drvdrv;c:\program files\drv\drv.sys [7/5/2009 2:39 PM 9344]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2/22/2006 7:13 PM 13440]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2/22/2006 7:13 PM 33024]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/18/2007 6:01 PM 24652]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/22/2006 11:31 AM 36352]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [7/22/2006 11:31 AM 30080]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [7/22/2006 11:31 AM 71961]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [7/22/2006 11:31 AM 226304]
S2 aousxgwjmgezv;aousxgwjmgezv;\??\c:\windows\system32\drivers\btgcd.sys --> c:\windows\system32\drivers\btgcd.sys [?]
S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [7/22/2006 12:46 PM 114944]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [7/22/2006 12:46 PM 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv
.
Contents of the 'Scheduled Tasks' folder

2009-08-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2009-08-16 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]

2009-08-23 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-08-23 05:18]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://update.spysubtract.com/tmuninstall.php?220=
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\kristine felarca\Application Data\Mozilla\Firefox\Profiles\82woiip3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\kristine felarca\Application Data\Mozilla\Firefox\Profiles\82woiip3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJPI150_07.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-22 18:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\fusstub.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\passport.dll
c:\program files\Protector Suite QL\BhTcAll.dll
c:\program files\Protector Suite QL\BhDevTfm.dll
c:\program files\Protector Suite QL\AlgVer.dll
c:\program files\Protector Suite QL\TCBioLib.dll
c:\program files\Protector Suite QL\remote.dll
c:\windows\system32\VESWinlogon.dll
c:\program files\Protector Suite QL\mysafe.dll
c:\program files\Protector Suite QL\config.dll

- - - - - - - > 'lsass.exe'(788)
c:\windows\system32\fusstub.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus.dll
.
Completion time: 2009-08-23 18:51
ComboFix-quarantined-files.txt 2009-08-23 01:51
ComboFix2.txt 2009-08-22 08:14

Pre-Run: 80,030,474,240 bytes free
Post-Run: 79,971,414,016 bytes free

248 --- E O F --- 2009-08-23 01:33


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, August 23, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, August 23, 2009 05:35:49
Records in database: 2679159
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\

Scan statistics:
Objects scanned: 109290
Threats found: 9
Infected objects found: 9
Suspicious objects found: 0
Scan duration: 01:41:51


File name / Threat / Threats count
C:\kpepb.exe Infected: Trojan-Downloader.Win32.Agent.cica 1
C:\Program Files\drv\drv.dll Infected: Trojan-Downloader.Win32.Agent.chpc 1
C:\Program Files\drv\drv.sys Infected: Rootkit.Win32.Small.adn 1
C:\Qoobox\Quarantine\C\Program Files\BrowserCtl\BrowserCtl.dll.vir Infected: Net-Worm.Win32.Koobface.bhg 1
C:\Qoobox\Quarantine\C\Program Files\BrowserCtl\BrowserCtl.sys.vir Infected: Rootkit.Win32.Small.afd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruilkrwoniw.dll.vir Infected: Trojan.Win32.Monder.cqbi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir Infected: Trojan.Win32.Inject.agbb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.eyw 1
C:\tcburi.exe Infected: Trojan-Downloader.Win32.Clopack.a 1

Selected area has been scanned.
jimmy3025 is offline  
Old 08-23-2009, 08:40 PM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,987
OS: WinXP and Vista


Re: 3 Virus Issues

Hi jimmy3025,

No need to apologize for any delay, we all have lives.

None of the fixes I gave in the cfscript took place. Did you receive any error messages?


Quote:
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
You have 2 Internet Security Suites installed. This is never a good idea. Please decide on which one you want to leave installed, and uninstall the other via the Add or Remove programs.

Reboot, then try the CFScript again.

If ComboFix prompts you for an update, do allow it.

Post the Combofix.txt when complete.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 08-23-2009, 10:15 PM   #11 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 12
OS: windows xp pro


Re: 3 Virus Issues

The funny part is that I uninstalled Norton on the computer and it's not even listed on the Add/Remove Programs list, nor does it have a folder in the programs folder on the C drive. I disabled the Zone Alarm security for the scan and the ComboFix program. Any advice on how to fully get Norton off would be greatly appreciated.

Last edited by jimmy3025; 08-23-2009 at 10:19 PM.
jimmy3025 is offline  
Old 08-23-2009, 10:39 PM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,987
OS: WinXP and Vista


Re: 3 Virus Issues

Please go to this site and follow the instructions for downloading and running the Symantec Removal Tool.

Let me know how that worked out.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 08-24-2009, 04:05 PM   #13 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 12
OS: windows xp pro


Re: 3 Virus Issues

OK, I got Norton removed. Here is the updated ComboFix scan; it won't let me post it, so I have attached it.

ComboFix 09-08-22.06 - kristine felarca 08/24/2009 1:13.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1546 [GMT -7:00]
Running from: c:\documents and settings\kristine felarca\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kristine felarca\Desktop\CFScript.txt
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 )))))))))))))))))))))))))))))))
.

2009-08-24 06:04 . 2009-08-24 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-24 06:04 . 2009-08-24 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-24 05:57 . 2009-08-24 05:57 -------- d-----w- c:\program files\gBurner
2009-08-23 20:28 . 2009-08-23 20:28 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-23 20:28 . 2009-08-23 20:28 -------- d-----w- c:\program files\MSBuild
2009-08-23 20:28 . 2009-08-23 20:28 -------- d-----w- c:\program files\Reference Assemblies
2009-08-23 20:27 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-23 20:27 . 2008-07-06 12:06 117760 ----a-w- c:\windows\system32\prntvpt.dll
2009-08-23 20:27 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- C:\258b7fb31352ce9531031f914067
2009-08-23 20:27 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-23 20:27 . 2008-07-06 12:06 575488 ----a-w- c:\windows\system32\xpsshhdr.dll
2009-08-23 20:27 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-23 20:27 . 2008-07-06 12:06 1676288 ----a-w- c:\windows\system32\xpssvcs.dll
2009-08-23 20:27 . 2009-08-23 21:54 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-23 20:23 . 2009-08-23 20:23 -------- d-----w- c:\program files\MSXML 6.0
2009-08-23 20:17 . 2009-08-23 20:17 -------- d-----w- c:\windows\ServicePackFiles
2009-08-23 03:31 . 2009-08-23 03:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-23 03:30 . 2009-08-23 03:30 152576 ----a-w- c:\documents and settings\kristine felarca\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-23 03:26 . 2009-03-06 14:00 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-08-23 03:26 . 2009-02-06 09:54 35328 -c----w- c:\windows\system32\dllcache\sc.exe
2009-08-23 03:26 . 2005-07-26 04:20 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
2009-08-23 03:26 . 2009-02-09 10:01 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-08-23 03:26 . 2009-02-09 10:01 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-08-23 03:26 . 2009-02-06 10:22 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-08-23 03:26 . 2009-02-06 09:41 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-08-23 03:26 . 2009-02-09 10:01 617984 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-08-23 03:26 . 2009-02-09 10:01 715264 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-08-23 01:37 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-08-23 01:36 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-08-22 07:36 . 2009-08-24 08:23 44472096 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-16 00:46 . 2009-08-16 00:46 -------- d-----w- c:\documents and settings\kristine felarca\Application Data\MailFrontier
2009-08-16 00:31 . 2009-08-16 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\MailFrontier
2009-08-16 00:31 . 2009-08-22 08:01 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-08-16 00:31 . 2008-08-22 03:41 72592 ----a-w- c:\windows\zllsputility.exe
2009-08-16 00:30 . 2008-08-22 03:41 69008 ----a-w- c:\windows\system32\zlcomm.dll
2009-08-16 00:30 . 2008-08-22 03:41 106384 ----a-w- c:\windows\system32\zlcommdb.dll
2009-08-16 00:30 . 2009-08-22 07:40 -------- d-----w- c:\windows\system32\ZoneLabs
2009-08-16 00:30 . 2009-08-16 00:30 -------- d-----w- c:\program files\Zone Labs
2009-08-16 00:30 . 2008-08-22 03:41 1221008 ----a-w- c:\windows\system32\zpeng25.dll
2009-08-16 00:29 . 2009-08-24 08:08 -------- d-----w- c:\windows\Internet Logs
2009-08-15 23:59 . 2009-08-15 23:59 -------- d-----w- c:\program files\Lavasoft
2009-08-15 23:59 . 2009-08-15 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-15 23:58 . 2009-08-15 23:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-29 04:53 . 2009-07-29 04:53 82432 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-07-29 04:53 . 2009-07-29 04:53 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-24 08:01 . 2009-08-22 07:36 574148 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-24 07:59 . 2007-01-11 22:56 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-24 06:07 . 2007-01-11 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-24 04:26 . 2007-01-12 00:49 72088 ----a-w- c:\documents and settings\kristine felarca\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-23 20:21 . 2007-01-11 22:39 -------- d-----w- c:\program files\Microsoft Works
2009-08-23 20:19 . 2009-07-05 21:39 -------- d-----w- c:\program files\drv
2009-08-23 03:30 . 2006-07-22 20:06 -------- d-----w- c:\program files\Java
2009-08-22 04:43 . 2009-08-22 04:49 39936 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-08-22 04:43 . 2009-08-22 04:49 2063872 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-08-16 20:36 . 2009-08-16 20:37 2053632 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-08-16 20:36 . 2009-08-16 20:37 132608 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-08-16 03:14 . 2009-01-30 06:52 -------- d-----w- c:\documents and settings\kristine felarca\Application Data\Skype
2009-08-16 02:43 . 2009-08-16 02:43 182447 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_15_19_43_41_small.dmp.zip
2009-08-16 02:43 . 2009-08-16 02:43 2046976 ----a-w- c:\windows\Internet Logs\xDB2AE.tmp
2009-08-16 02:43 . 2009-08-16 02:43 201216 ----a-w- c:\windows\Internet Logs\xDB2AD.tmp
2009-08-05 09:11 . 2006-07-22 18:31 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:53 . 2006-07-22 18:31 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2006-07-22 18:31 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 18:55 . 2006-07-22 18:30 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 17:08 . 2006-07-22 18:31 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 03:32 . 2009-07-11 03:32 56652 ---ha-w- c:\windows\system32\mlfcache.dat
2009-07-04 08:51 . 2007-01-11 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Digital Interactive Systems Corporation
2009-07-04 07:10 . 2009-07-04 07:10 -------- d-----w- c:\documents and settings\kristine felarca\Application Data\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
2009-07-04 07:09 . 2009-07-04 07:09 -------- d-----w- c:\program files\TweetDeck
2009-07-04 07:09 . 2009-07-04 07:09 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-04 07:09 . 2009-07-04 07:09 38208 ----a-w- c:\documents and settings\kristine felarca\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-06-29 16:12 . 2006-07-22 18:31 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-07-22 18:31 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-07-22 18:30 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-27 23:18 . 2007-08-02 16:54 -------- d-----w- c:\program files\AIM6
2009-06-27 23:06 . 2007-01-12 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-25 18:36 . 2006-07-22 18:31 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2006-07-22 18:31 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2006-07-22 18:31 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2006-07-22 18:31 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2006-07-22 18:31 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2006-07-22 18:31 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2006-07-22 18:31 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2006-07-22 18:31 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2006-07-22 18:31 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2006-07-22 18:31 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2006-07-22 18:31 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2006-07-22 18:31 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-22 11:49 . 2006-07-22 18:31 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2006-07-22 18:31 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2006-07-22 18:31 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2006-07-22 18:31 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-21 03:47 . 2009-06-21 03:47 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-19 11:44 . 2009-06-19 11:44 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 18:27 . 2009-06-19 11:42 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 18:27 . 2009-06-19 11:42 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 11:50 . 2006-07-22 18:31 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 11:50 . 2006-07-22 18:31 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2006-07-22 18:30 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2006-07-22 18:31 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 18:42 . 2009-06-21 03:50 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 18:42 . 2008-04-20 00:38 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 07:42 . 2006-07-22 18:44 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2006-07-22 18:31 1290752 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-22_08.01.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-24 08:03 . 2009-08-24 08:03 16384 c:\windows\Temp\Perflib_Perfdata_7b0.dat
+ 2009-08-24 08:03 . 2009-08-24 08:03 16384 c:\windows\Temp\Perflib_Perfdata_5e4.dat
+ 2008-07-30 04:10 . 2008-07-30 04:10 26112 c:\windows\system32\TsWpfWrp.exe
+ 2006-07-22 19:37 . 2007-11-30 11:18 26488 c:\windows\system32\spupdsvc.exe
+ 2009-08-23 20:27 . 2008-07-06 12:06 89088 c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll


**edited for space**


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-19 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-17 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-17 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-17 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-02-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-02-28 602182]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2006-02-28 569413]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-21 7561216]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-23 149280]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-06-13 217088]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"DISCover"="c:\program files\DISC\DISCover.exe" [2006-06-02 1077248]
"Biomenu"="c:\program files\Protector Suite QL\menusw.exe" [2006-02-23 1354240]
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-27 69632]
"WCULauncher"="c:\program files\Sony\SmartWi Connection Utility\WCULauncher.exe" [2006-02-08 73728]
"PartSeal"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-08-22 981904]

c:\documents and settings\kristine felarca\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
V CAST Music Monitor.lnk - c:\program files\Verizon Wireless\V CAST Music Essentials Manager\V CAST Music Monitor.exe [2007-1-25 446464]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006-4-7 1773568]
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-4-26 2048074]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-02-23 02:11 39936 ----a-w- c:\windows\system32\fusstub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-03-09 21:51 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli fusstub

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\EOUWiz.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [7/22/2006 11:31 AM 9216]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2/22/2006 7:13 PM 13440]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2/22/2006 7:13 PM 33024]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/18/2007 6:01 PM 24652]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/22/2006 11:31 AM 36352]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [7/22/2006 11:31 AM 30080]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [7/22/2006 11:31 AM 71961]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [7/22/2006 11:31 AM 226304]
S2 aousxgwjmgezv;aousxgwjmgezv;\??\c:\windows\system32\drivers\btgcd.sys --> c:\windows\system32\drivers\btgcd.sys [?]
S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [7/22/2006 12:46 PM 114944]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [7/22/2006 12:46 PM 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv
.
Contents of the 'Scheduled Tasks' folder

2009-08-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2009-08-24 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://update.spysubtract.com/tmuninstall.php?220=
uInternet Settings,ProxyOverride = <local>
Trusted Zone: kaspersky.com\www
FF - ProfilePath - c:\documents and settings\kristine felarca\Application Data\Mozilla\Firefox\Profiles\82woiip3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\kristine felarca\Application Data\Mozilla\Firefox\Profiles\82woiip3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-24 01:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\windows\system32\fusstub.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\passport.dll
c:\program files\Protector Suite QL\BhTcAll.dll
c:\program files\Protector Suite QL\BhDevTfm.dll
c:\program files\Protector Suite QL\AlgVer.dll
c:\program files\Protector Suite QL\TCBioLib.dll
c:\program files\Protector Suite QL\remote.dll
c:\windows\system32\VESWinlogon.dll
c:\program files\Protector Suite QL\mysafe.dll
c:\program files\Protector Suite QL\config.dll

- - - - - - - > 'lsass.exe'(972)
c:\windows\system32\fusstub.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus.dll

- - - - - - - > 'explorer.exe'(4880)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-08-24 1:26
ComboFix-quarantined-files.txt 2009-08-24 08:25
ComboFix2.txt 2009-08-23 01:51
ComboFix3.txt 2009-08-22 08:14

Pre-Run: 78,386,622,464 bytes free
Post-Run: 78,448,246,784 bytes free

1224 --- E O F --- 2009-08-23 20:34
Attached Files
File Type: txt ComboFix.txt (139.3 KB, 1 views)

Last edited by Ried; 08-24-2009 at 04:44 PM.
Old 08-24-2009, 04:51 PM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,987
OS: WinXP and Vista


Re: 3 Virus Issues

Let's try this one more time.
Open notepad and copy/paste the text in the code box below into it:

Quote:


File::
C:\kpepb.exe
C:\tcburi.exe
c:\windows\system32\mlfcache.dat
c:\windows\system32\drivers\btgcd.sys

Folder::
c:\Program Files\drv

Driver::
drvdrv
aousxgwjmgezv

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"drv"=-



Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt


===================================


Open Notepad and copy/paste the contents inside the quote box below, into Notepad.

Quote:
PEV -l "%systemdrive%\proquota.ex*" >log.txt
start notepad log.txt
Save this as look.bat, choosing "Save as type: All Files".
It should look like this:

Double click on look.bat & allow it to run. Then post the log which it produces, along with the C:\ComboFix.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
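As an added example (not part of this thread, and not ComboFix's own code), the script below applies the checks that the CFScript above acts on to the ComboFix log format posted in this thread: a service whose binary ComboFix could not resolve (the `-->` ... `[?]` form, here `aousxgwjmgezv` pointing at `btgcd.sys`), a non-default svchost group (`drv`), a Windows file reported missing (`proquota.exe`), Security Center monitoring switched off, and the Windows Firewall disabled. The sample input is an excerpt of the log in post #13; the finding categories and the `looks_random` heuristic are names I chose for illustration, not ComboFix terminology.

```python
"""Heuristic triage of a ComboFix log (added example; not ComboFix's own code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpt of the ComboFix log posted earlier in this thread, trimmed to the
# sections these checks read (Other Deletions, Reg Loading Points, services).
SAMPLE_LOG = r"""
c:\windows\system32\proquota.exe . . . is missing!!

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [7/22/2006 11:31 AM 9216]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2/22/2006 7:13 PM 13440]
S2 aousxgwjmgezv;aousxgwjmgezv;\??\c:\windows\system32\drivers\btgcd.sys --> c:\windows\system32\drivers\btgcd.sys [?]
S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [7/22/2006 12:46 PM 114944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv
.
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\subkey]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')          # "Name"=data
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.+)$")  # R2 name;display;path [...]
SVCHOST_GROUP_RE = re.compile(r"^(\S+)\s+REG_MULTI_SZ\s+(.*)$")
MISSING_RE = re.compile(r"^(\S.*?) \. \. \. is missing!!$")


@dataclass(frozen=True)
class Finding:
    kind: str      # category name chosen for this example
    subject: str   # the file, service, group or key the finding is about
    note: str      # what to do about it / why it may be benign


def looks_random(name: str) -> bool:
    """Heuristic only: a long all-lowercase name with a run of 4+ consonants."""
    return (len(name) >= 12 and name.isalpha() and name.islower()
            and re.search(r"[^aeiou]{4,}", name) is not None)


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    current_key: str | None = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            current_key = m.group(1).lower()       # registry context for following lines
            continue
        if m := MISSING_RE.match(line):
            findings.append(Finding("missing_system_file", m.group(1),
                                    "Windows file reported absent; restore from a clean source"))
            continue
        if m := SERVICE_RE.match(line):
            name, display, path = m.groups()
            if "-->" in path and path.endswith("[?]"):
                target = path.split("-->")[-1].replace("[?]", "").strip()
                findings.append(Finding("service_missing_binary", name,
                                        f"service registered but ComboFix could not find {target}"))
            elif looks_random(name) and name == display:
                findings.append(Finding("service_random_name", name, "random-looking service name; review"))
            continue
        if current_key is None:
            continue
        if current_key.endswith("currentversion\\svchost"):
            # ComboFix hides default groups, so anything listed here is non-standard.
            if m := SVCHOST_GROUP_RE.match(line):
                group, members = m.groups()
                findings.append(Finding("svchost_group", group, f"non-default svchost group loading: {members}"))
            continue
        if m := VALUE_RE.match(line):
            value, data = m.group(1).lower(), m.group(2).lower()
            leaf = current_key.rsplit("\\", 1)[-1]
            if "security center\\monitoring" in current_key and value == "disablemonitoring" and data == "dword:00000001":
                findings.append(Finding("security_center_monitoring_off", leaf,
                                        "Security Center monitoring off; third-party AV/FW suites set this too, so verify"))
            elif "firewallpolicy" in current_key and value == "enablefirewall" and data.startswith("0"):
                findings.append(Finding("windows_firewall_off", leaf,
                                        "Windows Firewall disabled; expected only if another firewall is active"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:32} {f.subject:40} {f.note}")
```

The two registry findings are deliberately labelled for review rather than as infection: on this machine ZoneAlarm is the active firewall and antivirus, so `DisableMonitoring=1` and `EnableFirewall=0` are the expected state, whereas a service entry that ComboFix cannot resolve to a file on disk and a custom svchost group are the items the CFScript actually removes.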
Old 08-25-2009, 12:24 AM   #15 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 12
OS: windows xp pro


Re: 3 Virus Issues

OK, here are the ComboFix and look.bat logs.

ComboFix 09-08-24.05 - kristine felarca 08/24/2009 22:52.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1514 [GMT -7:00]
Running from: c:\documents and settings\kristine felarca\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kristine felarca\Desktop\CFScript.txt
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"C:\kpepb.exe"
"C:\tcburi.exe"
"c:\windows\system32\drivers\btgcd.sys"
"c:\windows\system32\mlfcache.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\drv
c:\program files\drv\drv.dll
c:\windows\system32\mlfcache.dat

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRVDRV
-------\Service_aousxgwjmgezv


((((((((((((((((((((((((( Files Created from 2009-07-25 to 2009-08-25 )))))))))))))))))))))))))))))))
.

2009-08-24 06:04 . 2009-08-24 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-24 06:04 . 2009-08-24 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-24 05:57 . 2009-08-24 05:57 -------- d-----w- c:\program files\gBurner
2009-08-23 20:28 . 2009-08-23 20:28 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-23 20:28 . 2009-08-23 20:28 -------- d-----w- c:\program files\MSBuild
2009-08-23 20:28 . 2009-08-23 20:28 -------- d-----w- c:\program files\Reference Assemblies
2009-08-23 20:27 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-23 20:27 . 2008-07-06 12:06 117760 ----a-w- c:\windows\system32\prntvpt.dll
2009-08-23 20:27 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- C:\258b7fb31352ce9531031f914067
2009-08-23 20:27 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-23 20:27 . 2008-07-06 12:06 575488 ----a-w- c:\windows\system32\xpsshhdr.dll
2009-08-23 20:27 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-23 20:27 . 2008-07-06 12:06 1676288 ----a-w- c:\windows\system32\xpssvcs.dll
2009-08-23 20:27 . 2009-08-23 21:54 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-23 20:23 . 2009-08-23 20:23 -------- d-----w- c:\program files\MSXML 6.0
2009-08-23 20:17 . 2009-08-23 20:17 -------- d-----w- c:\windows\ServicePackFiles
2009-08-23 03:31 . 2009-08-23 03:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-23 03:30 . 2009-08-23 03:30 152576 ----a-w- c:\documents and settings\kristine felarca\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-23 03:26 . 2009-03-06 14:00 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-08-23 03:26 . 2009-02-06 09:54 35328 -c----w- c:\windows\system32\dllcache\sc.exe
2009-08-23 03:26 . 2005-07-26 04:20 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
2009-08-23 03:26 . 2009-02-09 10:01 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-08-23 03:26 . 2009-02-09 10:01 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-08-23 03:26 . 2009-02-06 10:22 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-08-23 03:26 . 2009-02-06 09:41 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-08-23 03:26 . 2009-02-09 10:01 617984 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-08-23 03:26 . 2009-02-09 10:01 715264 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-08-23 01:37 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-08-23 01:36 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-08-22 07:36 . 2009-08-25 06:07 47246112 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-16 00:46 . 2009-08-16 00:46 -------- d-----w- c:\documents and settings\kristine felarca\Application Data\MailFrontier
2009-08-16 00:31 . 2009-08-16 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\MailFrontier
2009-08-16 00:31 . 2009-08-22 08:01 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-08-16 00:31 . 2008-08-22 03:41 72592 ----a-w- c:\windows\zllsputility.exe
2009-08-16 00:30 . 2008-08-22 03:41 69008 ----a-w- c:\windows\system32\zlcomm.dll
2009-08-16 00:30 . 2008-08-22 03:41 106384 ----a-w- c:\windows\system32\zlcommdb.dll
2009-08-16 00:30 . 2009-08-22 07:40 -------- d-----w- c:\windows\system32\ZoneLabs
2009-08-16 00:30 . 2009-08-16 00:30 -------- d-----w- c:\program files\Zone Labs
2009-08-16 00:30 . 2008-08-22 03:41 1221008 ----a-w- c:\windows\system32\zpeng25.dll
2009-08-16 00:29 . 2009-08-25 06:03 -------- d-----w- c:\windows\Internet Logs
2009-08-15 23:59 . 2009-08-15 23:59 -------- d-----w- c:\program files\Lavasoft
2009-08-15 23:59 . 2009-08-15 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-15 23:58 . 2009-08-15 23:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-29 04:53 . 2009-07-29 04:53 82432 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-07-29 04:53 . 2009-07-29 04:53 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-25 06:02 . 2009-08-22 07:36 632348 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-24 07:59 . 2007-01-11 22:56 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-24 06:07 . 2007-01-11 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-24 04:26 . 2007-01-12 00:49 72088 ----a-w- c:\documents and settings\kristine felarca\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-23 20:21 . 2007-01-11 22:39 -------- d-----w- c:\program files\Microsoft Works
2009-08-23 03:30 . 2006-07-22 20:06 -------- d-----w- c:\program files\Java
2009-08-22 04:43 . 2009-08-22 04:49 39936 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-08-22 04:43 . 2009-08-22 04:49 2063872 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-08-16 20:36 . 2009-08-16 20:37 2053632 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-08-16 20:36 . 2009-08-16 20:37 132608 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-08-16 03:14 . 2009-01-30 06:52 -------- d-----w- c:\documents and settings\kristine felarca\Application Data\Skype
2009-08-16 02:43 . 2009-08-16 02:43 182447 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_15_19_43_41_small.dmp.zip
2009-08-16 02:43 . 2009-08-16 02:43 2046976 ----a-w- c:\windows\Internet Logs\xDB2AE.tmp
2009-08-16 02:43 . 2009-08-16 02:43 201216 ----a-w- c:\windows\Internet Logs\xDB2AD.tmp
2009-08-05 09:11 . 2006-07-22 18:31 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:53 . 2006-07-22 18:31 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2006-07-22 18:31 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 18:55 . 2006-07-22 18:30 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 17:08 . 2006-07-22 18:31 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-04 08:51 . 2007-01-11 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Digital Interactive Systems Corporation
2009-07-04 07:10 . 2009-07-04 07:10 -------- d-----w- c:\documents and settings\kristine felarca\Application Data\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
2009-07-04 07:09 . 2009-07-04 07:09 -------- d-----w- c:\program files\TweetDeck
2009-07-04 07:09 . 2009-07-04 07:09 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-04 07:09 . 2009-07-04 07:09 38208 ----a-w- c:\documents and settings\kristine felarca\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-06-29 16:12 . 2006-07-22 18:31 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-07-22 18:31 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-07-22 18:30 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-27 23:18 . 2007-08-02 16:54 -------- d-----w- c:\program files\AIM6
2009-06-27 23:06 . 2007-01-12 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-25 18:36 . 2006-07-22 18:31 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2006-07-22 18:31 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2006-07-22 18:31 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2006-07-22 18:31 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2006-07-22 18:31 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2006-07-22 18:31 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2006-07-22 18:31 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2006-07-22 18:31 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2006-07-22 18:31 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2006-07-22 18:31 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2006-07-22 18:31 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2006-07-22 18:31 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-22 11:49 . 2006-07-22 18:31 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2006-07-22 18:31 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2006-07-22 18:31 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2006-07-22 18:31 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-21 03:47 . 2009-06-21 03:47 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-19 11:44 . 2009-06-19 11:44 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 18:27 . 2009-06-19 11:42 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 18:27 . 2009-06-19 11:42 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 11:50 . 2006-07-22 18:31 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 11:50 . 2006-07-22 18:31 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2006-07-22 18:30 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2006-07-22 18:31 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 18:42 . 2009-06-21 03:50 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 18:42 . 2008-04-20 00:38 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 07:42 . 2006-07-22 18:44 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2006-07-22 18:31 1290752 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-08-24_08.23.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-25 06:04 . 2009-08-25 06:04 16384 c:\windows\Temp\Perflib_Perfdata_7dc.dat
+ 2009-08-25 06:04 . 2009-08-25 06:04 16384 c:\windows\Temp\Perflib_Perfdata_120.dat
+ 2006-07-22 18:31 . 2006-10-04 08:48 50176 c:\windows\system32\utilman.exe
- 2006-07-22 18:31 . 2006-02-28 12:00 50176 c:\windows\system32\utilman.exe
+ 2006-07-22 18:31 . 2006-10-04 13:33 35840 c:\windows\system32\umandlg.dll
- 2006-07-22 18:31 . 2006-02-28 12:00 35840 c:\windows\system32\umandlg.dll
+ 2006-07-22 19:27 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
- 2006-07-22 19:27 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2006-07-22 18:31 . 2006-10-04 08:48 53760 c:\windows\system32\narrator.exe
- 2006-07-22 18:31 . 2006-02-28 12:00 53760 c:\windows\system32\narrator.exe
- 2006-07-22 18:31 . 2006-02-28 12:00 72704 c:\windows\system32\magnify.exe
+ 2006-07-22 18:31 . 2006-10-04 08:48 72704 c:\windows\system32\magnify.exe
+ 2006-10-04 08:48 . 2006-10-04 08:48 50176 c:\windows\system32\dllcache\utilman.exe
+ 2006-10-04 13:33 . 2006-10-04 13:33 35840 c:\windows\system32\dllcache\umandlg.dll
+ 2006-10-04 08:48 . 2006-10-04 08:48 53760 c:\windows\system32\dllcache\narrator.exe
+ 2006-10-04 08:48 . 2006-10-04 08:48 72704 c:\windows\system32\dllcache\magnify.exe
+ 2009-08-16 00:43 . 2009-08-25 06:04 129948 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2009-08-16 00:43 . 2009-08-24 08:08 129948 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2006-07-22 18:31 . 2006-02-28 12:00 215552 c:\windows\system32\osk.exe
+ 2006-07-22 18:31 . 2006-10-04 08:48 215552 c:\windows\system32\osk.exe
+ 2006-10-04 08:48 . 2006-10-04 08:48 215552 c:\windows\system32\dllcache\osk.exe
+ 2009-08-24 09:20 . 2009-08-24 09:20 972800 c:\windows\Installer\480bed.msi
+ 2008-08-30 03:06 . 2008-08-30 03:06 1350664 c:\windows\system32\msxml6.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-19 21633320]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-17 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-17 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-17 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-02-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-02-28 602182]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2006-02-28 569413]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-21 7561216]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-23 149280]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-06-13 217088]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"DISCover"="c:\program files\DISC\DISCover.exe" [2006-06-02 1077248]
"Biomenu"="c:\program files\Protector Suite QL\menusw.exe" [2006-02-23 1354240]
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-27 69632]
"WCULauncher"="c:\program files\Sony\SmartWi Connection Utility\WCULauncher.exe" [2006-02-08 73728]
"PartSeal"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-08-22 981904]

c:\documents and settings\kristine felarca\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
V CAST Music Monitor.lnk - c:\program files\Verizon Wireless\V CAST Music Essentials Manager\V CAST Music Monitor.exe [2007-1-25 446464]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006-4-7 1773568]
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-4-26 2048074]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-02-23 02:11 39936 ----a-w- c:\windows\system32\fusstub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-03-09 21:51 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli fusstub

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\EOUWiz.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [7/22/2006 11:31 AM 9216]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2/22/2006 7:13 PM 13440]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2/22/2006 7:13 PM 33024]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/18/2007 6:01 PM 24652]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/22/2006 11:31 AM 36352]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [7/22/2006 11:31 AM 30080]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [7/22/2006 11:31 AM 71961]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [7/22/2006 11:31 AM 226304]
S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [7/22/2006 12:46 PM 114944]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [7/22/2006 12:46 PM 53248]
.
Contents of the 'Scheduled Tasks' folder

2009-08-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2009-08-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://update.spysubtract.com/tmuninstall.php?220=
uInternet Settings,ProxyOverride = <local>
Trusted Zone: kaspersky.com\www
FF - ProfilePath - c:\documents and settings\kristine felarca\Application Data\Mozilla\Firefox\Profiles\82woiip3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\kristine felarca\Application Data\Mozilla\Firefox\Profiles\82woiip3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-24 23:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\KRISTI~1\LOCALS~1\Temp\CSC13.tmp 796 bytes
c:\docume~1\KRISTI~1\LOCALS~1\Temp\ddgqee-c.0.cs 58070 bytes
c:\docume~1\KRISTI~1\LOCALS~1\Temp\ddgqee-c.cmdline 346 bytes
c:\docume~1\KRISTI~1\LOCALS~1\Temp\ddgqee-c.dll 0 bytes
c:\docume~1\KRISTI~1\LOCALS~1\Temp\ddgqee-c.err 0 bytes
c:\docume~1\KRISTI~1\LOCALS~1\Temp\ddgqee-c.out 430 bytes


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)
c:\windows\system32\fusstub.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\MSVCR71.dll
c:\program files\Protector Suite QL\homefus.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\passport.dll
c:\program files\Protector Suite QL\BhTcAll.dll
c:\program files\Protector Suite QL\BhDevTfm.dll
c:\program files\Protector Suite QL\AlgVer.dll
c:\program files\Protector Suite QL\TCBioLib.dll
c:\program files\Protector Suite QL\remote.dll
c:\windows\system32\VESWinlogon.dll
c:\program files\Protector Suite QL\mysafe.dll

- - - - - - - > 'lsass.exe'(992)
c:\windows\system32\fusstub.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus.dll

- - - - - - - > 'explorer.exe'(3564)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Sony\SmartWi Connection Utility\SmartWiService.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Apoint\ApntEx.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\DISC\DiscStreamHub.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-08-25 23:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-25 06:15
ComboFix2.txt 2009-08-24 08:26
ComboFix3.txt 2009-08-23 01:51
ComboFix4.txt 2009-08-22 08:14

Pre-Run: 78,399,197,184 bytes free
Post-Run: 78,331,801,600 bytes free

366 --- E O F --- 2009-08-24 09:21

----a-w- 35,840 2006-02-28 12:00:00 C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir
------w- 26,379 2006-02-28 12:00:00 C:\WINDOWS\I386\PROQUOTA.EX_
----a-w- 4,608 2001-08-24 01:53:06 C:\WINDOWS\mui\FALLBACK\040C\proquota.exe.mui
----a-w- 4,608 2001-09-06 07:40:04 C:\WINDOWS\mui\FALLBACK\0416\proquota.exe.mui
----a-w- 4,608 2001-08-23 06:20:26 C:\WINDOWS\mui\FALLBACK\0C0A\proquota.exe.mui
----a-w- 50,176 2008-04-14 00:12:32 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\proquota.exe

Entries: 6 (6)
Directories: 0 Files: 6
Bytes: 126,219 Blocks: 247
Old 08-25-2009, 05:19 AM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,987
OS: WinXP and Vista


Re: 3 Virus Issues

Much better. Open notepad and copy/paste the text in the code box below into it:

Code:
FCopy::
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\proquota.exe | c:\windows\system32\proquota.exe
Save this as "CFScript.txt", with Type: All Files (*.*), in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, post the C:\ComboFix.txt and an update on system behavior.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 08-25-2009, 06:37 PM   #17 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 12
OS: windows xp pro


Re: 3 Virus Issues

OK, so the system is running 80% better than it was. It's able to connect to the internet and no Generic Host Process errors have happened in the last 2 days, so I'm thinking that it's cured. I can't thank you enough for all the help you have been. Here is the ComboFix scan:

ComboFix 09-08-25.01 - kristine felarca 08/25/2009 16:58.5.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1434 [GMT -7:00]
Running from: c:\documents and settings\kristine felarca\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kristine felarca\Desktop\CFScript.txt
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\proquota.exe --> c:\windows\system32\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-07-25 to 2009-08-25 )))))))))))))))))))))))))))))))
.

2009-08-25 23:58 . 2009-08-25 23:58 -------- d-----w- c:\windows\LastGood
2009-08-25 23:58 . 2006-02-28 12:00 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-08-25 23:58 . 2006-02-28 12:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-24 06:04 . 2009-08-24 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-24 06:04 . 2009-08-24 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-24 05:57 . 2009-08-24 05:57 -------- d-----w- c:\program files\gBurner
2009-08-23 20:28 . 2009-08-23 20:28 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-23 20:28 . 2009-08-23 20:28 -------- d-----w- c:\program files\MSBuild
2009-08-23 20:28 . 2009-08-23 20:28 -------- d-----w- c:\program files\Reference Assemblies
2009-08-23 20:27 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-23 20:27 . 2008-07-06 12:06 117760 ----a-w- c:\windows\system32\prntvpt.dll
2009-08-23 20:27 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- C:\258b7fb31352ce9531031f914067
2009-08-23 20:27 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-23 20:27 . 2008-07-06 12:06 575488 ----a-w- c:\windows\system32\xpsshhdr.dll
2009-08-23 20:27 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-23 20:27 . 2008-07-06 12:06 1676288 ----a-w- c:\windows\system32\xpssvcs.dll
2009-08-23 20:27 . 2009-08-23 21:54 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-23 20:23 . 2009-08-23 20:23 -------- d-----w- c:\program files\MSXML 6.0
2009-08-23 20:17 . 2009-08-23 20:17 -------- d-----w- c:\windows\ServicePackFiles
2009-08-23 03:31 . 2009-08-23 03:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-23 03:30 . 2009-08-23 03:30 152576 ----a-w- c:\documents and settings\kristine felarca\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-23 03:26 . 2009-03-06 14:00 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-08-23 03:26 . 2009-02-06 09:54 35328 -c----w- c:\windows\system32\dllcache\sc.exe
2009-08-23 03:26 . 2005-07-26 04:20 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
2009-08-23 03:26 . 2009-02-09 10:01 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-08-23 03:26 . 2009-02-09 10:01 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-08-23 03:26 . 2009-02-06 10:22 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-08-23 03:26 . 2009-02-06 09:41 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-08-23 03:26 . 2009-02-09 10:01 617984 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-08-23 03:26 . 2009-02-09 10:01 715264 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-08-23 01:37 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-08-23 01:36 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-08-22 07:36 . 2009-08-26 00:02 49000480 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-16 00:46 . 2009-08-16 00:46 -------- d-----w- c:\documents and settings\kristine felarca\Application Data\MailFrontier
2009-08-16 00:31 . 2009-08-16 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\MailFrontier
2009-08-16 00:31 . 2009-08-22 08:01 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-08-16 00:31 . 2008-08-22 03:41 72592 ----a-w- c:\windows\zllsputility.exe
2009-08-16 00:30 . 2008-08-22 03:41 69008 ----a-w- c:\windows\system32\zlcomm.dll
2009-08-16 00:30 . 2008-08-22 03:41 106384 ----a-w- c:\windows\system32\zlcommdb.dll
2009-08-16 00:30 . 2009-08-22 07:40 -------- d-----w- c:\windows\system32\ZoneLabs
2009-08-16 00:30 . 2009-08-16 00:30 -------- d-----w- c:\program files\Zone Labs
2009-08-16 00:30 . 2008-08-22 03:41 1221008 ----a-w- c:\windows\system32\zpeng25.dll
2009-08-16 00:29 . 2009-08-25 06:08 -------- d-----w- c:\windows\Internet Logs
2009-08-15 23:59 . 2009-08-15 23:59 -------- d-----w- c:\program files\Lavasoft
2009-08-15 23:59 . 2009-08-15 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-15 23:58 . 2009-08-15 23:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-29 04:53 . 2009-07-29 04:53 82432 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-07-29 04:53 . 2009-07-29 04:53 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-25 06:02 . 2009-08-22 07:36 632348 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-24 07:59 . 2007-01-11 22:56 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-24 06:07 . 2007-01-11 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-24 04:26 . 2007-01-12 00:49 72088 ----a-w- c:\documents and settings\kristine felarca\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-23 20:21 . 2007-01-11 22:39 -------- d-----w- c:\program files\Microsoft Works
2009-08-23 03:30 . 2006-07-22 20:06 -------- d-----w- c:\program files\Java
2009-08-22 04:43 . 2009-08-22 04:49 39936 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-08-22 04:43 . 2009-08-22 04:49 2063872 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-08-16 20:36 . 2009-08-16 20:37 2053632 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-08-16 20:36 . 2009-08-16 20:37 132608 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-08-16 03:14 . 2009-01-30 06:52 -------- d-----w- c:\documents and settings\kristine felarca\Application Data\Skype
2009-08-16 02:43 . 2009-08-16 02:43 182447 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_15_19_43_41_small.dmp.zip
2009-08-16 02:43 . 2009-08-16 02:43 2046976 ----a-w- c:\windows\Internet Logs\xDB2AE.tmp
2009-08-16 02:43 . 2009-08-16 02:43 201216 ----a-w- c:\windows\Internet Logs\xDB2AD.tmp
2009-08-05 09:11 . 2006-07-22 18:31 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:53 . 2006-07-22 18:31 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2006-07-22 18:31 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 18:55 . 2006-07-22 18:30 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 17:08 . 2006-07-22 18:31 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-04 08:51 . 2007-01-11 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Digital Interactive Systems Corporation
2009-07-04 07:10 . 2009-07-04 07:10 -------- d-----w- c:\documents and settings\kristine felarca\Application Data\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
2009-07-04 07:09 . 2009-07-04 07:09 -------- d-----w- c:\program files\TweetDeck
2009-07-04 07:09 . 2009-07-04 07:09 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-04 07:09 . 2009-07-04 07:09 38208 ----a-w- c:\documents and settings\kristine felarca\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-06-29 16:12 . 2006-07-22 18:31 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-07-22 18:31 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-07-22 18:30 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-27 23:18 . 2007-08-02 16:54 -------- d-----w- c:\program files\AIM6
2009-06-27 23:06 . 2007-01-12 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-25 18:36 . 2006-07-22 18:31 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2006-07-22 18:31 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2006-07-22 18:31 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2006-07-22 18:31 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2006-07-22 18:31 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2006-07-22 18:31 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2006-07-22 18:31 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2006-07-22 18:31 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2006-07-22 18:31 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2006-07-22 18:31 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2006-07-22 18:31 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2006-07-22 18:31 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-22 11:49 . 2006-07-22 18:31 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2006-07-22 18:31 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2006-07-22 18:31 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2006-07-22 18:31 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-21 03:47 . 2009-06-21 03:47 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-19 11:44 . 2009-06-19 11:44 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 18:27 . 2009-06-19 11:42 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 18:27 . 2009-06-19 11:42 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 11:50 . 2006-07-22 18:31 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 11:50 . 2006-07-22 18:31 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2006-07-22 18:30 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2006-07-22 18:31 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 18:42 . 2009-06-21 03:50 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 18:42 . 2008-04-20 00:38 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 07:42 . 2006-07-22 18:44 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2006-07-22 18:31 1290752 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-08-24_08.23.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-25 06:04 . 2009-08-25 06:04 16384 c:\windows\Temp\Perflib_Perfdata_120.dat
- 2006-07-22 18:31 . 2006-02-28 12:00 50176 c:\windows\system32\utilman.exe
+ 2006-07-22 18:31 . 2006-10-04 08:48 50176 c:\windows\system32\utilman.exe
- 2006-07-22 18:31 . 2006-02-28 12:00 35840 c:\windows\system32\umandlg.dll
+ 2006-07-22 18:31 . 2006-10-04 13:33 35840 c:\windows\system32\umandlg.dll
+ 2006-07-22 19:27 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
- 2006-07-22 19:27 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2006-07-22 18:31 . 2006-10-04 08:48 53760 c:\windows\system32\narrator.exe
- 2006-07-22 18:31 . 2006-02-28 12:00 53760 c:\windows\system32\narrator.exe
- 2006-07-22 18:31 . 2006-02-28 12:00 72704 c:\windows\system32\magnify.exe
+ 2006-07-22 18:31 . 2006-10-04 08:48 72704 c:\windows\system32\magnify.exe
+ 2006-10-04 08:48 . 2006-10-04 08:48 50176 c:\windows\system32\dllcache\utilman.exe
+ 2006-10-04 13:33 . 2006-10-04 13:33 35840 c:\windows\system32\dllcache\umandlg.dll
+ 2006-10-04 08:48 . 2006-10-04 08:48 53760 c:\windows\system32\dllcache\narrator.exe
+ 2006-10-04 08:48 . 2006-10-04 08:48 72704 c:\windows\system32\dllcache\magnify.exe
+ 2009-08-25 23:58 . 2008-04-14 00:12 50176 c:\windows\LastGood\system32\proquota.exe
- 2009-08-16 00:43 . 2009-08-24 08:08 129948 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2009-08-16 00:43 . 2009-08-25 06:11 129948 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2006-07-22 18:31 . 2006-10-04 08:48 215552 c:\windows\system32\osk.exe
- 2006-07-22 18:31 . 2006-02-28 12:00 215552 c:\windows\system32\osk.exe
+ 2006-10-04 08:48 . 2006-10-04 08:48 215552 c:\windows\system32\dllcache\osk.exe
+ 2009-08-24 09:20 . 2009-08-24 09:20 972800 c:\windows\Installer\480bed.msi
+ 2008-08-30 03:06 . 2008-08-30 03:06 1350664 c:\windows\system32\msxml6.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-19 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-17 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-17 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-17 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-02-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-02-28 602182]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2006-02-28 569413]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-21 7561216]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-23 149280]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-06-13 217088]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"DISCover"="c:\program files\DISC\DISCover.exe" [2006-06-02 1077248]
"Biomenu"="c:\program files\Protector Suite QL\menusw.exe" [2006-02-23 1354240]
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-27 69632]
"WCULauncher"="c:\program files\Sony\SmartWi Connection Utility\WCULauncher.exe" [2006-02-08 73728]
"PartSeal"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-08-22 981904]

c:\documents and settings\kristine felarca\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
V CAST Music Monitor.lnk - c:\program files\Verizon Wireless\V CAST Music Essentials Manager\V CAST Music Monitor.exe [2007-1-25 446464]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006-4-7 1773568]
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-4-26 2048074]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-02-23 02:11 39936 ----a-w- c:\windows\system32\fusstub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-03-09 21:51 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli fusstub

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\EOUWiz.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [7/22/2006 11:31 AM 9216]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2/22/2006 7:13 PM 13440]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2/22/2006 7:13 PM 33024]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/18/2007 6:01 PM 24652]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/22/2006 11:31 AM 36352]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [7/22/2006 11:31 AM 30080]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [7/22/2006 11:31 AM 71961]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [7/22/2006 11:31 AM 226304]
S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [7/22/2006 12:46 PM 114944]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [7/22/2006 12:46 PM 53248]
.
Contents of the 'Scheduled Tasks' folder

2009-08-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2009-08-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://update.spysubtract.com/tmuninstall.php?220=
uInternet Settings,ProxyOverride = <local>
Trusted Zone: kaspersky.com\www
FF - ProfilePath - c:\documents and settings\kristine felarca\Application Data\Mozilla\Firefox\Profiles\82woiip3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\kristine felarca\Application Data\Mozilla\Firefox\Profiles\82woiip3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-25 17:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)
c:\windows\system32\fusstub.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\MSVCR71.dll
c:\program files\Protector Suite QL\homefus.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\passport.dll
c:\program files\Protector Suite QL\BhTcAll.dll
c:\program files\Protector Suite QL\BhDevTfm.dll
c:\program files\Protector Suite QL\AlgVer.dll
c:\program files\Protector Suite QL\TCBioLib.dll
c:\program files\Protector Suite QL\remote.dll
c:\windows\system32\VESWinlogon.dll
c:\program files\Protector Suite QL\mysafe.dll
c:\program files\Protector Suite QL\config.dll

- - - - - - - > 'lsass.exe'(992)
c:\windows\system32\fusstub.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus.dll

- - - - - - - > 'explorer.exe'(4084)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-08-26 17:06
ComboFix-quarantined-files.txt 2009-08-26 00:05
ComboFix2.txt 2009-08-25 06:17
ComboFix3.txt 2009-08-24 08:26
ComboFix4.txt 2009-08-23 01:51
ComboFix5.txt 2009-08-25 23:57

Pre-Run: 78,412,005,376 bytes free
Post-Run: 78,389,039,104 bytes free

321 --- E O F --- 2009-08-24 09:21
jimmy3025 is offline  
Old 08-25-2009, 07:58 PM   #18 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,987
OS: WinXP and Vista


Re: 3 Virus Issues

That is great to hear.

What we need to do now is run this online scan to search for any remnants. It will take quite some time, so please be patient and allow it to run its full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 08-25-2009, 11:45 PM   #19 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 12
OS: windows xp pro


Re: 3 Virus Issues

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, August 25, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, August 26, 2009 04:48:09
Records in database: 2688429
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\

Scan statistics:
Objects scanned: 111580
Threats found: 9
Infected objects found: 14
Suspicious objects found: 0
Scan duration: 01:42:39


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Program Files\BrowserCtl\BrowserCtl.dll.vir Infected: Net-Worm.Win32.Koobface.bhg 1
C:\Qoobox\Quarantine\C\Program Files\BrowserCtl\BrowserCtl.sys.vir Infected: Rootkit.Win32.Small.afd 1
C:\Qoobox\Quarantine\C\Program Files\drv\drv.dll.vir Infected: Trojan-Downloader.Win32.Agent.chpc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruilkrwoniw.dll.vir Infected: Trojan.Win32.Monder.cqbi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir Infected: Trojan.Win32.Inject.agbb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.eyw 1
C:\System Volume Information\_restore{5CEDDF2F-F941-4AE6-ADA4-2ED3F7BAF8AE}\RP6\A0004046.dll Infected: Trojan.Win32.Monderb.vim 1
C:\System Volume Information\_restore{5CEDDF2F-F941-4AE6-ADA4-2ED3F7BAF8AE}\RP6\A0004052.dll Infected: Trojan.Win32.Monderb.vim 1
C:\System Volume Information\_restore{5CEDDF2F-F941-4AE6-ADA4-2ED3F7BAF8AE}\RP6\A0004053.dll Infected: Trojan.Win32.Monderb.vim 1
C:\System Volume Information\_restore{5CEDDF2F-F941-4AE6-ADA4-2ED3F7BAF8AE}\RP6\A0004054.dll Infected: Trojan.Win32.Monderb.vim 1
C:\System Volume Information\_restore{5CEDDF2F-F941-4AE6-ADA4-2ED3F7BAF8AE}\RP6\A0004055.exe Infected: Trojan-Downloader.Win32.Agent.cica 1
C:\System Volume Information\_restore{5CEDDF2F-F941-4AE6-ADA4-2ED3F7BAF8AE}\RP6\A0004056.exe Infected: Trojan-Downloader.Win32.Clopack.a 1
C:\System Volume Information\_restore{5CEDDF2F-F941-4AE6-ADA4-2ED3F7BAF8AE}\RP6\A0004068.dll Infected: Trojan.Win32.Monderb.vim 1
C:\System Volume Information\_restore{5CEDDF2F-F941-4AE6-ADA4-2ED3F7BAF8AE}\RP7\A0004748.dll Infected: Trojan-Downloader.Win32.Agent.chpc 1

Selected area has been scanned.
jimmy3025 is offline  
Old 08-25-2009, 11:50 PM   #20 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,987
OS: WinXP and Vista


Re: 3 Virus Issues

Kaspersky is only reporting backups created during the course of this fix, and items located in C:\System Volume Information\, which is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache shortly.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.


- Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

- Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


- Most importantly, Think Prevention

-----------------------------------------------------


**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
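The triage reasoning in the post above (hits under the ComboFix quarantine and the System Restore cache are backups, not live infections) can be applied mechanically to a Kaspersky Online Scanner report. This is an added Python example, not code from the forum or from Kaspersky; the location rules, function names and the "live" bucket are my own assumptions, and the sample input is the 14 detection lines from the report posted above.

```python
import re
from collections import Counter

# The 14 detection lines from the Kaspersky Online Scanner 7.0 report above
# (format: "<path> Infected: <threat name> <count>").
REPORT_LINES = r"""
C:\Qoobox\Quarantine\C\Program Files\BrowserCtl\BrowserCtl.dll.vir Infected: Net-Worm.Win32.Koobface.bhg 1
C:\Qoobox\Quarantine\C\Program Files\BrowserCtl\BrowserCtl.sys.vir Infected: Rootkit.Win32.Small.afd 1
C:\Qoobox\Quarantine\C\Program Files\drv\drv.dll.vir Infected: Trojan-Downloader.Win32.Agent.chpc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruilkrwoniw.dll.vir Infected: Trojan.Win32.Monder.cqbi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir Infected: Trojan.Win32.Inject.agbb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.eyw 1
C:\System Volume Information\_restore{5CEDDF2F-F941-4AE6-ADA4-2ED3F7BAF8AE}\RP6\A0004046.dll Infected: Trojan.Win32.Monderb.vim 1
C:\System Volume Information\_restore{5CEDDF2F-F941-4AE6-ADA4-2ED3F7BAF8AE}\RP6\A0004052.dll Infected: Trojan.Win32.Monderb.vim 1
C:\System Volume Information\_restore{5CEDDF2F-F941-4AE6-ADA4-2ED3F7BAF8AE}\RP6\A0004053.dll Infected: Trojan.Win32.Monderb.vim 1
C:\System Volume Information\_restore{5CEDDF2F-F941-4AE6-ADA4-2ED3F7BAF8AE}\RP6\A0004054.dll Infected: Trojan.Win32.Monderb.vim 1
C:\System Volume Information\_restore{5CEDDF2F-F941-4AE6-ADA4-2ED3F7BAF8AE}\RP6\A0004055.exe Infected: Trojan-Downloader.Win32.Agent.cica 1
C:\System Volume Information\_restore{5CEDDF2F-F941-4AE6-ADA4-2ED3F7BAF8AE}\RP6\A0004056.exe Infected: Trojan-Downloader.Win32.Clopack.a 1
C:\System Volume Information\_restore{5CEDDF2F-F941-4AE6-ADA4-2ED3F7BAF8AE}\RP6\A0004068.dll Infected: Trojan.Win32.Monderb.vim 1
C:\System Volume Information\_restore{5CEDDF2F-F941-4AE6-ADA4-2ED3F7BAF8AE}\RP7\A0004748.dll Infected: Trojan-Downloader.Win32.Agent.chpc 1
"""

# Path is matched lazily so "Program Files" and other spaces stay in the path.
DETECTION_RE = re.compile(r"^(?P<path>.+?) (?P<verdict>\w+): (?P<threat>\S+) (?P<count>\d+)$")

LOCATIONS = ("combofix_quarantine", "system_restore", "live")


def classify_path(path):
    """Bucket a reported path by where it lives (rules assumed for this example)."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "combofix_quarantine"   # backups ComboFix made during the fix
    if "\\system volume information\\_restore{" in p:
        return "system_restore"        # restore-point cache; inert unless restored
    return "live"                      # anything else still needs attention


def parse_report(text):
    """Return one dict per detection line; headers and summary lines are skipped."""
    detections = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["count"] = int(d["count"])
        d["location"] = classify_path(d["path"])
        detections.append(d)
    return detections


def summarize(detections):
    """Reproduce the report's statistics and split them by location."""
    by_location = Counter()
    for d in detections:
        by_location[d["location"]] += d["count"]
    return {
        "objects": sum(d["count"] for d in detections),       # "Infected objects found"
        "threats": len({d["threat"] for d in detections}),    # "Threats found" (distinct names)
        "by_location": {k: by_location.get(k, 0) for k in LOCATIONS},
        "live_hits": [d["path"] for d in detections if d["location"] == "live"],
    }


if __name__ == "__main__":
    print(summarize(parse_report(REPORT_LINES)))
```

An empty `live_hits` list is the condition under which the analyst calls the logs clean; any path in it is a detection outside the two backup locations and would need a closer look.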
Copyright 2001 - 2009, Tech Support Forum