ComboFix 08-01-17.3 - Louie 2008-01-17 0:02:42.2 - NTFSx86
Running from: C:\Documents and Settings\Louie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Louie\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
2008-01-16 19:15 . 2000-08-31 08:00  51,200  --a------  C:\WINDOWS\NirCmd.exe
2008-01-16 15:21 . 2008-01-16 15:21  d--------  C:\WINDOWS\ERUNT
2008-01-16 15:19 . 2004-07-13 18:36  d--------  C:\Documents and Settings\help\Application Data\Symantec
2008-01-16 15:19 . 2004-07-13 18:40  d--------  C:\Documents and Settings\help\Application Data\Sonic
2008-01-14 22:18 . 2008-01-14 22:18  d--------  C:\Program Files\Trend Micro
2008-01-14 21:55 . 2007-09-24 23:31  69,632  --a------  C:\WINDOWS\system32\javacpl.cpl
2008-01-14 21:53 . 2008-01-14 21:53  d--------  C:\Program Files\Common Files\Java
2008-01-14 19:26 . 2008-01-14 21:30  d--------  C:\Program Files\EsetOnlineScanner
2008-01-14 15:58 . 2008-01-14 15:58  d--------  C:\Documents and Settings\Louie\DoctorWeb
2008-01-14 06:30 . 2008-01-17 00:02  d--------  C:\Program Files\SUPERAntiSpyware
2008-01-14 06:30 . 2008-01-14 06:30  d--------  C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 06:30 . 2008-01-14 06:30  d--------  C:\Documents and Settings\Louie\Application Data\SUPERAntiSpyware.com
2008-01-14 06:30 . 2008-01-14 06:30  d--------  C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-14 06:20 . 2008-01-14 06:20  d--------  C:\Program Files\CCleaner
2008-01-14 03:21 . 2008-01-14 04:51  d--------  C:\WINDOWS\BDOSCAN8
2008-01-13 12:44 . 2008-01-13 12:44  5,360  --a------  C:\WINDOWS\system32\tmp.reg
2008-01-13 12:43 . 2007-09-05 23:22  289,144  --a------  C:\WINDOWS\system32\VCCLSID.exe
2008-01-13 12:43 . 2006-04-27 16:49  288,417  --a------  C:\WINDOWS\system32\SrchSTS.exe
2008-01-13 12:43 . 2007-12-20 23:11  81,920  --a------  C:\WINDOWS\system32\IEDFix.exe
2008-01-13 12:43 . 2003-06-05 20:13  53,248  --a------  C:\WINDOWS\system32\Process.exe
2008-01-13 12:43 . 2004-07-31 17:50  51,200  --a------  C:\WINDOWS\system32\dumphive.exe
2008-01-13 12:43 . 2007-10-03 23:36  25,600  --a------  C:\WINDOWS\system32\WS2Fix.exe
2008-01-13 06:52 . 2008-01-13 06:52  d--------  C:\VundoFix Backups
2008-01-13 03:12 . 2008-01-13 03:12  d--------  C:\Program Files\Common Files\Cisco Systems
2008-01-13 03:12 . 2006-11-17 03:06  1,495,552  --a------  C:\WINDOWS\system32\epoPGPsdk.dll
2008-01-13 03:11 . 2006-11-30 08:50  168,776  --a------  C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-13 03:11 . 2006-11-30 08:50  72,264  --a------  C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-01-13 03:11 . 2006-11-30 08:50  64,360  --a------  C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-01-13 03:11 . 2006-11-30 08:50  52,136  --a------  C:\WINDOWS\system32\drivers\mfetdik.sys
2008-01-13 03:11 . 2006-11-30 08:50  34,152  --a------  C:\WINDOWS\system32\drivers\mfebopk.sys
2008-01-13 02:26 . 2008-01-13 07:43  d--------  C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-12 16:02 . 2003-07-21 08:12  102,400  --a------  C:\WINDOWS\system32\drivers\ianswxp.sys
2008-01-12 16:00 . 2008-01-12 16:00  d--------  C:\Program Files\Analog Devices
2008-01-12 16:00 . 2001-09-11 18:20  1,285,632  --a------  C:\WINDOWS\system32\SMMedia.dll
2008-01-12 16:00 . 2003-01-08 12:23  49,152  --a------  C:\WINDOWS\system32\DSndUp.exe
2008-01-12 16:00 . 2002-04-17 16:05  45,056  --a------  C:\WINDOWS\system32\CleanUp.exe
2008-01-12 16:00 . 2001-09-11 16:20  30,208  --a------  C:\WINDOWS\system32\wdmioctl.dll
2008-01-12 15:57 . 2008-01-12 15:57  d--------  C:\Program Files\CONEXANT
2008-01-12 15:57 . 2004-01-21 13:57  1,041,152  --a------  C:\WINDOWS\system32\drivers\HSF_DP.sys
2008-01-12 15:57 . 2004-01-21 13:59  675,840  --a------  C:\WINDOWS\system32\drivers\HSF_CNXT.sys
2008-01-12 15:57 . 2004-01-21 14:02  197,888  --a------  C:\WINDOWS\system32\drivers\HSFHWICH.sys
2008-01-12 15:57 . 2004-01-21 13:20  125,638  --a------  C:\WINDOWS\system32\drivers\IBM0559.cty
2008-01-12 15:57 . 2003-04-09 16:01  90,112  --a------  C:\WINDOWS\system32\mdmxsdk.dll
2008-01-12 15:57 . 2003-04-09 15:48  11,043  --a------  C:\WINDOWS\system32\drivers\mdmxsdk.sys
2008-01-12 15:43 . 2008-01-12 15:43  d--------  C:\WINDOWS\SxsCaPendDel
2008-01-12 07:33 . 2008-01-13 12:55  118,784  --a------  C:\WINDOWS\MXOALDR.EXE
2008-01-12 07:11 . 2008-01-14 16:32  d--------  C:\Program Files\Dot1XCfg
2007-12-29 02:38 . 2007-12-29 02:38  d--------  C:\Documents and Settings\Louie\.onion
2007-12-27 20:36 . 2007-12-27 23:29  d--------  C:\Program Files\NinjaSurfing
2007-12-27 20:36 . 2007-12-27 23:29  125  --a------  C:\ioSpecial.ini
2007-12-27 15:22 . 2007-12-27 15:22  d--------  C:\Program Files\avijoin
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-01-17 05:02  ---------  d-----w  C:\Program Files\Winamp
2008-01-17 05:02  ---------  d-----w  C:\Program Files\AIM95
2008-01-17 00:26  ---------  d-----w  C:\Program Files\Swarmcast
2008-01-17 00:25  ---------  d-----w  C:\Program Files\QuickTime
2008-01-17 00:25  ---------  d-----w  C:\Program Files\iTunes
2008-01-15 02:55  ---------  d-----w  C:\Program Files\Java
2008-01-14 08:07  ---------  d-----w  C:\Program Files\mIRC
2008-01-14 08:07  ---------  d-----w  C:\Documents and Settings\Louie\Application Data\mIRC
2008-01-13 17:37  ---------  d-----w  C:\Documents and Settings\Louie\Application Data\U3
2008-01-13 08:12  ---------  d-----w  C:\Program Files\McAfee
2008-01-13 05:37  ---------  d-----w  C:\Documents and Settings\Louie\Application Data\uTorrent
2008-01-12 21:01  ---------  d-----w  C:\Program Files\Intel
2008-01-12 21:00  ---------  d--h--w  C:\Program Files\InstallShield Installation Information
2008-01-12 20:58  ---------  d-----w  C:\Program Files\NetWaiting
2008-01-12 20:58  ---------  d-----w  C:\Program Files\Digital Line Detect
2007-12-29 11:22  ---------  d-----w  C:\Documents and Settings\Louie\Application Data\Vso
2007-12-09 18:55  14,336  ----a-w  C:\WINDOWS\system32\svchost.exe
2007-12-07 18:20  ---------  d-----w  C:\Documents and Settings\Louie\Application Data\Skype
2007-11-27 01:59  ---------  d-----w  C:\Documents and Settings\Louie\Application Data\Winamp
2007-11-19 05:33  ---------  d-----w  C:\Documents and Settings\DELETE\Application Data\AdobeUM
2007-11-14 07:26  450,560  ------w  C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:26  721,920  ----a-w  C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26  721,920  ------w  C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 17:20  360,064  ------w  C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 10:16  3,058,688  ------w  C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43  1,287,680  ----a-w  C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43  1,287,680  ------w  C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 22:40  227,328  ----a-w  C:\WINDOWS\system32\wmasf.dll
2007-10-27 22:40  227,328  ----a-w  C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:36  8,454,656  ------w  C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 15:26  53,248  ----a-w  C:\WINDOWS\bdoscandel.exe
2007-05-23 04:29  47,360  ----a-w  C:\Documents and Settings\Louie\Application Data\pcouffin.sys
2004-07-13 23:41  59,751  ----a-w  C:\Program Files\setuplog.txt
2004-07-13 23:41  54,342  ----a-w  C:\Program Files\uninstal.log
((((((((((((((((((((((((((((( [emailprotected]_19.29.03.07 )))))))))))))))))))))))))))))))))))))))))

- 2008-01-17 00:16:15  233,472  ----a-w  C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-17 05:02:36  233,472  ----a-w  C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-17 00:16:16  8,192  ----a-w  C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-17 05:02:37  8,192  ----a-w  C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-17 00:16:16  233,472  ----a-w  C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-17 05:02:37  233,472  ----a-w  C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-17 00:16:16  8,192  ----a-w  C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-17 05:02:37  8,192  ----a-w  C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-17 00:16:16  14,958,592  ----a-w  C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-17 05:02:38  14,958,592  ----a-w  C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-17 00:16:17  167,936  ----a-w  C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-17 05:02:39  167,936  ----a-w  C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-14 20:21:40  122,940  ----a-w  C:\WINDOWS\system32\dla\DLACTRLW.EXE

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-14 03:16 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 01:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-14 03:15 512000]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 18:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 02:56 380416 C:\WINDOWS\system32\irprops.cpl]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2008-01-14 03:15 897024]
"TpShocks"="TpShocks.exe" [2003-12-17 13:12 102400 C:\WINDOWS\system32\TpShocks.exe]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2008-01-14 03:15 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2003-12-25 03:36 394752]
"TP4EX"="tp4ex.exe" [2002-09-04 03:05 53248 C:\WINDOWS\system32\TP4EX.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-14 03:15 335872]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [2008-01-14 03:15 36864]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-01-14 03:15 110592]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-14 00:50 180272]
"MXO Auto Loader"="C:\WINDOWS\MXOALDR.EXE" [2008-01-13 12:55 118784]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-12-25 03:36 106496]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.exe" [2008-01-14 01:05 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-16 19:11 132496]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-16 19:11 256576]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2005-03-24 19:12:40]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-07-13 18:31:38]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-07-13 18:41:37]
Post-it® Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2004-06-02 13:04:58]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnlij]
pmnnlij.dll
R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2003-12-17 15:50]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2004-03-12 02:10]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2004-03-12 02:10]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2003-12-25 03:36]
R2 ibmfilter;ibmfilter;C:\WINDOWS\System32\drivers\ibmfilter.sys [2004-03-19 14:05]
R2 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2003-12-15 19:29]
S3 gAGP440p;gAGP440p;C:\DOCUME~1\Louie\LOCALS~1\Temp\gAGP440p.sys []
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2004-03-12 02:10]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e27fcc9-7f1b-11db-891a-000e353678ce}] \Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16bf73a0-1ec2-11dc-89af-000e353678ce}] \Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9530d7f4-0ff8-11dc-89a4-000e353678ce}] \Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2ccfd30-c1f0-11dc-9dc3-000d607598a8}] \Shell\AutoRun\command - E:\LaunchU3.exe -a
Contents of the 'Scheduled Tasks' folder
"2008-01-12 14:00:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2004-12-03 00:32:26 C:\WINDOWS\Tasks\BMMTask.job" - C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 00:04:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2008-01-17 0:05:32
ComboFix-quarantined-files.txt 2008-01-17 05:05:16
ComboFix2.txt 2008-01-17 00:29:20

2008-01-14 11:16:37 --- E O F ---

Go here >> http://www.malwarebytes.org/regassassin.php <<
Download RegASSASSIN to the desktop and open the program.
Copy this line:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnlij
Paste it in the Text box and click Delete.
----------
Please download DrWeb CureIt & save it to your desktop.
Scan with DrWeb-CureIt as follows:
- Double-click on drweb-cureit.exe and then click Start.
- An EXPRESS Scan of your PC notice will appear.
- Under Start the Express Scan Now Click OK to start.
- This is a short scan that will scan the files currently running in memory.
- If or when something is found, click the Yes button when it asks you if you want to cure it.
- Once the short scan has finished, Click Options > Change settings
- Choose the Scan tab and UNcheck Heuristic analysis and click OK
- Back at the main window, select the Complete scan button.
- Then click the Green Arrow Start Scanning button on the right and the scan will start.
- Click Yes to all if it asks if you want to cure/move any file(s).
- When the scan is done.
- In the Dr.Web CureIt menu on top left, click File and choose Save report list.
- Save the DrWeb.csv report to your Desktop.
- Exit Dr.Web Cureit.
- Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
- Copy and paste that log in the next reply
----------
Next post Dr. Web CureIt log

Process.exe;C:\Documents and Settings\Louie\Desktop\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Documents and Settings\Louie\Desktop\SmitfraudFix;Tool.ShutDown.11;;
iTunesHelper.exe.vir;C:\QooBox\Quarantine\C\Program Files\iTunes;Trojan.MulDrop.10006;Deleted.;
jusched.exe.vir;C:\QooBox\Quarantine\C\Program Files\Java\jre1.6.0_03\bin;Trojan.MulDrop.10006;Deleted.;
qttask .exe.vir;C:\QooBox\Quarantine\C\Program Files\QuickTime;Trojan.MulDrop.10006;Deleted.;
qttask .exe.vir;C:\QooBox\Quarantine\C\Program Files\QuickTime;Trojan.MulDrop.10006;Deleted.;
qttask .exe.vir;C:\QooBox\Quarantine\C\Program Files\QuickTime;Trojan.MulDrop.10006;Deleted.;
qttask .exe.vir;C:\QooBox\Quarantine\C\Program Files\QuickTime;Trojan.MulDrop.10006;Deleted.;
qttask .exe.vir;C:\QooBox\Quarantine\C\Program Files\QuickTime;Trojan.MulDrop.10006;Deleted.;
qttask .exe.vir;C:\QooBox\Quarantine\C\Program Files\QuickTime;Trojan.MulDrop.10006;Deleted.;
qttask .exe.vir;C:\QooBox\Quarantine\C\Program Files\QuickTime;Trojan.MulDrop.10006;Deleted.;
qttask .exe.vir;C:\QooBox\Quarantine\C\Program Files\QuickTime;Trojan.MulDrop.10006;Deleted.;
qttask .exe.vir;C:\QooBox\Quarantine\C\Program Files\QuickTime;Trojan.MulDrop.10006;Deleted.;
qttask .exe.vir;C:\QooBox\Quarantine\C\Program Files\QuickTime;Trojan.MulDrop.10006;Deleted.;
backup-20080115-172114-558-PowerReg Scheduler V3 .exe.vir;C:\QooBox\Quarantine\C\Program Files\Trend Micro\HijackThis\backups;Trojan.MulDrop.10006;Deleted.;
backup-20080115-172114-736-PowerReg Scheduler V3 .exe.vir;C:\QooBox\Quarantine\C\Program Files\Trend Micro\HijackThis\backups;Trojan.MulDrop.10006;Deleted.;
backup-20080115-172114-921-PowerReg Scheduler V3 .exe.vir;C:\QooBox\Quarantine\C\Program Files\Trend Micro\HijackThis\backups;Trojan.MulDrop.10006;Deleted.;
hggff.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.MulDrop.10006;Deleted.;
instsrv.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Tool.SrvRunner;;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
A0000006.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP1;Trojan.MulDrop.10006;Deleted.;
A0000007.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP1;Trojan.MulDrop.10006;Deleted.;
A0000008.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP1;Trojan.MulDrop.10006;Deleted.;
A0000018.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP2;Trojan.MulDrop.10006;Deleted.;
A0000019.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP2;Trojan.MulDrop.10006;Deleted.;
A0000020.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP2;Trojan.MulDrop.10006;Deleted.;
A0000024.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000026.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000027.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000028.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000029.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000030.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000031.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000032.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000033.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000034.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000035.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000036.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000037.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000038.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000039.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000040.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Tool.SrvRunner;;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;

I think you are in the clear.
Please download ATF Cleaner by Atribune. ATF Cleaner.exe
Make sure that all browser windows are closed.
- Double-click ATF-Cleaner.exe to run the program.
- Under Main choose: Select All and UNCHECK Cookies.
- Click the Empty Selected button.
If you use Firefox browser
- Click Firefox at the top and choose: Select All and UNCHECK Cookies.
- Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
- Click Opera at the top and choose: Select All and UNCHECK Cookies.
- Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main ATF Cleaner menu to close the program.
Post a new Hijackthis log
Let me know how everything is now.

I think we did it! Startup was amazingly fast. hggff.exe is no longer there after reboot.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:47:54 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Swarmcast\swarmcast.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://local.swarmcast.net:8001/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Epson printer Registration.lnk = D:\Drivers\E_reg\EPSONREG.EXE
O4 - Startup: swarmcast.lnk = C:\Program Files\Swarmcast\SwarmcastLauncher.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) CORPORATION - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
--
End of file - 8280 bytes

The log looks fine.
Final steps.
Time to do some cleanup and secure the work you have done.
- Click START then RUN
- Now type Combofix /u in the runbox
- Make sure there's a space between Combofix and /u
- Then hit Enter.
- The above procedure will:
  - Delete the following:
    - ComboFix and its associated files and folders.
  - Reset the clock settings.
  - Hide file extensions, if required.
  - Hide System/Hidden files, if required.
  - Set a new, clean Restore Point.
----------
Here are some great tools to help you keep from getting infected again.
Spybot Search & Destroy - A SAFE and effective spyware scanner. * Official Spybot Tutorial * Spybot FAQ
AVG Anti-Spyware Free Edition - Very reliable with a high detection rate. * AVG Anti-Spyware User Manual
SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox. * SpywareBlaster Tutorial
Comodo BOClean - Stops trojans and many more malicious attacks.
Use a Firewall - It can not be stressed enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. * Click here for a list of free firewalls. * Why would I consider a third party firewall?
UPDATE UPDATE UPDATE!!! - If you do not have automatic updates enabled then visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. * Help with Windows updates
Learn more about how to protect yourself while on the internet: read this article by Tony Klein: So how did I get infected in the first place?
Let us know if anything else comes up.

Almost forgot. Check out this tutorial to install the Recovery Console
http://www.bleepingcomputer.com/tutorials/tutorial117.html