
First and foremost, who are you folks and how did you figure out how to increase the length of your days or go without sleep!!! The obvious effort you put into helping the less fortunate and knowledgeable is amazing. Not to overlook many others that contribute, as I only found DW yesterday, but Crunchie and Gerbil are all over this place fighting the evil nasties!!! Thanks in advance for everyone and all they do!!!

OK, to my problem. After googling the file iifgf.exe, which appears to be at least related to my problem, I stumbled here and, from going through some threads, I guess this is some variant of VUNDO. Tried to do as much as possible--running a Trend Micro AV scan many times, running FixVundo from Symantec, running VundoFix found via this site, etc. And while the usual problems have diminished--bad popups and redirects, disappearing desktop, constant triggering without fix by Trend Micro AV, reloading obvious bad add-ins into IE--they have not completely gone away. I always say I only know enough about PCs to be dangerous, but having read up on this type of malware, I don't think it is gone, and it will only come back.

So I am here for help. Thanks.

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:27 PM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [Regx10EXE] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182776430710
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pantech&Curitel Utility Service - Unknown owner - C:\Program Files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 6983 bytes

4 Contributors, 29 Replies, 30 Views, 9 Years Discussion Span, Last Post by NTXPablo

Sorry, Gerbil, to seemingly ignore your help and take so long getting back, but I had a bit of a family emergency that pulled me out of the loop and out of town until Saturday night.

Here is the vundofix.txt that you requested:

VundoFix V6.7.7

Checking Java version...

Sun Java not detected
Scan started at 9:21:50 PM 1/21/2008

Listing files found while scanning....

C:\WINDOWS\system32\cedcylng.dll
C:\WINDOWS\system32\fgfii.ini
C:\WINDOWS\system32\fgfii.ini2
C:\WINDOWS\system32\iifgf.dll
C:\WINDOWS\system32\jfdcpxnh.dll
C:\WINDOWS\system32\pmnmnnm.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cedcylng.dll
C:\WINDOWS\system32\cedcylng.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fgfii.ini
C:\WINDOWS\system32\fgfii.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\fgfii.ini2
C:\WINDOWS\system32\fgfii.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifgf.dll
C:\WINDOWS\system32\iifgf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jfdcpxnh.dll
C:\WINDOWS\system32\jfdcpxnh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\pmnmnnm.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\fgfii.ini
C:\WINDOWS\system32\fgfii.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\fgfii.ini2
C:\WINDOWS\system32\fgfii.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifgf.dll
C:\WINDOWS\system32\iifgf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\pmnmnnm.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Scan started at 10:59:53 PM 1/23/2008

Listing files found while scanning....

C:\WINDOWS\system32\fgfii.ini
C:\WINDOWS\system32\fgfii.ini2
C:\WINDOWS\system32\iifgf.dll
C:\WINDOWS\system32\pmnmnnm.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\fgfii.ini
C:\WINDOWS\system32\fgfii.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\fgfii.ini2
C:\WINDOWS\system32\fgfii.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifgf.dll
C:\WINDOWS\system32\iifgf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\pmnmnnm.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\pmnmnnm.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Scan started at 11:54:01 PM 1/23/2008

Listing files found while scanning....

C:\WINDOWS\system32\pmnmnnm.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\pmnmnnm.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\pmnmnnm.dll Could not be deleted.

Performing Repairs to the registry.
Done!


A delay is not a problem for me, Pablo.
Let's try to manually delete the file that Vundofix could not.
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
Now, first off, start HijackThis and select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A

Now go in and rclick these files and use Unlocker....
C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\mrofinu72.exe
Restart your machine, delete C:\vundofix.txt, dl a fresh copy of Vundofix and run it.
Post another Hijackthis log.


Gerbil,

Did what you said and had mixed results. First, which is probably important, was that Unlocker did not seem to ever unlock the file. Every time I ran it on that particular file, I got an error message saying that Windows Explorer had to close. Then, when I ran VundoFix, it could not delete the file.

Was able to remove the line that you said in the HJT. The other thing was that the second file you said to use Unlocker on was nowhere to be found--not in C:\WINDOWS, not in a search of my hard drives.

Here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:41 PM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {47059018-7f25-7e68-a464-797a7d1802db} - {bd2081d7-a797-464a-86e7-52f781095074} - C:\WINDOWS\system32\ejtkbemq.dll (file missing)
O2 - BHO: (no name) - {D7FD6C15-4927-4AAE-BF12-FBDABD287EB1} - C:\WINDOWS\system32\pmnmnnm.dll
O2 - BHO: (no name) - {EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6} - C:\WINDOWS\system32\iifgf.dll (file missing)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [Regx10EXE] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182776430710
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pantech&Curitel Utility Service - Unknown owner - C:\Program Files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7555 bytes


Congratulations of a sort are due - that is the first I have seen where Unlocker has failed.
Try running Vundofix this way:
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
*****When the scan completes, rclick inside the white text box, lclick the "Add more files?" line, and paste into the new window these pathnames [one per line]:

C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\mnnmnmp.*

Click the Add Files button, and next the Remove Vundo button.******

You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
Follow with this.. we will get a chance to see other new files that were created with Vundo.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Post the contents of C:\vundofix.txt plus a new HijackThis log also.


You can remove these entries through HijackThis...

O2 - BHO: {47059018-7f25-7e68-a464-797a7d1802db} - {bd2081d7-a797-464a-86e7-52f781095074} - C:\WINDOWS\system32\ejtkbemq.dll (file missing)

O2 - BHO: (no name) - {D7FD6C15-4927-4AAE-BF12-FBDABD287EB1} - C:\WINDOWS\system32\pmnmnnm.dll

O2 - BHO: (no name) - {EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6} - C:\WINDOWS\system32\iifgf.dll (file missing)

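The logs in this thread show the pattern Gerbil is working from: Vundo drops a DLL with a random lowercase name in system32, registers it as an unnamed BHO, and keeps companion .ini/.ini2 files whose name is the DLL name spelled backwards (iifgf.dll with fgfii.ini, pmnmnnm.dll with the mnnmnmp.* Gerbil asks for). The runner1 entry is another tell: an executable in C:\WINDOWS started with a long hex argument. The following Python script is an added example, not part of this thread and not code from HijackThis, VundoFix or ComboFix. It triages HijackThis O2/O4 lines for those patterns, derives the companion file names to look for, and flags look-alike names with a space before the extension (ctfmon .exe beside ctfmon.exe) of the kind the ComboFix Find report later in the thread lists. The sample log lines and directory listing are constructed from this thread's logs, and the KNOWN_GOOD allow-list is an assumption standing in for a real known-good list.

```python
import re

# Constructed sample: HijackThis O2/O4 lines in the format used in this thread.
# The suspicious entries are the actual Vundo lines from the logs above.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {47059018-7f25-7e68-a464-797a7d1802db} - {bd2081d7-a797-464a-86e7-52f781095074} - C:\WINDOWS\system32\ejtkbemq.dll (file missing)
O2 - BHO: (no name) - {D7FD6C15-4927-4AAE-BF12-FBDABD287EB1} - C:\WINDOWS\system32\pmnmnnm.dll
O2 - BHO: (no name) - {EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6} - C:\WINDOWS\system32\iifgf.dll (file missing)
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed directory listing of the kind ComboFix's Find report shows:
# look-alike copies carry a space before the extension.
SAMPLE_DIRLIST = [
    "ctfmon.exe", "ctfmon .exe", "UfSeAgnt.exe", "UfSeAgnt .exe",
    "Reader_sl.exe", "Reader_sl .exe", "TMAS_OEMon.exe", "pmnmnnm.dll",
]

# Assumption: a small allow-list of legitimate all-lowercase names that live
# directly under C:\WINDOWS or system32 on this box. Real triage uses a full
# known-good list; the point is that random Vundo names are never on it.
KNOWN_GOOD = {"ctfmon", "dumprep", "narrator", "updreg", "sisusbrg", "nerocheck"}

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] '
    r'"?(?P<exe>[^"]+?\.exe)"?(?P<args>.*)$', re.I)
WINDIR_RE = re.compile(r"^C:\\WINDOWS\\(system32\\)?[^\\]+$", re.I)
STEM_RE = re.compile(r"\\([^\\]+)\.(?:dll|exe)$", re.I)
HEX_BLOB_RE = re.compile(r"\b[0-9A-Fa-f]{32,}\b")


def vundo_companions(dll_path):
    """Vundo keeps .ini/.ini2 files beside each DLL, named with the DLL stem
    reversed (iifgf.dll <-> fgfii.ini, pmnmnnm.dll <-> mnnmnmp.ini above)."""
    folder, _, fname = dll_path.rpartition("\\")
    stem = fname.rsplit(".", 1)[0]
    return [f"{folder}\\{stem[::-1]}.ini", f"{folder}\\{stem[::-1]}.ini2"]


def random_windir_name(path):
    """True for an all-lowercase alphanumeric stem directly under C:\\WINDOWS
    or system32 that is not on the allow-list: the Vundo naming pattern."""
    m = STEM_RE.search(path)
    if not m or not WINDIR_RE.match(path):
        return False
    stem = m.group(1)
    return re.fullmatch(r"[a-z0-9]{5,}", stem) is not None and stem not in KNOWN_GOOD


def triage_hjt(text):
    """Return one finding per suspicious O2 (BHO) or O4 (Run) line."""
    findings = []
    for line in text.splitlines():
        m = BHO_RE.match(line)
        if m:
            reasons = []
            if m["name"] == "(no name)" or m["name"].startswith("{"):
                reasons.append("unnamed BHO")
            if m["missing"]:
                reasons.append("file missing (dead autostart, still fix it)")
            if random_windir_name(m["path"]):
                reasons.append("random-looking name in Windows dir")
            if reasons:
                comps = vundo_companions(m["path"]) if m["path"].lower().endswith(".dll") else []
                findings.append({"line": line, "path": m["path"], "reasons": reasons, "companions": comps})
            continue
        m = RUN_RE.match(line)
        if m:
            reasons = []
            if random_windir_name(m["exe"]):
                reasons.append("random-looking name in Windows dir")
            if HEX_BLOB_RE.search(m["args"]):
                reasons.append("long hex argument (runner1 style)")
            if reasons:
                findings.append({"line": line, "path": m["exe"], "reasons": reasons, "companions": []})
    return findings


def find_doppelgangers(names):
    """Names with a space before the extension that shadow a real file,
    e.g. 'ctfmon .exe' beside 'ctfmon.exe'."""
    present = set(names)
    return sorted(n for n in names if " ." in n and n.replace(" .", ".") in present)


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f["path"], "->", ", ".join(f["reasons"]))
        for c in f["companions"]:
            print("   also look for", c)
    print("doppelgangers:", find_doppelgangers(SAMPLE_DIRLIST))
```

Run against the sample it flags the three Vundo BHOs and the runner1 entry, leaves the Adobe, QuickTime and ctfmon entries alone, and prints mnnmnmp.ini/.ini2 as the companions to hunt for beside pmnmnnm.dll. Entries marked "(file missing)" still get reported on purpose: the file is gone but the autostart registration is not, which is why Crunchie tells the poster to fix them in HijackThis anyway. A name that passes these checks is not proof of a clean file, only that it does not fit the pattern; the reverse is also a heuristic, so confirm a hit against a known-good list before deleting.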

OK, Gerbil...did all that you asked so here goes with the logs:

COMBOFIX LOG:

ComboFix 08-01-29.3 - Paul 2008-01-29 1:23:58.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.818 [GMT -6:00]
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\pmnmnnm.dll

----- BITS: Possible infected sites -----

hxxp://80.93.59.108
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-28 20:57 . 2008-01-28 20:57 306 --a------ C:\WINDOWS\QTW.QTW
2008-01-28 20:53 . 2008-01-28 20:53 86,400 --a------ C:\WINDOWS\~GLC0000.TMP
2008-01-28 19:09 . 2008-01-28 19:10 13,824 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-01-27 15:20 . 2008-01-28 20:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 21:57 . 2008-01-23 21:57 <DIR> d-------- C:\WINDOWS\Sun
2008-01-23 21:57 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-23 21:55 . 2008-01-23 21:57 <DIR> d-------- C:\Program Files\Java
2008-01-23 21:55 . 2008-01-23 21:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-21 23:32 . 2008-01-21 23:32 78,912 --a------ C:\WINDOWS\system32\ejtkbemq.junk
2008-01-21 23:29 . 2008-01-21 23:29 6,675 --a------ C:\WINDOWS\system32\rxqmhuct.junk
2008-01-21 23:26 . 2008-01-21 23:26 6,675 --a------ C:\WINDOWS\system32\chbcmnky.junk
2008-01-21 23:20 . 2008-01-21 23:20 78,912 --a------ C:\WINDOWS\system32\qxpcdpaj.junk
2008-01-21 21:21 . 2008-01-29 01:17 <DIR> d-------- C:\VundoFix Backups
2008-01-20 12:19 . 2008-01-20 12:19 6,675 --a------ C:\WINDOWS\system32\qbeebqpx.dll
2008-01-20 12:17 . 2008-01-20 12:17 6,675 --a------ C:\WINDOWS\system32\dbqcvrqi.dll
2008-01-20 11:16 . 2007-12-16 18:29 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-20 11:16 . 2007-12-16 18:29 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-01-20 11:16 . 2007-12-16 18:29 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-01-19 17:34 . 2008-01-19 19:45 <DIR> d-------- C:\Documents and Settings\Paul\.housecall6.6
2008-01-19 14:51 . 2006-05-03 11:57 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-01-19 14:20 . 2008-01-23 09:01 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 02:53 86,400 ----a-w C:\WINDOWS\~GLC0000.TMP
2008-01-29 02:53 --------- d-----w C:\Program Files\YOU DON'T KNOW JACK
2008-01-29 02:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-29 02:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-20 17:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-01-20 17:16 --------- d-----w C:\Program Files\Trend Micro
2008-01-20 02:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 23:10 --------- d-----w C:\Program Files\Common Files\Real
2008-01-19 23:01 --------- d-----w C:\Program Files\Total 3D Home Deluxe
2008-01-19 23:00 --------- d-----w C:\Program Files\TDK
2008-01-19 22:52 --------- d-----w C:\Program Files\Rage
2008-01-19 22:45 --------- d-----w C:\Program Files\InterActual
2008-01-19 22:27 --------- d-----w C:\Program Files\ATI Technologies
2008-01-19 20:17 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-19 19:54 --------- d-----w C:\Documents and Settings\Paul\Application Data\Lavasoft
2008-01-19 18:11 --------- d-----w C:\Program Files\QuickTime
2008-01-19 18:10 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-01-19 18:10 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-12-17 00:29 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2007-12-17 00:29 35,856 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-12-17 00:29 333,328 ----a-w C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-12-17 00:29 202,768 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-12-17 00:29 1,126,072 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2007-05-02 17:34 66,192 ----a-w C:\Documents and Settings\Paul\Application Data\GDIPFONTCACHEV1.DAT
.

----a-w            39,792 2008-01-19 20:20:51  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w         1,393,928 2008-01-24 01:02:54  C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
----a-w           492,808 2008-01-24 01:02:53  C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
----a-w            15,360 2008-01-23 15:01:18  C:\WINDOWS\system32\ctfmon .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bd2081d7-a797-464a-86e7-52f781095074}]
C:\WINDOWS\system32\ejtkbemq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6}]
C:\WINDOWS\system32\iifgf.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="" []
"MtdAcq"="C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe" [ ]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\main\ATISched.EXE" [ ]
"ATI Launchpad"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-01-23 19:43 492808]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [ ]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [ ]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [ ]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [ ]
"Regx10EXE"="C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe" [ ]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"CTHelper"="CTHELPER.EXE" [2007-04-09 11:32 19456 C:\WINDOWS\system32\CtHelper.exe]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [ ]
"EPSON Stylus CX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-01-23 19:43 1393928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 01:56 158208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"VundoFix"="C:\Documents and Settings\Paul\Desktop\vundofix.exe" [2008-01-28 19:52 132608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 02:48 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-02-11 20:54:15 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

R0 portenum;Intek21 PCI IO Driver;C:\WINDOWS\system32\DRIVERS\portenum.sys [2000-07-07 20:59]
R3 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys [2006-06-07 13:15]
S2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS [2001-10-01 15:29]
S2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys [1999-11-05 18:43]
S2 SESUSBHW;%SESUSBHW.SvcDesc%;C:\WINDOWS\system32\Drivers\sesusb.sys [2001-05-11 16:50]
S3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-30 10:53]
S3 DCamUSBAlaris;ALARIS QuickVideo weeCam USB;C:\WINDOWS\system32\DRIVERS\DVC2USB.sys [1999-08-04 05:08]
S3 WEBNTACCESS;WEBNTACCESS;C:\WINDOWS\System32\NTACCESS.SYS []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 01:28:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
.
**************************************************************************
.
Completion time: 2008-01-29 1:31:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 07:31:09
.
2008-01-09 15:24:01 --- E O F ---


VUNDOFIX LOG:

VundoFix V6.7.7

Checking Java version...

Scan started at 11:21:34 PM 1/28/2008

Listing files found while scanning....

C:\WINDOWS\system32\pmnmnnm.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\pmnmnnm.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\pmnmnnm.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\pmnmnnm.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\pmnmnnm.dll Could not be deleted.

Performing Repairs to the registry.
Done!


HJT LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:03 AM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {47059018-7f25-7e68-a464-797a7d1802db} - {bd2081d7-a797-464a-86e7-52f781095074} - C:\WINDOWS\system32\ejtkbemq.dll (file missing)
O2 - BHO: (no name) - {EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6} - C:\WINDOWS\system32\iifgf.dll (file missing)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [Regx10EXE] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182776430710
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pantech&Curitel Utility Service - Unknown owner - C:\Program Files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7337 bytes

0

you can remove these entries through the HiJackThis...

O2 - BHO: {47059018-7f25-7e68-a464-797a7d1802db} - {bd2081d7-a797-464a-86e7-52f781095074} - C:\WINDOWS\system32\ejtkbemq.dll (file missing)

O2 - BHO: (no name) - {D7FD6C15-4927-4AAE-BF12-FBDABD287EB1} - C:\WINDOWS\system32\pmnmnnm.dll

O2 - BHO: (no name) - {EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6} - C:\WINDOWS\system32\iifgf.dll (file missing)

0

Whilst Gerbil is offline, can you please do the following:

A. Please RUN HijackThis

  1. Click the SCAN button to produce a log.
  2. Place a check mark beside each one of the following items:

    O2 - BHO: {47059018-7f25-7e68-a464-797a7d1802db} - {bd2081d7-a797-464a-86e7-52f781095074} - C:\WINDOWS\system32\ejtkbemq.dll (file missing)
    O2 - BHO: (no name) - {EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6} - C:\WINDOWS\system32\iifgf.dll (file missing)

  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

B. 1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

RENV::
----a-w 39,792 2008-01-19 20:20:51 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 1,393,928 2008-01-24 01:02:54 C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
----a-w 492,808 2008-01-24 01:02:53 C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
----a-w 15,360 2008-01-23 15:01:18 C:\WINDOWS\system32\ctfmon .exe

File::
C:\WINDOWS\system32\ejtkbemq.junk
C:\WINDOWS\system32\rxqmhuct.junk
C:\WINDOWS\system32\chbcmnky.junk
C:\WINDOWS\system32\qxpcdpaj.junk
C:\WINDOWS\system32\qbeebqpx.dll
C:\WINDOWS\system32\dbqcvrqi.dll
C:\WINDOWS\system32\iifgf.dll

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bd2081d7-a797-464a-86e7-52f781095074}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6}]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


7. After reboot, (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix then post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attachments CFScript.gif 27.09 KB
0
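The two helper posts above act on the same three indicators: BHO registrations whose DLL is gone (the `(file missing)` entries), unnamed BHOs loading out of system32, and executables whose name carries a space before `.exe` (the `RenV::` entries). As an added example, not code from this thread or from HijackThis or ComboFix, here is a small Python triage script that picks those indicators out of log lines in the formats quoted above. The sample lines are copied from this thread's own logs; the regular expressions, the `Finding` type and the heuristics are mine and are only a starting point for reading such logs, not a replacement for the helpers' judgement.

```python
"""Triage helpers for HijackThis O2 (BHO) lines and ComboFix directory listings."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: BHO lines copied from the HijackThis logs in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {47059018-7f25-7e68-a464-797a7d1802db} - {bd2081d7-a797-464a-86e7-52f781095074} - C:\WINDOWS\system32\ejtkbemq.dll (file missing)
O2 - BHO: (no name) - {EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6} - C:\WINDOWS\system32\iifgf.dll (file missing)
O2 - BHO: (no name) - {D7FD6C15-4927-4AAE-BF12-FBDABD287EB1} - C:\WINDOWS\system32\pmnmnnm.dll
"""

# Constructed sample input: listing lines copied from the ComboFix report in this thread.
SAMPLE_COMBOFIX_LISTING = r"""
----a-w 39,792 2008-01-19 20:20:51 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 1,393,928 2008-01-24 01:02:54 C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
----a-w 15,360 2008-01-23 15:01:18 C:\WINDOWS\system32\ctfmon .exe
"""

# HijackThis O2 line: "O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]".
# The name may itself be a GUID in braces, so it is matched non-greedily.
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
GUID_NAME_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
SYSTEM_DIR_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\", re.IGNORECASE)

# ComboFix listing line: "<attrs> <size> <date> <time> <path>".
LISTING_RE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+(?P<stamp>\S+ \S+)\s+(?P<path>.+)$"
)
# Whitespace immediately before the final extension, e.g. "ctfmon .exe".
SPACE_BEFORE_EXT_RE = re.compile(r"\s+(\.[A-Za-z0-9]+)$")


@dataclass(frozen=True)
class Finding:
    line: str
    reasons: Tuple[str, ...]


def triage_bho_lines(log_text: str) -> List[Finding]:
    """Flag O2 lines that are orphaned or that load an unnamed DLL from system32."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = BHO_RE.match(raw.strip())
        if not m:
            continue
        name, path = m["name"], m["path"]
        anonymous = name == "(no name)" or bool(GUID_NAME_RE.match(name))
        reasons = []
        if m["missing"] is not None:
            reasons.append("registry still points at a DLL that is no longer on disk")
        if anonymous and SYSTEM_DIR_RE.match(path):
            reasons.append("unnamed BHO loading from the Windows system directory")
        if reasons:
            findings.append(Finding(m.group(0), tuple(reasons)))
    return findings


def find_space_before_extension(listing_text: str) -> List[Tuple[str, str]]:
    """Return (path, look_alike) pairs where a space sits before the extension.

    look_alike is the legitimate file name the entry imitates once the
    space is removed, which is what the RenV:: directive acts on.
    """
    hits: List[Tuple[str, str]] = []
    for raw in listing_text.splitlines():
        m = LISTING_RE.match(raw.strip())
        if not m:
            continue
        path = m["path"]
        if SPACE_BEFORE_EXT_RE.search(path):
            hits.append((path, SPACE_BEFORE_EXT_RE.sub(r"\1", path)))
    return hits


if __name__ == "__main__":
    for f in triage_bho_lines(SAMPLE_HJT_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
    for path, look_alike in find_space_before_extension(SAMPLE_COMBOFIX_LISTING):
        print(f"space-before-extension: {path!r} imitates {look_alike!r}")
```

Run as a script it prints the three BHO lines the helpers told the poster to fix, each with the reason it was flagged, and the three `RenV::` candidates with the file name each one imitates. A named BHO pointing at an existing DLL under Program Files (the Adobe and Java entries) is not flagged.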

Aw, heck, I just worked this up...
Killall::

File::
C:\WINDOWS\~GLC0000.TMP
C:\WINDOWS\system32\ejtkbemq.junk
C:\WINDOWS\system32\ejtkbemq.junk
C:\WINDOWS\system32\rxqmhuct.junk
C:\WINDOWS\system32\chbcmnky.junk
C:\WINDOWS\system32\qxpcdpaj.junk
C:\WINDOWS\system32\qbeebqpx.dll
C:\WINDOWS\system32\dbqcvrqi.dll

RenV::
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
C:\WINDOWS\system32\ctfmon .exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bd2081d7-a797-464a-86e7-52f781095074}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6}]
:)

0

I was offline, came back on just a bit too late for the glory. Missed one, did I, crunchie? Well, durn. Mighta picked it up on the next run... you gotta make em work at it to teach em a lesson about getting infected in the first place.... :)
I'm getting tired of the Opera caching... may go back to FF. Caching speeds Opera up, but is no help on this job.
BTW, Overwhelmed... that script fix includes a fix for the two registry entries that you point out from Hijackthis...

0

Every time I revisit a thread I get the old cached copy... have to hit the refresh button, and sometimes I forget and get confused by what I see.... FF doesn't cache like that. I have fooled with my FF but I still cannot get it to read that post with the looong list of Posxxx.tmp deletions.
If I make an entry in a thread Opera puts up the refreshed page immediately, but if I load another page [thread] that I have been to before a bit earlier I get a cached [and sometimes out of date] copy.

0

Go to Tools | Preferences | Advanced | History and where the Check Documents entry is, from the drop down box, select Always.

Attachments Opera.jpg 28.58 KB
0

Heck, you did it again!! I just changed that setting to how you said! We gotta stop meeting like this!!
I also cut the cache from default 200MB to 10MB. Not having used Opera for several months, and having just updated it totally I got all the defaults; I'll get around to checking them all one day. I did already move the cache away from XP to another volume, though; no way do I want caches disturbing XP.
Btw, Crunchie, it was interesting that Vundofix could not delete C:\WINDOWS\system32\pmnmnnm.dll even when it was pointed right at it. Did you notice that Unlocker failed also?

0

Guys (the all-encompassing, non-gender specific because I am not sure if you are a lady or a gentleman "Guys" greeting that is native to Tex-ass!!!),

My thread reminds me of the old adage, "How many <insert person's job> does it take to <insert problem>???"

So far the answer is three for this numbnuts!!!

Seriously, thanks for all the input. I am at work, so it will be this evening before I can put the next piece of advice into action. I will certainly post the requested logs once that is completed.

But I saw that several posts had been added to my thread and then saw Crunchie and Gerbil even had the opportunity to work out some of their own issues, so I thought I would jump on briefly. I am so glad that my tainted PC could provide the springboard to Gerbil getting his Opera issues handled!!!

Another question I have that I planned to ask once we got to the end game, but will ask during our little "halftime" here and spurred by Gerbil's comment "you gotta make em work at it to teach em a lesson about getting infected in the first place."

I know that was tongue in cheek, although to a certain extent I imagine it is true. That said, working for an IT company even though I do not do IT work (audio-visual), I am pretty security minded. Certainly learned a lot at this site that will help me ramp up my defenses after this incident, but really, is it just plausibly inevitable that sooner or later, no matter what you do, if you go online at all, you are going to get bit?

I mean, we have two computers at the house, both are hardware and software firewall protected, have never had either online unprotected, have used Trend Micro/PC Cillin with paid-for updates that check seemingly everything, scan regularly with AdAware and SpyBot, and still this happens!!!

Over the years, get the occasional trigger from virus software killing a bug, but never have we had a full-blown outbreak on either PC (glad the laptop seems to be clean). It just doesn't figure unless I am using an inferior anti-virus product--I wonder now, input appreciated--or if it is just a case of no matter how many times you wash your hands, you can never be 100% clean?!?!

The funny thing is, this problem really bogged down the speed of my computer, which made me think initially that it was just time to upgrade until all the popups and other clues that it was a virus happened. But now that I have done the preliminary work on compiling a parts list for a new rig, I am too excited to turn back now!!! I will move forward in the next month with building a new PC and probably turning this one into a server of some sort (considering using Windows Home Server software). But before I dump any files on a clean build, DEFINITELY want to get this one clean.

Again, I really appreciate the time and expertise. You "guys" are the best. I will post again once I get home tonight and apply the latest measures previously suggested.

Later...

0

Heck, you did it again!! I just changed that setting to how you said! We gotta stop meeting like this!!
I also cut the cache from default 200MB to 10MB. Not having used Opera for several months, and having just updated it totally I got all the defaults; I'll get around to checking them all one day. I did already move the cache away from XP to another volume, though; no way do I want caches disturbing XP.
Btw, Crunchie, it was interesting that Vundofix could not delete C:\WINDOWS\system32\pmnmnnm.dll even when it was pointed right at it. Did you notice that Unlocker failed also?

I have had Vundo files like that at another site I help out at. Would not go no matter what we threw at it. In the end the OP had to slave the drive to another system to get rid of it.
Looks like combofix got it though.

0

Protection. If you have even a half decent firewall [like Window's version] getting infected by malware comes down to it simply being invited in. Therein lie the problems: your gullibility, innocence, impatience and yes, your trust in others. Websites are infected or carry infected objects knowingly or unknowingly, friends and others have systems which permit them to send you infected objects, you don't suspect that a pretty picture or animation could do any harm... and for those people who trawl the more risque or basic instinct sites, well, they just have lowered ideas of worth, self or otherwise [imo, not nec this site's.. :)].
Ok, you clicked on it, it's not being blocked and so it is coming in...
"Over the years, get the occasional trigger from virus software killing a bug" ...yep, luckily your software caught a known one, or recognised a pattern, a style of attack. But AV, AS etc is not always in front of the game, actually, mostly it is behind by a step or more. The sole compensation is that a new attack is almost by definition a rare attack. Your best defence is to layer your defences behind the firewall: a reputable and updated AV [there is no best AV ...], an updated AS lying in reserve, a process blocker, and possibly either a registry sentinel or simply not web-crawling while an administrator.
If you have a two-way firewall [like most are] you may get told if something like adware is trying to work because generally it has to call out for instructions - but you have to READ those firewall popups. That is when you run your AS if it is not a full-service scanner. A new virus... well, it's pretty much up to what the virus intends doing; it may just want to spread inside, spread outside, and perhaps wreck your system. It just sometimes comes down to you becoming aware of it when things no longer work right; a decent virus will make sure that your AV doesn't see it by either blocking it or hiding, and that your firewall accepts it. A registry sentinel can help here.
"...it's not being blocked..." - a process blocker [for want of a better term on the spur of the moment] will stop known bad programs from coming in or running if they are already in. Spywareblaster is one, it's currently blocking 9511 ActiveX controls, websites and cookies [it does not impose any arbitrary "taste" blocks]. There are also free hosts file lists out there to block known dangerous websites.
So. Don't be impatient, be suspicious, check file extensions and be a bit lucky. Like most things, surfing more increases your risk, and ruins your suntan. And yeah, there are viruses outside in the real world, too.
Oh, and please, crunchie n I are blokes, not guys.

0

OK Guys...er I mean blokes!!!

Well, when it rains it pours!!! Came home Tuesday night to find that the power supply in my PC had bit the dust!!! Lovely, but finally had a chance to pick one up yesterday and replaced it this AM...glad it did not fry any components in the PC.

Anyway, finally I am back in business to continue the business of cleaning up this vundo mess...thanks in advance for your patience...

So, completed the processes that were prescribed. However, dragging the .txt file into combofix did not produce a new combofix log. Maybe I misunderstood, but anyway, ran combofix again afterwards to produce a new log:

ComboFix 08-01-29.3 - Paul 2008-02-03 13:49:42.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.595 [GMT -6:00]
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-01-28 20:57 . 2008-01-28 20:57 306 --a------ C:\WINDOWS\QTW.QTW
2008-01-28 20:53 . 2008-01-28 20:53 86,400 --a------ C:\WINDOWS\~GLC0000.TMP
2008-01-28 19:09 . 2008-01-28 19:10 13,824 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-01-27 15:20 . 2008-01-28 20:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 21:57 . 2008-01-23 21:57 <DIR> d-------- C:\WINDOWS\Sun
2008-01-23 21:57 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-23 21:55 . 2008-01-23 21:57 <DIR> d-------- C:\Program Files\Java
2008-01-23 21:55 . 2008-01-23 21:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-21 23:32 . 2008-01-21 23:32 78,912 --a------ C:\WINDOWS\system32\ejtkbemq.junk
2008-01-21 23:29 . 2008-01-21 23:29 6,675 --a------ C:\WINDOWS\system32\rxqmhuct.junk
2008-01-21 23:26 . 2008-01-21 23:26 6,675 --a------ C:\WINDOWS\system32\chbcmnky.junk
2008-01-21 23:20 . 2008-01-21 23:20 78,912 --a------ C:\WINDOWS\system32\qxpcdpaj.junk
2008-01-21 21:21 . 2008-01-29 01:17 <DIR> d-------- C:\VundoFix Backups
2008-01-20 12:19 . 2008-01-20 12:19 6,675 --a------ C:\WINDOWS\system32\qbeebqpx.dll
2008-01-20 12:17 . 2008-01-20 12:17 6,675 --a------ C:\WINDOWS\system32\dbqcvrqi.dll
2008-01-20 11:16 . 2007-12-16 18:29 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-20 11:16 . 2007-12-16 18:29 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-01-20 11:16 . 2007-12-16 18:29 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-01-19 17:34 . 2008-01-19 19:45 <DIR> d-------- C:\Documents and Settings\Paul\.housecall6.6
2008-01-19 14:51 . 2006-05-03 11:57 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-01-19 14:20 . 2008-01-23 09:01 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 02:53 86,400 ----a-w C:\WINDOWS\~GLC0000.TMP
2008-01-29 02:53 --------- d-----w C:\Program Files\YOU DON'T KNOW JACK
2008-01-29 02:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-29 02:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-20 17:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-01-20 17:16 --------- d-----w C:\Program Files\Trend Micro
2008-01-20 02:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 23:10 --------- d-----w C:\Program Files\Common Files\Real
2008-01-19 23:01 --------- d-----w C:\Program Files\Total 3D Home Deluxe
2008-01-19 23:00 --------- d-----w C:\Program Files\TDK
2008-01-19 22:52 --------- d-----w C:\Program Files\Rage
2008-01-19 22:45 --------- d-----w C:\Program Files\InterActual
2008-01-19 22:27 --------- d-----w C:\Program Files\ATI Technologies
2008-01-19 20:17 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-19 19:54 --------- d-----w C:\Documents and Settings\Paul\Application Data\Lavasoft
2008-01-19 18:11 --------- d-----w C:\Program Files\QuickTime
2008-01-19 18:10 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-01-19 18:10 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-12-17 00:29 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2007-12-17 00:29 35,856 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-12-17 00:29 333,328 ----a-w C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-12-17 00:29 202,768 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-12-17 00:29 1,126,072 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-05-02 17:34 66,192 ----a-w C:\Documents and Settings\Paul\Application Data\GDIPFONTCACHEV1.DAT
.

----a-w            39,792 2008-01-19 20:20:51  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w         1,393,928 2008-01-24 01:02:54  C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
----a-w           492,808 2008-01-24 01:02:53  C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
----a-w            15,360 2008-01-23 15:01:18  C:\WINDOWS\system32\ctfmon .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="" []
"MtdAcq"="C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe" [ ]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\main\ATISched.EXE" [ ]
"ATI Launchpad"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-01-23 19:43 492808]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [ ]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [ ]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [ ]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [ ]
"Regx10EXE"="C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe" [ ]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"CTHelper"="CTHELPER.EXE" [2007-04-09 11:32 19456 C:\WINDOWS\system32\CtHelper.exe]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [ ]
"EPSON Stylus CX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-01-23 19:43 1393928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 02:48 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-02-11 20:54:15 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

R0 portenum;Intek21 PCI IO Driver;C:\WINDOWS\system32\DRIVERS\portenum.sys [2000-07-07 20:59]
R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS [2001-10-01 15:29]
R2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys [1999-11-05 18:43]
R3 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys [2006-06-07 13:15]
R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-30 10:53]
S2 SESUSBHW;%SESUSBHW.SvcDesc%;C:\WINDOWS\system32\Drivers\sesusb.sys [2001-05-11 16:50]
S3 DCamUSBAlaris;ALARIS QuickVideo weeCam USB;C:\WINDOWS\system32\DRIVERS\DVC2USB.sys [1999-08-04 05:08]
S3 WEBNTACCESS;WEBNTACCESS;C:\WINDOWS\System32\NTACCESS.SYS []

*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 13:51:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\ArcSoft\PhotoImpression 5\share\pihook.dll
.
Completion time: 2008-02-03 13:52:04
ComboFix-quarantined-files.txt 2008-02-03 19:51:49
ComboFix2.txt 2008-01-29 07:31:13
.
2008-01-09 15:24:01 --- E O F ---


And here is the requested HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:10 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [Regx10EXE] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182776430710
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pantech&Curitel Utility Service - Unknown owner - C:\Program Files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 6946 bytes


Thanks again Gerbil and Crunchie for the help. Apprise me of the next steps, if any.

0

Pablo, if you have saved CFScript.txt [note the spelling..] onto your desktop where combofix is, I see, then you just drag the icon onto the Combofix icon. You should immediately see it start working. Drag the icon, not the file itself. Try it again, if it still fails we shall have to try something else.

0

No, I was able to do that and it appeared to do its thing. However, what it did not do was produce a new combofix log, which was requested to be posted along with a HJT log in the previous instructions.

So to get a new combofix log, I ran combofix a second time to produce the log.

But I can run the whole process again and post the results.

Thanks.

0

Pablo, yes.. you should run it again because nothing in the script was deleted. Delete your copy of Combofix, dl a fresh one and try again.
[this is actually a normal way of starting a program, for instance you can drag a .jpg onto photoshop.exe and it will open with it]
If it should fail again try it with this modified script:
_______________________________________________________________

Killall::

File::
C:\WINDOWS\~GLC0000.TMP
C:\WINDOWS\system32\iifgf.dll
C:\WINDOWS\system32\ejtkbemq.junk
C:\WINDOWS\system32\rxqmhuct.junk
C:\WINDOWS\system32\chbcmnky.junk
C:\WINDOWS\system32\qxpcdpaj.junk
C:\WINDOWS\system32\qbeebqpx.dll
C:\WINDOWS\system32\dbqcvrqi.dll
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
C:\WINDOWS\system32\ctfmon .exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bd2081d7-a797-464a-86e7-52f781095074}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6}]
________________________________________________________

and if it still fails, attempt with either script in Safe mode.

0
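The CFScript above has ComboFix delete, next to the obviously junk files, several files whose names carry a space before the extension (UfSeAgnt .exe, TMAS_OEMon .exe, ctfmon .exe) while the legitimately named programs stay. What follows is an added example, not code from this thread, from HijackThis or from ComboFix: a Python check that pulls file paths out of HijackThis-style log lines and flags that naming trick, a spaced name sitting beside the real file it imitates, and .junk files in system32. The sample log lines are constructed from entries quoted in this thread.

```python
"""Flag file-name tricks in HijackThis-style log lines (added example)."""
import ntpath
import re

# Constructed sample built from entries quoted in this thread: a mix of
# 'Running processes' lines and O4 autostart entries.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ejtkbemq.junk
"""

# A drive-letter path whose last segment may contain whitespace right before
# the extension, which is exactly the shape of "UfSeAgnt .exe".
_PATH_RE = re.compile(
    r'[A-Za-z]:\\(?:[^\\\r\n"]*\\)*[^\\\r\n"]*?\.(?:exe|dll|sys|tmp|junk)\b',
    re.IGNORECASE,
)
_SPACED_EXT_RE = re.compile(r"\s\.[A-Za-z0-9]+$")
_SYSTEM32 = "windows\\system32"


def extract_paths(text):
    """Return every file path found in the log, in order of appearance."""
    return [m.group(0) for line in text.splitlines() for m in _PATH_RE.finditer(line)]


def name_reason(path):
    """Why a single path looks wrong by its name alone, or None."""
    directory, base = ntpath.split(path)
    if _SPACED_EXT_RE.search(base):
        return "whitespace before extension"
    if base.lower().endswith(".junk") and directory.lower().endswith(_SYSTEM32):
        return ".junk file in system32"
    return None


def _shadow_key(path):
    """Directory plus file name with its whitespace removed, lower-cased."""
    directory, base = ntpath.split(path)
    return (directory.lower(), re.sub(r"\s+", "", base).lower())


def scan_log(text):
    """Return (path, reason) pairs for suspicious entries, each path once.

    A spaced name is additionally marked as imitating the legitimately
    named file when that file appears in the same directory in the log.
    """
    paths = extract_paths(text)
    clean = {_shadow_key(p) for p in paths
             if not _SPACED_EXT_RE.search(ntpath.basename(p))}
    findings, seen = [], set()
    for path in paths:
        reason = name_reason(path)
        if reason is None or path.lower() in seen:
            continue
        seen.add(path.lower())
        if reason == "whitespace before extension" and _shadow_key(path) in clean:
            reason += ", imitates " + re.sub(r"\s+", "", ntpath.basename(path))
        findings.append((path, reason))
    return findings


if __name__ == "__main__":
    for path, reason in scan_log(SAMPLE_LOG):
        print(f"{reason:50s} {path}")
```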

OK, did as instructed, let's see what you think about this:

COMBOFIX LOG:

ComboFix 08-02.05.3 - Paul 2008-02-06 8:49:48.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.524 [GMT -6:00]
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Paul\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
C:\WINDOWS\~GLC0000.TMP
C:\WINDOWS\system32\chbcmnky.junk
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\dbqcvrqi.dll
C:\WINDOWS\system32\ejtkbemq.junk
C:\WINDOWS\system32\iifgf.dll
C:\WINDOWS\system32\qbeebqpx.dll
C:\WINDOWS\system32\qxpcdpaj.junk
C:\WINDOWS\system32\rxqmhuct.junk
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
C:\WINDOWS\~GLC0000.TMP
C:\WINDOWS\system32\chbcmnky.junk
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\dbqcvrqi.dll
C:\WINDOWS\system32\ejtkbemq.junk
C:\WINDOWS\system32\qbeebqpx.dll
C:\WINDOWS\system32\qxpcdpaj.junk
C:\WINDOWS\system32\rxqmhuct.junk

.
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-03 14:44 . 2008-02-03 14:44 <DIR> d-------- C:\WINDOWS\Performance
2008-02-03 14:44 . 2008-02-03 14:44 <DIR> d-------- C:\Program Files\Microsoft Windows Vista Upgrade Advisor
2008-02-03 14:44 . 2008-02-03 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-01-28 20:57 . 2008-01-28 20:57 306 --a------ C:\WINDOWS\QTW.QTW
2008-01-28 19:11 . 2008-01-28 19:12 <DIR> d-------- C:\Program Files\Unlocker
2008-01-28 19:09 . 2008-01-28 19:10 13,824 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-01-27 15:20 . 2008-01-28 20:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 21:57 . 2008-01-23 21:57 <DIR> d-------- C:\WINDOWS\Sun
2008-01-23 21:57 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-23 21:55 . 2008-01-23 21:57 <DIR> d-------- C:\Program Files\Java
2008-01-23 21:55 . 2008-01-23 21:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-21 21:21 . 2008-01-29 01:17 <DIR> d-------- C:\VundoFix Backups
2008-01-20 11:16 . 2007-12-16 18:29 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-20 11:16 . 2007-12-16 18:29 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-01-20 11:16 . 2007-12-16 18:29 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-01-19 17:34 . 2008-01-19 19:45 <DIR> d-------- C:\Documents and Settings\Paul\.housecall6.6
2008-01-19 14:51 . 2006-05-03 11:57 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 02:53 --------- d-----w C:\Program Files\YOU DON'T KNOW JACK
2008-01-29 02:49 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-29 02:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-29 02:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-20 17:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-01-20 17:16 --------- d-----w C:\Program Files\Trend Micro
2008-01-20 02:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 23:10 --------- d-----w C:\Program Files\Common Files\Real
2008-01-19 23:01 --------- d-----w C:\Program Files\Total 3D Home Deluxe
2008-01-19 23:00 --------- d-----w C:\Program Files\TDK
2008-01-19 22:52 --------- d-----w C:\Program Files\Rage
2008-01-19 22:45 --------- d-----w C:\Program Files\InterActual
2008-01-19 22:27 --------- d-----w C:\Program Files\ATI Technologies
2008-01-19 20:17 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-19 19:54 --------- d-----w C:\Documents and Settings\Paul\Application Data\Lavasoft
2008-01-19 18:11 --------- d-----w C:\Program Files\QuickTime
2008-01-19 18:10 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-01-19 18:10 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-12-17 00:29 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2007-12-17 00:29 35,856 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-12-17 00:29 333,328 ----a-w C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-12-17 00:29 202,768 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-12-17 00:29 1,126,072 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2007-05-02 17:34 66,192 ----a-w C:\Documents and Settings\Paul\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="" []
"MtdAcq"="C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe" [ ]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\main\ATISched.EXE" [ ]
"ATI Launchpad"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-01-23 19:43 492808]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [ ]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [ ]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [ ]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [ ]
"Regx10EXE"="C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe" [ ]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"CTHelper"="CTHELPER.EXE" [2007-04-09 11:32 19456 C:\WINDOWS\system32\CtHelper.exe]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [ ]
"EPSON Stylus CX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-01-21 12:16 1393928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 02:48 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-02-11 20:54:15 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

R0 portenum;Intek21 PCI IO Driver;C:\WINDOWS\system32\DRIVERS\portenum.sys [2000-07-07 20:59]
R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS [2001-10-01 15:29]
R2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys [1999-11-05 18:43]
R3 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys [2006-06-07 13:15]
R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-30 10:53]
S2 SESUSBHW;%SESUSBHW.SvcDesc%;C:\WINDOWS\system32\Drivers\sesusb.sys [2001-05-11 16:50]
S3 DCamUSBAlaris;ALARIS QuickVideo weeCam USB;C:\WINDOWS\system32\DRIVERS\DVC2USB.sys [1999-08-04 05:08]
S3 WEBNTACCESS;WEBNTACCESS;C:\WINDOWS\System32\NTACCESS.SYS []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 08:56:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-06 9:04:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-06 15:04:36
ComboFix2.txt 2008-01-29 07:31:13
.
2008-01-09 15:24:01 --- E O F ---


HJT LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:22 AM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [Regx10EXE] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182776430710
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pantech&Curitel Utility Service - Unknown owner - C:\Program Files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7086 bytes


Thanks...

0

Many, many thanks are in order Gerbil!!! I so appreciate the help.

Not to bore you with details, but sorry again for the long interludes during this process, including this last one to respond to your assertion that the logs were clean. I will simply state that a virus-laden computer has not been my only distraction the last few weeks!!! At least I can cross this particular problem off my list of "things that need addressing ASAP."

So, no other problems per se...just have to figure out my new PC build, new home server build, and networking everything. But compared to VUNDO, those are a piece of cake!!!

Thanks also to Crunchie and others that chimed in on this thread with help.

So you can mark this one FIXED!!!

Take care...

Paul

0

Nice, Paul... And no apologies needed, it all proceeds at your pace [with a few delays thrown in by us..]. Glad your sys is sorted, but you have to mark it solved, we cannot. Only you know when you are satisfied, you see?
Cheers.

0

Thanks again, Gerbil, et al.

Yes, as far as I can tell, we are solved here.

Big Kudos to this place...what a lucky find for me and apparently many others.

Now I can go scan the Networking, Hardware, and Vista threads for tips on building a couple of new rigs!!!
