Possible Virus - Help (Computer slow and Internet Freezes)

I was recently infected with the Total Internet Security 2010 virus.... I cleaned it up w/ Malwarebytes but my computer still runs really slow and my internet will freeze. Especially when it's trying to play videos. Things just freeze up. I tried a few scan programs S&D and symantec antivirus and didn't pick up anything new. I wasn't really able to complete running comobofix (even when i re-named the file). I used the DDS file to produce the following:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Cheng at 22:33:40.76 on Wed 01/20/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.449 [GMT -6:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Cheng\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com
mStart Page = hxxp://www.google.com
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: QConGina - QConGina.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cheng\applic~1\mozilla\firefox\profiles\1if256f5.default\
FF - prefs.js: browser.search.selectedEngine - Google

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.version",
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");

============= SERVICES / DRIVERS ===============

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2004-12-16 6912]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2005-5-4 14208]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-1 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-1 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-10-1 2477304]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100120.032\NAVENG.SYS [2010-1-20 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100120.032\NAVEX15.SYS [2010-1-20 1323568]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [2005-5-4 6016]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 2715DqgmF;2715DqgmF;c:\windows\system32\drivers\2715DqgmF.sys [2010-1-16 72192]
S1 aswSP;avast! Self Protection; [x]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S1 SDManager;SDManager;\??\c:\program files\spywaredetector\sdmanager.sys --> c:\program files\spywaredetector\SDManager.sys [?]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswfsblk.sys --> c:\windows\system32\drivers\aswFsBlk.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-10-1 23888]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-5-4 12288]
S4 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast4\ashserv.exe" --> c:\program files\alwil software\avast4\ashServ.exe [?]
S4 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast4\ashmaisv.exe" /service --> c:\program files\alwil software\avast4\ashMaiSv.exe [?]
S4 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast4\ashwebsv.exe" /service --> c:\program files\alwil software\avast4\ashWebSv.exe [?]
S4 SDMainSvc;SDMainSvc;c:\program files\spywaredetector\sdmainservice.exe --> c:\program files\spywaredetector\SDMainService.exe [?]
S4 SDService;SDService;c:\program files\spywaredetector\sdservice.exe --> c:\program files\spywaredetector\SDService.exe [?]

=============== Created Last 30 ================

2010-01-21 02:17:23 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-01-21 02:17:23 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-01-21 02:17:23 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-01-21 02:17:23 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-01-21 02:14:38 348160 ----a-w- c:\windows\system32\MSVCR71.DL1
2010-01-21 02:14:37 503808 ----a-w- c:\windows\system32\MSVCP71.DL1
2010-01-21 02:14:37 1060864 ----a-w- c:\windows\system32\MFC71.DL1
2010-01-21 02:12:50 0 d-----w- c:\program files\Symantec
2010-01-21 02:12:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-01-18 04:51:13 0 d-----w- c:\program files\AVG
2010-01-18 04:33:13 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-17 11:50:50 0 d-----w- C:\SDFix
2010-01-17 10:31:13 261632 ----a-w- c:\windows\PEV.exe
2010-01-17 06:13:08 77312 ----a-w- c:\windows\MBR.exe
2010-01-17 04:35:49 72192 ----a-w- c:\windows\system32\drivers\2715DqgmF.sys
2010-01-06 05:20:18 376 ----a-w- c:\documents and settings\cheng\Application Dataprivacy.xml

==================== Find3M ====================

2010-01-07 22:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-27 05:19:57 26224 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2008-09-17 21:30:18 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091720080918\index.dat
2009-09-19 19:44:21 16384 --sha-w- c:\windows\system32\config\systemprofile\privacie\index.dat

============= FINISH: 22:34:54.62 ===============

Haven't been successful to get my computer recovered. Just thought I'd let yall know, I haven't been able to start up my computer in SafeMode. It would crash in a blue screen and say that I might have a possible virus. Still can't run ComboFix without it freezing/stopping. I also see this file wmiprsve.exe pop-up and have seen the name in a few folders. Internet Explorer would freeze after maybe 5-10 min of use.

Hope yall can help. Thanks!


===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to more than a week, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Edited by elise025, 26 January 2010 - 06:28 AM.

Hello ,
And to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explanation about the tool. No input is needed, the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
• Now click the Scan button. If you see a rootkit warning window, click OK.
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
• Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following

• The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
• Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
• The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
• Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

• A detailed description of your problems
• A new DDS log (don't forget attach.txt)
• GMER log

Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.

Thanks and again sorry for the delay.

thanks for the help. Here are the requested logs

Hello cowboyhorn,

Please do not attach the logs if possible, thanks!

COMBOFIX
---------------
Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
• Double click on Combofix.exe and follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please include the following:

• Combofix.txt

elise025 -- I'm out of town til Monday. I will post the combofix.txt when i get back on Monday if that is ok

Hi elise025 -- Please find my combofix log attached

Hello cowboyhorn,

Did you observe this?

CF-SCRIPT
-------------
We need to execute a CF-script.

• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

Save this as CFScript.txt, in the same location as ComboFix.exe



Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


In your next reply, please include the following:

• Combofix.txt

ComboFix 10-02-02.02 - Cheng 02/02/2010 18:04:47.11.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.536 [GMT -6:00]
Running from: c:\documents and settings\Cheng\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cheng\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\ibmtools\utils\bak
c:\ibmtools\utils\bak\ibmprc.exe
c:\program files\ATI Technologies\ATI Control Panel\bak
c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
c:\program files\IBM\Messages By IBM\bak
c:\program files\IBM\Messages By IBM\bak\ibmmessages.exe
c:\program files\IBM\Updater\bak
c:\program files\IBM\Updater\bak\ucstartup.exe
c:\program files\Intel\Wireless\Bin\bak
c:\program files\Intel\Wireless\Bin\bak\ifrmewrk.exe
c:\program files\Intel\Wireless\Bin\bak\ZCfgSvc.exe
c:\program files\ThinkPad\ConnectUtilities\bak
c:\program files\ThinkPad\ConnectUtilities\bak\bak\QCTray.exe
c:\program files\ThinkPad\ConnectUtilities\bak\DISKCNW
c:\program files\ThinkPad\ConnectUtilities\bak\DISKCNW.ID
c:\program files\ThinkPad\ConnectUtilities\bak\DISKCNW.VER
c:\program files\ThinkPad\ConnectUtilities\bak\MerlinC201.dll
c:\program files\ThinkPad\ConnectUtilities\bak\QcAthExt.dll
c:\program files\ThinkPad\ConnectUtilities\bak\QCMurPI.dll
c:\program files\ThinkPad\ConnectUtilities\bak\QCON.DLL
c:\program files\ThinkPad\ConnectUtilities\bak\QCSebPI.dll
c:\program files\ThinkPad\ConnectUtilities\bak\QCWIZARD.EXE
c:\program files\ThinkPad\ConnectUtilities\bak\QCWLIcon.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\bak
c:\program files\ThinkPad\PkgMgr\HOTKEY\bak\TPHKMGR.exe
c:\program files\ThinkPad\Utilities\bak
c:\program files\ThinkPad\Utilities\bak\EzEjMnAp.Exe
c:\program files\ThinkPad\Utilities\bak\TpKmapAp.exe
c:\windows\system32\bak
c:\windows\system32\bak\ctfmon.exe
c:\windows\system32\dla\bak
c:\windows\system32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-03 to 2010-02-03 )))))))))))))))))))))))))))))))
.

2010-01-27 07:50 . 2010-01-27 07:52 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-27 07:47 . 2010-01-27 07:47 -------- d-----w- c:\program files\Bonjour
2010-01-25 07:22 . 2010-01-25 07:22 -------- d-----w- c:\documents and settings\Cheng\Application Data\DivX
2010-01-25 06:28 . 2010-01-25 06:28 128 ----a-w- c:\documents and settings\Cheng\Local Settings\Application Data\fusioncache.dat
2010-01-22 14:14 . 2010-01-22 14:16 -------- dc-h--w- c:\windows\ie8
2010-01-22 04:03 . 2010-01-22 04:03 -------- d-----w- c:\windows\Sun
2010-01-22 00:44 . 2010-01-22 00:44 -------- d-----w- c:\documents and settings\Cheng\Application Data\AdobeUM
2010-01-22 00:20 . 2010-01-22 00:20 0 ----a-w- c:\windows\system32\drivers\{4DFA3219-0FFE-4ACA-AA10-0CE83C3BC60B}.sys
2010-01-21 17:51 . 2010-01-21 17:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-21 08:59 . 2010-01-21 08:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-21 08:32 . 2010-01-21 08:31 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-21 08:31 . 2010-01-21 08:31 -------- d-----w- c:\program files\Java
2010-01-21 02:25 . 2010-01-21 02:25 -------- d-----w- c:\documents and settings\Cheng\Local Settings\Application Data\Symantec
2010-01-21 02:17 . 2010-01-21 02:17 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-01-21 02:17 . 2010-01-21 02:17 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-01-21 02:12 . 2010-01-21 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-21 02:12 . 2010-01-21 02:17 -------- d-----w- c:\program files\Symantec
2010-01-18 04:33 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-18 04:15 . 2010-01-21 08:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-01-18 04:14 . 2010-01-21 01:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-02 04:36 . 2008-04-08 17:09 -------- d-----w- c:\documents and settings\Cheng\Application Data\uTorrent
2010-01-28 01:20 . 2005-08-25 02:10 -------- d-----w- c:\documents and settings\Cheng\Application Data\Apple Computer
2010-01-28 01:16 . 2008-09-21 00:11 26224 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-01-28 01:14 . 2005-08-10 05:13 -------- d-----w- c:\program files\QuickTime
2010-01-27 07:52 . 2007-04-04 05:20 -------- d-----w- c:\program files\iTunes
2010-01-27 07:51 . 2005-08-25 02:08 -------- d-----w- c:\program files\iPod
2010-01-27 07:51 . 2008-09-11 02:13 -------- d-----w- c:\program files\Common Files\Apple
2010-01-27 07:44 . 2008-10-24 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-27 07:34 . 2008-11-09 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-27 05:24 . 2005-06-02 01:01 -------- d-----w- c:\program files\mIRC
2010-01-22 03:22 . 2005-05-27 17:42 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-21 02:24 . 2005-05-04 15:55 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-21 02:17 . 2010-01-21 02:17 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-01-21 02:17 . 2010-01-21 02:17 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-01-20 05:31 . 2005-06-12 05:47 -------- d-----w- c:\program files\DivX
2010-01-14 04:20 . 2005-05-04 15:41 -------- d-----w- c:\program files\InstallShield Installation Information
2010-01-14 04:16 . 2009-09-24 02:46 132 ----a-w- c:\windows\system32\rezumatenoi.dat
2010-01-13 02:52 . 2009-03-27 05:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-07 22:07 . 2009-03-27 05:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2009-03-27 05:41 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 19:14 . 1980-01-01 07:00 916480 ------w- c:\windows\system32\wininet.dll
2009-11-12 23:07 . 2009-11-12 23:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2005-05-11 20:28 . 2005-06-20 05:04 41573 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2005-05-11 20:28 . 2005-06-20 05:04 48223 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2005-05-11 20:28 . 2005-06-20 05:04 159335 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-05-18 19:59 . 2004-02-04 20:29 61440 c:\program files\AIM\bak\aim.exe
2005-05-18 19:59 . 2004-02-04 20:29 61440 c:\program files\AIM\aim.exe

2004-08-13 23:17 . 2005-03-23 22:34 58992 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
2009-10-01 20:14 . 2009-10-01 20:14 115560 c:\program files\Common Files\Symantec Shared\ccApp.exe

2007-03-15 00:05 . 2007-03-15 00:05 257088 c:\program files\iTunes\bak\iTunesHelper.exe
2009-11-12 22:33 . 2009-11-12 22:33 141600 c:\program files\iTunes\iTunesHelper.exe

2007-02-16 15:54 . 2007-02-16 15:54 282624 c:\program files\QuickTime\bak\qttask.exe
2009-11-11 05:08 . 2009-11-11 05:08 417792 c:\program files\QuickTime\QTTask.exe

2004-12-20 18:41 . 2004-12-20 18:41 33792 c:\program files\Winamp\bak\winampa.exe

2004-12-16 10:41 . 2004-12-16 10:41 90112 c:\qoobox\Quarantine\C\IBMTOOLS\utils\bak\ibmprc.exe.vir

2005-05-04 15:46 . 2004-12-12 04:00 344064 c:\qoobox\Quarantine\C\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe.vir

2004-08-06 09:10 . 2004-08-06 09:10 442368 c:\qoobox\Quarantine\C\Program Files\IBM\Messages By IBM\bak\ibmmessages.exe.vir

2004-07-14 23:34 . 2004-07-14 23:34 36864 c:\qoobox\Quarantine\C\Program Files\IBM\Updater\bak\ucstartup.exe.vir

2007-02-21 16:17 . 2007-02-21 16:17 970752 c:\qoobox\Quarantine\C\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe.vir

2007-02-21 16:19 . 2007-02-21 16:19 819200 c:\qoobox\Quarantine\C\Program Files\Intel\Wireless\Bin\bak\ZCfgSvc.exe.vir

2007-10-01 06:37 . 2005-03-18 10:07 12 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\DISKCNW.ID.vir

2007-10-01 06:37 . 2005-03-18 10:07 9 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\DISKCNW.VER.vir

2007-10-01 06:37 . 2005-03-18 10:07 12 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\DISKCNW.vir

2007-10-01 23:31 . 2005-03-18 10:07 167936 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\MerlinC201.dll.vir

2007-10-01 06:37 . 2005-03-18 10:07 32768 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\QcAthExt.dll.vir

2007-10-01 06:37 . 2005-03-18 10:07 151552 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\QCMurPI.dll.vir

2007-10-01 23:29 . 2005-03-18 10:07 1138688 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\QCON.DLL.vir

2007-10-01 06:37 . 2005-03-18 10:07 131072 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\QCSebPI.dll.vir

2007-10-01 06:37 . 2005-03-18 10:07 3072000 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\QCWIZARD.EXE.vir

2005-05-04 16:01 . 2005-03-18 10:07 86016 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\QCWLIcon.exe.vir

2005-05-04 16:01 . 2005-03-18 10:07 745472 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\bak\QCTray.exe.vir

2005-05-04 16:01 . 2005-03-18 10:07 745472 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\bak\QCTray.exe.vir

1980-01-01 07:00 . 2005-03-04 00:10 94208 c:\qoobox\Quarantine\C\Program Files\ThinkPad\PkgMgr\HOTKEY\bak\TPHKMGR.exe.vir

2005-05-04 15:45 . 2004-11-24 09:10 212992 c:\qoobox\Quarantine\C\Program Files\ThinkPad\Utilities\bak\EzEjMnAp.Exe.vir

2005-05-04 15:41 . 2004-02-05 01:39 897024 c:\qoobox\Quarantine\C\Program Files\ThinkPad\Utilities\bak\TpKmapAp.exe.vir

1980-01-01 07:00 . 2004-08-04 12:00 15360 c:\qoobox\Quarantine\C\WINDOWS\system32\bak\ctfmon.exe.vir

2005-05-04 15:53 . 2004-09-02 08:05 127035 c:\qoobox\Quarantine\C\WINDOWS\system32\dla\bak\tfswctrl.exe.vir

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2004-02-04 61440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 512000]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-10-01 115560]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 10:07 262144 ----a-w- c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ SDEarlyDelete\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2004-02-04 20:29 61440 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
2004-02-28 17:12 144896 ----a-w- c:\progra~1\AIM\DeadAIM.ocm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRMGRTR]
2004-12-21 08:00 135168 ----a-w- c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCTRAY]
c:\progra~1\ThinkPad\CONNEC~1\bak\QCTray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCWLICON]
c:\progra~1\ThinkPad\CONNEC~1\QCWLIcon.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UC_Start]
c:\program files\IBM\Updater\\ucstartup.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
c:\program files\Winamp\winampa.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19833:TCP"= 19833:TCP:*:Disabled:BitComet 19833 TCP
"19833:UDP"= 19833:UDP:*:Disabled:BitComet 19833 UDP

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [12/16/2004 2:03 AM 6912]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [5/4/2005 9:42 AM 14208]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/20/2010 8:36 PM 102448]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [5/4/2005 9:42 AM 6016]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 {4DFA3219-0FFE-4ACA-AA10-0CE83C3BC60B};{4DFA3219-0FFE-4ACA-AA10-0CE83C3BC60B};c:\windows\system32\drivers\{4DFA3219-0FFE-4ACA-AA10-0CE83C3BC60B}.sys [1/21/2010 6:20 PM 0]
S1 2715DqgmF;2715DqgmF;\??\c:\windows\system32\drivers\2715DqgmF.sys --> c:\windows\system32\drivers\2715DqgmF.sys [?]
S1 aswSP;avast! Self Protection; [x]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S1 SDManager;SDManager;\??\c:\program files\SpywareDetector\SDManager.sys --> c:\program files\SpywareDetector\SDManager.sys [?]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys --> c:\windows\system32\DRIVERS\aswFsBlk.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [10/1/2009 2:14 PM 23888]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [5/4/2005 10:01 AM 12288]
S4 SDMainSvc;SDMainSvc;c:\program files\SpywareDetector\SDMainService.exe --> c:\program files\SpywareDetector\SDMainService.exe [?]
S4 SDService;SDService;c:\program files\SpywareDetector\SDService.exe --> c:\program files\SpywareDetector\SDService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2007-10-06 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2005-05-04 08:00]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Cheng\Application Data\Mozilla\Firefox\Profiles\w3n2b5p1.Default User\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-?????????
SafeBoot-???



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-02 18:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,5d,af,38,0a,96,f3,4f,b3,13,9e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,5d,af,38,0a,96,f3,4f,b3,13,9e,\

[HKEY_LOCAL_MACHINE\System\ControlSet002\Control\SafeBoot\Minimal\
MmCaXtÔá¤ï(‡¤ß3‡]
@="Driver"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Control\SafeBoot\Network\
MmCaXtÔá¤ï(‡¤ß3‡]
@="Driver"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\
MmCaXtÔá¤ï(‡¤ß3‡]
"ImagePath"=expand:"\\??\\c:\\WINDOWS\\system32\\drivers\\\05?????????.sys"
"Start"=dword:00000001
"Type"=dword:00000001
"ErrorControl"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2420)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\windows\System32\QCONSVC.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\program files\ThinkPad\UltraNav Wizard\UNavTray.EXE
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-02-02 18:31:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-03 00:31
ComboFix2.txt 2010-02-02 05:01

Pre-Run: 1,845,682,176 bytes free
Post-Run: 1,932,386,304 bytes free

- - End Of File - - B3424D887793669B682A8088FAA69D87

Hello cowboyhorn,

CF-SCRIPT
-------------
We need to execute a CF-script.

• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

[codebox]FCopy::
c:\program files\QuickTime\bak\qttask.exe | c:\program files\QuickTime\QTTask.exe
c:\program files\iTunes\bak\iTunesHelper.exe | c:\program files\iTunes\iTunesHelper.exe
c:\program files\Common Files\Symantec Shared\bak\ccApp.exe | c:\program files\Common Files\Symantec Shared\ccApp.exe
c:\program files\AIM\bak\aim.exe | c:\program files\AIM\aim.exe

Folder::
c:\program files\Winamp\bak[/codebox]
Save this as CFScript.txt, in the same location as ComboFix.exe



Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


In your next reply, please include the following:

• Combofix.txt

Edited by elise025, 03 February 2010 - 02:42 AM.

Hello, are you still there?

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.610 [GMT -6:00]
Running from: c:\documents and settings\Cheng\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cheng\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((( Files Created from 2010-01-07 to 2010-02-07 )))))))))))))))))))))))))))))))
.

2010-02-04 00:04 . 2010-02-04 00:04 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-27 07:50 . 2010-01-27 07:52 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-27 07:47 . 2010-01-27 07:47 -------- d-----w- c:\program files\Bonjour
2010-01-25 07:22 . 2010-01-25 07:22 -------- d-----w- c:\documents and settings\Cheng\Application Data\DivX
2010-01-25 06:28 . 2010-01-25 06:28 128 ----a-w- c:\documents and settings\Cheng\Local Settings\Application Data\fusioncache.dat
2010-01-22 14:14 . 2010-01-22 14:16 -------- dc-h--w- c:\windows\ie8
2010-01-22 04:03 . 2010-01-22 04:03 -------- d-----w- c:\windows\Sun
2010-01-22 00:44 . 2010-01-22 00:44 -------- d-----w- c:\documents and settings\Cheng\Application Data\AdobeUM
2010-01-22 00:20 . 2010-01-22 00:20 0 ----a-w- c:\windows\system32\drivers\{4DFA3219-0FFE-4ACA-AA10-0CE83C3BC60B}.sys
2010-01-21 17:51 . 2010-01-21 17:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-21 08:59 . 2010-01-21 08:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-21 08:32 . 2010-01-21 08:31 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-21 08:31 . 2010-01-21 08:31 -------- d-----w- c:\program files\Java
2010-01-21 02:25 . 2010-01-21 02:25 -------- d-----w- c:\documents and settings\Cheng\Local Settings\Application Data\Symantec
2010-01-21 02:17 . 2010-01-21 02:17 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-01-21 02:17 . 2010-01-21 02:17 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-01-21 02:13 . 2009-10-01 20:14 357704 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{2EFCC193-D915-4CCB-9201-31773A27BC06}\System32\sysfer.dll
2010-01-21 02:12 . 2009-10-01 20:14 927096 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{2EFCC193-D915-4CCB-9201-31773A27BC06}\LUCHECK.EXE
2010-01-18 04:33 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-18 04:15 . 2010-01-21 08:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-01-18 04:14 . 2010-01-21 01:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-02 04:36 . 2008-04-08 17:09 -------- d-----w- c:\documents and settings\Cheng\Application Data\uTorrent
2010-01-28 01:20 . 2005-08-25 02:10 -------- d-----w- c:\documents and settings\Cheng\Application Data\Apple Computer
2010-01-28 01:16 . 2008-09-21 00:11 26224 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-01-28 01:14 . 2005-08-10 05:13 -------- d-----w- c:\program files\QuickTime
2010-01-27 07:52 . 2007-04-04 05:20 -------- d-----w- c:\program files\iTunes
2010-01-27 07:51 . 2005-08-25 02:08 -------- d-----w- c:\program files\iPod
2010-01-27 07:51 . 2008-09-11 02:13 -------- d-----w- c:\program files\Common Files\Apple
2010-01-27 07:44 . 2008-10-24 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-27 07:34 . 2008-11-09 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-27 05:24 . 2005-06-02 01:01 -------- d-----w- c:\program files\mIRC
2010-01-22 03:22 . 2005-05-27 17:42 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-21 02:24 . 2005-05-04 15:55 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-21 02:24 . 2010-01-21 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-21 02:17 . 2010-01-21 02:12 -------- d-----w- c:\program files\Symantec
2010-01-21 02:17 . 2010-01-21 02:17 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-01-21 02:17 . 2010-01-21 02:17 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-01-20 05:31 . 2005-06-12 05:47 -------- d-----w- c:\program files\DivX
2010-01-14 04:20 . 2005-05-04 15:41 -------- d-----w- c:\program files\InstallShield Installation Information
2010-01-14 04:16 . 2009-09-24 02:46 132 ----a-w- c:\windows\system32\rezumatenoi.dat
2010-01-13 02:52 . 2009-03-27 05:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-07 22:07 . 2009-03-27 05:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2009-03-27 05:41 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 19:14 . 1980-01-01 07:00 916480 ------w- c:\windows\system32\wininet.dll
2009-11-21 15:51 . 1980-01-01 07:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-12 23:07 . 2009-11-12 23:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2005-05-11 20:28 . 2005-06-20 05:04 41573 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2005-05-11 20:28 . 2005-06-20 05:04 48223 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2005-05-11 20:28 . 2005-06-20 05:04 159335 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-02-02_04.53.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-07 08:38 . 2010-02-07 08:38 32768 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
- 2010-01-27 02:28 . 2010-02-02 02:03 32768 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-07 08:38 . 2010-02-07 08:38 16384 c:\windows\temp\History\History.IE5\index.dat
- 2010-01-27 02:28 . 2010-02-02 02:03 16384 c:\windows\temp\History\History.IE5\index.dat
+ 2010-02-07 08:38 . 2010-02-07 08:38 16384 c:\windows\temp\Cookies\index.dat
- 2010-01-27 02:28 . 2010-02-02 02:03 16384 c:\windows\temp\Cookies\index.dat
+ 2010-02-04 00:04 . 2010-02-04 00:04 49664 c:\windows\Installer\51b45f1.msi
+ 2010-02-04 00:04 . 2010-02-04 00:04 15710720 c:\windows\Installer\51b45f7.msp
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-05-18 19:59 . 2004-02-04 20:29 61440 c:\program files\AIM\bak\aim.exe
2005-05-18 19:59 . 2004-02-04 20:29 61440 c:\program files\AIM\aim.exe

2004-08-13 23:17 . 2005-03-23 22:34 58992 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
2009-10-01 20:14 . 2009-10-01 20:14 115560 c:\program files\Common Files\Symantec Shared\ccApp.exe

2007-03-15 00:05 . 2007-03-15 00:05 257088 c:\program files\iTunes\bak\iTunesHelper.exe
2009-11-12 22:33 . 2009-11-12 22:33 141600 c:\program files\iTunes\iTunesHelper.exe

2007-02-16 15:54 . 2007-02-16 15:54 282624 c:\program files\QuickTime\bak\qttask.exe
2009-11-11 05:08 . 2009-11-11 05:08 417792 c:\program files\QuickTime\QTTask.exe

2004-12-20 18:41 . 2004-12-20 18:41 33792 c:\program files\Winamp\bak\winampa.exe

2004-12-16 10:41 . 2004-12-16 10:41 90112 c:\qoobox\Quarantine\C\IBMTOOLS\utils\bak\ibmprc.exe.vir

2005-05-04 15:46 . 2004-12-12 04:00 344064 c:\qoobox\Quarantine\C\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe.vir

2004-08-06 09:10 . 2004-08-06 09:10 442368 c:\qoobox\Quarantine\C\Program Files\IBM\Messages By IBM\bak\ibmmessages.exe.vir

2004-07-14 23:34 . 2004-07-14 23:34 36864 c:\qoobox\Quarantine\C\Program Files\IBM\Updater\bak\ucstartup.exe.vir

2007-02-21 16:17 . 2007-02-21 16:17 970752 c:\qoobox\Quarantine\C\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe.vir

2007-02-21 16:19 . 2007-02-21 16:19 819200 c:\qoobox\Quarantine\C\Program Files\Intel\Wireless\Bin\bak\ZCfgSvc.exe.vir

2007-10-01 06:37 . 2005-03-18 10:07 12 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\DISKCNW.ID.vir

2007-10-01 06:37 . 2005-03-18 10:07 9 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\DISKCNW.VER.vir

2007-10-01 06:37 . 2005-03-18 10:07 12 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\DISKCNW.vir

2007-10-01 23:31 . 2005-03-18 10:07 167936 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\MerlinC201.dll.vir

2007-10-01 06:37 . 2005-03-18 10:07 32768 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\QcAthExt.dll.vir

2007-10-01 06:37 . 2005-03-18 10:07 151552 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\QCMurPI.dll.vir

2007-10-01 23:29 . 2005-03-18 10:07 1138688 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\QCON.DLL.vir

2007-10-01 06:37 . 2005-03-18 10:07 131072 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\QCSebPI.dll.vir

2007-10-01 06:37 . 2005-03-18 10:07 3072000 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\QCWIZARD.EXE.vir

2005-05-04 16:01 . 2005-03-18 10:07 86016 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\QCWLIcon.exe.vir

2005-05-04 16:01 . 2005-03-18 10:07 745472 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\bak\QCTray.exe.vir

2005-05-04 16:01 . 2005-03-18 10:07 745472 c:\qoobox\Quarantine\C\Program Files\ThinkPad\ConnectUtilities\bak\bak\QCTray.exe.vir

1980-01-01 07:00 . 2005-03-04 00:10 94208 c:\qoobox\Quarantine\C\Program Files\ThinkPad\PkgMgr\HOTKEY\bak\TPHKMGR.exe.vir

2005-05-04 15:45 . 2004-11-24 09:10 212992 c:\qoobox\Quarantine\C\Program Files\ThinkPad\Utilities\bak\EzEjMnAp.Exe.vir

2005-05-04 15:41 . 2004-02-05 01:39 897024 c:\qoobox\Quarantine\C\Program Files\ThinkPad\Utilities\bak\TpKmapAp.exe.vir

1980-01-01 07:00 . 2004-08-04 12:00 15360 c:\qoobox\Quarantine\C\WINDOWS\system32\bak\ctfmon.exe.vir

2005-05-04 15:53 . 2004-09-02 08:05 127035 c:\qoobox\Quarantine\C\WINDOWS\system32\dla\bak\tfswctrl.exe.vir

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2004-02-04 61440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 512000]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-10-01 115560]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 10:07 262144 ----a-w- c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ SDEarlyDelete\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2004-02-04 20:29 61440 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
2004-02-28 17:12 144896 ----a-w- c:\progra~1\AIM\DeadAIM.ocm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRMGRTR]
2004-12-21 08:00 135168 ----a-w- c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCTRAY]
c:\progra~1\ThinkPad\CONNEC~1\bak\QCTray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCWLICON]
c:\progra~1\ThinkPad\CONNEC~1\QCWLIcon.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UC_Start]
c:\program files\IBM\Updater\\ucstartup.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
c:\program files\Winamp\winampa.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19833:TCP"= 19833:TCP:*:Disabled:BitComet 19833 TCP
"19833:UDP"= 19833:UDP:*:Disabled:BitComet 19833 UDP

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [12/16/2004 2:03 AM 6912]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [5/4/2005 9:42 AM 14208]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/20/2010 8:36 PM 102448]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [5/4/2005 9:42 AM 6016]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 {4DFA3219-0FFE-4ACA-AA10-0CE83C3BC60B};{4DFA3219-0FFE-4ACA-AA10-0CE83C3BC60B};c:\windows\system32\drivers\{4DFA3219-0FFE-4ACA-AA10-0CE83C3BC60B}.sys [1/21/2010 6:20 PM 0]
S1 2715DqgmF;2715DqgmF;\??\c:\windows\system32\drivers\2715DqgmF.sys --> c:\windows\system32\drivers\2715DqgmF.sys [?]
S1 aswSP;avast! Self Protection; [x]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S1 SDManager;SDManager;\??\c:\program files\SpywareDetector\SDManager.sys --> c:\program files\SpywareDetector\SDManager.sys [?]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys --> c:\windows\system32\DRIVERS\aswFsBlk.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [10/1/2009 2:14 PM 23888]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [5/4/2005 10:01 AM 12288]
S4 SDMainSvc;SDMainSvc;c:\program files\SpywareDetector\SDMainService.exe --> c:\program files\SpywareDetector\SDMainService.exe [?]
S4 SDService;SDService;c:\program files\SpywareDetector\SDService.exe --> c:\program files\SpywareDetector\SDService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2007-10-06 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2005-05-04 08:00]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Cheng\Application Data\Mozilla\Firefox\Profiles\w3n2b5p1.Default User\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-?????????
SafeBoot-???



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-07 03:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,5d,af,38,0a,96,f3,4f,b3,13,9e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,5d,af,38,0a,96,f3,4f,b3,13,9e,\

[HKEY_LOCAL_MACHINE\System\ControlSet002\Control\SafeBoot\Minimal\
MmCaXtÔá¤ï(‡¤ß3‡]
@="Driver"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Control\SafeBoot\Network\
MmCaXtÔá¤ï(‡¤ß3‡]
@="Driver"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\
MmCaXtÔá¤ï(‡¤ß3‡]
"ImagePath"=expand:"\\??\\c:\\WINDOWS\\system32\\drivers\\\05?????????.sys"
"Start"=dword:00000001
"Type"=dword:00000001
"ErrorControl"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3332)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-07 03:51:26
ComboFix-quarantined-files.txt 2010-02-07 09:51
ComboFix2.txt 2010-02-03 00:31
ComboFix3.txt 2010-02-02 05:01

Pre-Run: 1,763,647,488 bytes free
Post-Run: 1,752,023,040 bytes free

- - End Of File - - 772AC667E4C3C89F904812A4677853D4

Are you sure you ran the CFScript from my last post? The reason I ask is that it appears not to have done its job.

when I copied the text over to notepad, it didn't create the lines... it just put the script all on one line. should I create new lines where necesary?

Yes, make sure the script in Notepad looks exactly like the script in the codebox (i.e. lines, enters....).