Likely Infection/Unable to run mbam



The order of events: I downloaded wintoflash.exe in order to make a bootable flash drive to fix something on another computer. It was saved automatically to the 'downloads' folder. I went there to open it and surprise! There was a "facebook spy monitor" program installed (the date of installation was listed as 2/19/11). At first I was furious, thinking that my husband was trying to spy on me :) . But as I kept googling this program, it seemed more and more likely that it was a virus. I attempted to run the version of mbam already installed and it wouldn't open. No errors or anything, just wouldn't open. I tried to install it again from cnet; it errored out with the "createprocess failed; code 2" error. I tried the fixes listed on this forum: renaming the file, downloading a randomly generated renamed file, etc. I have been unsuccessful in getting it to run, although I can install it. I ran the dds and gmer scans. I did not run the defogger as this computer does not have an optical drive. Here is the text from the dds.text log. The ark.text and attach.txt files have been zipped and attached as Attach.zip as requested. Thanks in advance for your help! It is much appreciated!

DDS (Ver_10-12-12.02) - NTFSx86

Run by Administrator at 2:25:19.65 on Tue 02/22/2011

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.471 [GMT -6:00]

AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {36F17E17-AC00-42BC-A6D9-294AD4E7DCD6} - hxxp://cvaltiris.oreck.local/Altiris/NS/NSCap/Bin/Win32/x86/AeXClientBootstrap.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: ravebavi.dll c:\windows\system32\majudusu.dll c:\windows\system32\yumafofa.dll c:\windows\system32\gukowema.dll,rahuziti.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SSODL: huwezeraw - {1e9e8118-fa43-467a-bc55-ed70ec933011} - c:\windows\system32\majudusu.dll

STS: kupuhivus: {1e9e8118-fa43-467a-bc55-ed70ec933011} - c:\windows\system32\majudusu.dll

LSA: Notification Packages = scecli miyagame.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\dklsp3w7.default\

FF - prefs.js: browser.startup.homepage - hxxp://google.com

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-6-16 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-6-16 108392]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-6-16 2440120]

R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-6-16 23888]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-1-24 102448]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110221.019\NAVENG.SYS [2011-2-21 86008]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110221.019\NAVEX15.SYS [2011-2-21 1360760]

S0 cerc6;cerc6; [x]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]

=============== Created Last 30 ================

2011-02-22 07:39:29 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

2011-02-22 07:35:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-22 07:35:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-02-22 07:35:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-22 06:57:10 -------- d-----w- c:\program files\Malwarebytes

2011-02-20 18:34:02 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Apple

2011-02-20 18:30:21 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Google

2011-02-20 17:39:57 165376 ----a-w- c:\windows\system32\unrar.dll

2011-02-20 17:39:55 839680 ----a-w- c:\windows\system32\lameACM.acm

2011-02-20 17:39:54 810496 ----a-w- c:\windows\system32\xvidcore.dll

2011-02-20 17:39:54 237568 ----a-w- c:\windows\system32\yv12vfw.dll

2011-02-20 17:39:54 183808 ----a-w- c:\windows\system32\xvidvfw.dll

2011-02-20 17:39:54 151552 ----a-w- c:\windows\system32\ac3acm.acm

2011-02-20 17:39:53 80896 ----a-w- c:\windows\system32\ff_vfw.dll

2011-02-20 17:39:49 -------- d-----w- c:\program files\K-Lite Codec Pack

2011-02-20 15:14:09 -------- d-----w- C:\flashdrivefiles

2011-02-20 03:38:53 1519616 ----a-w- c:\windows\system32\6.dat

2011-02-20 03:38:53 132880 ----a-w- c:\windows\system32\2.dat

2011-02-20 03:05:32 48 ----a-w- c:\windows\CwbRmDir.bat

2011-02-20 02:57:14 -------- d-----w- c:\windows\system32\appmgmt

2011-01-24 23:52:17 -------- d-----w- c:\windows\system32\NtmsData

2011-01-24 23:49:39 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Apple Computer

2011-01-24 23:49:10 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Symantec

==================== Find3M ====================

2010-12-02 03:35:18 4280320 ----a-w- c:\windows\system32\GPhotos.scr

2009-09-09 15:00:06 52736 --sha-w- c:\windows\system32\rahuziti.dll

============= FINISH: 2:25:55.98 ===============


Welcome to the forum, see if you can do this:

Download ComboFix from one of these locations..........

but rename it to iexplore.exe before saving it to your desktop.

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon and choose disable/exit. More info HERE<-------
    They may interfere with the running of ComboFix.
    Note: If you have AVG or CA Internet Security Suite installed, due to recent changes in how these AV's target the tool's internal files, they must be uninstalled before running ComboFix. If you have difficulty uninstalling the AV, download and run Opswat AppRemover
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix permanently prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks

and Please disable Autorun ASAP!.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If a reboot doesn't restore your connection, please try this:

Check HERE

For XP systems download and run WinSockFix and Here

Vista users: Check HERE

Windows 7 systems: Download and run this Winsockfix.bat

5. Give ComboFix at least 20-30 minutes to finish if needed.

--------------------------

If not......

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTListIt.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC


Thanks so much for your help!!! I was just now coming to post that I actually managed to fix it sometime in the wee hours, around 4 a.m. I'll detail my process in case some of this information may be helpful for some reason. I googled some of the file names associated with the "facebookspymonitor" program and found a threat report that was almost exactly the same, except substitute "facebookspymonitor" wherever it says "Spyware Cleaner 2009". The registry keys and urls requesting info were exactly the same as the ones in this link: Threat Expert Report but, again, substitute "facebookspymonitor" where it says "Spyware Cleaner 2009". So I deleted all of the listed registry keys and then did a search and deleted any remaining files or folders associated with "facebookspymonitor". I still was unable to run mbam. I started reading the dds.text info and saw the file "rahuziti.dll", which I googled and found to be malware. For some reason, I was able to run a quick scan of Symantec at that point. It quarantined and cleaned rahuziti.dll. Here is the log from that scan:

symanteclogscreenshot.JPG

Once it rebooted, I attempted to run mbam and it was successful. Yay! The log from that scan is:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5838

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

2/22/2011 3:47:09 AM

mbam-log-2011-02-22 (03-47-09).txt

Scan type: Quick scan

Objects scanned: 150423

Time elapsed: 3 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\tesavohi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

I rebooted, scanned again, and it came up clean. Awesome! So, it seems that, for the moment, crisis has been averted. Again, thank you for your help!

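As an added illustration (not the poster's or MrC's code, and not a DDS feature), here is a small Python triage of the DDS pseudo-HJT lines from the first post: it pulls out the load points this thread turned on (the populated AppInit_DLLs value, the extra LSA notification package, the SSODL/STS explorer hooks, and the system+hidden DLL in Find3M) and marks the random-looking names. The allow-lists and the naming heuristic are assumptions drawn from this one log, not a general catalogue.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the DDS log posted in this thread, plus
# two benign lines (a Java BHO and the igfx Notify entry) that the triage leaves alone.
SAMPLE_DDS = r"""
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: ravebavi.dll c:\windows\system32\majudusu.dll c:\windows\system32\yumafofa.dll c:\windows\system32\gukowema.dll,rahuziti.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: huwezeraw - {1e9e8118-fa43-467a-bc55-ed70ec933011} - c:\windows\system32\majudusu.dll
STS: kupuhivus: {1e9e8118-fa43-467a-bc55-ed70ec933011} - c:\windows\system32\majudusu.dll
LSA: Notification Packages = scecli miyagame.dll
2010-12-02 03:35:18 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2009-09-09 15:00:06 52736 --sha-w- c:\windows\system32\rahuziti.dll
"""

# Assumed allow-lists, taken only from what this log shows as legitimate
# (scecli is the default LSA package; WPDShServiceObj is the stock XP SSODL entry).
KNOWN_LSA_PACKAGES = {"scecli"}
KNOWN_SSODL_DLLS = {"wpdshserviceobj.dll"}

# Heuristic (assumption): the Vundo-family DLLs on this machine all had eight- or
# nine-letter names built from alternating consonant/vowel syllables (majudusu,
# rahuziti, miyagame ...). Names such as jp2ssv.dll or igfxdev.dll do not match.
CONS, VOW = "[bcdfghjklmnpqrstvwxyz]", "[aeiou]"
RANDOM_NAME = re.compile(rf"^(?:{CONS}{VOW}){{4}}{CONS}?\.dll$")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (or of a bare file name)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def looks_random(name: str) -> bool:
    return RANDOM_NAME.match(name) is not None


def triage_dds(text: str) -> List[Dict[str, str]]:
    """Walk DDS pseudo-HJT / Find3M lines and return the load points worth a look."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("AppInit_DLLs:"):
            # Every DLL listed here is injected into each user-mode process that
            # loads user32.dll; on a clean XP box the value is empty.
            for item in re.split(r"[ ,]+", line.split(":", 1)[1].strip()):
                if item:
                    findings.append({"where": "AppInit_DLLs", "dll": basename(item),
                                     "why": "loaded into every process"})
        elif line.startswith("LSA: Notification Packages"):
            # Extra packages here are handed every password change by LSA.
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() not in KNOWN_LSA_PACKAGES:
                    findings.append({"where": "LSA Notification Packages", "dll": pkg.lower(),
                                     "why": "unknown notification package"})
        elif line.startswith(("SSODL:", "STS:")):
            # ShellServiceObjectDelayLoad and SharedTaskScheduler entries are
            # loaded by explorer.exe at logon.
            dll = basename(line.rsplit(" - ", 1)[-1])
            if dll not in KNOWN_SSODL_DLLS:
                findings.append({"where": line.split(":", 1)[0], "dll": dll,
                                 "why": "explorer load point not on allow-list"})
        elif re.match(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ", line):
            # Find3M / "Created Last 30" lines: date time size attrs path
            parts = line.split()
            attrs, path = parts[3], " ".join(parts[4:])
            if "s" in attrs and "h" in attrs and basename(path).endswith(".dll"):
                findings.append({"where": "Find3M", "dll": basename(path),
                                 "why": "system+hidden DLL under system32"})
    for f in findings:
        f["random_name"] = "yes" if looks_random(f["dll"]) else "no"
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"{f['where']:<26} {f['dll']:<16} random-name={f['random_name']}  {f['why']}")
```

Run against the sample it reports nine findings covering the same six DLLs the thread ended up removing, with majudusu.dll showing up in three separate load points.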

Er...I just found a problem. This system is a hand-me-down from my husband's job. It already had Symantec installed on it. Since it was installed by his company, we're the "client" and don't have permissions to disable it. Is there any workaround for that? Should I just leave it enabled and run ComboFix anyway?


I went through the steps but even using safe mode with network support, when it came to the part with the recovery console and needed to connect to the internet to do that part, it said that it couldn't connect. So I proceeded anyway and here is the log:

ComboFix 11-02-22.01 - Administrator 02/22/2011 20:03:13.1.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.769 [GMT -6:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Client.ini

.

((((((((((((((((((((((((( Files Created from 2011-01-23 to 2011-02-23 )))))))))))))))))))))))))))))))

.

2011-02-23 01:18 . 2011-02-23 01:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2011-02-22 09:22 . 2011-02-22 09:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-22 07:39 . 2011-02-22 07:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-02-22 07:35 . 2011-02-22 07:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-02-22 07:35 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-22 07:35 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-20 18:34 . 2011-02-20 18:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple

2011-02-20 18:31 . 2011-02-20 18:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer

2011-02-20 18:31 . 2011-02-21 03:05 -------- d-----w- c:\documents and settings\laura_h

2011-02-20 18:30 . 2011-02-22 15:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google

2011-02-20 18:29 . 2011-02-20 18:30 -------- d-----w- c:\program files\Google

2011-02-20 17:39 . 2010-03-15 10:31 165376 ----a-w- c:\windows\system32\unrar.dll

2011-02-20 17:39 . 2008-09-24 19:41 839680 ----a-w- c:\windows\system32\lameACM.acm

2011-02-20 17:39 . 2010-12-07 18:40 183808 ----a-w- c:\windows\system32\xvidvfw.dll

2011-02-20 17:39 . 2010-12-07 18:22 810496 ----a-w- c:\windows\system32\xvidcore.dll

2011-02-20 17:39 . 2010-11-03 19:08 237568 ----a-w- c:\windows\system32\yv12vfw.dll

2011-02-20 17:39 . 2010-01-17 16:18 151552 ----a-w- c:\windows\system32\ac3acm.acm

2011-02-20 17:39 . 2011-01-28 08:00 80896 ----a-w- c:\windows\system32\ff_vfw.dll

2011-02-20 17:39 . 2011-02-20 17:40 -------- d-----w- c:\program files\K-Lite Codec Pack

2011-02-20 15:14 . 2011-02-20 15:15 -------- d-----w- C:\flashdrivefiles

2011-02-20 03:49 . 2011-02-20 03:49 -------- d-----w- c:\documents and settings\Home

2011-02-20 03:38 . 2007-06-08 22:15 1519616 ----a-w- c:\windows\system32\6.dat

2011-02-20 03:38 . 2004-03-09 21:45 132880 ----a-w- c:\windows\system32\2.dat

2011-02-20 03:31 . 2011-02-20 03:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2011-02-20 03:05 . 2011-02-20 03:05 48 ----a-w- c:\windows\CwbRmDir.bat

2011-01-24 23:52 . 2011-01-24 23:52 -------- d-----w- c:\windows\system32\NtmsData

2011-01-24 23:49 . 2011-02-20 18:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer

2011-01-24 23:49 . 2011-01-24 23:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-02 03:35 . 2010-12-02 03:35 4280320 ----a-w- c:\windows\system32\GPhotos.scr

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 94208]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]

"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-27 149280]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-06-16 115560]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1806243579-1018971774-1845911597-11078\Scripts\Logon\0\0]

"Script"=Authenticate.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/24/2011 6:26 PM 102448]

S0 cerc6;cerc6; [x]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [6/16/2009 2:34 PM 23888]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 6:00 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

.

------- Supplementary Scan -------

.

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

DPF: {36F17E17-AC00-42BC-A6D9-294AD4E7DCD6} - hxxp://cvaltiris.oreck.local/Altiris/NS/NSCap/Bin/Win32/x86/AeXClientBootstrap.cab

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dklsp3w7.default\

FF - prefs.js: browser.startup.homepage - hxxp://google.com

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{1e9e8118-fa43-467a-bc55-ed70ec933011} - c:\windows\system32\majudusu.dll

SSODL-huwezeraw-{1e9e8118-fa43-467a-bc55-ed70ec933011} - c:\windows\system32\majudusu.dll

SafeBoot-Symantec Antvirus

MSConfigStartUp-Push Client - c:\documents and settings\laura_h\Local Settings\Application Data\ATT Connect\Participant\pull.exe

MSConfigStartUp-yolatatal - c:\windows\system32\majudusu.dll

AddRemove-AltirisAgent - c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe

AddRemove-{92F2A534-C3E4-4B18-BEBD-329F5E848C8B} - c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-22 20:09

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(868)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2011-02-22 20:11:59 - machine was rebooted

ComboFix-quarantined-files.txt 2011-02-23 02:11

Pre-Run: 70,099,345,408 bytes free

Post-Run: 70,546,345,984 bytes free

- - End Of File - - 50DCC229EF06BA090B2BCC2BAFC386D3


OK, not too bad.... ComboFix cleaned up a bunch of stuff and the rest of it looks Good!

Please Uninstall ComboFix:

Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

------------------

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. That will cleanup all the logs and tools we used.

--------------------------

If you have any questions...please post back.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

