3 Apprentice

20.5K Posts

September 19th, 2007 17:00

Welcome :)
* Please let me know if you have posted this log on another forum.

* Please let me know if you are an employee and this system is owned by your employer. If so, do you have permission to make changes to it?

* Please print or copy all instructions to Notepad in order to assist you when carrying out instructions. In some cases you may be working in Safemode and you will not have the internet available to read information. Please follow all instructions in sequence.

* If your reply does not fit in one post, please reply to yourself until all text is submitted. It may take several posts.

* Please disable realtime monitoring so it does not interfere while we are fixing your system. We need to disable your Microsoft Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
* Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
* Click on Tools, General Settings
* Under Real-time protection options, deselect the Turn on real-time protection check box
* Click Save

After all of the fixes are complete it is very important that you enable Real-time Protection again.

Please download the latest version of VundoFix.exe to your desktop. (If you have an earlier version, delete it and its old log here: C:\vundofix.txt.)
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer; click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

** If you get a warning about updating Java, do not do so until I can give you further instructions.

3 Apprentice

20.5K Posts

September 19th, 2007 18:00

Good job! :) That's a step in the right direction.

Please download Combofix from here:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
** Take note that the link is case sensitive

Save ComboFix to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new HijackThis log.

Note:
Do not mouseclick Combofix's window while it is running. That may cause your system to stall/hang.
Do not proceed with the rest of the fix if you fail to run ComboFix.

17 Posts

September 19th, 2007 18:00

Bugbatter, here you go.

VundoFix V6.5.8

Checking Java version...

Scan started at 8:26:40 AM 9/19/2007

Listing files found while scanning....

C:\WINDOWS\system32\cvvbqmrr.dll
C:\WINDOWS\system32\rrmqbvvc.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cvvbqmrr.dll
C:\WINDOWS\system32\cvvbqmrr.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\rrmqbvvc.ini
C:\WINDOWS\system32\rrmqbvvc.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cvvbqmrr.dll
C:\WINDOWS\system32\cvvbqmrr.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.8

Checking Java version...

Scan started at 9:59:31 AM 9/19/2007

Listing files found while scanning....

C:\windows\system32\bbmcnoeq.ini
C:\WINDOWS\system32\qeoncmbb.dll

VundoFix V6.5.8

Checking Java version...

Scan started at 12:00:58 PM 9/19/2007

Listing files found while scanning....

C:\windows\system32\bbmcnoeq.ini
C:\WINDOWS\system32\qeoncmbb.dll

Beginning removal...

Attempting to delete C:\windows\system32\bbmcnoeq.ini
C:\windows\system32\bbmcnoeq.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qeoncmbb.dll
C:\WINDOWS\system32\qeoncmbb.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\qeoncmbb.dll
C:\WINDOWS\system32\qeoncmbb.dll Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:33 PM, on 9/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
E:\program files\InoRpc.exe
E:\program files\InoTask.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\VERITAS NetBackup Professional\System\NBPClientSvcush.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\VERITAS Shared\ChangeLog\VChangeLogSvcu.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
E:\program files\realmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\VERITAS NetBackup Professional\NBPClientush.exe
D:\Palm\Hotsync.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
E:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ucop.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {50400EFA-F378-417A-00B7-E93EF422820D} - C:\Program Files\Messenger\qudanuza246.dll (file missing)
O2 - BHO: (no name) - {597860E2-97E8-4DFC-A26E-5CE008F2988A} - C:\WINDOWS\Fonts\nuidsk.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [meze] C:\Program Files\Windows NT\meze22011.exe
O4 - HKLM\..\Run: [Realtime Monitor] "E:\program files\realmon.exe" -s
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\mcarolin\smss.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: NetBackup Professional Client.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = D:\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AD.UCOP.EDU
O17 - HKLM\Software\..\Telephony: DomainName = AD.UCOP.EDU
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AD.UCOP.EDU
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: fccayya - fccayya.dll (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rlsejmjt.exe (file missing)
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - E:\program files\InoRpc.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - E:\program files\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: VERITAS NetBackup Professional Client Service (NBPClientSvc) - VERITAS Software Corporation - E:\Program Files\VERITAS NetBackup Professional\System\NBPClientSvcush.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: VERITAS NetBackup Professional Persistent Change Journal Service (VChangeLogSvc) - VERITAS Software Corporation - C:\Program Files\Common Files\VERITAS Shared\ChangeLog\VChangeLogSvcu.exe
O23 - Service: Quest Resource Updating Agent (Vmover.exe) - Quest Software - C:\WINDOWS\System32\Vmover.exe

--
End of file - 7343 bytes
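
As an added example (not code from the thread, from HijackThis or from ComboFix), a small Python triage script that parses the O2/O4/O20/O23 entry formats shown in the log above and flags the entries a helper looks at first: orphaned "(file missing)" load points, nameless BHOs, services with no vendor, Winlogon Notify modules given as a bare DLL name, and core Windows binary names (smss.exe) running from anywhere other than System32. The sample lines are copied from the posted log; the heuristics, thresholds and all function names are this example's own.

```python
"""Triage of HijackThis-style log entries (added example, not HijackThis code)."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the O-lines from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {50400EFA-F378-417A-00B7-E93EF422820D} - C:\Program Files\Messenger\qudanuza246.dll (file missing)
O2 - BHO: (no name) - {597860E2-97E8-4DFC-A26E-5CE008F2988A} - C:\WINDOWS\Fonts\nuidsk.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [meze] C:\Program Files\Windows NT\meze22011.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\mcarolin\smss.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: fccayya - fccayya.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rlsejmjt.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# Windows core binaries that, on XP, only belong in System32 (heuristic list).
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
SYSTEM32 = r"c:\windows\system32"
USER_PROFILES = r"c:\documents and settings"


@dataclass
class Finding:
    kind: str
    name: str
    path: str            # raw path/command as printed by HijackThis
    vendor: str = ""     # O23 only
    reasons: list[str] = field(default_factory=list)


def executable_path(command: str) -> str:
    """Strip the '(file missing)' marker, quotes and arguments from a command line."""
    command = command.replace("(file missing)", "").strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|sys))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command


def parse_entry(line: str) -> Finding | None:
    """Parse one O2/O4/O20/O23 line; other section types are ignored."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    _, rest = body.split(": ", 1)
    if kind == "O2":      # BHO: <name> - {CLSID} - <path>
        name, _clsid, path = rest.split(" - ", 2)
        return Finding(kind, name, path)
    if kind == "O4":      # <hive>\..\Run: [<name>] <command>   (shortcut entries skipped)
        if not rest.startswith("["):
            return None
        name, path = rest[1:].split("] ", 1)
        return Finding(kind, name, path)
    if kind == "O20":     # Winlogon Notify: <name> - <module>
        name, path = rest.split(" - ", 1)
        return Finding(kind, name, path)
    if kind == "O23":     # Service: <display name> - <vendor> - <path>
        name, vendor, path = rest.split(" - ", 2)
        return Finding(kind, name, path, vendor)
    return None


def assess(entry: Finding) -> None:
    """Append a reason for every heuristic the entry trips."""
    if entry.path.endswith("(file missing)"):
        entry.reasons.append("load point references a file that is no longer on disk")
    if entry.kind == "O2" and entry.name.strip() in {"", "0", "(no name)"}:
        entry.reasons.append("BHO registered without a meaningful name")
    if entry.kind == "O23" and entry.vendor.lower() == "unknown owner":
        entry.reasons.append("service binary carries no vendor information")
    directory, base = ntpath.split(executable_path(entry.path))
    if not directory:
        entry.reasons.append("bare module name with no directory (resolved via search order)")
    elif base.lower() in CORE_BINARIES and directory.lower() != SYSTEM32:
        entry.reasons.append(f"{base} outside System32 (name of a core Windows binary)")
    if directory.lower().startswith(USER_PROFILES):
        entry.reasons.append("auto-start from a user profile directory")


def triage(log_text: str) -> list[Finding]:
    """Return only the entries that tripped at least one heuristic, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            assess(entry)
            if entry.reasons:
                flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.kind} [{f.name}] {f.path}")
        for r in f.reasons:
            print("   -", r)
```

The flagged set matches what the helper later targets with the CFScript (the two BHOs) and what ComboFix removed on its own (the DomainService service); the heuristics are a starting point for review, not a verdict.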

17 Posts

September 19th, 2007 19:00

Here you go Bug

ComboFix 07-09-18.4 - "mcarolin" 2007-09-19 13:00:56.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.220 [GMT -7:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\D2
C:\WINDOWS\system32\ewbpgmod.dll
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\tobdthpj.dll
C:\WINDOWS\system32\toylodae.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-19 to 2007-09-19 )))))))))))))))))))))))))))))))
.

2007-09-19 12:59 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-19 10:39 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-19 10:38 2,060,363 ---hs---- C:\WINDOWS\SYSTEM32\yybeg.ini2
2007-09-19 10:38 d-------- C:\Program Files\SUPERAntiSpyware
2007-09-19 10:38 d-------- C:\DOCUME~1\mcarolin\APPLIC~1\SUPERAntiSpyware.com
2007-09-19 10:37 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 10:14 d-------- C:\Program Files\Trend Micro
2007-09-18 09:14 d-------- C:\Program Files\SpywareBlaster
2007-09-17 17:04 d-------- C:\Program Files\Windows Defender
2007-09-17 11:23 d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-09-10 08:47 d-------- C:\VundoFix Backups
2007-09-06 13:53 d-------- C:\Program Files\CA
2007-09-06 05:52 14,639 --a------ C:\WINDOWS\SYSTEM32\rt25.exe
2007-09-05 09:31 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-05 08:55 2,001,478 ---hs---- C:\WINDOWS\SYSTEM32\yybeg.bak2
2007-09-04 16:33 183 --a------ C:\DeleteAtReboot.bat
2007-09-04 16:20 2,036,234 ---hs---- C:\WINDOWS\SYSTEM32\yybeg.bak1
2007-09-04 16:15 d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-09-04 16:14 d--hs---- C:\WINDOWS\U2V0aHM
2007-09-04 16:14 d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-07-19 00:00 3583488 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-06-27 07:35 823808 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-06-27 07:35 232960 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-06-27 07:34 671232 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-06-27 07:34 6058496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-06-27 07:34 52224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-06-27 07:34 477696 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-06-27 07:34 459264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-06-27 07:34 44544 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-06-27 07:34 384512 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-06-27 07:34 383488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-06-27 07:34 27648 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-06-27 07:34 267776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-06-27 07:34 230400 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-06-27 07:34 193024 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-06-27 07:34 153088 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-06-27 07:34 132608 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-06-27 07:34 124928 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-06-27 07:34 1152000 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-06-27 07:34 105984 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-06-27 07:34 102400 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-06-27 01:27 63488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-06-27 01:27 625152 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-06-27 01:27 13824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-06-27 00:00 161792 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-25 23:08 1104896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml3.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-06-19 06:31 282112 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50400EFA-F378-417A-00B7-E93EF422820D}]
C:\Program Files\Messenger\qudanuza246.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{597860E2-97E8-4DFC-A26E-5CE008F2988A}]
C:\WINDOWS\Fonts\nuidsk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-09-27 10:51]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2003-12-16 12:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-02-11 09:30]
"PestPatrol Control Center"="C:\PROGRA~1\PESTPA~1\PPControl.exe" [2004-11-15 11:49]
"PPMemCheck"="C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [2003-04-19 07:53]
"CookiePatrol"="C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [2005-01-10 09:35]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"meze"="C:\Program Files\Windows NT\meze22011.exe" []
"Realtime Monitor"="E:\program files\realmon.exe" [2007-01-16 21:27]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2001-08-31 09:02:02]
NetBackup Professional Client.lnk - C:\WINDOWS\Installer\{D9508947-9C87-4B45-9182-F032D92498F6}\NetBackupProfessionalClient3.03.exe [2004-05-27 09:56:23]
HotSync Manager.lnk - D:\Palm\Hotsync.exe [2004-06-09 14:16:08]

C:\DOCUME~1\ADMINI~1\STARTM~1\PROGRAMS\STARTUP\
DESKTOP.INI [2001-08-31 09:02:02]

C:\DOCUME~1\dsun\STARTM~1\PROGRAMS\STARTUP\
DESKTOP.INI [2001-08-31 09:02:02]

C:\DOCUME~1\mcarolin\STARTM~1\PROGRAMS\STARTUP\
DESKTOP.INI [2001-08-31 09:02:02]

C:\DOCUME~1\sastech\STARTM~1\PROGRAMS\STARTUP\
DESKTOP.INI [2001-08-31 09:02:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= D:\Eudora\EuShlExt.dll [2004-04-19 10:32 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccayya]
fccayya.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=\\AD.UCOP.EDU\SysVol\AD.UCOP.EDU\scripts\uIRCie.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\ad\SYSVOL\AD.UCOP.EDU\scripts\EnableLiveUpdate.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\1]
"Script"=\\ad\SYSVOL\AD.UCOP.EDU\scripts\Machine_Startup.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\2]
"Script"=\\ad\SYSVOL\AD.UCOP.EDU\scripts\GPOSurvey.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\AD.UCOP.EDU\sysvol\AD.UCOP.EDU\scripts\fixoffice.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1801674531-1757981266-2146972089-8126\Scripts\Logon\0\0]
"Script"=\\AD.UCOP.EDU\SysVol\AD.UCOP.EDU\scripts\olinstall.cmd

R0 VSP;VSP;C:\WINDOWS\system32\drivers\vsp.sys
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe
R2 NetAlrt;NetAlrt;\??\C:\WINDOWS\System32\drivers\NetAlrt.sys
R2 PlatAlrt;PlatAlrt;\??\C:\WINDOWS\System32\drivers\PlatAlrt.sys
R2 VChangeLogSvc;VERITAS NetBackup Professional Persistent Change Journal Service;C:\Program Files\Common Files\VERITAS Shared\ChangeLog\VChangeLogSvcu.exe
R3 prepdrvr;SMS Process Event Driver;\??\C:\WINDOWS\system32\CCM\prepdrv.sys
S2 NBPClientSvc;VERITAS NetBackup Professional Client Service;E:\Program Files\VERITAS NetBackup Professional\System\NBPClientSvcush.exe
S3 idisw2km;idisw2km;C:\WINDOWS\system32\DRIVERS\idisw2km.sys
S3 kbstuff;SMS Virtual Keyboard;C:\WINDOWS\system32\DRIVERS\kbstuff5.sys
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
S3 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe
S3 Vmover.exe;Quest Resource Updating Agent;C:\WINDOWS\System32\Vmover.exe
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys

*Newly Created Service* - DEFWATCH
*Newly Created Service* - NAVAP
*Newly Created Service* - NAVAPEL
*Newly Created Service* - NAVENG
*Newly Created Service* - NAVEX15
*Newly Created Service* - NORTON_ANTIVIRUS_SERVER
*Newly Created Service* - SYMEVENT
.
Contents of the 'Scheduled Tasks' folder
"2007-09-19 20:15:02 C:\WINDOWS\Tasks\User_Feed_Synchronization-{C63722AF-CE74-4B1F-96C7-22F38B762452}.job"
"2007-09-19 20:15:02 C:\WINDOWS\Tasks\User_Feed_Synchronization-{AE593A4F-53ED-4C61-AD4D-A836543AF1BE}.job"
"2007-09-19 16:57:28 C:\WINDOWS\Tasks\User_Feed_Synchronization-{BA608B63-120B-457D-81F8-11249531FD73}.job"
- C:\WINDOWS\system32\msfeedssync.exe
"2007-09-19 20:07:22 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-19 13:05:48
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-19 13:20:00 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-19 13:19
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:17 PM, on 9/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
E:\program files\InoRpc.exe
E:\program files\InoTask.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\VERITAS Shared\ChangeLog\VChangeLogSvcu.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
E:\program files\realmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\VERITAS NetBackup Professional\NBPClientush.exe
D:\Palm\Hotsync.exe
C:\WINDOWS\system32\notepad.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MI1933~1\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ucop.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {50400EFA-F378-417A-00B7-E93EF422820D} - C:\Program Files\Messenger\qudanuza246.dll (file missing)
O2 - BHO: (no name) - {597860E2-97E8-4DFC-A26E-5CE008F2988A} - C:\WINDOWS\Fonts\nuidsk.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [meze] C:\Program Files\Windows NT\meze22011.exe
O4 - HKLM\..\Run: [Realtime Monitor] "E:\program files\realmon.exe" -s
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: NetBackup Professional Client.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = D:\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AD.UCOP.EDU
O17 - HKLM\Software\..\Telephony: DomainName = AD.UCOP.EDU
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AD.UCOP.EDU
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: fccayya - fccayya.dll (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - E:\program files\InoRpc.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - E:\program files\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: VERITAS NetBackup Professional Client Service (NBPClientSvc) - VERITAS Software Corporation - E:\Program Files\VERITAS NetBackup Professional\System\NBPClientSvcush.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: VERITAS NetBackup Professional Persistent Change Journal Service (VChangeLogSvc) - VERITAS Software Corporation - C:\Program Files\Common Files\VERITAS Shared\ChangeLog\VChangeLogSvcu.exe
O23 - Service: Quest Resource Updating Agent (Vmover.exe) - Quest Software - C:\WINDOWS\System32\Vmover.exe

--
End of file - 6941 bytes

Message Edited by mark_ca on 09-19-2007 03:25 PM

17 Posts

September 19th, 2007 20:00

Things are definitely better so far. Hopefully once it's all said and done I won't have to worry about this problem anymore.

3 Apprentice

20.5K Posts

September 19th, 2007 23:00

Not done yet. We still have a few things to clean up.


Open Notepad and copy/paste the following bold text between the dotted lines into it. Do not copy the dotted lines.

-----------------------------------------------------------------------------------------------

File::
C:\WINDOWS\SYSTEM32\yybeg.ini2
C:\WINDOWS\SYSTEM32\yybeg.bak2
C:\WINDOWS\SYSTEM32\yybeg.bak1
C:\WINDOWS\SYSTEM32\rt25.exe


Folder::
C:\WINDOWS\U2V0aHM


Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Browser Helper Objects\{50400EFA-F378-417A-00B7-E93EF422820D}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Browser Helper Objects\{597860E2-97E8-4DFC-A26E-5CE008F2988A}]



--------------------------------------------------------------------------------------------------------

Save this as CFScript.txt

[image: Photobucket-hosted screenshot]

Referring to the picture above, drag CFScript into ComboFix.exe
You will be prompted to run Combofix again. Follow the same instructions you did before for running ComboFix.
CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced here: C:\ComboFix.txt

Please provide the contents of the new ComboFix log in your next reply along with a new HijackThis log, and let me know how things are running.

17 Posts

September 20th, 2007 14:00

Bugbatter,

Some lines were deleted due to html code. I'm sure you figured it out from the last post too, just figured that I should let you know.

17 Posts

September 20th, 2007 14:00

Bugbatter, the new combofix and hjt logs as requested. Running well so far. Thanks again for everything

ComboFix 07-09-18.4 - "mcarolin" 2007-09-20 8:25:00.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.206 [GMT -7:00]
* Created a new restore point

FILE::
C:\WINDOWS\SYSTEM32\yybeg.ini2
C:\WINDOWS\SYSTEM32\yybeg.bak2
C:\WINDOWS\SYSTEM32\yybeg.bak1
C:\WINDOWS\SYSTEM32\rt25.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\rt25.exe
C:\WINDOWS\SYSTEM32\yybeg.bak1
C:\WINDOWS\SYSTEM32\yybeg.bak2
C:\WINDOWS\SYSTEM32\yybeg.ini2
C:\WINDOWS\U2V0aHM

.
((((((((((((((((((((((((( Files Created from 2007-08-20 to 2007-09-20 )))))))))))))))))))))))))))))))
.

2007-09-19 12:59 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-19 10:39 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-19 10:38 d-------- C:\Program Files\SUPERAntiSpyware
2007-09-19 10:38 d-------- C:\DOCUME~1\mcarolin\APPLIC~1\SUPERAntiSpyware.com
2007-09-19 10:37 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 10:14 d-------- C:\Program Files\Trend Micro
2007-09-18 09:14 d-------- C:\Program Files\SpywareBlaster
2007-09-17 17:04 d-------- C:\Program Files\Windows Defender
2007-09-17 11:23 d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-09-10 08:47 d-------- C:\VundoFix Backups
2007-09-06 13:53 d-------- C:\Program Files\CA
2007-09-05 09:31 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-04 16:33 183 --a------ C:\DeleteAtReboot.bat
2007-09-04 16:15 d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-09-04 16:14 d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-07-19 00:00 3583488 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-06-27 07:35 823808 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-06-27 07:35 232960 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-06-27 07:34 671232 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-06-27 07:34 6058496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-06-27 07:34 52224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-06-27 07:34 477696 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-06-27 07:34 459264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-06-27 07:34 44544 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-06-27 07:34 384512 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-06-27 07:34 383488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-06-27 07:34 27648 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-06-27 07:34 267776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-06-27 07:34 230400 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-06-27 07:34 193024 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-06-27 07:34 153088 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-06-27 07:34 132608 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-06-27 07:34 124928 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-06-27 07:34 1152000 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-06-27 07:34 105984 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-06-27 07:34 102400 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-06-27 01:27 63488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-06-27 01:27 625152 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-06-27 01:27 13824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-06-27 00:00 161792 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-25 23:08 1104896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-09-27 10:51]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2003-12-16 12:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-02-11 09:30]
"PestPatrol Control Center"="C:\PROGRA~1\PESTPA~1\PPControl.exe" [2004-11-15 11:49]
"PPMemCheck"="C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [2003-04-19 07:53]
"CookiePatrol"="C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [2005-01-10 09:35]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"meze"="C:\Program Files\Windows NT\meze22011.exe" []
"Realtime Monitor"="E:\program files\realmon.exe" [2007-01-16 21:27]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2001-08-31 09:02:02]
NetBackup Professional Client.lnk - C:\WINDOWS\Installer\{D9508947-9C87-4B45-9182-F032D92498F6}\NetBackupProfessionalClient3.03.exe [2004-05-27 09:56:23]
HotSync Manager.lnk - D:\Palm\Hotsync.exe [2004-06-09 14:16:08]

C:\DOCUME~1\ADMINI~1\STARTM~1\PROGRAMS\STARTUP\
DESKTOP.INI [2001-08-31 09:02:02]

C:\DOCUME~1\dsun\STARTM~1\PROGRAMS\STARTUP\
DESKTOP.INI [2001-08-31 09:02:02]

C:\DOCUME~1\mcarolin\STARTM~1\PROGRAMS\STARTUP\
DESKTOP.INI [2001-08-31 09:02:02]

C:\DOCUME~1\sastech\STARTM~1\PROGRAMS\STARTUP\
DESKTOP.INI [2001-08-31 09:02:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= D:\Eudora\EuShlExt.dll [2004-04-19 10:32 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccayya]
fccayya.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=\\AD.UCOP.EDU\SysVol\AD.UCOP.EDU\scripts\uIRCie.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\ad\SYSVOL\AD.UCOP.EDU\scripts\EnableLiveUpdate.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\1]
"Script"=\\ad\SYSVOL\AD.UCOP.EDU\scripts\Machine_Startup.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\2]
"Script"=\\ad\SYSVOL\AD.UCOP.EDU\scripts\GPOSurvey.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\AD.UCOP.EDU\sysvol\AD.UCOP.EDU\scripts\fixoffice.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1801674531-1757981266-2146972089-8126\Scripts\Logon\0\0]
"Script"=\\AD.UCOP.EDU\SysVol\AD.UCOP.EDU\scripts\olinstall.cmd

R0 VSP;VSP;C:\WINDOWS\system32\drivers\vsp.sys
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe
R2 NetAlrt;NetAlrt;\??\C:\WINDOWS\System32\drivers\NetAlrt.sys
R2 PlatAlrt;PlatAlrt;\??\C:\WINDOWS\System32\drivers\PlatAlrt.sys
R2 VChangeLogSvc;VERITAS NetBackup Professional Persistent Change Journal Service;C:\Program Files\Common Files\VERITAS Shared\ChangeLog\VChangeLogSvcu.exe
R3 prepdrvr;SMS Process Event Driver;\??\C:\WINDOWS\system32\CCM\prepdrv.sys
S2 NBPClientSvc;VERITAS NetBackup Professional Client Service;E:\Program Files\VERITAS NetBackup Professional\System\NBPClientSvcush.exe
S3 idisw2km;idisw2km;C:\WINDOWS\system32\DRIVERS\idisw2km.sys
S3 kbstuff;SMS Virtual Keyboard;C:\WINDOWS\system32\DRIVERS\kbstuff5.sys
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
S3 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe
S3 Vmover.exe;Quest Resource Updating Agent;C:\WINDOWS\System32\Vmover.exe
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys

*Newly Created Service* - DEFWATCH
*Newly Created Service* - NAVAP
*Newly Created Service* - NAVAPEL
*Newly Created Service* - NAVENG
*Newly Created Service* - NAVEX15
*Newly Created Service* - NORTON_ANTIVIRUS_SERVER
*Newly Created Service* - SYMEVENT
.
Contents of the 'Scheduled Tasks' folder
"2007-09-20 15:25:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{C63722AF-CE74-4B1F-96C7-22F38B762452}.job"
"2007-09-20 15:25:02 C:\WINDOWS\Tasks\User_Feed_Synchronization-{AE593A4F-53ED-4C61-AD4D-A836543AF1BE}.job"
"2007-09-19 16:57:28 C:\WINDOWS\Tasks\User_Feed_Synchronization-{BA608B63-120B-457D-81F8-11249531FD73}.job"
- C:\WINDOWS\system32\msfeedssync.exe
"2007-09-20 09:07:58 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-20 08:26:35
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-20 8:27:35
C:\ComboFix-quarantined-files.txt ... 2007-09-20 08:27
C:\ComboFix2.txt ... 2007-09-19 13:20
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:27 AM, on 9/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
E:\program files\InoRpc.exe
E:\program files\InoTask.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\VERITAS Shared\ChangeLog\VChangeLogSvcu.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
E:\program files\realmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\VERITAS NetBackup Professional\NBPClientush.exe
D:\Palm\Hotsync.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ucop.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [meze] C:\Program Files\Windows NT\meze22011.exe
O4 - HKLM\..\Run: [Realtime Monitor] "E:\program files\realmon.exe" -s
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: NetBackup Professional Client.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = D:\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AD.UCOP.EDU
O17 - HKLM\Software\..\Telephony: DomainName = AD.UCOP.EDU
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AD.UCOP.EDU
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: fccayya - fccayya.dll (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - E:\program files\InoRpc.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - E:\program files\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: VERITAS NetBackup Professional Client Service (NBPClientSvc) - VERITAS Software Corporation - E:\Program Files\VERITAS NetBackup Professional\System\NBPClientSvcush.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: VERITAS NetBackup Professional Persistent Change Journal Service (VChangeLogSvc) - VERITAS Software Corporation - C:\Program Files\Common Files\VERITAS Shared\ChangeLog\VChangeLogSvcu.exe
O23 - Service: Quest Resource Updating Agent (Vmover.exe) - Quest Software - C:\WINDOWS\System32\Vmover.exe

--
End of file - 6701 bytes

3 Apprentice


20.5K Posts

September 20th, 2007 20:00

I'm not sure what was removed by the filter. If that happens in the future, simply leave the good text, so I can see the path to the files and insert [smut filter] where you removed the offensive text.

If you do not know what this is, let's have it analyzed at Virus Total.
C:\Program Files\Windows NT\meze22011.exe
Go here:
http://www.virustotal.com/en/indexf.html

At the top of the page you will see:
Select file>Browse>Send
Just follow the prompts.
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told otherwise, Virus Total will provide the sample to all participating vendors.

When you get the report, please post back the exact results.

Open Notepad and copy/paste the following bold text between the dotted lines into it. Do not copy the dotted lines.

-----------------------------------------------------------------------------------------------


Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccayya]



--------------------------------------------------------------------------------------------------------

Save this as CFScript.txt

[picture: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe
You will be prompted to run Combofix again. Follow the same instructions you did before for running ComboFix.
CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

I don't need to see the ComboFix report this time. I'm sure that will take care of it. I would like to see a new HijackThis log and your report from VirusTotal, though. Let me know how things are running. Thanks.

3 Apprentice


20.5K Posts

September 20th, 2007 21:00

Try this:
Configure to show all files/folders:
Go to Start>Search and at the top select Tools>Folder Options
Select the View tab
Display the contents of system folders
Show hidden files and folders
Uncheck: Hide protected operating system files
Click on Apply.
Next go to the side of the Search box and select All files and folders. Go down to More advanced options.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders

After you are finished go back and rehide files.

17 Posts

September 20th, 2007 21:00

Bugbatter,

I cannot find meze22011.exe in that folder. Strange, I did a Windows browser search and nothing came up anywhere. Any guidance would be great.

17 Posts

September 20th, 2007 21:00

Bugbatter,

Still no trace of meze22011.

17 Posts

September 20th, 2007 22:00

Bugbatter,

Should I wait till we figure out about this file before running combofix again?

3 Apprentice


20.5K Posts

September 21st, 2007 02:00

Make sure your Windows Defender is still disabled.

Go ahead and run ComboFix with the script.

We'll fix that thing with HijackThis.
Please launch HijackThis and place a checkmark next to these:

O4 - HKLM\..\Run: [meze] C:\Program Files\Windows NT\meze22011.exe
O20 - Winlogon Notify: fccayya - fccayya.dll (file missing)

Close all windows except Hijackthis and click "Fix Checked". Close HJT and reboot.

It appears that you have no Java. Having an outdated or no version of Java would have made you susceptible to that Vundo.

Run Disk Cleanup in each user's profile:
Click "Start > Programs > Accessories > System Tools > Disk Cleanup"
Please make sure the following are checked:
-- Downloaded Program Files
-- Temporary Internet Files
-- Recycle Bin
-- Temporary Files
Click "OK" and Disk Cleanup will delete those files for you.

Please follow these steps:

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u2 allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.

  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Official JAVA Installation Instructions if needed.

Close HijackThis and reboot.

Finally, please post a fresh HijackThis log and let me know how things are running.

Message Edited by Bugbatter on 09-20-2007 11:22 PM
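The check Bugbatter made by eye above (a Run value with no file behind it, and a Winlogon Notify DLL marked "file missing"), done mechanically: an added Python example, not code from the thread or from ComboFix or HijackThis. It parses a ComboFix "Reg Loading Points" section and a HijackThis log and returns the HJT lines worth fixing. Sample lines are constructed from the logs posted in this thread; reading an empty [] after a ComboFix Run value as "no file found to timestamp" is an assumption that matches the thread, where meze22011.exe could not be located.

```python
import re
from typing import List, Tuple

# Constructed sample input, modelled on the ComboFix "Reg Loading Points" section and
# the HijackThis log posted in this thread (only the lines needed for the check).
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59]
"meze"="C:\Program Files\Windows NT\meze22011.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccayya]
fccayya.dll
"""

HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [meze] C:\Program Files\Windows NT\meze22011.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: fccayya - fccayya.dll (file missing)
"""

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "name"="path" [timestamp]; ComboFix leaves the bracket empty when it has no file to stamp (assumption)
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]\s*$')
HJT_O4 = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
HJT_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")

Orphan = Tuple[str, str, str]  # (registry key, value or subkey name, file referenced)


def combofix_orphans(text: str) -> List[Orphan]:
    """Autostart entries in a ComboFix log that point at nothing on disk:
    Run values with an empty [] stamp, and Winlogon Notify subkeys whose DLL is
    listed bare (no directory, no timestamp), as with fccayya.dll in the thread."""
    orphans: List[Orphan] = []
    section = None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section = m.group("key")
            continue
        if section is None or not line.strip():
            continue
        key = section.lower()
        if key.endswith("\\run"):
            v = RUN_VALUE.match(line)
            if v and v.group("stamp").strip() == "":
                orphans.append((section, v.group("name"), v.group("path")))
        elif "\\winlogon\\notify\\" in key and "\\" not in line and "[" not in line:
            orphans.append((section, section.rsplit("\\", 1)[-1], line.strip()))
    return orphans


def hjt_lines_to_fix(hjt_text: str, orphans: List[Orphan]) -> List[str]:
    """HijackThis lines that match a ComboFix orphan (O4 by path, O20 by subkey
    name) plus any O20 line HijackThis itself marks '(file missing)'."""
    paths = {p.lower() for _, _, p in orphans}
    names = {n.lower() for _, n, _ in orphans}
    fix: List[str] = []
    for line in hjt_text.splitlines():
        m = HJT_O4.match(line)
        if m:
            cmd = m.group("cmd").strip().lstrip('"').lower()
            if any(cmd.startswith(p) for p in paths):
                fix.append(line)
            continue
        m = HJT_O20.match(line)
        if m and (m.group("missing") or m.group("name").lower() in names):
            fix.append(line)
    return fix


if __name__ == "__main__":
    found = combofix_orphans(COMBOFIX_SAMPLE)
    for section, name, path in found:
        print(f"ComboFix: nothing on disk behind {name!r} -> {path}  ({section})")
    for line in hjt_lines_to_fix(HJT_SAMPLE, found):
        print("HijackThis line to check:", line)
```

On the constructed sample this returns exactly the two lines Bugbatter asked to have checked in HijackThis; run it over a full posted log pair and the output is the list of fix candidates to review, not a list to apply blindly.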

17 Posts

September 21st, 2007 14:00

Bugbatter,
Here are the new logs. I will use HJT to fix the files as you have instructed, then continue to update Java, etc.

ComboFix 07-09-18.4 - "mcarolin" 2007-09-21 8:32:56.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.181 [GMT -7:00]
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-08-21 to 2007-09-21 )))))))))))))))))))))))))))))))
.

2007-09-19 12:59 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-19 10:39 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-19 10:38 d-------- C:\Program Files\SUPERAntiSpyware
2007-09-19 10:38 d-------- C:\DOCUME~1\mcarolin\APPLIC~1\SUPERAntiSpyware.com
2007-09-19 10:37 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 10:14 d-------- C:\Program Files\Trend Micro
2007-09-18 09:14 d-------- C:\Program Files\SpywareBlaster
2007-09-17 17:04 d-------- C:\Program Files\Windows Defender
2007-09-17 11:23 d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-09-10 08:47 d-------- C:\VundoFix Backups
2007-09-06 13:53 d-------- C:\Program Files\CA
2007-09-05 09:31 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-04 16:33 183 --a------ C:\DeleteAtReboot.bat
2007-09-04 16:15 d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-09-04 16:14 d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-07-19 00:00 3583488 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-06-27 07:35 823808 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-06-27 07:35 232960 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-06-27 07:34 671232 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-06-27 07:34 6058496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-06-27 07:34 52224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-06-27 07:34 477696 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-06-27 07:34 459264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-06-27 07:34 44544 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-06-27 07:34 384512 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-06-27 07:34 383488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-06-27 07:34 27648 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-06-27 07:34 267776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-06-27 07:34 230400 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-06-27 07:34 193024 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-06-27 07:34 153088 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-06-27 07:34 132608 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-06-27 07:34 124928 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-06-27 07:34 1152000 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-06-27 07:34 105984 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-06-27 07:34 102400 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-06-27 01:27 63488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-06-27 01:27 625152 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-06-27 01:27 13824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-06-27 00:00 161792 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-25 23:08 1104896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-09-27 10:51]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2003-12-16 12:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-02-11 09:30]
"PestPatrol Control Center"="C:\PROGRA~1\PESTPA~1\PPControl.exe" [2004-11-15 11:49]
"PPMemCheck"="C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [2003-04-19 07:53]
"CookiePatrol"="C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [2005-01-10 09:35]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"meze"="C:\Program Files\Windows NT\meze22011.exe" []
"Realtime Monitor"="E:\program files\realmon.exe" [2007-01-16 21:27]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2001-08-31 09:02:02]
NetBackup Professional Client.lnk - C:\WINDOWS\Installer\{D9508947-9C87-4B45-9182-F032D92498F6}\NetBackupProfessionalClient3.03.exe [2004-05-27 09:56:23]
HotSync Manager.lnk - D:\Palm\Hotsync.exe [2004-06-09 14:16:08]

C:\DOCUME~1\ADMINI~1\STARTM~1\PROGRAMS\STARTUP\
DESKTOP.INI [2001-08-31 09:02:02]

C:\DOCUME~1\dsun\STARTM~1\PROGRAMS\STARTUP\
DESKTOP.INI [2001-08-31 09:02:02]

C:\DOCUME~1\mcarolin\STARTM~1\PROGRAMS\STARTUP\
DESKTOP.INI [2001-08-31 09:02:02]

C:\DOCUME~1\sastech\STARTM~1\PROGRAMS\STARTUP\
DESKTOP.INI [2001-08-31 09:02:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= D:\Eudora\EuShlExt.dll [2004-04-19 10:32 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=\\AD.UCOP.EDU\SysVol\AD.UCOP.EDU\scripts\uIRCie.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\ad\SYSVOL\AD.UCOP.EDU\scripts\EnableLiveUpdate.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\1]
"Script"=\\ad\SYSVOL\AD.UCOP.EDU\scripts\Machine_Startup.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\2]
"Script"=\\ad\SYSVOL\AD.UCOP.EDU\scripts\GPOSurvey.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\AD.UCOP.EDU\sysvol\AD.UCOP.EDU\scripts\fixoffice.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1801674531-1757981266-2146972089-8126\Scripts\Logon\0\0]
"Script"=\\AD.UCOP.EDU\SysVol\AD.UCOP.EDU\scripts\olinstall.cmd

R0 VSP;VSP;C:\WINDOWS\system32\drivers\vsp.sys
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe
R2 NetAlrt;NetAlrt;\??\C:\WINDOWS\System32\drivers\NetAlrt.sys
R2 PlatAlrt;PlatAlrt;\??\C:\WINDOWS\System32\drivers\PlatAlrt.sys
R2 VChangeLogSvc;VERITAS NetBackup Professional Persistent Change Journal Service;C:\Program Files\Common Files\VERITAS Shared\ChangeLog\VChangeLogSvcu.exe
R3 prepdrvr;SMS Process Event Driver;\??\C:\WINDOWS\system32\CCM\prepdrv.sys
S2 NBPClientSvc;VERITAS NetBackup Professional Client Service;E:\Program Files\VERITAS NetBackup Professional\System\NBPClientSvcush.exe
S3 idisw2km;idisw2km;C:\WINDOWS\system32\DRIVERS\idisw2km.sys
S3 kbstuff;SMS Virtual Keyboard;C:\WINDOWS\system32\DRIVERS\kbstuff5.sys
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
S3 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe
S3 Vmover.exe;Quest Resource Updating Agent;C:\WINDOWS\System32\Vmover.exe
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys

*Newly Created Service* - DEFWATCH
*Newly Created Service* - NAVAP
*Newly Created Service* - NAVAPEL
*Newly Created Service* - NAVENG
*Newly Created Service* - NAVEX15
*Newly Created Service* - NORTON_ANTIVIRUS_SERVER
*Newly Created Service* - SYMEVENT
.
Contents of the 'Scheduled Tasks' folder
"2007-09-21 15:35:02 C:\WINDOWS\Tasks\User_Feed_Synchronization-{C63722AF-CE74-4B1F-96C7-22F38B762452}.job"
"2007-09-21 15:35:02 C:\WINDOWS\Tasks\User_Feed_Synchronization-{AE593A4F-53ED-4C61-AD4D-A836543AF1BE}.job"
"2007-09-20 17:38:18 C:\WINDOWS\Tasks\User_Feed_Synchronization-{BA608B63-120B-457D-81F8-11249531FD73}.job"
"2007-09-21 09:07:58 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-21 08:34:22
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-21 8:35:20
C:\ComboFix-quarantined-files.txt ... 2007-09-21 08:35
C:\ComboFix3.txt ... 2007-09-19 13:20
C:\ComboFix2.txt ... 2007-09-20 08:27
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:09 AM, on 9/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
E:\program files\InoRpc.exe
E:\program files\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\VERITAS Shared\ChangeLog\VChangeLogSvcu.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
E:\program files\realmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\VERITAS NetBackup Professional\NBPClientush.exe
D:\Palm\Hotsync.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ucop.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [meze] C:\Program Files\Windows NT\meze22011.exe
O4 - HKLM\..\Run: [Realtime Monitor] "E:\program files\realmon.exe" -s
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: NetBackup Professional Client.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = D:\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AD.UCOP.EDU
O17 - HKLM\Software\..\Telephony: DomainName = AD.UCOP.EDU
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AD.UCOP.EDU
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - E:\program files\InoRpc.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - E:\program files\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: VERITAS NetBackup Professional Client Service (NBPClientSvc) - VERITAS Software Corporation - E:\Program Files\VERITAS NetBackup Professional\System\NBPClientSvcush.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: VERITAS NetBackup Professional Persistent Change Journal Service (VChangeLogSvc) - VERITAS Software Corporation - C:\Program Files\Common Files\VERITAS Shared\ChangeLog\VChangeLogSvcu.exe
O23 - Service: Quest Resource Updating Agent (Vmover.exe) - Quest Software - C:\WINDOWS\System32\Vmover.exe

--
End of file - 6672 bytes