I am finally done and the log is at the bottom of this post. Note that I had a slightly different experience from what was expected, see the green text, below. THANKS FOR YOUR TIME AND EXPERTISE!!! -Glostagal
*****************************
- Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below: DONE
- Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop. DONE
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". DONE
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. DONE
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. DONE
- **Note** When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. THE LOG WAS OPENED BUT NO MESSAGE BOX
- Ensure you are connected to the internet and click OK on the message box. AS STATED, NO MSG BOX
- A browser will open. DID NOT HAPPEN
- Simply follow the instructions to copy/paste/send the requested file. NO INSTRUCTIONS APPEARED?
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply. THE LOG WAS CREATED/DISPLAYED, AND IT IS BELOW
- CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall. I DID NOT TOUCH MOUSE OR KEYBOARD EXCEPT AFTER REBOOT, WHEN I HAD TO LOG INTO WINDOWS
**********************
ComboFix 09-01-02.01 - Ellen Ford 2009-01-04 10:44:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.998.513 [GMT -5:00]
Running from: c:\documents and settings\Ellen Ford\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ellen Ford\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Tasks\cpdlklgj.job
.
((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
.
2009-01-01 13:51 . 2009-01-01 13:51 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-01-01 13:48 . 2009-01-01 13:48 <DIR> d-------- c:\windows\ERUNT
2009-01-01 08:06 . 2009-01-02 17:14 <DIR> d-------- C:\SDFix
2008-12-31 22:46 . 2008-12-31 22:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-31 22:05 . 2008-12-31 22:04 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-25 06:34 . 2008-12-25 06:34 <DIR> d-------- c:\program files\Trend Micro
2008-12-24 12:17 . 2008-12-24 12:17 10,370 --a------ C:\SISTodo
2008-12-24 12:17 . 2008-12-24 12:17 102 --a------ C:\SISHashTodo
2008-12-23 15:54 . 2008-12-31 22:06 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-23 15:54 . 2008-12-23 15:54 <DIR> d-------- c:\documents and settings\Ellen Ford\Application Data\SUPERAntiSpyware.com
2008-12-23 15:54 . 2008-12-23 15:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-23 15:53 . 2008-12-23 15:53 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-14 16:58 . 2009-01-04 08:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 18:06 --------- d---a-w c:\documents and settings\Ellen Ford\Application Data\FileZilla
2009-01-01 03:58 --------- d---a-w c:\program files\Common Files\Symantec Shared
2009-01-01 03:03 --------- d---a-w c:\program files\Java
2008-12-30 15:05 --------- d-----w c:\program files\TeacherWorks
2008-12-14 23:00 --------- d---a-w c:\program files\Picasa2
2008-12-14 22:01 --------- d---a-w c:\program files\Google
2008-10-20 01:25 71,032 ------w c:\documents and settings\Ellen Ford\Application Data\GDIPFONTCACHEV1.DAT
2008-01-26 00:58 32,768 -csh--w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.
((((((((((((((((((((((((((((( snapshot@2009-01-01_21.18.03.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-01 18:48:52 4,153,344 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2009-01-02 21:55:56 4,153,344 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2009-01-01 18:48:52 188,416 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2009-01-02 21:55:56 188,416 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2009-01-02 02:11:11 214,794 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-01-04 15:49:01 214,790 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
- 2009-01-02 02:15:48 102,752 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-04 15:53:45 102,752 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-02 02:15:48 517,286 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-04 15:53:45 517,286 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-04 15:48:50 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_508.dat
+ 2009-01-04 15:49:05 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_58c.dat
+ 2009-01-04 15:48:50 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6ec.dat
+ 2009-01-04 15:48:56 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7f4.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-12-06 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-12-06 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-07-05 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-05 512000]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-11-29 59168]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-06 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-06 137752]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-31 136600]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-04-26 120368]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2007-02-01 419376]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 413696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-03 2630968]
"ISSI EZUpdate Service"="c:\sdwork\issimsvc.exe" [2008-03-21 211456]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"stgclean"="c:\sdwork\w32main2.exe" [2008-04-07 272384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-03-27 136768]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"TpShocks"="TpShocks.exe" [2007-11-22 c:\windows\system32\TpShocks.exe]
"defergui"="c:/sdwork/defergui.exe" [2008-03-03 c:\sdwork\defergui.exe]
"MsmqIntCert"="mqrt.dll" [2008-04-13 c:\windows\system32\mqrt.dll]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-01-25 50688]
Kirby Alarm.lnk - c:\program files\Kirby Alarm\kirbyalarm.exe [2004-01-21 1366528]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-31 22:06 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 02:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-13 21:06 28672 c:\program files\Lenovo\HOTKEY\tphklock.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 17:52 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\sdwork\\W32MAIN2.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2008-01-25 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2008-01-25 4224]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2008-01-25 4442]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-05-22 30336]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2008-01-25 57344]
R4 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-02-08 569344]
S3 avpnnic;AGN Virtual Network Adapter;c:\windows\system32\drivers\avpnnic.sys [2008-02-03 13952]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S4 gupdate1c95e377a8160a2;Google Update Service (gupdate1c95e377a8160a2);c:\program files\Google\Update\GoogleUpdate.exe [2008-12-14 119280]
S4 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea325f34-6f10-11dd-b5ba-001f3a0861bf}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
2009-01-04 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
2009-01-04 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-14 17:01]
2009-01-04 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-12-06 11:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netvibes.com/|https://my.usf ... ameset.jsp
uInternet Settings,ProxyOverride = ;<local>;*.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ellen Ford\Application Data\Mozilla\Firefox\Profiles\141wpeq1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.netvibes.com/|https://my.usf ... ameset.jsp
FF - plugin: c:\documents and settings\Ellen Ford\Application Data\Mozilla\Firefox\Profiles\141wpeq1.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07100121.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1439.6872\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 10:54:54
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1856)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
- - - - - - - > 'lsass.exe'(1912)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\IPSSVC.EXE
c:\windows\system32\msdtc.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\windows\system32\mqsvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-04 10:59:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-04 15:59:00
ComboFix2.txt 2009-01-02 02:20:04
Pre-Run: 14,613,774,336 bytes free
Post-Run: 14,624,579,584 bytes free
256 --- E O F --- 2008-12-12 08:02:45
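An added triage script, not ComboFix's own code and not part of the post above, that parses lines written in the same "Reg Loading Points" format as the log (the `"name"="path" [date size]` autostart entries, the `dword:` values under the Security Center keys, and the mountpoints2 `\Shell\AutoRun\command` line) and flags the items a helper reads first: autostarts launched from a user-writable or random-looking path, `DisableMonitoring=1`, and AutoRun commands recorded for removable volumes. The sample lines, the trusted-prefix list, the user-writable markers and the severity labels are constructed assumptions of this example, not rules ComboFix applies.

```python
import re

# Constructed sample in ComboFix "Reg Loading Points" format. These lines are
# made up for the example; they are not the log from the post above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"ISSI EZUpdate Service"="c:\sdwork\issimsvc.exe" [2008-03-21 211456]
"updater"="c:\documents and settings\user\Application Data\xkqpd.exe" [2009-01-03 45056]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000000}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s*\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{8})$')
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command - (?P<command>.+)$')

# Assumed "normal" install roots and assumed user-writable markers (heuristics).
TRUSTED_PREFIXES = ('c:\\windows\\', 'c:\\program files\\', 'c:\\progra~1\\')
USERLAND_MARKERS = ('\\documents and settings\\', '\\application data\\',
                    '\\temp\\', '\\local settings\\')


def parse_loading_points(text):
    """Turn the registry-section lines into entry dicts, each tagged with the
    registry key it appeared under."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({'kind': 'autostart', 'key': key, 'name': m.group('name'),
                            'path': m.group('path'), 'date': m.group('date'),
                            'size': int(m.group('size'))})
            continue
        m = DWORD_RE.match(line)
        if m:
            entries.append({'kind': 'dword', 'key': key, 'name': m.group('name'),
                            'value': int(m.group('value'), 16)})
            continue
        m = AUTORUN_RE.match(line)
        if m:
            entries.append({'kind': 'autorun', 'key': key, 'command': m.group('command')})
    return entries


def looks_random(stem):
    """Heuristic (an assumption, not a rule): five or more lowercase letters with
    no vowel, the shape of generated names such as the cpdlklgj.job task above."""
    return len(stem) >= 5 and stem.isalpha() and stem.islower() and not set(stem) & set('aeiou')


def triage(entries):
    """Return human-readable findings. Severity labels are this example's own."""
    findings = []
    for e in entries:
        if e['kind'] == 'autostart':
            path = e['path'].lower()
            stem = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
            if any(mk in path for mk in USERLAND_MARKERS) or looks_random(stem):
                findings.append(f"HIGH: {e['key']} -> {e['name']} runs {e['path']} "
                                "from a user-writable or random-named location")
            elif not path.startswith(TRUSTED_PREFIXES):
                findings.append(f"REVIEW: {e['key']} -> {e['name']} runs {e['path']} "
                                "outside Program Files/Windows")
        elif e['kind'] == 'dword' and e['name'] == 'DisableMonitoring' and e['value'] == 1:
            findings.append(f"REVIEW: DisableMonitoring=1 under {e['key']} "
                            "(Security Center will not report AV/firewall state)")
        elif e['kind'] == 'autorun':
            findings.append(f"REVIEW: AutoRun command recorded for mountpoint {e['key']}: "
                            f"{e['command']}")
    return findings


if __name__ == '__main__':
    for finding in triage(parse_loading_points(SAMPLE_LOG)):
        print(finding)
```

The REVIEW items are prompts, not verdicts: an entry outside Program Files (the `c:\sdwork` paths in the log above, for instance) still needs a person to recognise legitimate OEM or enterprise software before anything is removed, and a `DisableMonitoring=1` value is set deliberately by some third-party security suites. The HIGH rule is the one worth keeping in a triage checklist: an autostart whose binary lives under a user profile, a Temp directory, or a vowel-less random name is the pattern that the deleted `cpdlklgj.job` task fits.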