Strange Virus or Malware

This is for a compuer attached to our corporate network.
We are running OfficeScan Version: 8.0 Service Pack 1 Build: 3243 All of the pattern files are up to date.

Computer is XP SP3 with the most recent Msft Updates

On the problem computer, the user is complaining that the pointer is constantly displaying the hour glass. Occasionally the pointer will jump across the screen while nobody is touching the mouse. (Logitec optical mouse with the latest drivers) Occasionally it will even select and open shortcuts on the desktop. I uninstalled all of the speech recognition options in Office XP. I performed a thorough virus/spyware scan. It found and cleaned several cookies in addition to the following Viruses:

7/10/2009 20:43:22 HZ-MIAMI TROJ_FAKEAV.AYK sysguard.exe Scan Now Quarantined View
7/10/2009 20:18:40 HZ-MIAMI TROJ_INJECT.ANB ~TM3E.tmp Scan Now Quarantined View
7/10/2009 20:17:51 HZ-MIAMI TROJ_FAKEAV.AYK install[1].exe Scan Now Quarantined View

I ran HiJackThis and cleaned accordingly from the advice I received from this site. www.hijackthis.de

The mouse pointer problem still exists. While viewing active processes, I noticed one that should not be there JYAD73.exe. When I searched the computer for this EXE, the file resided in the C:/windows/temp folder. As soon as I terminate the process it is removed from this folder. The process remains dormant until the computer is rebooted (Sorry I only rebooted didn't try logging out) Once we log in after rebooting, there is a new "six random character.exe" process running that is located in C:/windows/temp. I am stuck and don't know what to do to correct the problem(s).

The computer is obviously infected but I am unsure how to detect and clean the culprit. Here is the most recent HiJackThis log. (Remember I already removed some entries. but I don't have copies of those log files any longer.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:51:49 PM, on 7/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TIREMOTE\wuser32.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\Program Files\Orl\VNC\WinVNC.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\QO5F37.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Prism Deploy\Client\PTClient.exe
C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\DataFab\PDFBlaster\DFConfigPDF.exe
C:\Program Files\Kyocera Mita\FileUtility\NsCatCom.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.14.3:8080;https=192.168.14.3:8080;ftp=192.168.14.3:8080;gopher=192.168.14.3:8080;socks=192.168.14.3:8080
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Prism Deploy Client] "C:\Program Files\Prism Deploy\Client\PTClient.exe" /Subscriber
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PDFBlaster Control Panel.lnk = C:\Program Files\DataFab\PDFBlaster\DFConfigPDF.exe
O4 - Global Startup: Scanner File Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = finelinehomes.com
O17 - HKLM\Software\..\Telephony: DomainName = finelinehomes.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{10C6D10C-EB9F-4E06-82EF-98D9BBF51F5A}: NameServer = 192.168.10.10,192.168.14.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = finelinehomes.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{10C6D10C-EB9F-4E06-82EF-98D9BBF51F5A}: NameServer = 192.168.10.10,192.168.14.8
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Channel Deployer - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Intuit Track-It! - C:\WINDOWS\TIREMOTE\wuser32.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: WinVNC - UltraVNC - C:\Program Files\Orl\VNC\WinVNC.exe
O23 - Service: winvnc (winvnc.exe) - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe

--
End of file - 7602 bytes


I would greatly appreciate any direction you can provide. (I may be slow to respond I am going to be out for an extended weekend but I will try to monitor this thread and perform the suggested procedures.)

Thanks,
Rick

Hello RavenRick58,

Welcome to Geek Police, my name is Origin and I will be helping you today. Please keep the following in mind:

• If you do not get a reply from me or another helper within 2 days, please reply to your topic with the phrase BUMP
  
• If you have any cracked/pirated software in your computer delete them or we will not help you.
  
• Only follow advise from Geek Police Staff and not a regular member.
  
• Do NOT run any tool without Geek Police supervision as it could hinder your system useless.
  

• Open HijackThis.
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Thanks for the help Origin. Sorry it took so long to get back to you. I was out of the office on a long weekend. I ran the procedures as you outlined above. Below are the contents of the MBAM log.

The rogue file setting up in C:/windows/temp was still there before I ran the process. This time it was named HL6680.exe. After running the process above and rebooting, the file was named QRD903.exe


Malwarebytes' Anti-Malware 1.39
Database version: 2474
Windows 5.1.2600 Service Pack 3

7/21/2009 2:40:59 PM
mbam-log-2009-07-21 (14-40-59).txt

Scan type: Quick Scan
Objects scanned: 123292
Time elapsed: 9 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

• Download combofix from here
  Link 1
  Link 2
  

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouse click combofix's window whilst it's running. That may cause it to stall.
  

Here is the logfile from combofix:

ComboFix 09-07-22.01 - ckemmerer 07/22/2009 15:54.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.222 [GMT -4:00]
Running from: \\43-hz-florida\it installs\Spyware removal\Combofix\Combo-Fix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {6A7A062E-44A9-456C-B7BB-F9943136EA7D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Installer\1b90c45d.msi
c:\windows\Installer\1b90c463.msi
c:\windows\Installer\24d45f7f.msi
c:\windows\Installer\292ac354.msi
c:\windows\Installer\292ac35a.msi
c:\windows\Installer\292ac360.msi
c:\windows\Installer\34d60.msp
c:\windows\Installer\394bf.msp
c:\windows\Installer\3954f.msp
c:\windows\system32\drivers\fad.sys

----- BITS: Possible infected sites -----

hxxp://mail
c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-06-22 to 2009-07-22 )))))))))))))))))))))))))))))))
.

2009-07-21 21:35 . 2009-07-21 21:35 -------- d-----w- c:\windows\LastGood
2009-07-21 18:26 . 2009-07-21 18:26 -------- d-----w- c:\documents and settings\ckemmerer\Application Data\Malwarebytes
2009-07-21 18:26 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-21 18:26 . 2009-07-21 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-21 18:26 . 2009-07-21 18:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-21 18:26 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-16 18:42 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\ckemmerer\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-07-16 18:41 . 2009-07-16 18:41 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-16 18:39 . 2009-07-16 18:39 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-07-16 18:39 . 2009-07-17 11:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-16 18:39 . 2009-07-17 11:04 -------- d-----w- c:\program files\NOS
2009-07-16 18:24 . 2009-07-16 18:23 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-16 18:23 . 2009-07-16 18:23 -------- d-----w- c:\program files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-16 18:44 . 2003-03-17 21:50 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-19 05:08 . 2004-12-27 19:58 -------- d-----w- c:\program files\Trend Micro
2009-06-18 18:47 . 2009-06-19 05:18 142992 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-06-18 18:47 . 2009-06-18 18:47 76688 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2009-06-18 16:30 . 2009-06-18 16:30 -------- d-----w- c:\windows\Fonts\log
2009-06-16 14:36 . 2002-08-29 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2002-08-29 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2003-05-13 14:28 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-29 18:15 . 2009-05-29 16:01 2371 ----a-w- c:\windows\icons.cmd
2009-05-29 15:58 . 2009-05-29 15:58 -------- d-----w- c:\program files\Orl
2009-05-29 15:37 . 2009-05-29 15:34 -------- d-----w- c:\program files\ultravnc
2009-05-07 15:32 . 2002-08-29 11:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-02-18 20:19 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-27 21:36 . 2009-04-27 21:36 60744 ----a-w- c:\windows\JAVA\g2mdlhlpx.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-06 684032]
"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-01 28672]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-09-18 77824]
"Prism Deploy Client"="c:\program files\Prism Deploy\Client\PTClient.exe" [2006-07-27 2117632]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"Track-It! Workstation Manager Service Monitor"="c:\windows\TIREMOTE\TIServiceMonitor.exe" [2008-01-02 165888]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-06-18 718120]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-16 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
PDFBlaster Control Panel.lnk - c:\program files\DataFab\PDFBlaster\DFConfigPDF.exe [2005-2-10 2864864]
Scanner File Utility.lnk - c:\program files\Kyocera Mita\FileUtility\NsCatCom.exe [2005-11-23 311296]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= bckgzm.exe
"2"= chkrzm.exe
"3"= freecell.exe
"4"= hrtzzm.exe
"5"= mshearts.exe
"6"= pinball.exe
"7"= rvsezm.exe
"8"= shvlzm.exe
"9"= sol.exe
"10"= spider.exe
"11"= winmine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 15:01 8704 ----a-w- c:\windows\SYSTEM32\PCANotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 Channel Deployer;Channel Deployer;c:\program files\Common Files\New Boundary\PrismXL\channeldeploy.sys [6/1/2005 8:26 AM 65536]
R2 TIRmtCtl;Track-It! Remote Control;c:\windows\TIREMOTE\wuser32.exe [2/7/2007 2:12 PM 311374]
R2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\TIREMOTE\TIRemoteService.exe [2/7/2007 2:12 PM 212480]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [3/27/2009 7:16 PM 36368]
R2 winvnc.exe;winvnc;c:\program files\ultravnc\winvnc.exe [4/3/2009 7:07 PM 1693128]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [3/27/2009 7:16 PM 225296]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [6/18/2009 1:37 PM 652552]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {10C6D10C-EB9F-4E06-82EF-98D9BBF51F5A} = 192.168.10.10,192.168.14.8
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-22 16:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2009-07-22 16:03
ComboFix-quarantined-files.txt 2009-07-22 20:02

Pre-Run: 18,375,102,464 bytes free
Post-Run: 18,523,037,696 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

147 --- E O F --- 2009-07-22 00:03

Are there any additional steps to ensure the problem has been removed?

Bump

Are there additional steps after running the ComboFix program? The user has indicated that the cursor still flashes and displays the hour glass like there is disk activity.

Rick

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  Code:

  
:filefind
proquota.exe

  
  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt

Here are the resutls of the SystemLook scan.

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 12:37 on 03/08/2009 by ckemmerer (Administrator - Elevation successful)

========== filefind ==========

Searching for "proquota.exe"
C:\I386\PROQUOTA.EXE --a--- 45056 bytes [19:14 24/02/2003] [11:00 29/08/2002] B2A23CE7706D4B4A7D192761CD3DB3E1
C:\WINDOWS\$NtServicePackUninstall$\proquota.exe -----c 50176 bytes [11:12 09/10/2008] [07:56 04/08/2004] 4D9D45A4370E0C2AD00C362B7118E2A4
C:\WINDOWS\ServicePackFiles\i386\proquota.exe ------ 50176 bytes [07:56 04/08/2004] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8

-=End Of File=-

Hello.

Now open a new notepad file.
Input this into the notepad file:

FCopy::
C:\WINDOWS\$NtServicePackUninstall$\proquota.exe | c:\windows\system32\proquota.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

I keep receiving an error message that the post is too large. Is there somewhere that I should upload the log file?

To help expedite the process, I will break-up the log file.

ComboFix 09-08-03.02 - ckemmerer 08/03/2009 15:37.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.245 [GMT -4:00]
Running from: c:\documents and settings\ckemmerer\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\ckemmerer\Desktop\cfscript.txt
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {6A7A062E-44A9-456C-B7BB-F9943136EA7D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://mail
.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\proquota.exe --> c:\windows\system32\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-07-03 to 2009-08-03 )))))))))))))))))))))))))))))))
.

2009-08-03 19:37 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-03 19:37 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-21 18:26 . 2009-07-21 18:26 -------- d-----w- c:\documents and settings\ckemmerer\Application Data\Malwarebytes
2009-07-21 18:26 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-21 18:26 . 2009-07-21 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-21 18:26 . 2009-07-21 18:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-21 18:26 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-16 18:42 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\ckemmerer\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-07-16 18:41 . 2009-07-16 18:41 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-16 18:39 . 2009-07-16 18:39 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-07-16 18:39 . 2009-07-17 11:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-16 18:39 . 2009-07-17 11:04 -------- d-----w- c:\program files\NOS
2009-07-16 18:24 . 2009-07-16 18:23 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-16 18:23 . 2009-07-16 18:23 -------- d-----w- c:\program files\Java

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-16 18:44 . 2003-03-17 21:50 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-29 16:12 . 2005-02-18 20:19 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2002-08-29 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-19 05:08 . 2004-12-27 19:58 -------- d-----w- c:\program files\Trend Micro
2009-06-18 18:47 . 2009-06-19 05:18 142992 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-06-18 18:47 . 2009-06-18 18:47 76688 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2009-06-18 16:30 . 2009-06-18 16:30 -------- d-----w- c:\windows\Fonts\log
2009-06-16 14:36 . 2002-08-29 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2002-08-29 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2003-05-13 14:28 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-29 18:15 . 2009-05-29 16:01 2371 ----a-w- c:\windows\icons.cmd
2009-05-07 15:32 . 2002-08-29 11:00 345600 ----a-w- c:\windows\system32\localspl.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-22_20.00.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-29 11:23 . 2009-07-29 11:23 16384 c:\windows\Temp\Perflib_Perfdata_6b8.dat
- 2002-08-29 11:00 . 2009-04-29 04:56 44544 c:\windows\SYSTEM32\pngfilt.dll
+ 2002-08-29 11:00 . 2009-06-29 16:12 44544 c:\windows\SYSTEM32\pngfilt.dll
- 2007-08-13 22:54 . 2009-04-29 04:55 52224 c:\windows\SYSTEM32\msfeedsbs.dll
+ 2007-08-13 22:54 . 2009-06-29 16:12 52224 c:\windows\SYSTEM32\msfeedsbs.dll
- 2002-08-29 11:00 . 2009-04-29 04:55 27648 c:\windows\SYSTEM32\jsproxy.dll
+ 2002-08-29 11:00 . 2009-06-29 16:12 27648 c:\windows\SYSTEM32\jsproxy.dll
+ 2007-08-13 22:39 . 2009-06-29 11:07 13824 c:\windows\SYSTEM32\ieudinit.exe
- 2007-08-13 22:39 . 2009-04-28 09:05 13824 c:\windows\SYSTEM32\ieudinit.exe
- 2002-08-29 11:00 . 2009-04-29 04:55 44544 c:\windows\SYSTEM32\iernonce.dll
+ 2002-08-29 11:00 . 2009-06-29 16:12 44544 c:\windows\SYSTEM32\iernonce.dll
- 2002-08-29 11:00 . 2009-04-28 09:05 70656 c:\windows\SYSTEM32\ie4uinit.exe
+ 2002-08-29 11:00 . 2009-06-29 11:07 70656 c:\windows\SYSTEM32\ie4uinit.exe
- 2007-08-13 22:36 . 2009-04-29 04:55 63488 c:\windows\SYSTEM32\icardie.dll
+ 2007-08-13 22:36 . 2009-06-29 16:12 63488 c:\windows\SYSTEM32\icardie.dll
+ 2006-05-10 05:23 . 2009-06-29 16:12 44544 c:\windows\SYSTEM32\DLLCACHE\pngfilt.dll
- 2006-05-10 05:23 . 2009-04-29 04:56 44544 c:\windows\SYSTEM32\DLLCACHE\pngfilt.dll
- 2007-12-07 02:21 . 2009-04-29 04:55 52224 c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
+ 2007-12-07 02:21 . 2009-06-29 16:12 52224 c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
- 2006-05-10 05:22 . 2009-04-29 04:55 27648 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2006-05-10 05:22 . 2009-06-29 16:12 27648 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
- 2007-12-06 11:00 . 2009-04-28 09:05 13824 c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
+ 2007-12-06 11:00 . 2009-06-29 11:07 13824 c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
+ 2007-08-13 22:39 . 2009-06-29 16:12 44544 c:\windows\SYSTEM32\DLLCACHE\iernonce.dll
- 2007-08-13 22:39 . 2009-04-29 04:55 44544 c:\windows\SYSTEM32\DLLCACHE\iernonce.dll
+ 2009-02-20 18:09 . 2009-06-29 16:12 78336 c:\windows\SYSTEM32\DLLCACHE\ieencode.dll
- 2009-02-20 18:09 . 2009-04-29 04:55 78336 c:\windows\SYSTEM32\DLLCACHE\ieencode.dll
- 2007-08-13 22:39 . 2009-04-28 09:05 70656 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
+ 2007-08-13 22:39 . 2009-06-29 11:07 70656 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
- 2007-12-07 02:21 . 2009-04-29 04:55 63488 c:\windows\SYSTEM32\DLLCACHE\icardie.dll
+ 2007-12-07 02:21 . 2009-06-29 16:12 63488 c:\windows\SYSTEM32\DLLCACHE\icardie.dll
+ 2009-06-29 16:12 . 2009-06-29 16:12 17408 c:\windows\SYSTEM32\DLLCACHE\corpol.dll
+ 2009-07-29 11:20 . 2009-04-29 04:56 44544 c:\windows\ie7updates\KB972260-IE7\pngfilt.dll
+ 2009-07-29 11:20 . 2009-04-29 04:55 52224 c:\windows\ie7updates\KB972260-IE7\msfeedsbs.dll
+ 2009-07-29 11:20 . 2009-04-29 04:55 27648 c:\windows\ie7updates\KB972260-IE7\jsproxy.dll
+ 2009-07-29 11:20 . 2009-04-28 09:05 13824 c:\windows\ie7updates\KB972260-IE7\ieudinit.exe
+ 2009-07-29 11:20 . 2009-04-29 04:55 44544 c:\windows\ie7updates\KB972260-IE7\iernonce.dll
+ 2009-07-29 11:20 . 2009-04-29 04:55 78336 c:\windows\ie7updates\KB972260-IE7\ieencode.dll
+ 2009-07-29 11:20 . 2009-04-28 09:05 70656 c:\windows\ie7updates\KB972260-IE7\ie4uinit.exe
+ 2009-07-29 11:20 . 2009-04-29 04:55 63488 c:\windows\ie7updates\KB972260-IE7\icardie.dll
+ 2009-07-29 11:20 . 2008-04-14 00:11 35328 c:\windows\ie7updates\KB972260-IE7\corpol.dll
+ 2008-01-12 04:30 . 2009-08-01 05:43 186880 c:\windows\TIREMOTE\TIAgentConfig.exe
- 2008-01-12 04:30 . 2009-07-18 05:34 186880 c:\windows\TIREMOTE\TIAgentConfig.exe
- 2002-08-29 11:00 . 2009-04-29 04:56 233472 c:\windows\SYSTEM32\webcheck.dll
+ 2002-08-29 11:00 . 2009-06-29 16:12 233472 c:\windows\SYSTEM32\webcheck.dll
- 2002-08-29 11:00 . 2009-04-29 04:56 105984 c:\windows\SYSTEM32\url.dll
+ 2002-08-29 11:00 . 2009-06-29 16:12 105984 c:\windows\SYSTEM32\url.dll
- 2002-08-29 11:00 . 2009-04-29 04:56 102912 c:\windows\SYSTEM32\occache.dll
+ 2002-08-29 11:00 . 2009-06-29 16:12 102912 c:\windows\SYSTEM32\occache.dll
+ 2002-08-29 11:00 . 2009-06-29 16:12 671232 c:\windows\SYSTEM32\mstime.dll
- 2002-08-29 11:00 . 2009-04-29 04:56 671232 c:\windows\SYSTEM32\mstime.dll
- 2002-08-29 11:00 . 2009-04-29 04:56 193024 c:\windows\SYSTEM32\msrating.dll
+ 2002-08-29 11:00 . 2009-06-29 16:12 193024 c:\windows\SYSTEM32\msrating.dll
- 2002-08-29 11:00 . 2009-04-29 04:56 477696 c:\windows\SYSTEM32\mshtmled.dll
+ 2002-08-29 11:00 . 2009-06-29 16:12 477696 c:\windows\SYSTEM32\mshtmled.dll
+ 2007-08-13 22:54 . 2009-06-29 16:12 459264 c:\windows\SYSTEM32\msfeeds.dll
- 2007-08-13 22:54 . 2009-04-29 04:55 459264 c:\windows\SYSTEM32\msfeeds.dll
+ 2007-08-13 22:34 . 2009-06-29 16:12 268288 c:\windows\SYSTEM32\iertutil.dll
- 2007-08-13 22:34 . 2009-04-29 04:55 268288 c:\windows\SYSTEM32\iertutil.dll
+ 2002-08-29 11:00 . 2009-06-29 16:12 385024 c:\windows\SYSTEM32\iedkcs32.dll
- 2002-08-29 11:00 . 2009-04-29 04:55 385024 c:\windows\SYSTEM32\iedkcs32.dll
+ 2007-07-11 16:27 . 2009-06-29 16:12 380928 c:\windows\SYSTEM32\ieapfltr.dll
+ 2002-08-29 11:00 . 2009-06-29 08:33 161792 c:\windows\SYSTEM32\ieakui.dll
- 2002-08-29 11:00 . 2009-04-25 05:26 161792 c:\windows\SYSTEM32\ieakui.dll
- 2002-08-29 11:00 . 2009-04-29 04:55 230400 c:\windows\SYSTEM32\ieaksie.dll
+ 2002-08-29 11:00 . 2009-06-29 16:12 230400 c:\windows\SYSTEM32\ieaksie.dll
- 2002-08-29 11:00 . 2009-04-29 04:55 153088 c:\windows\SYSTEM32\ieakeng.dll
+ 2002-08-29 11:00 . 2009-06-29 16:12 153088 c:\windows\SYSTEM32\ieakeng.dll
- 2004-08-04 07:56 . 2009-04-29 04:55 133120 c:\windows\SYSTEM32\extmgr.dll
+ 2004-08-04 07:56 . 2009-06-29 16:12 133120 c:\windows\SYSTEM32\extmgr.dll
- 2002-08-29 11:00 . 2009-04-29 04:55 214528 c:\windows\SYSTEM32\dxtrans.dll
+ 2002-08-29 11:00 . 2009-06-29 16:12 214528 c:\windows\SYSTEM32\dxtrans.dll
- 2002-08-29 11:00 . 2009-04-29 04:55 347136 c:\windows\SYSTEM32\dxtmsft.dll
+ 2002-08-29 11:00 . 2009-06-29 16:12 347136 c:\windows\SYSTEM32\dxtmsft.dll
+ 2006-05-10 05:23 . 2009-06-29 16:12 827392 c:\windows\SYSTEM32\DLLCACHE\wininet.dll
- 2006-05-10 05:23 . 2009-04-29 04:56 827392 c:\windows\SYSTEM32\DLLCACHE\wininet.dll
+ 2007-08-13 22:54 . 2009-06-29 16:12 233472 c:\windows\SYSTEM32\DLLCACHE\webcheck.dll
- 2007-08-13 22:54 . 2009-04-29 04:56 233472 c:\windows\SYSTEM32\DLLCACHE\webcheck.dll
+ 2007-08-13 22:44 . 2009-06-29 16:12 105984 c:\windows\SYSTEM32\DLLCACHE\url.dll
- 2007-08-13 22:44 . 2009-04-29 04:56 105984 c:\windows\SYSTEM32\DLLCACHE\url.dll
+ 2007-08-13 22:44 . 2009-06-29 16:12 102912 c:\windows\SYSTEM32\DLLCACHE\occache.dll
- 2007-08-13 22:44 . 2009-04-29 04:56 102912 c:\windows\SYSTEM32\DLLCACHE\occache.dll
+ 2006-05-10 05:23 . 2009-06-29 16:12 671232 c:\windows\SYSTEM32\DLLCACHE\mstime.dll
- 2006-05-10 05:23 . 2009-04-29 04:56 671232 c:\windows\SYSTEM32\DLLCACHE\mstime.dll
- 2006-05-10 05:23 . 2009-04-29 04:56 193024 c:\windows\SYSTEM32\DLLCACHE\msrating.dll
+ 2006-05-10 05:23 . 2009-06-29 16:12 193024 c:\windows\SYSTEM32\DLLCACHE\msrating.dll
- 2006-05-10 05:23 . 2009-04-29 04:56 477696 c:\windows\SYSTEM32\DLLCACHE\mshtmled.dll
+ 2006-05-10 05:23 . 2009-06-29 16:12 477696 c:\windows\SYSTEM32\DLLCACHE\mshtmled.dll
- 2007-12-07 02:21 . 2009-04-29 04:55 459264 c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
+ 2007-12-07 02:21 . 2009-06-29 16:12 459264 c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
+ 2007-08-13 22:43 . 2009-06-29 08:35 634632 c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
+ 2007-12-07 02:21 . 2009-06-29 16:12 268288 c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
- 2007-12-07 02:21 . 2009-04-29 04:55 268288 c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
- 2007-08-13 22:39 . 2009-04-29 04:55 385024 c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll
+ 2007-08-13 22:39 . 2009-06-29 16:12 385024 c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll
+ 2007-12-07 02:21 . 2009-06-29 16:12 380928 c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dll
+ 2007-08-13 21:56 . 2009-06-29 08:33 161792 c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
- 2007-08-13 21:56 . 2009-04-25 05:26 161792 c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
- 2007-08-13 22:39 . 2009-04-29 04:55 230400 c:\windows\SYSTEM32\DLLCACHE\ieaksie.dll
+ 2007-08-13 22:39 . 2009-06-29 16:12 230400 c:\windows\SYSTEM32\DLLCACHE\ieaksie.dll
- 2007-08-13 22:39 . 2009-04-29 04:55 153088 c:\windows\SYSTEM32\DLLCACHE\ieakeng.dll
+ 2007-08-13 22:39 . 2009-06-29 16:12 153088 c:\windows\SYSTEM32\DLLCACHE\ieakeng.dll
- 2006-05-10 05:22 . 2009-04-29 04:55 133120 c:\windows\SYSTEM32\DLLCACHE\extmgr.dll
+ 2006-05-10 05:22 . 2009-06-29 16:12 133120 c:\windows\SYSTEM32\DLLCACHE\extmgr.dll
+ 2006-05-10 05:22 . 2009-06-29 16:12 214528 c:\windows\SYSTEM32\DLLCACHE\dxtrans.dll
- 2006-05-10 05:22 . 2009-04-29 04:55 214528 c:\windows\SYSTEM32\DLLCACHE\dxtrans.dll
+ 2006-05-10 05:22 . 2009-06-29 16:12 347136 c:\windows\SYSTEM32\DLLCACHE\dxtmsft.dll
- 2006-05-10 05:22 . 2009-04-29 04:55 347136 c:\windows\SYSTEM32\DLLCACHE\dxtmsft.dll
- 2007-08-13 22:39 . 2009-04-29 04:55 124928 c:\windows\SYSTEM32\DLLCACHE\advpack.dll
+ 2007-08-13 22:39 . 2009-06-29 16:12 124928 c:\windows\SYSTEM32\DLLCACHE\advpack.dll
+ 2002-08-29 11:00 . 2009-06-29 16:12 124928 c:\windows\SYSTEM32\advpack.dll
- 2002-08-29 11:00 . 2009-04-29 04:55 124928 c:\windows\SYSTEM32\advpack.dll
+ 2009-07-29 11:20 . 2009-04-29 04:56 827392 c:\windows\ie7updates\KB972260-IE7\wininet.dll
+ 2009-07-29 11:20 . 2009-04-29 04:56 233472 c:\windows\ie7updates\KB972260-IE7\webcheck.dll
+ 2009-07-29 11:20 . 2009-04-29 04:56 105984 c:\windows\ie7updates\KB972260-IE7\url.dll
+ 2009-07-29 11:20 . 2009-05-26 11:40 382840 c:\windows\ie7updates\KB972260-IE7\spuninst\updspapi.dll
+ 2009-07-29 11:20 . 2008-07-08 13:02 231288 c:\windows\ie7updates\KB972260-IE7\spuninst\spuninst.exe
+ 2009-07-29 11:20 . 2009-04-29 04:56 102912 c:\windows\ie7updates\KB972260-IE7\occache.dll
+ 2009-07-29 11:20 . 2009-04-29 04:56 671232 c:\windows\ie7updates\KB972260-IE7\mstime.dll
+ 2009-07-29 11:20 . 2009-04-29 04:56 193024 c:\windows\ie7updates\KB972260-IE7\msrating.dll
+ 2009-07-29 11:20 . 2009-04-29 04:56 477696 c:\windows\ie7updates\KB972260-IE7\mshtmled.dll
+ 2009-07-29 11:20 . 2009-04-29 04:55 459264 c:\windows\ie7updates\KB972260-IE7\msfeeds.dll
+ 2009-07-29 11:20 . 2009-04-25 05:27 636088 c:\windows\ie7updates\KB972260-IE7\iexplore.exe
+ 2009-07-29 11:20 . 2009-04-29 04:55 268288 c:\windows\ie7updates\KB972260-IE7\iertutil.dll
+ 2009-07-29 11:20 . 2009-04-29 04:55 385024 c:\windows\ie7updates\KB972260-IE7\iedkcs32.dll
+ 2009-07-29 11:20 . 2009-04-29 04:55 383488 c:\windows\ie7updates\KB972260-IE7\ieapfltr.dll
+ 2009-07-29 11:20 . 2009-04-25 05:26 161792 c:\windows\ie7updates\KB972260-IE7\ieakui.dll
+ 2009-07-29 11:20 . 2009-04-29 04:55 230400 c:\windows\ie7updates\KB972260-IE7\ieaksie.dll
+ 2009-07-29 11:20 . 2009-04-29 04:55 153088 c:\windows\ie7updates\KB972260-IE7\ieakeng.dll
+ 2009-07-29 11:20 . 2009-04-29 04:55 133120 c:\windows\ie7updates\KB972260-IE7\extmgr.dll
+ 2009-07-29 11:20 . 2009-04-29 04:55 214528 c:\windows\ie7updates\KB972260-IE7\dxtrans.dll
+ 2009-07-29 11:20 . 2009-04-29 04:55 347136 c:\windows\ie7updates\KB972260-IE7\dxtmsft.dll
+ 2009-07-29 11:20 . 2009-04-29 04:55 124928 c:\windows\ie7updates\KB972260-IE7\advpack.dll
+ 2004-12-07 21:37 . 2009-06-29 16:12 1159680 c:\windows\SYSTEM32\urlmon.dll
- 2004-12-07 21:37 . 2009-04-29 04:56 1159680 c:\windows\SYSTEM32\urlmon.dll
+ 2005-01-27 20:35 . 2009-07-19 13:33 3597824 c:\windows\SYSTEM32\mshtml.dll
+ 2007-08-13 22:54 . 2009-07-19 13:32 6067200 c:\windows\SYSTEM32\ieframe.dll
+ 2007-02-12 20:10 . 2009-06-29 08:33 2452872 c:\windows\SYSTEM32\ieapfltr.dat
+ 2006-05-10 05:23 . 2009-06-29 16:12 1159680 c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
- 2006-05-10 05:23 . 2009-04-29 04:56 1159680 c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
+ 2006-05-19 15:08 . 2009-07-19 13:33 3597824 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
+ 2007-12-07 02:21 . 2009-07-19 13:32 6067200 c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
+ 2007-04-17 09:32 . 2009-06-29 08:33 2452872 c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dat
+ 2009-07-29 11:20 . 2009-04-29 04:56 1159680 c:\windows\ie7updates\KB972260-IE7\urlmon.dll
+ 2009-07-29 11:20 . 2009-04-29 04:56 3596288 c:\windows\ie7updates\KB972260-IE7\mshtml.dll
+ 2009-07-29 11:20 . 2009-04-29 04:55 6066176 c:\windows\ie7updates\KB972260-IE7\ieframe.dll
+ 2009-07-29 11:20 . 2008-07-09 14:25 2455488 c:\windows\ie7updates\KB972260-IE7\ieapfltr.dat
.
-- Snapshot reset to current date --
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-06 684032]
"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-01 28672]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-09-18 77824]
"Prism Deploy Client"="c:\program files\Prism Deploy\Client\PTClient.exe" [2006-07-27 2117632]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"Track-It! Workstation Manager Service Monitor"="c:\windows\TIREMOTE\TIServiceMonitor.exe" [2008-01-02 165888]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-06-18 718120]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-16 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
PDFBlaster Control Panel.lnk - c:\program files\DataFab\PDFBlaster\DFConfigPDF.exe [2005-2-10 2864864]
Scanner File Utility.lnk - c:\program files\Kyocera Mita\FileUtility\NsCatCom.exe [2005-11-23 311296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 15:01 8704 ----a-w- c:\windows\SYSTEM32\PCANotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 Channel Deployer;Channel Deployer;c:\program files\Common Files\New Boundary\PrismXL\channeldeploy.sys [6/1/2005 8:26 AM 65536]
R2 TIRmtCtl;Track-It! Remote Control;c:\windows\TIREMOTE\wuser32.exe [2/7/2007 2:12 PM 311374]
R2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\TIREMOTE\TIRemoteService.exe [2/7/2007 2:12 PM 212480]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [3/27/2009 7:16 PM 36368]
R2 winvnc.exe;winvnc;c:\program files\ultravnc\winvnc.exe [4/3/2009 7:07 PM 1693128]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [3/27/2009 7:16 PM 225296]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [6/18/2009 1:37 PM 652552]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {10C6D10C-EB9F-4E06-82EF-98D9BBF51F5A} = 192.168.10.10,192.168.14.8
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-03 15:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\COMRes.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2009-08-03 15:46
ComboFix-quarantined-files.txt 2009-08-03 19:46
ComboFix2.txt 2009-07-22 20:03

Pre-Run: 18,107,559,936 bytes free
Post-Run: 18,218,258,432 bytes free

272 --- E O F --- 2009-07-29 11:21

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?

I ran the ComboFix uninstall. The user is still complaining that the hourglass is flashing next to the arrow when the System Idol Process is at 99%.

Okay, just close it and delete the C:\Qoobox folder manually.
How is the machine running now?

Sorry it took so long to reply to your response. I was away from the office for a few days. The user is stating that there have been NO changes with the cursor.

What exactly is wrong with the cursor?

The hourglass flickers as if there is disc activity. (The System Idle Process is at 99%) While it does not keep the user from working, it is a nusiance.

Additionally...while it has not happened in a while (we may have fixed the problem in one of the previous steps in the email) the cursor would randomly move across the screen, occasionally selecting and opening desktop shortcuts. I have disabled the Microsoft Office speech to text program. We also removed the USB optical mouse and replaced it with an old PS2 ball mouse and the same cursor problems were present. The drivers for the optical mouse are the latest version as well.

This may not be an AV/Spyware problem. I simply cannot find anything hardware/software/settings realted.