I ran VundoFix.exe and it found nothing.
Soon thereafter, I was attacked again by winfixer...
Norton asked if I wanted to remove, Yes i said...
But it is still there...
I ran ComboFix after reading a thread and my results follow...
My initial attack date was 9-23-2006 so the programs below look suspicious...
C:\WINDOWS\SYSTEM32\gebca.exe
C:\WINDOWS\SYSTEM32\dpvLPR.dll
Any suggestions on how to proceed?
Thanks , Phil
Phil Stone - 06-09-27 14:10:19.09 Service Pack 2
ComboFix 06.09.27 - Running from: "C:\Documents and Settings\Phil Stone\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-08-27 to 2006-09-27 ))))))))))))))))))))))))))))))))))
2006-09-23 07:22 23,474 --a------ C:\WINDOWS\SYSTEM32\gebca.exe
2006-09-23 07:22 16,934 --a------ C:\WINDOWS\SYSTEM32\dpvLPR.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-09-27 00:25 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-25 19:06 -------- d-------- C:\Program Files\Norton Internet Security
2006-09-24 09:54 -------- d-------- C:\Program Files\Pure Networks
2006-09-23 10:36 -------- d-------- C:\Program Files\Enigma Software Group
2006-09-23 08:42 28672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CO_Mon.sys
2006-09-22 17:51 -------- d-------- C:\Program Files\Symantec
2006-09-22 17:39 -------- d-------- C:\Program Files\Norton SystemWorks
2006-09-15 22:04 48816 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2006-09-15 22:04 109744 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2006-09-12 11:04 -------- d-------- C:\Documents and Settings\Phil Stone\Application Data\Google
2006-09-12 08:30 -------- d-------- C:\Program Files\Google
2006-09-05 13:13 -------- d-------- C:\Documents and Settings\Phil Stone\Application Data\Symantec
2006-09-05 13:08 -------- d-------- C:\Program Files\Common Files
2006-09-05 13:07 10344 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symlcbrd.sys
2006-09-02 18:06 -------- d-------- C:\Program Files\Java
2006-08-21 08:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2006-08-13 03:02 -------- d-------- C:\Program Files\Internet Explorer
2006-08-07 16:02 534208 --a------ C:\WINDOWS\SYSTEM32\SymNeti.dll
2006-08-07 16:02 31936 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symids.sys
2006-08-07 16:02 28352 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symndis.sys
2006-08-07 16:02 24768 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symredrv.sys
2006-08-07 16:02 195776 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symtdi.sys
2006-08-07 16:02 161472 --a------ C:\WINDOWS\SYSTEM32\SymRedir.dll
2006-08-07 16:02 110784 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symfw.sys
2006-08-07 16:01 12992 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symdns.sys
2006-07-31 11:20 -------- d-------- C:\Program Files\America Online 9.0a
2006-07-30 15:41 -------- d---s---- C:\Documents and Settings\Phil Stone\Application Data\Microsoft
2006-07-27 09:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"=""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Iomega Automatic Backup Pro"="\"C:\\Program Files\\Iomega\\Automatic Backup Pro\\LiveSystem.exe\" -s"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"EPSON Stylus Photo RX500"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2K1.EXE /P24 \"EPSON Stylus Photo RX500\" /O6 \"USB001\" /M \"Stylus Photo RX500\""
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1135343532\\ee\\AOLSoftware.exe"
"eFax 4.1"="\"C:\\Program Files\\eFax Messenger 4.1\\J2GDllCmd.exe\" /R"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"QD FastAndSafe"=""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,de,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dpvLPR
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Phil Stone.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\Symantec NetDetect.job
Completion time: Wed 09/27/2006 14:11:37.25
ComboFix.txt