01-24-2008, 06:31 PM   #8
ejr5033
Registered User
 
Join Date: Jul 2007
Posts: 12
OS: WinXP


Re: Trojan.Vundo found, occasional pop-ups

I am very sorry that it took so long to respond to this, but for some reason I didn't get the email saying that I had received a response. I'll make sure that I didn't accidentally lose my subscription to this thread.

Anyway, here's the ComboFix.txt:

ComboFix 08-01-20.1 - Eric Reese 2008-01-24 14:47:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1369 [GMT -5:00]
Running from: C:\Documents and Settings\Eric Reese\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Eric Reese\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\IFinst27.exe
C:\WINDOWS\system32\drivers\qmpjayhdebjt.sys
C:\WINDOWS\system32\fgdmkprr.ini
C:\WINDOWS\system32\ssttr.dll_tobedeleted_old
C:\WINDOWS\system32\sstts.dll_tobedeleted_old
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\IFinst27.exe
C:\WINDOWS\system32\drivers\qmpjayhdebjt.sys
C:\WINDOWS\system32\fgdmkprr.ini
C:\WINDOWS\system32\ssttr.dll_tobedeleted_old
C:\WINDOWS\system32\sstts.dll_tobedeleted_old

.
((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.

2008-01-22 22:02 . 2008-01-22 22:02 <DIR> d-------- C:\Program Files\AutoMacroRecorder
2008-01-22 22:02 . 2008-01-22 22:02 109,440 --a------ C:\WINDOWS\system32\drivers\KbdCap.sys
2008-01-22 20:54 . 2004-02-23 00:00 150,528 --a------ C:\WINDOWS\system32\TLBINF32.DLL
2008-01-22 20:54 . 2004-09-02 09:56 102,912 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-01-22 20:54 . 2005-02-01 03:46 20,480 --a------ C:\WINDOWS\system32\re324224.exe
2008-01-21 12:05 . 2008-01-21 12:05 <DIR> d-------- C:\Program Files\mIRC
2008-01-21 12:05 . 2008-01-21 12:19 <DIR> d-------- C:\Documents and Settings\Eric Reese\Application Data\mIRC
2008-01-21 03:22 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-21 03:22 . 2008-01-15 21:51 220 --a------ C:\Boot.bak
2008-01-19 16:34 . 2003-02-28 18:26 172,304 --a------ C:\WINDOWS\system32\jview.exe
2008-01-19 16:34 . 2003-02-28 18:26 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2008-01-19 16:34 . 2003-02-28 18:26 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2008-01-18 14:45 . 2008-01-18 14:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-18 12:45 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-17 10:32 . 2008-01-17 10:32 126 --a------ C:\WINDOWS\mdm.ini
2008-01-17 10:30 . 2008-01-17 10:30 <DIR> d-------- C:\Program Files\Web Publish
2008-01-17 10:15 . 2008-01-17 10:15 <DIR> d-------- C:\Program Files\SourceTec
2008-01-17 10:15 . 2008-01-17 10:15 <DIR> d-------- C:\Program Files\Common Files\SourceTec
2008-01-16 00:02 . 2008-01-17 23:08 253 --a------ C:\WINDOWS\w32demo8.ini
2008-01-15 23:34 . 2008-01-15 23:34 604 --a------ C:\WINDOWS\system32\drivers\Syser.cfg
2008-01-15 23:34 . 2008-01-15 23:34 541 --a------ C:\WINDOWS\system32\drivers\ModExSym.lst
2008-01-15 23:34 . 2008-01-15 23:34 184 --a------ C:\WINDOWS\system32\drivers\SyserColor.cfg
2008-01-15 23:30 . 2008-01-15 23:30 <DIR> d-------- C:\WINDOWS\system32\drivers\plugin
2008-01-15 23:30 . 2008-01-17 12:19 <DIR> d-------- C:\Program Files\Syser
2008-01-15 23:30 . 2007-11-15 07:20 1,229,056 --a------ C:\WINDOWS\system32\drivers\Syser.sys
2008-01-15 23:30 . 2007-07-02 12:15 933,888 --a------ C:\WINDOWS\system32\drivers\Wisp.dat
2008-01-15 23:30 . 2007-11-15 07:18 869,376 --a------ C:\WINDOWS\system32\drivers\SysLang.sys
2008-01-15 23:30 . 2007-06-28 21:49 401,408 --a------ C:\WINDOWS\system32\drivers\Syser.dat
2008-01-15 23:30 . 2007-06-28 21:49 297,121 --a------ C:\WINDOWS\system32\drivers\APIDef.lib
2008-01-15 23:30 . 2007-11-15 07:18 23,936 --a------ C:\WINDOWS\system32\drivers\SysBoot.sys
2008-01-15 23:30 . 2007-11-15 07:18 11,520 --a------ C:\WINDOWS\system32\drivers\SDbgMsg.sys
2008-01-15 21:50 . 2008-01-15 21:50 <DIR> d-------- C:\Program Files\NuMega
2008-01-15 18:03 . 2008-01-15 18:05 <DIR> d-------- C:\Program Files\Chaos SD
2008-01-15 10:37 . 2008-01-17 12:38 321 --a------ C:\WINDOWS\WPE_PRO.INI
2008-01-14 23:20 . 2008-01-14 23:20 <DIR> d-------- C:\Program Files\Ventrilo
2008-01-14 23:18 . 2008-01-16 17:21 <DIR> d-------- C:\Program Files\VentSrv
2008-01-14 14:59 . 2008-01-14 16:44 321 --a------ C:\WINDOWS\WPE PRO.INI
2008-01-13 22:32 . 2008-01-13 22:32 <DIR> d-------- C:\Documents and Settings\Eric Reese\Application Data\Secret of the Solstice
2008-01-13 20:25 . 2007-12-26 17:30 1,970,176 --a------ C:\WINDOWS\system32\d3dx9.dll
2008-01-13 20:25 . 2007-12-26 17:30 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
2008-01-13 17:51 . 2008-01-13 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-01-13 17:50 . 2008-01-13 17:51 <DIR> d-------- C:\Program Files\Canon
2008-01-13 17:46 . 2008-01-13 17:46 <DIR> d-------- C:\Program Files\Common Files\Canon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 19:46 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-01-22 01:28 --------- d-----w C:\Program Files\Warcraft III
2008-01-21 06:22 --------- d-----w C:\Documents and Settings\Eric Reese\Application Data\uTorrent
2008-01-21 00:11 --------- d-----w C:\Program Files\Outspark
2008-01-21 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
2008-01-19 21:39 155,995 ----a-w C:\WINDOWS\java\Packages\6LBFPRTV.ZIP
2008-01-18 20:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-01-18 18:46 --------- d-----w C:\Program Files\iTunes
2008-01-18 18:43 --------- d-----w C:\Program Files\Google
2008-01-18 18:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-18 18:41 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-01-18 18:40 --------- d-----w C:\Program Files\Bonjour
2008-01-18 18:40 --------- d-----w C:\Program Files\AIM6
2008-01-18 04:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-17 16:21 --------- d-----w C:\Program Files\SealOnlineUSA
2008-01-17 04:00 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-17 01:43 --------- d-----w C:\Program Files\Torrent Episode Downloader
2008-01-16 22:21 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-16 22:21 --------- d-----w C:\Documents and Settings\Eric Reese\Application Data\Viewpoint
2008-01-15 04:21 --------- d-----w C:\Documents and Settings\Eric Reese\Application Data\Ventrilo
2007-12-14 03:29 --------- d-----w C:\Program Files\Cheat Engine
2007-12-13 08:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-08 09:12 --------- d-----w C:\Program Files\DivX
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 01:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 21:53 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-11-28 21:53 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-11-28 21:53 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-11-28 21:53 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-11-28 21:52 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-26 05:49 --------- d-----w C:\Program Files\MSBuild
2007-11-26 05:28 --------- d-----w C:\Program Files\Common Files\Real
2007-11-25 23:22 --------- d-----w C:\Documents and Settings\Eric Reese\Application Data\GetRightToGo
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 22:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2005-09-24 16:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-20_14.10.01.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-20-2008\ERDNT.EXE
+ 2008-01-20 22:50:28 8,536,064 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-20-2008\Users\00000001\NTUSER.DAT
+ 2008-01-20 22:50:28 249,856 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-20-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-21-2008\ERDNT.EXE
+ 2008-01-21 07:13:10 8,540,160 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-21-2008\Users\00000001\NTUSER.DAT
+ 2008-01-21 07:13:11 249,856 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-21-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-22-2008\ERDNT.EXE
+ 2008-01-22 16:14:31 8,540,160 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-22-2008\Users\00000001\NTUSER.DAT
+ 2008-01-22 16:14:32 249,856 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-22-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-24-2008\ERDNT.EXE
+ 2008-01-24 13:07:20 8,564,736 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-24-2008\Users\00000001\NTUSER.DAT
+ 2008-01-24 13:07:20 249,856 ----a-w C:\WINDOWS\ERDNT\AutoBackup\1-24-2008\Users\00000002\UsrClass.dat
- 2008-01-20 18:54:02 1,114,112 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-24 19:47:06 1,114,112 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-20 18:54:02 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-24 19:47:06 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-20 18:54:02 1,118,208 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-24 19:47:06 1,118,208 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-20 18:54:02 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-24 19:47:06 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-20 18:54:02 8,523,776 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-24 19:47:06 8,564,736 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-20 18:54:02 249,856 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 19:47:06 249,856 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
- 2006-03-03 01:49:14 69,632 ----a-w C:\WINDOWS\system32\HPZipm12.exe
+ 2007-08-09 07:27:52 73,728 ----a-w C:\WINDOWS\system32\HPZipm12.exe
- 2006-03-03 01:49:14 69,632 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
+ 2007-08-09 07:27:52 73,728 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-08 11:04 68856]
"Aim6"="" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 10:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04 1415824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 12:18 472776]
"nwiz"="nwiz.exe" [2006-04-15 13:26 1519616 C:\WINDOWS\system32\nwiz.exe]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 06:29 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 00:46 761948]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-04-11 23:54 102400]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 10:18 49152]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 17:34 213936]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 17:34 86960]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-03-06 10:28 180224]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 10:03 40960]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 16:14 53408]
"vptray"="c:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 00:40 124656]
"SysMetrix"="C:\Program Files\SysMetrix\SysMetrix.exe" [ ]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 17:34 213936]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-15 13:26 7561216]

C:\Documents and Settings\Eric Reese\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 11:04:08 38912]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe [2005-12-15 10:40:44 282624]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-09-24 12:39:30 73728]
VPN Client.lnk - C:\WINDOWS\Installer\{176130BC-99A1-41FE-A78B-56045E33AD70}\Icon3E5562ED7.ico [2007-04-20 15:00:09 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnkih]

R0 SDbgMsg;SDbgMsg;C:\WINDOWS\system32\drivers\SDbgMsg.sys [2007-11-15 07:18]
R0 SyserBoot;SyserBoot;C:\WINDOWS\system32\drivers\SysBoot.sys [2007-11-15 07:18]
R0 SyserLanguage;SyserLanguage;C:\WINDOWS\system32\drivers\SysLang.sys [2007-11-15 07:18]
R3 kbdcap;kbdcap;C:\WINDOWS\system32\drivers\kbdcap.sys [2008-01-22 22:02]
S0 nmfilter;DriverStudio Device Filter;C:\WINDOWS\system32\DRIVERS\nmfilter.sys []
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 13:05]
S2 pciinfo;HP Pci Information;C:\DOCUME~1\ERICRE~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []
S3 DADriv1;DADriv1;C:\Documents and Settings\Eric Reese\Desktop\Desktop Folders\Things I use\Cheat Engines\DAEngine\DAK32.sys [2007-07-12 16:55]
S3 gel90xne;gel90xne;C:\DOCUME~1\ERICRE~1\LOCALS~1\Temp\gel90xne.sys []
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\Eric Reese\Desktop\Things I use\Cheat Engines\Moonlight\IlvMoney1105.sys []
S3 puma1;puma1;C:\Documents and Settings\Eric Reese\Desktop\Desktop Folders\Things I use\Cheat Engines\PumaByZé\puma.sys []
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 13:05]
S3 Revolution1;Revolution1;C:\Documents and Settings\Eric Reese\Desktop\Desktop Folders\Things I use\Cheat Engines\Rev Engine\SHAK3.sys [2007-07-01 22:26]
S3 Sex1;Sex1;C:\Documents and Settings\Eric Reese\Desktop\Things I use\Cheat Engines\Sex Engine\Sex.sys []
S3 SoRa1;SoRa1;C:\Documents and Settings\Eric Reese\Desktop\Desktop Folders\Things I use\Cheat Engines\SoRa Engine 2.3\SoRa23.sys [2007-07-20 12:39]
S3 sora121;sora121;C:\Documents and Settings\Eric Reese\Desktop\Things I use\Cheat Engines\SoRa Engine2.90\sora12.sys []
S3 SPCommand;SPCommand.sys;C:\WINDOWS\system32\drivers\Plugin\i386\SPCommand.sys [2007-11-15 07:19]
S3 spuce1;spuce1;C:\Documents and Settings\Eric Reese\Desktop\Things I use\Cheat Engines\Spuc3 Engine\spuce.sys []
S3 Syser;Syser;C:\WINDOWS\system32\drivers\Syser.sys [2007-11-15 07:20]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 01:02:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-18 20:00:56 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 14:54:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???xL??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-24 14:54:43
ComboFix-quarantined-files.txt 2008-01-24 19:54:41
ComboFix2.txt 2008-01-20 19:10:18
ComboFix3.txt 2008-01-18 00:46:59
ComboFix4.txt 2007-07-16 16:26:10
.
2008-01-19 21:35:03 --- E O F ---

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:07 PM, on 1/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {AE3C68DE-CB59-4921-8C79-0E828DAAFE3B} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {D785E699-0B52-41EB-954C-0C5AE809A6B8} - (no file)
O2 - BHO: (no name) - {FFF29BE4-24AC-4E31-B99B-45238B764111} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - http://h50203.www5.hp.com/HPISWeb/Cu...ataManager.CAB
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: opnnkih - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 12742 bytes

And the ESET Online scanner:

Win32/BHO.G trojan
C:\QooBox\Quarantine\C\WINDOWS\system32\awumclfa.dll.vir
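Three patterns in the logs above are the ones a responder would look at first: the O20 Winlogon Notify entry `opnnkih` whose path is the bare directory `C:\WINDOWS\` (the matching key under the ComboFix "Reg Loading Points" section is listed with no value), the O2 BHO CLSIDs that resolve to `(no file)`, and kernel drivers registered from `Temp` and `Desktop` locations. The script below is an added example by the editor; it is not part of the post and is not code from ComboFix, HijackThis or ESET. The heuristics are the editor's own, the line formats are inferred from the posted logs, and the sample input is a constructed handful of lines copied in the shape of those logs rather than the full output.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample in the shape of the HijackThis (Oxx) and ComboFix
# (R*/S* driver) lines posted above. Not the full logs.
SAMPLE_LINES = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE3C68DE-CB59-4921-8C79-0E828DAAFE3B} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O20 - Winlogon Notify: opnnkih - C:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
S2 pciinfo;HP Pci Information;C:\DOCUME~1\ERICRE~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []
S3 gel90xne;gel90xne;C:\DOCUME~1\ERICRE~1\LOCALS~1\Temp\gel90xne.sys []
S3 Sex1;Sex1;C:\Documents and Settings\Eric Reese\Desktop\Things I use\Cheat Engines\Sex Engine\Sex.sys []
R3 kbdcap;kbdcap;C:\WINDOWS\system32\drivers\kbdcap.sys [2008-01-22 22:02]
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" | "medium" | "low"
    source: str     # the log line the finding came from
    reason: str


# HijackThis shape (inferred from the post): "Oxx - <kind>: <rest>"
HJT_RE = re.compile(r"^(O\d+) - (.+?): (.*)$")
# ComboFix driver/service shape (inferred): "<R|S><0-4> <name>;<display>;<path> [<stamp>]"
CF_DRV_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.+?) \[(.*)\]$")

# Locations an unprivileged user can write to; a kernel driver should not live here.
USER_WRITABLE = ("\\temp\\", "\\desktop\\", "\\application data\\", "\\local settings\\")


def triage_hjt(tag: str, kind: str, rest: str, line: str) -> Optional[Finding]:
    """Heuristics for HijackThis lines."""
    if tag == "O20" and kind.lower() == "winlogon notify":
        path = rest.rsplit(" - ", 1)[-1].strip()
        # A Winlogon Notify package must name a DLL. A bare directory means the
        # registration is still there but its payload is gone or not resolvable.
        if not path.lower().endswith(".dll"):
            return Finding("high", line, f"Winlogon Notify package with no DLL path: {path!r}")
    if tag == "O2" and rest.endswith("(no file)"):
        return Finding("low", line, "BHO CLSID registered but its DLL is missing; orphaned entry")
    return None


def triage_driver(name: str, path: str, stamp: str, line: str) -> Optional[Finding]:
    """Heuristics for ComboFix driver/service lines."""
    low = path.lower()
    if any(marker in low for marker in USER_WRITABLE):
        return Finding("high", line, f"kernel driver {name!r} registered from user-writable path {path!r}")
    if stamp == "":
        # Assumption: empty brackets mean ComboFix found no file metadata,
        # i.e. the registered binary was not present at scan time.
        return Finding("medium", line, f"driver {name!r} has no file metadata; binary likely missing")
    return None


def triage(lines: Iterable[str]) -> list[Finding]:
    """Run both heuristic sets over raw log lines; unknown lines are ignored."""
    findings: list[Finding] = []
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        m = HJT_RE.match(line)
        if m:
            hit = triage_hjt(m.group(1), m.group(2), m.group(3), line)
        else:
            m = CF_DRV_RE.match(line)
            hit = triage_driver(m.group(2), m.group(4), m.group(5), line) if m else None
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES.splitlines()):
        print(f"[{f.severity:6}] {f.reason}\n         {f.source}")
```

The script is deliberately conservative: it flags only what can be read off the line itself (a Notify package with no DLL, a BHO with no file, a driver path under a user-writable directory), so a vendor driver that happens to live in Temp, such as the HP `pciinfo.sys` above, is reported as well and still needs a human to decide whether it belongs there.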