Thread: Hijacking Help
View Single Post
Old 10-16-2008, 10:49 AM   #7 (permalink)
carguy209
Registered User
 
Join Date: Oct 2008
Posts: 17
OS: XP Pro SP2


Re: Hijacking Help
Ok, I was delayed in my follow up to your last instructions, then I discovered that someone had opened an email attachment on this computer, further soiling the system. What an idiot!! Anyway I ran Combo fix again like I did the first time, then again with the script you gave. Both logs will be attached. Then the Java updates, ATF session, and finally the Kaspersky scan which found 39 objects..YIKES! I ran another Hijack this and here are all the results:

ComboFix 08-10-09.06 - Administrator 2008-10-16 9:27:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.216 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Cookies\mixobo.bin
C:\Documents and Settings\Administrator\Cookies\ucuxyn._dl
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\asezan.pif
C:\Documents and Settings\Administrator\Start Menu\Programs\XP_AntiSpyware
C:\Documents and Settings\Administrator\Start Menu\Programs\XP_AntiSpyware\Uninstall.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\XP_AntiSpyware\XP_AntiSpyware.lnk
C:\Program Files\Microsoft Common
C:\Program Files\Microsoft Common\wuauclt.exe
C:\Program Files\XP_AntiSpyware
C:\Program Files\XP_AntiSpyware\AVEngn.dll
C:\Program Files\XP_AntiSpyware\data\daily.cvd
C:\Program Files\XP_AntiSpyware\htmlayout.dll
C:\Program Files\XP_AntiSpyware\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
C:\Program Files\XP_AntiSpyware\Microsoft.VC80.CRT\msvcm80.dll
C:\Program Files\XP_AntiSpyware\Microsoft.VC80.CRT\msvcp80.dll
C:\Program Files\XP_AntiSpyware\Microsoft.VC80.CRT\msvcr80.dll
C:\Program Files\XP_AntiSpyware\pthreadVC2.dll
C:\Program Files\XP_AntiSpyware\Uninstall.exe
C:\Program Files\XP_AntiSpyware\wscui.cpl
C:\Program Files\XP_AntiSpyware\XP_Antispyware.cfg
C:\Program Files\XP_AntiSpyware\XP_AntiSpyware.exe
C:\WINDOWS\system32\brastk.exe
C:\WINDOWS\system32\DelSelf.bat

.
((((((((((((((((((((((((( Files Created from 2008-09-16 to 2008-10-16 )))))))))))))))))))))))))))))))
.

2008-10-16 05:31 . 2008-10-14 23:14 211,984 --a------ C:\WINDOWS\system32\_scui.cpl
2008-10-16 05:31 . 2008-10-16 05:31 19,776 --a------ C:\WINDOWS\eweqeju.sys
2008-10-16 05:31 . 2008-10-16 05:31 19,268 --a------ C:\Program Files\Common Files\ifuzeh.reg
2008-10-16 05:31 . 2008-10-16 05:31 18,832 --a------ C:\WINDOWS\kevyruv.reg
2008-10-16 05:31 . 2008-10-16 05:31 18,439 --a------ C:\WINDOWS\system32\dijoritizi.inf
2008-10-16 05:31 . 2008-10-16 05:31 17,973 --a------ C:\Documents and Settings\All Users\Application Data\wadufadig.com
2008-10-16 05:31 . 2008-10-16 05:31 16,444 --a------ C:\WINDOWS\gohyzexezu.lib
2008-10-16 05:31 . 2008-10-16 05:31 16,198 --a------ C:\Program Files\Common Files\vefeqifef.exe
2008-10-16 05:31 . 2008-10-16 05:31 15,449 --a------ C:\Documents and Settings\Administrator\Application Data\edewyva.dll
2008-10-16 05:31 . 2008-10-16 05:31 13,842 --a------ C:\WINDOWS\uqihunud.reg
2008-10-16 05:31 . 2008-10-16 05:31 13,112 --a------ C:\WINDOWS\system32\ikewus.dl
2008-10-16 05:31 . 2008-10-16 05:31 12,194 --a------ C:\Documents and Settings\All Users\Application Data\ifadu.exe
2008-10-16 05:31 . 2008-10-16 05:31 10,454 --a------ C:\WINDOWS\uwudara.ban
2008-10-16 05:31 . 2008-10-16 05:31 10,127 --a------ C:\Documents and Settings\All Users\Application Data\agocyc.bin
2008-10-16 05:27 . 2008-10-16 05:27 71,710 --a------ C:\WINDOWS\system32\wini10602.exe
2008-10-15 03:02 . 2008-10-15 03:05 1,393 --a------ C:\WINDOWS\imsins.BAK
2008-10-06 16:38 . 2008-10-10 09:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-10-06 16:12 . 2008-10-06 16:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-06 15:53 . 2008-10-06 15:53 0 --a------ C:\WINDOWS\nsreg.dat
2008-10-06 14:07 . 2008-10-06 14:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-10-06 13:52 . 2008-10-06 13:59 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-06 11:34 . 2008-10-06 11:34 <DIR> d-------- C:\Program Files\Defraggler
2008-10-06 11:33 . 2008-10-06 11:33 <DIR> d-------- C:\Program Files\CCleaner
2008-10-06 10:20 . 2008-10-06 10:20 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-06 10:20 . 2008-10-06 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-06 10:13 . 2008-10-06 10:13 0 --a------ C:\WINDOWS\vpc32.INI
2008-10-06 10:12 . 2008-10-06 10:10 123,619 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-10-06 10:12 . 2008-10-06 10:10 83,672 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-10-06 10:12 . 2008-10-06 10:10 73,224 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-10-06 10:11 . 2008-10-06 10:11 <DIR> d-------- C:\Program Files\Symantec_Client_Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-16 09:31 18,033 ----a-w C:\Program Files\Common Files\cylewelocy.db
2008-10-16 09:31 11,153 ----a-w C:\Program Files\Common Files\efekokis._sy
2008-10-06 17:45 --------- d-----w C:\Program Files\Google
2008-10-06 14:40 90,112 ----a-w C:\WINDOWS\DUMP26f0.tmp
2008-10-06 14:12 --------- d-----w C:\Program Files\Symantec
2008-10-06 14:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:00 2,180,352 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
.

((((((((((((((((((((((((((((( snapshot@2008-10-10_ 9.56.57.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-26 09:08:35 124,928 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\advpack.dll
+ 2008-08-26 09:08:36 347,136 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\dxtmsft.dll
+ 2008-08-26 09:08:36 214,528 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\dxtrans.dll
+ 2008-08-26 09:08:36 132,608 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\extmgr.dll
+ 2008-08-26 09:08:36 63,488 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\icardie.dll
+ 2008-08-25 08:43:21 70,656 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ie4uinit.exe
+ 2008-08-26 09:08:36 153,088 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieakeng.dll
+ 2008-08-26 09:08:36 230,400 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieaksie.dll
+ 2008-08-23 05:54:50 161,792 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieakui.dll
+ 2007-07-01 03:31:33 2,455,488 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieapfltr.dat
+ 2008-08-26 09:08:36 380,928 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieapfltr.dll
+ 2008-08-26 09:08:37 388,608 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\iedkcs32.dll
+ 2008-10-03 17:26:50 6,068,224 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieframe.dll
+ 2008-08-26 09:08:39 44,544 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\iernonce.dll
+ 2008-08-26 09:08:39 267,776 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\iertutil.dll
+ 2008-08-25 08:43:21 13,824 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieudinit.exe
+ 2008-08-23 05:56:16 635,848 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe
+ 2008-08-26 09:08:40 27,648 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\jsproxy.dll
+ 2008-08-26 09:08:40 459,264 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\msfeeds.dll
+ 2008-08-26 09:08:40 52,224 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\msfeedsbs.dll
+ 2008-08-26 09:08:43 3,594,752 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\mshtml.dll
+ 2008-08-26 09:08:43 477,696 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\mshtmled.dll
+ 2008-08-26 09:08:44 193,024 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\msrating.dll
+ 2008-08-26 09:08:44 671,232 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\mstime.dll
+ 2008-08-26 09:08:44 102,912 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\occache.dll
+ 2008-08-26 09:08:44 44,544 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\pngfilt.dll
+ 2008-08-26 09:08:44 105,984 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\url.dll
+ 2008-08-26 09:08:45 1,162,752 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\urlmon.dll
+ 2008-08-26 09:08:45 233,472 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\webcheck.dll
+ 2008-08-26 09:08:45 827,904 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\update\updspapi.dll
- 2007-02-28 09:08:48 2,136,064 -c----w C:\WINDOWS\Driver Cache\i386\ntkrnlmp.exe
+ 2008-08-14 09:58:27 2,136,064 ------w C:\WINDOWS\Driver Cache\i386\ntkrnlmp.exe
- 2007-02-28 08:38:55 2,057,600 -c----w C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
+ 2008-08-14 09:22:13 2,057,728 ------w C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
- 2007-02-28 08:38:57 2,015,744 -c----w C:\WINDOWS\Driver Cache\i386\ntkrpamp.exe
+ 2008-08-14 09:22:14 2,015,744 ------w C:\WINDOWS\Driver Cache\i386\ntkrpamp.exe
- 2007-02-28 09:10:57 2,180,352 -c----w C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
+ 2008-08-14 10:00:45 2,180,352 ------w C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
+ 2008-06-23 16:57:27 124,928 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\advpack.dll
+ 2008-06-23 16:57:27 347,136 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\dxtmsft.dll
+ 2008-06-23 16:57:27 214,528 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\dxtrans.dll
+ 2008-06-23 16:57:27 133,120 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\extmgr.dll
+ 2008-06-23 16:57:28 63,488 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\icardie.dll
+ 2008-06-23 09:20:25 70,656 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ie4uinit.exe
+ 2008-06-23 16:57:29 153,088 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieakeng.dll
+ 2008-06-23 16:57:29 230,400 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieaksie.dll
+ 2008-06-21 05:23:54 161,792 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieakui.dll
+ 2008-06-23 16:57:29 383,488 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieapfltr.dll
+ 2008-06-23 16:57:29 384,512 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iedkcs32.dll
+ 2008-06-23 16:57:33 6,066,176 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieframe.dll
+ 2008-06-23 16:57:33 44,544 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iernonce.dll
+ 2008-06-23 16:57:34 267,776 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iertutil.dll
+ 2008-06-23 09:20:26 13,824 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieudinit.exe
+ 2008-06-23 09:20:52 625,664 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iexplore.exe
+ 2008-06-23 16:57:35 27,648 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\jsproxy.dll
+ 2008-06-23 16:57:36 459,264 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\msfeeds.dll
+ 2008-06-23 16:57:36 52,224 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\msfeedsbs.dll
+ 2008-06-24 14:57:40 3,592,192 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\mshtml.dll
+ 2008-06-23 16:57:39 477,696 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\mshtmled.dll
+ 2008-06-23 16:57:39 193,024 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\msrating.dll
+ 2008-06-23 16:57:40 671,232 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\mstime.dll
+ 2008-06-23 16:57:40 102,912 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\occache.dll
+ 2008-06-23 16:57:40 44,544 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\pngfilt.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\updspapi.dll
+ 2008-06-23 16:57:40 105,984 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\url.dll
+ 2008-06-23 16:57:40 1,159,680 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\urlmon.dll
+ 2008-06-23 16:57:41 233,472 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\webcheck.dll
+ 2008-06-23 16:57:41 826,368 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\wininet.dll
- 2008-09-11 07:04:40 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-10-15 07:04:21 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-09-11 07:04:40 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-10-15 07:04:21 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-09-11 07:04:40 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-10-15 07:04:21 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-09-11 07:04:40 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-10-15 07:04:21 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-09-11 07:04:40 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-10-15 07:04:21 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-09-11 07:04:40 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-10-15 07:04:21 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-09-11 07:04:40 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-10-15 07:04:21 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-09-11 07:04:40 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-10-15 07:04:22 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-09-11 07:04:40 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-10-15 07:04:21 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-09-11 07:04:40 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-10-15 07:04:21 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-09-11 07:04:40 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-10-15 07:04:22 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-09-11 07:04:39 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-10-15 07:04:20 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-09-11 07:04:39 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-10-15 07:04:20 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-06-23 16:57:27 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-08-26 07:24:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2008-10-10 13:45:45 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-10-16 09:27:20 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-10-10 13:45:45 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-16 09:27:20 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-16 09:27:20 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-23 16:57:27 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-08-26 07:24:28 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
- 2008-06-20 10:44:38 138,368 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys
+ 2008-08-14 09:51:43 138,368 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys
- 2008-06-23 16:57:27 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-08-26 07:24:28 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-06-23 16:57:27 214,528 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-08-26 07:24:28 214,528 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2008-06-23 16:57:27 133,120 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-08-26 07:24:28 133,120 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-06-23 16:57:28 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2008-08-26 07:24:28 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
- 2008-06-23 09:20:25 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-08-25 08:37:59 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2008-06-23 16:57:29 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-08-26 07:24:28 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2008-06-23 16:57:29 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-08-26 07:24:28 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2008-06-21 05:23:54 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-08-23 05:54:51 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2008-06-23 16:57:29 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2008-08-26 07:24:28 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2008-06-23 16:57:29 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-08-26 07:24:29 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2008-06-23 16:57:33 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2008-10-03 17:41:15 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2008-06-23 16:57:33 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-08-26 07:24:29 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2008-06-23 16:57:34 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2008-08-26 07:24:29 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2008-06-23 09:20:26 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2008-08-25 08:38:00 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2008-06-23 09:20:52 625,664 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2008-08-23 05:56:15 635,848 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2008-06-23 16:57:35 27,648 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-08-26 07:24:30 27,648 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2008-06-23 16:57:36 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2008-08-26 07:24:30 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2008-06-23 16:57:36 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2008-08-26 07:24:30 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2008-06-24 14:57:40 3,592,192 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-08-27 08:24:32 3,593,216 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2008-06-23 16:57:39 477,696 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-08-26 07:24:30 477,696 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2008-06-23 16:57:39 193,024 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-08-26 07:24:30 193,024 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
- 2008-06-23 16:57:40 671,232 -c----w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-08-26 07:24:30 671,232 -c----w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-02-28 09:08:48 2,136,064 -c----w C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
+ 2008-08-14 09:58:27 2,136,064 -c----w C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
- 2007-02-28 08:38:55 2,057,600 -c----w C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
+ 2008-08-14 09:22:13 2,057,728 -c----w C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
- 2007-02-28 08:38:57 2,015,744 -c----w C:\WINDOWS\system32\dllcache\ntkrpamp.exe
+ 2008-08-14 09:22:14 2,015,744 -c----w C:\WINDOWS\system32\dllcache\ntkrpamp.exe
- 2007-02-28 09:10:57 2,180,352 -c----w C:\WINDOWS\system32\dllcache\ntoskrnl.exe
+ 2008-08-14 10:00:45 2,180,352 -c----w C:\WINDOWS\system32\dllcache\ntoskrnl.exe
- 2008-06-23 16:57:40 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-08-26 07:24:30 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll
- 2008-06-23 16:57:40 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-08-26 07:24:30 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2006-08-14 10:34:41 332,928 -c--a-w C:\WINDOWS\system32\dllcache\srv.sys
+ 2008-08-28 10:04:17 333,056 -c--a-w C:\WINDOWS\system32\dllcache\srv.sys
- 2008-06-23 16:57:40 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-08-26 07:24:30 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
- 2008-06-23 16:57:40 1,159,680 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-08-26 07:24:31 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-06-23 16:57:41 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-08-26 07:24:31 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2008-03-19 09:47:00 1,845,248 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
+ 2008-09-15 11:57:41 1,846,016 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
- 2008-06-23 16:57:41 826,368 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-08-26 07:24:31 826,368 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
- 2008-06-20 10:44:38 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
+ 2008-08-14 09:51:43 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
- 2008-06-23 16:57:27 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-08-26 07:24:28 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2008-06-23 16:57:27 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-08-26 07:24:28 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2008-06-23 16:57:27 133,120 ------w C:\WINDOWS\system32\extmgr.dll
+ 2008-08-26 07:24:28 133,120 ------w C:\WINDOWS\system32\extmgr.dll
- 2008-07-02 11:11:22 238,352 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-10-15 07:11:29 238,352 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2008-06-23 16:57:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-08-26 07:24:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2008-06-23 09:20:25 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-08-25 08:37:59 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe
- 2008-06-23 16:57:29 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
+ 2008-08-26 07:24:28 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
- 2008-06-23 16:57:29 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
+ 2008-08-26 07:24:28 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
- 2008-06-21 05:23:54 161,792 ------w C:\WINDOWS\system32\ieakui.dll
+ 2008-08-23 05:54:51 161,792 ------w C:\WINDOWS\system32\ieakui.dll
- 2008-06-23 16:57:29 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-08-26 07:24:28 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2008-06-23 16:57:29 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-08-26 07:24:29 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
- 2008-06-23 16:57:33 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-10-03 17:41:15 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2008-06-23 16:57:33 44,544 ------w C:\WINDOWS\system32\iernonce.dll
+ 2008-08-26 07:24:29 44,544 ------w C:\WINDOWS\system32\iernonce.dll
- 2008-06-23 16:57:34 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-08-26 07:24:29 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2008-06-23 09:20:26 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-08-25 08:38:00 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2008-06-23 16:57:35 27,648 ------w C:\WINDOWS\system32\jsproxy.dll
+ 2008-08-26 07:24:30 27,648 ------w C:\WINDOWS\system32\jsproxy.dll
- 2008-08-26 17:28:14 16,208,504 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-10-07 19:19:40 16,721,856 ----a-w C:\WINDOWS\system32\MRT.exe
- 2008-06-23 16:57:36 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-08-26 07:24:30 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2008-06-23 16:57:36 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-08-26 07:24:30 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2008-06-24 14:57:40 3,592,192 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-08-27 08:24:32 3,593,216 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-06-23 16:57:39 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-08-26 07:24:30 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2008-06-23 16:57:39 193,024 ------w C:\WINDOWS\system32\msrating.dll
+ 2008-08-26 07:24:30 193,024 ------w C:\WINDOWS\system32\msrating.dll
- 2008-06-23 16:57:40 671,232 ------w C:\WINDOWS\system32\mstime.dll
+ 2008-08-26 07:24:30 671,232 ------w C:\WINDOWS\system32\mstime.dll
- 2008-06-23 16:57:40 102,912 ------w C:\WINDOWS\system32\occache.dll
+ 2008-08-26 07:24:30 102,912 ------w C:\WINDOWS\system32\occache.dll
- 2008-08-14 11:59:57 53,608 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-15 11:58:09 53,608 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-14 11:59:57 383,254 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-15 11:58:09 383,254 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-06-23 16:57:40 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-08-26 07:24:30 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2008-06-23 16:57:40 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-08-26 07:24:30 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2008-06-23 16:57:40 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-08-26 07:24:31 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2008-06-23 16:57:41 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-08-26 07:24:31 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UCS NavBar"="C:\UCC\System\UcsNavBar.exe" [2007-10-30 319488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-07-18 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 114688]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"UCS NavBar"="C:\UCC\System\UcsNavBar.exe" [2007-10-30 319488]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\UCC\\SYSTEM\\Umhwinmg.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 UCS Install NT Service;UCS Install NT Service;C:\UCC\Services\Ucsinsvc.exe [2008-03-26 61440]
S2 UCS Refresh Service;UCS Refresh Service;C:\UCC\Services\UcsrrSvc.exe [2005-06-09 77824]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - AEC
*Newly Created Service* - ASYNCMAC
.
Contents of the 'Scheduled Tasks' folder

2008-10-16 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-brastk - C:\WINDOWS\system32\brastk.exe
HKLM-Run-XP Antispyware 2009 - C:\Program Files\XP_AntiSpyware\XP_AntiSpyware.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g87miiq5.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-16 09:28:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-10-16 9:30:51
ComboFix-quarantined-files.txt 2008-10-16 13:30:46
ComboFix2.txt 2008-10-10 13:57:22

Pre-Run: 31,309,885,440 bytes free
Post-Run: 31,321,407,488 bytes free

419 --- E O F --- 2008-10-15 07:05:35


#2

ComboFix 08-10-09.06 - Administrator 2008-10-16 9:33:09.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2008-09-16 to 2008-10-16 )))))))))))))))))))))))))))))))
.

2008-10-16 05:31 . 2008-10-14 23:14 211,984 --a------ C:\WINDOWS\system32\_scui.cpl
2008-10-16 05:31 . 2008-10-16 05:31 19,776 --a------ C:\WINDOWS\eweqeju.sys
2008-10-16 05:31 . 2008-10-16 05:31 19,268 --a------ C:\Program Files\Common Files\ifuzeh.reg
2008-10-16 05:31 . 2008-10-16 05:31 18,832 --a------ C:\WINDOWS\kevyruv.reg
2008-10-16 05:31 . 2008-10-16 05:31 18,439 --a------ C:\WINDOWS\system32\dijoritizi.inf
2008-10-16 05:31 . 2008-10-16 05:31 17,973 --a------ C:\Documents and Settings\All Users\Application Data\wadufadig.com
2008-10-16 05:31 . 2008-10-16 05:31 16,444 --a------ C:\WINDOWS\gohyzexezu.lib
2008-10-16 05:31 . 2008-10-16 05:31 16,198 --a------ C:\Program Files\Common Files\vefeqifef.exe
2008-10-16 05:31 . 2008-10-16 05:31 15,449 --a------ C:\Documents and Settings\Administrator\Application Data\edewyva.dll
2008-10-16 05:31 . 2008-10-16 05:31 13,842 --a------ C:\WINDOWS\uqihunud.reg
2008-10-16 05:31 . 2008-10-16 05:31 13,112 --a------ C:\WINDOWS\system32\ikewus.dl
2008-10-16 05:31 . 2008-10-16 05:31 12,194 --a------ C:\Documents and Settings\All Users\Application Data\ifadu.exe
2008-10-16 05:31 . 2008-10-16 05:31 10,454 --a------ C:\WINDOWS\uwudara.ban
2008-10-16 05:31 . 2008-10-16 05:31 10,127 --a------ C:\Documents and Settings\All Users\Application Data\agocyc.bin
2008-10-16 05:27 . 2008-10-16 05:27 71,710 --a------ C:\WINDOWS\system32\wini10602.exe
2008-10-15 03:02 . 2008-10-15 03:05 1,393 --a------ C:\WINDOWS\imsins.BAK
2008-10-06 16:38 . 2008-10-10 09:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-10-06 16:12 . 2008-10-06 16:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-06 15:53 . 2008-10-06 15:53 0 --a------ C:\WINDOWS\nsreg.dat
2008-10-06 14:07 . 2008-10-06 14:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-10-06 13:52 . 2008-10-06 13:59 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-06 11:34 . 2008-10-06 11:34 <DIR> d-------- C:\Program Files\Defraggler
2008-10-06 11:33 . 2008-10-06 11:33 <DIR> d-------- C:\Program Files\CCleaner
2008-10-06 10:20 . 2008-10-06 10:20 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-06 10:20 . 2008-10-06 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-06 10:13 . 2008-10-06 10:13 0 --a------ C:\WINDOWS\vpc32.INI
2008-10-06 10:12 . 2008-10-06 10:10 123,619 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-10-06 10:12 . 2008-10-06 10:10 83,672 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-10-06 10:12 . 2008-10-06 10:10 73,224 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-10-06 10:11 . 2008-10-06 10:11 <DIR> d-------- C:\Program Files\Symantec_Client_Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-16 09:31 18,033 ----a-w C:\Program Files\Common Files\cylewelocy.db
2008-10-16 09:31 11,153 ----a-w C:\Program Files\Common Files\efekokis._sy
2008-10-06 17:45 --------- d-----w C:\Program Files\Google
2008-10-06 14:40 90,112 ----a-w C:\WINDOWS\DUMP26f0.tmp
2008-10-06 14:12 --------- d-----w C:\Program Files\Symantec
2008-10-06 14:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UCS NavBar"="C:\UCC\System\UcsNavBar.exe" [2007-10-30 319488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-07-18 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 114688]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"UCS NavBar"="C:\UCC\System\UcsNavBar.exe" [2007-10-30 319488]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\UCC\\SYSTEM\\Umhwinmg.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 UCS Install NT Service;UCS Install NT Service;C:\UCC\Services\Ucsinsvc.exe [2008-03-26 61440]
S2 UCS Refresh Service;UCS Refresh Service;C:\UCC\Services\UcsrrSvc.exe [2005-06-09 77824]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-10-16 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-16 09:34:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\UCC\SYSTEM\Umhwinmg.exe
C:\UCC\SYSTEM\UmhWinUi.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-10-16 9:38:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-16 13:38:31
ComboFix2.txt 2008-10-16 13:30:53
ComboFix3.txt 2008-10-10 13:57:22

Pre-Run: 31,312,875,520 bytes free
Post-Run: 31,302,696,960 bytes free

127 --- E O F --- 2008-10-15 07:05:35


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, October 16, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, October 16, 2008 08:52:28
Records in database: 1315286
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 33350
Threat name: 15
Infected objects: 39
Suspicious objects: 0
Duration of the scan: 01:15:13


File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Infected: Trojan-Spy.Win32.KeySpy.x 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\OLK42\Statement_JAN-OCT.zip Infected: Worm.Win32.AutoRun.qsf 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AF40000.VBN Infected: Trojan-Mailfinder.Win32.Agent.sc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AF40001.VBN Infected: Backdoor.Win32.UltimateDefender.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C0000.VBN Infected: Rootkit.Win32.Agent.eeq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C0001.VBN Infected: Rootkit.Win32.Agent.eeq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C0002.VBN Infected: Rootkit.Win32.Clbd.kr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C0003.VBN Infected: Rootkit.Win32.Clbd.kr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C0004.VBN Infected: Rootkit.Win32.Agent.ehv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C0005.VBN Infected: Rootkit.Win32.Agent.ehv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C0006.VBN Infected: Backdoor.Win32.Agent.rfv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C0007.VBN Infected: Backdoor.Win32.Agent.rfv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C0008.VBN Infected: Backdoor.Win32.Agent.tcb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C0009.VBN Infected: Backdoor.Win32.Agent.tcb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C000A.VBN Infected: Trojan-Downloader.Win32.FraudLoad.vbxt 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C000B.VBN Infected: Trojan-Downloader.Win32.FraudLoad.vbxt 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C000C.VBN Infected: Backdoor.Win32.TDSS.zj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C000D.VBN Infected: Backdoor.Win32.TDSS.zj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C000E.VBN Infected: Rootkit.Win32.Agent.eeq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C000F.VBN Infected: Rootkit.Win32.Agent.eeq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C0010.VBN Infected: Rootkit.Win32.Clbd.kr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C0011.VBN Infected: Rootkit.Win32.Clbd.kr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C0012.VBN Infected: Rootkit.Win32.Agent.ehv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C0013.VBN Infected: Rootkit.Win32.Agent.ehv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C0014.VBN Infected: Backdoor.Win32.Agent.rfv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C0015.VBN Infected: Backdoor.Win32.Agent.rfv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C0016.VBN Infected: Backdoor.Win32.Agent.tcb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C0017.VBN Infected: Backdoor.Win32.Agent.tcb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C0018.VBN Infected: Trojan-Downloader.Win32.FraudLoad.vbxt 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C0019.VBN Infected: Trojan-Downloader.Win32.FraudLoad.vbxt 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C001A.VBN Infected: Backdoor.Win32.TDSS.zj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E0C001B.VBN Infected: Backdoor.Win32.TDSS.zj 1
C:\Program Files\RealVNC\WinVNC\othread2.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Qoobox\Quarantine\C\Program Files\Microsoft Common\wuauclt.exe.vir Infected: Worm.Win32.AutoRun.qsf 1
C:\Qoobox\Quarantine\C\Program Files\XP_AntiSpyware\Uninstall.exe.vir Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.az 1
C:\Qoobox\Quarantine\C\Program Files\XP_AntiSpyware\wscui.cpl.vir Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.ba 1
C:\Qoobox\Quarantine\C\Program Files\XP_AntiSpyware\XP_AntiSpyware.exe.vir Infected: Trojan.Win32.FraudPack.gfc 1
C:\WINDOWS\system32\wini10602.exe Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.az 1
C:\WINDOWS\system32\_scui.cpl Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.ba 1

The selected area was scanned.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:58 PM, on 10/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\UCC\Services\Ucsinsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\UCC\SYSTEM\Umhwinmg.exe
C:\UCC\SYSTEM\Umhwinui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [UCS NavBar] C:\UCC\System\UcsNavBar.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [UCS NavBar] C:\UCC\System\UcsNavBar.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6045C5E3-3653-4262-9E3E-0DA3A22A2C1D} (Crystal ActiveX Report Viewer Web Report Source 10.0) - https://web.crystalreports.dealercon...iveXViewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121702207263
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1121715727671
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) - https://web.crystalreports.dealercon...iveXViewer.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://myvpn.ford.com/dana-cached/s...erSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FF47882-74B8-4310-BA2F-FB8208ED81D7}: NameServer = 205.171.3.65,205.171.2.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{0FF47882-74B8-4310-BA2F-FB8208ED81D7}: NameServer = 205.171.3.65,205.171.2.65
O17 - HKLM\System\CS2\Services\Tcpip\..\{0FF47882-74B8-4310-BA2F-FB8208ED81D7}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: UCS Install NT Service - UCS - C:\UCC\Services\Ucsinsvc.exe
O23 - Service: UCS Refresh Service - UCS - C:\UCC\Services\UcsrrSvc.exe

--
End of file - 4847 bytes


System behavior seems fine now that the pesky Antivirus XP crap is gone. Web browsing is normal as well. Thanks again for all that you are doing.
carguy209 is offline