11-02-2008, 10:35 AM   #6
eddmead
Registered User
 
Join Date: Jul 2005
Posts: 38
OS: xp pro


Re: Horrible infection.

File was no good, deleted it.

Computer is acting 110% better... no noticeable problems.

Logs requested:

ComboFix 08-11-01.06 - Shirly 2008-11-02 10:31:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.137 [GMT -5:00]
Running from: C:\Documents and Settings\Shirly\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Shirly\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\.security
C:\Documents and Settings\Shirly\Start Menu\Programs\Startup\DW_Start.lnk
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\WINDOWS\.security
C:\WINDOWS\cor704836.exe
C:\WINDOWS\ee3362.exe
C:\WINDOWS\eo4.exe
C:\WINDOWS\h288.exe
C:\WINDOWS\j414.exe
C:\WINDOWS\lik02.exe
C:\WINDOWS\lomxeqsn.exe
C:\WINDOWS\mondrv411.exe
C:\WINDOWS\nc605007.exe
C:\WINDOWS\ndxq3074.exe
C:\WINDOWS\nohh06760.exe
C:\WINDOWS\qggu58826.exe
C:\WINDOWS\system32\dwwnw64r.exe
C:\WINDOWS\system32\g79.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\pcntttdl.exe
C:\WINDOWS\system32\rkwnw64l.exe
C:\WINDOWS\tj85.exe
C:\WINDOWS\tjyvb346054.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\.security
C:\DOCUME~1\ALLUSE~1\Applic~1\pozgnihc
C:\DOCUME~1\ALLUSE~1\Applic~1\pozgnihc\binwvqne.exe
C:\Documents and Settings\Shirly\Application Data\Gool
C:\Program Files\Mjcore
C:\Program Files\Mjcore\Mjcore.dll
C:\Program Files\Webtools
C:\Program Files\Webtools\webtools.dll
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\WINDOWS\.security
C:\WINDOWS\cor704836.exe
C:\WINDOWS\ee3362.exe
C:\WINDOWS\eo4.exe
C:\WINDOWS\h288.exe
C:\WINDOWS\j414.exe
C:\WINDOWS\lik02.exe
C:\WINDOWS\mondrv411.exe
C:\WINDOWS\nc605007.exe
C:\WINDOWS\ndxq3074.exe
C:\WINDOWS\nohh06760.exe
C:\WINDOWS\system32\ec2
C:\WINDOWS\system32\ec2\PDI5MDi2.exe
C:\WINDOWS\system32\EV02
C:\WINDOWS\system32\EV02\EV022328.exe
C:\WINDOWS\system32\fs3
C:\WINDOWS\system32\fs3\CL65CON2.exe
C:\WINDOWS\system32\g79.exe
C:\WINDOWS\system32\m3v
C:\WINDOWS\system32\PX
C:\WINDOWS\system32\PX\TP6567IV.exe
C:\WINDOWS\system32\TDSSqein.dll
C:\WINDOWS\system32\wi
C:\WINDOWS\system32\wi\UNTix526.exe
C:\WINDOWS\tj85.exe
C:\WINDOWS\tjyvb346054.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-02 to 2008-11-02 )))))))))))))))))))))))))))))))
.

2008-11-02 10:21 . 2008-11-02 10:31 <DIR> d-------- C:\WINDOWS\CAVTemp
2008-11-02 10:13 . 2008-11-02 10:12 880,560 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-11-02 10:13 . 2008-11-02 10:12 108,368 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-11-02 10:11 . 2008-11-02 10:11 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-11-02 10:11 . 2007-08-20 13:37 99,592 --a------ C:\WINDOWS\system32\isafeif.dll
2008-11-02 10:11 . 2007-08-20 13:26 79,424 --a------ C:\WINDOWS\system32\vetredir.dll
2008-11-02 10:11 . 2007-08-20 13:37 75,016 --a------ C:\WINDOWS\system32\isafprod.dll
2008-11-02 10:11 . 2007-08-20 13:38 32,264 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-11-02 10:11 . 2007-08-20 13:38 26,376 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-11-02 10:11 . 2007-08-20 13:38 21,512 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-11-02 10:11 . 2007-08-20 13:38 21,128 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-11-02 10:10 . 2008-11-02 10:11 <DIR> d-------- C:\Program Files\CA
2008-11-02 10:10 . 2008-11-02 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2008-11-02 09:26 . 2008-11-02 09:26 <DIR> d-------- C:\Program Files\BillP Studios
2008-11-02 09:26 . 2008-11-02 09:26 <DIR> d-------- C:\Documents and Settings\Shirly\Application Data\WinPatrol
2008-11-02 09:22 . 2008-11-02 09:22 91 --a------ C:\WINDOWS\wininit.ini
2008-11-02 08:58 . 2008-11-02 09:07 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-11-02 08:58 . 2008-11-02 09:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-02 08:55 . 1999-12-21 07:58 21,312 --a------ C:\WINDOWS\choice.exe
2008-11-02 08:54 . 2008-11-02 08:58 <DIR> d-------- C:\Program Files\SpywareGuard
2008-11-02 08:54 . 2008-11-02 08:54 <DIR> d-------- C:\ie-spyad
2008-11-02 08:53 . 2008-11-02 08:53 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-11-02 08:53 . 2008-11-02 08:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-11-02 08:32 . 2008-10-15 11:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-31 18:47 . 2008-10-31 18:47 <DIR> d-------- C:\rsit
2008-10-31 18:42 . 2008-10-31 18:42 250 --a------ C:\WINDOWS\gmer.ini
2008-10-30 16:19 . 2008-10-30 16:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-29 18:54 . 2008-10-29 18:54 <DIR> d-------- C:\Documents and Settings\Administrator
2008-10-29 18:08 . 2008-10-29 18:08 <DIR> d-------- C:\Program Files\CleanUp!
2008-10-26 18:23 . 2008-10-26 18:23 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-10-22 22:27 . 2008-10-22 22:27 <DIR> d-------- C:\Documents and Settings\Shirly\Application Data\Simply Super Software
2008-10-22 22:27 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-10-22 22:27 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\unrar3.dll
2008-10-22 22:27 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-10-22 22:27 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-10-22 22:27 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-10-21 18:18 . 2008-11-02 09:09 <DIR> d--h----- C:\$AVG8.VAULT$
2008-10-21 16:13 . 2008-10-21 16:13 <DIR> d-------- C:\Program Files\AVG
2008-10-21 16:13 . 2008-11-02 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-10-20 17:25 . 2008-10-21 15:19 <DIR> d-------- C:\Documents and Settings\Shirly\Contacts
2008-10-18 13:06 . 2008-10-18 13:06 <DIR> d-------- C:\Program Files\Fun Web Products
2008-10-17 15:41 . 2008-04-13 19:12 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-10-17 15:41 . 2008-04-13 13:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-10-17 15:41 . 2008-04-13 13:45 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-10-17 15:41 . 2001-08-17 21:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-10-17 14:05 . 2008-10-17 14:05 <DIR> d-------- C:\WINDOWS\PixArt
2008-10-17 14:05 . 2008-10-17 14:05 <DIR> d-------- C:\Program Files\Micro Innovations
2008-10-17 14:05 . 2008-10-17 14:05 <DIR> d-------- C:\Program Files\Common Files\PCCamera
2008-10-17 14:03 . 2008-10-19 20:37 12,548 --a------ C:\WINDOWS\EZMediaBox2.ini
2008-10-17 14:02 . 2008-10-17 14:02 <DIR> d-------- C:\Program Files\BestOn
2008-10-17 14:02 . 2008-07-18 21:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-10-17 14:02 . 2008-07-18 21:07 210,976 --a------ C:\WINDOWS\system32\muweb.dll
2008-10-17 14:02 . 2008-07-18 21:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-10-16 20:52 . 2008-10-16 21:01 <DIR> d-------- C:\Program Files\MySpace
2008-10-16 19:50 . 2008-10-16 19:50 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-10-16 19:50 . 2008-10-16 19:50 <DIR> d-------- C:\Documents and Settings\zach\Contacts
2008-10-16 19:49 . 2008-10-16 19:49 <DIR> d-------- C:\Program Files\Real
2008-10-16 19:49 . 2008-10-16 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-10-16 19:47 . 2008-10-16 19:47 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-10-16 19:47 . 2008-10-16 19:50 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-10-16 19:47 . 2008-10-16 19:51 <DIR> d-------- C:\Program Files\MSN Messenger
2008-10-16 18:04 . 2008-10-26 18:59 <DIR> d-------- C:\Documents and Settings\Shirly\Application Data\LimeWire
2008-10-16 18:01 . 2008-10-16 18:01 <DIR> d-------- C:\WINDOWS\Sun
2008-10-16 18:01 . 2008-10-17 10:46 <DIR> d-------- C:\Program Files\Google
2008-10-16 18:00 . 2008-10-16 18:00 <DIR> d-------- C:\Program Files\Java
2008-10-16 18:00 . 2008-06-10 01:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-16 17:57 . 2008-10-16 17:57 <DIR> d-------- C:\Program Files\Common Files\Java
2008-10-16 17:08 . 2001-08-17 21:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-10-16 17:08 . 2001-08-17 21:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2008-10-16 17:08 . 2001-08-17 21:36 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2008-10-16 17:08 . 2001-08-17 21:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2008-10-16 17:08 . 2008-04-13 19:09 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2008-10-16 17:08 . 2001-08-17 13:55 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2008-10-16 17:08 . 2001-08-17 13:55 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2008-10-16 17:08 . 2008-04-13 19:09 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2008-10-16 17:08 . 2001-08-17 13:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2008-10-16 17:08 . 2001-08-17 13:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2008-10-16 17:08 . 2001-08-17 13:55 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2008-10-16 17:08 . 2001-08-17 13:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2008-10-16 16:43 . 2008-09-15 07:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-16 16:43 . 2008-09-08 05:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-16 16:42 . 2008-08-14 05:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-16 16:42 . 2008-08-14 05:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-16 16:42 . 2008-08-14 04:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-16 16:42 . 2008-08-14 04:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-14 13:54 . 2008-10-14 13:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-10-11 22:44 . 2008-10-11 22:44 <DIR> d-------- C:\Program Files\Yahoo!
2008-10-11 20:57 . 2008-10-15 14:21 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-10-11 20:57 . 1998-10-29 13:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-10-11 20:56 . 2005-04-01 10:43 66,048 --a------ C:\WINDOWS\system32\drivers\EAPPkt.sys
2008-10-11 09:28 . 2008-10-21 16:14 <DIR> d-------- C:\Documents and Settings\zach
2008-10-10 18:50 . 2008-10-10 18:50 <DIR> d-------- C:\CloneDVDTemp
2008-10-10 18:19 . 2001-08-17 12:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-10-10 18:19 . 2001-08-17 12:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-10-10 18:19 . 2008-04-13 13:45 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-10-10 18:19 . 2008-04-13 13:45 10,368 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-10-10 14:41 . 2008-10-10 14:41 <DIR> d-------- C:\Program Files\SlySoft
2008-10-10 14:41 . 2008-10-10 14:41 <DIR> d-------- C:\Program Files\Elaborate Bytes
2008-10-10 14:40 . 2008-10-31 18:41 <DIR> d-------- C:\Documents and Settings\Shirly\Application Data\U3
2008-10-10 14:40 . 2008-04-13 13:45 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-17 19:04 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-10-17 19:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( snapshot@2008-11-02_ 8.13.45.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-02 15:11:17 10,134 ----a-r C:\WINDOWS\Installer\{609B0E8F-0E98-46BF-85F9-7123D1022D84}\ARPPRODUCTICON.exe
+ 2008-11-02 15:11:55 10,134 ----a-r C:\WINDOWS\Installer\{BDBAAB1B-B364-465E-931D-4E2E2F0E609A}\ARPPRODUCTICON.exe
+ 2008-09-06 04:30:42 241,704 -c----w C:\WINDOWS\system32\dllcache\wgaLogon.dll
+ 2008-09-06 04:29:58 917,032 -c----w C:\WINDOWS\system32\dllcache\WgaTray.exe
+ 2008-06-25 00:08:36 63,504 ----a-w C:\WINDOWS\system32\drivers\KmxAgent.sys
+ 2008-06-25 00:08:42 134,648 ----a-w C:\WINDOWS\system32\drivers\KmxCF.sys
+ 2008-06-25 00:08:42 88,816 ----a-w C:\WINDOWS\system32\drivers\KmxCfg.sys
+ 2008-06-25 00:08:46 45,584 ----a-w C:\WINDOWS\system32\drivers\KmxFile.sys
+ 2008-06-25 00:08:52 115,216 ----a-w C:\WINDOWS\system32\drivers\KmxFw.sys
+ 2008-06-25 00:08:56 66,576 ----a-w C:\WINDOWS\system32\drivers\KmxSbx.sys
+ 2008-06-25 00:08:58 93,712 ----a-w C:\WINDOWS\system32\drivers\KmxStart.sys
- 2008-03-20 2236 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-09-06 04:30:06 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2003-04-18 21:46:22 1,233,920 ----a-w C:\WINDOWS\system32\msxml4.dll
+ 2003-04-18 21:29:26 82,432 ----a-w C:\WINDOWS\system32\msxml4r.dll
- 2008-04-14 00:12:01 337,408 ----a-w C:\WINDOWS\system32\netapi32.dll
+ 2008-10-15 16:34:24 337,408 ----a-w C:\WINDOWS\system32\netapi32.dll
+ 2008-06-25 00:10:44 117,264 ----a-w C:\WINDOWS\system32\UmxSbxExw.dll
+ 2008-06-25 00:10:46 256,528 ----a-w C:\WINDOWS\system32\UmxSbxw.dll
+ 2007-05-18 18:30:00 79,368 ----a-w C:\WINDOWS\system32\UmxWNP.dll
+ 2008-09-06 04:30:42 241,704 ------w C:\WINDOWS\system32\WgaLogon.dll
+ 2008-09-06 04:29:58 917,032 ------w C:\WINDOWS\system32\WgaTray.exe
+ 2008-11-02 15:11:49 1,233,920 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
+ 2008-11-02 15:11:50 82,432 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2006-12-11 503296]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 7311360]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-05-09 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 177416]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2008-11-02 14088]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 230664]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-11-02 1193200]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-11-02 173296]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-11-02 259312]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 C:\WINDOWS\RTHDCPL.exe]

C:\Documents and Settings\Shirly\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 13:30 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=rqbwxq.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=C:\WINDOWS\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2008-06-24 93712]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2008-06-24 63504]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2008-06-24 45584]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2008-06-24 115216]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2008-06-24 134648]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2008-06-24 66576]
R2 UmxAgent;HIPS Event Manager;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2007-10-18 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2007-10-18 801296]
R2 UmxPol;HIPS Policy Manager;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-06-24 281104]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2008-06-24 88816]
R3 PPCtlPriv;PPCtlPriv;C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2007-08-16 189704]
S3 PAC207;Basic Webcam;C:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-05-27 162304]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - CAISAFE
*Newly Created Service* - KMXAGENT
*Newly Created Service* - KMXCF
*Newly Created Service* - KMXCFG
*Newly Created Service* - KMXFILE
*Newly Created Service* - KMXFW
*Newly Created Service* - KMXSBX
*Newly Created Service* - KMXSTART
*Newly Created Service* - PPCTLPRIV
*Newly Created Service* - UMXAGENT
*Newly Created Service* - UMXFWHLP
*Newly Created Service* - UMXPOL
*Newly Created Service* - VET-FILT
*Newly Created Service* - VET-REC
*Newly Created Service* - VETEBOOT
*Newly Created Service* - VETEFILE
*Newly Created Service* - VETMONNT
*Newly Created Service* - VETMSGNT
.
Contents of the 'Scheduled Tasks' folder

2008-11-02 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Shirly at 10 11.job
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-16 21:10]

2008-11-02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-02 10:41:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-02 10:44:22
ComboFix-quarantined-files.txt 2008-11-02 15:44:04
ComboFix2.txt 2008-11-02 13:14:46

Pre-Run: 138,263,834,624 bytes free
Post-Run: 138,312,536,064 bytes free

322 --- E O F --- 2008-11-02 13:36:24

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, November 2, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, November 02, 2008 07:40:08
Records in database: 1367023
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 49789
Threat name: 14
Infected objects: 29
Suspicious objects: 0
Duration of the scan: 01:30:32


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\ALLUSE~1\APPLIC~1\pozgnihc\binwvqne.exe.vir Infected: Trojan-Downloader.Win32.Obfuscated.edh 1
C:\Qoobox\Quarantine\C\Documents and Settings\Shirly\Application Data\SpeedRunner\SpeedRunner.exe.vir Infected: Trojan-Downloader.Win32.Agent.alda 1
C:\Qoobox\Quarantine\C\Documents and Settings\Shirly\Application Data\SpeedRunner\SRUninstall.exe.vir Infected: Trojan-Downloader.Win32.Agent.aldb 1
C:\Qoobox\Quarantine\C\WINDOWS\ngwstxfd.dll.vir Infected: Trojan.Win32.Vapsup.mmd 1
C:\Qoobox\Quarantine\C\WINDOWS\qrbgltos.dll.vir Infected: Trojan.Win32.Vapsup.mma 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\aomkpr.dll.vir Infected: Packed.Win32.PolyCrypt.d 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ddcDvwvs.dll.vir Infected: Trojan.Win32.Monderb.voe 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\fecmcmrp.dll.vir Infected: Packed.Win32.PolyCrypt.d 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\fs3\CL65CON2.exe.vir Infected: not-a-virus:AdWare.Win32.WebHancer.f 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\fs3\CL65CON2.exe.vir Infected: not-a-virus:AdWare.Win32.WebHancer.390 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\g79.exe.vir Infected: Trojan-Clicker.Win32.Agent.btl 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\iIBUlKAp.dll.vir Infected: Trojan.Win32.Monderb.vut 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\iifdCvwu.dll.vir Infected: Trojan.Win32.Monderb.voe 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\imvkir.dll.vir Infected: Trojan.Win32.Monder.xjo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kadeqihh.dll.vir Infected: Trojan.Win32.Monder.xjo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nnnmlMDw.dll.vir Infected: Trojan.Win32.Monderb.voe 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\oPICTJAr.dll.vir Infected: Trojan.Win32.Monderb.vut 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnmmJcd.dll.vir Infected: Trojan.Win32.Monderb.voe 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\PX\TP6567IV.exe.vir Infected: Trojan-Downloader.Win32.Agent.afzg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\qqxxzc.dll.vir Infected: Packed.Win32.PolyCrypt.d 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rqbwxq.dll.vir Infected: Trojan.Win32.Monder.xjo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tllxdcdr.dll.vir Infected: Trojan.Win32.Monder.xjo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tuvTmNfG.dll.vir Infected: Trojan.Win32.Monderb.voe 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wvUkJdCU.dll.vir Infected: Trojan.Win32.Monderb.voe 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\xlfgptge.dll.vir Infected: Packed.Win32.PolyCrypt.d 1
D:\I386\APPS\APP17286\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
D:\I386\APPS\APP17286\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2

The selected area was scanned.