11-09-2008, 12:40 AM   #6
ericgarcb
OS: winxp


Re: Infected by vundo.gen.k (trojan) and pop ups abound

Hello,

My computer seems to be running a lot quicker now. And I haven't seen or heard any pop-ups. The fresh logs are pasted below.

Thanks again,
Eric

ComboFix 08-11-07.01 - Edlaze500 2008-11-08 21:42:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.226 [GMT -5:00]
Running from: c:\documents and settings\Edlaze500\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Edlaze500\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AntivirusPro2009
c:\program files\AntivirusPro2009\htmlayout.dll
c:\program files\AntivirusPro2009\pthreadVC2.dll
c:\program files\Common Files\elelahyp.reg
c:\windows\cvchost.exe
c:\windows\dl.exe
c:\windows\msstasks.exe
c:\windows\mssys.com
c:\windows\mstasks1.exe
c:\windows\mstaskss.exe
c:\windows\msxmidi.exe
c:\windows\reg33.exe
c:\windows\rocky.exe
c:\windows\system\wmscrop.exe
c:\windows\system32\cont_offersfortoday-remove.exe
c:\windows\system32\d2kpax.exe
c:\windows\system32\gopejlke.dll
c:\windows\system32\ied.exe
c:\windows\system32\loxydo.pif
c:\windows\system32\mcvowdhmpaic.exe
c:\windows\system32\miniport_mp.exe
c:\windows\system32\suwcamwo.dll
c:\windows\system32\tljcdpkpffbgtpt.dll
c:\windows\system32\winproc32.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2008-10-09 to 2008-11-09 )))))))))))))))))))))))))))))))
.

2008-11-06 00:24 . 2008-11-08 11:39 6,540,832 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-11-06 00:24 . 2008-11-08 21:37 507,936 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-11-06 00:24 . 2008-11-08 11:39 52,180 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-11-06 00:24 . 2008-11-08 21:37 2,816 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-11-05 23:56 . 2008-11-06 00:39 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-11-05 23:56 . 2008-11-05 23:56 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-11-05 23:51 . 2008-11-08 15:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-05 23:17 . 2008-11-05 23:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-05 19:08 . 2008-11-05 19:08 552 --a------ c:\windows\system32\d3d8caps.dat
2008-11-02 13:56 . 2008-11-02 13:58 <DIR> d-------- C:\rsit
2008-11-02 00:41 . 2008-11-02 00:47 250 --a------ c:\windows\gmer.ini
2008-11-01 23:03 . 2008-11-01 23:03 18,507 --a------ c:\windows\system32\igine.db
2008-11-01 23:03 . 2008-11-01 23:03 13,081 --a------ c:\program files\Common Files\erib.bin
2008-11-01 09:31 . 2008-11-05 22:37 <DIR> d-------- C:\quarantine
2008-10-24 12:14 . 2008-10-15 11:34 337,408 --a--c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-16 10:06 . 2008-09-08 05:41 333,824 --a--c--- c:\windows\system32\dllcache\srv.sys
2008-10-16 10:01 . 2008-08-14 05:11 2,189,184 --a--c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-16 10:01 . 2008-08-14 05:09 2,145,280 --a--c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-16 10:01 . 2008-09-15 07:12 1,846,400 --a--c--- c:\windows\system32\dllcache\win32k.sys
2008-10-16 10:00 . 2008-08-14 04:33 2,066,048 --a--c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-16 10:00 . 2008-08-14 04:33 2,023,936 --a--c--- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-07 06:57 --------- d-----w c:\program files\QuickTime
2008-11-07 06:55 --------- d-----w c:\program files\Common Files\Real
2008-11-06 04:51 --------- d-----w c:\program files\Kaspersky Lab
2008-11-06 04:42 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-06 04:42 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-02 18:57 --------- d-----w c:\program files\Trend Micro
2008-11-02 05:31 --------- d-----w c:\program files\LimeWire
2008-10-23 14:57 --------- d-----w c:\program files\Microsoft Silverlight
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-12 21:33 --------- d-----w c:\documents and settings\Edlaze500\Application Data\Move Networks
2008-09-11 23:23 --------- d-----w c:\documents and settings\Edlaze500\Application Data\Leadertech
2008-09-05 20:55 77,824 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\WinVerifyTrust.dll
2008-09-05 20:55 159,744 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\PCHButton.exe
2008-09-05 20:55 122,880 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\SearchCtrl.dll
2008-09-05 20:54 49,152 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\PCHI18N.dll
2008-09-05 20:54 420,432 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\pchplugin.zip
2008-09-05 20:54 126,976 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\ContentUpdater.exe
2008-09-05 20:54 106,496 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\PluginCtrl.dll
2008-09-05 20:53 1,306,152 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\motdeusr.zip
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2005-01-27 02:07 0 --sh--r c:\program files\q330994.exe
2005-01-27 02:07 0 --sh--r c:\windows\dlm.exe
2005-01-27 02:07 0 --sh--r c:\windows\ntldr.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"NVIEW"="nview.dll" [2003-07-28 c:\windows\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2008-04-13 50176]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KYE_Showicon"="c:\program files\USB Storage RW\shwicon.exe" [2002-10-25 69632]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 69632]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"WCOLOREAL"="c:\program files\Coloreal\coloreal.exe" [2002-11-26 131072]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472]
"ServiceLayer"="c:\program files\Common Files\Nokia\Services\ServiceLayer.exe" [2002-10-16 69632]
"Nokia Tray Application"="c:\program files\Common Files\Nokia\NCLTools\NclTray.exe" [2002-10-22 598016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-07-28 49152]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"DVDTray"="c:\program files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 65536]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"ABBYY Community Agent"="c:\program files\ABBYY FineReader 5.0 Sprint\CAgent.exe" [2002-03-20 253952]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
"nwiz"="nwiz.exe" [2003-07-28 c:\windows\system32\nwiz.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DIVXc32.dll
"vidc.DIV4"= DIVXc32f.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Cisco Systems\\VPN Client\\vpngui.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\eMule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
R3 hcwPVRP2;Hauppauge WinTV PVR PCI II (Encoder);c:\windows\system32\DRIVERS\hcwPVRP2.sys [2003-02-19 1031520]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
R3 RimSerPort;RIM Virtual Serial Port;c:\windows\system32\DRIVERS\RimSerial.sys [2004-08-06 17920]
S3 pc22nd5;Toshiba PCX2200 USB Cable Modem networking driver (NDIS);c:\windows\system32\DRIVERS\pc22nd5.sys [2001-11-09 17648]
S3 pc22unic;Toshiba PCX2200 USB Cable Modem WDM driver;c:\windows\system32\DRIVERS\pc22unic.sys [2001-11-09 69744]
S3 PCDRDRV;Pcdr Helper Driver;c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [ ]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-08 21:48:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-08 21:53:21
ComboFix-quarantined-files.txt 2008-11-09 02:52:41
ComboFix2.txt 2008-11-08 08:13:04

Pre-Run: 10,739,957,760 bytes free
Post-Run: 10,741,198,848 bytes free

223 --- E O F --- 2008-10-24 22:01:58



# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3597 (20081108)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=c163db1d8b2b6145a9137a5459c00ddc
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-11-09 05:21:01
# local_time=2008-11-09 12:21:01 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=720500
# found=7
# scan_time=8183
C:\Documents and Settings\Edlaze500\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-4b9c0e39-5851bd08.zip Java/TrojanDownloader.OpenStream.NAA trojan (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Edlaze500\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-4b9c0e39-5851bd08.zip »ZIP »OP.class Java/TrojanDownloader.OpenStream.NAA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-Submit_2008-11-08@21.41.zip Win32/Adware.GooochiBiz application (deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-Submit_2008-11-08@21.41.zip »ZIP »tljcdpkpffbgtpt.dll Win32/Adware.GooochiBiz application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkhysqg.dll.vir Win32/Adware.Virtumonde.NDF application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\msxml71.dll.vir Win32/Adware.BHO.NEW application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\wpv106.cpx.vir Win32/TrojanDownloader.Agent.OKY trojan (unable to clean - deleted) 00000000000000000000000000000000


_________________________________________________________________________________


File: erib.bin
Status: OK
MD5: cff28e70d27c3035809f8c2e9d9f012f
Packers detected: -


Scanner results
Scan taken on 09 Nov 2008 07:28:40 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
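Several details in the ComboFix log above are worth pulling out systematically rather than by eye: the Security Center notification values set to 1, the Kaspersky entry marked DisableMonitoring, the Windows Firewall turned off for the standard profile with a global exception for TCP 3389 (Remote Desktop), and the run of At1.job through At24.job files removed from c:\windows\Tasks, which is a scheduler-based persistence pattern rather than anything a user sets up by hand. The script below is an example added by the editor; it is not code from the original post, from ComboFix or from the thread's helpers. It parses the "Other Deletions" and "Reg Loading Points" sections of a ComboFix log and flags those items. SAMPLE_LOG is a constructed excerpt modelled on the log in this post, and the wording of the findings is the editor's own. One caveat a responder should keep in mind: a third-party suite such as the Kaspersky Internet Security installed on this machine can legitimately register DisableMonitoring with Security Center and replace the Windows Firewall with its own, so treat the output as items to confirm against what is installed, not as verdicts.

```python
"""Triage a ComboFix log for weakened host defences and AT-job persistence.

Editor's example; not part of the original post or of ComboFix.
"""
import re

# Constructed excerpt modelled on the ComboFix log posted above (sample input only).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\cvchost.exe
c:\windows\system32\tljcdpkpffbgtpt.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At24.job
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

SECTION_RE = re.compile(r'^\(+\s*(.*?)\s*\)+\s*$')      # "(((( Section Name ))))"
KEY_RE = re.compile(r'^\[(.+)\]$')                       # "[HKLM\...]"
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')         # "Name"=value
AT_JOB_RE = re.compile(r'\\tasks\\at(\d+)\.job$', re.IGNORECASE)


def parse_value(raw):
    """Normalise the value forms ComboFix prints: dword:XXXXXXXX, 'N (0xN)', or raw text."""
    raw = raw.strip()
    m = re.fullmatch(r'dword:([0-9a-fA-F]{8})', raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r'(\d+)\s*\(0x[0-9a-fA-F]+\)', raw)
    if m:
        return int(m.group(1))
    return raw


def parse_log(text):
    """Return (deleted_paths, reg) where reg maps (registry key, value name) -> parsed value."""
    deleted, reg = [], {}
    section, key = None, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == '.':
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
            continue
        if section == 'Other Deletions':
            deleted.append(line)
        elif section == 'Reg Loading Points':
            m = KEY_RE.match(line)
            if m:
                key = m.group(1)
                continue
            m = VALUE_RE.match(line)
            if m and key:
                reg[(key, m.group(1))] = parse_value(m.group(2))
    return deleted, reg


def triage(text):
    """Flag Security Center / firewall tampering and numbered At*.job scheduler persistence."""
    deleted, reg = parse_log(text)
    findings = []
    for (key, name), value in sorted(reg.items()):
        k = key.lower()
        if k.endswith('security center') and name.endswith('DisableNotify') and value == 1:
            findings.append(f'Security Center notification suppressed: {name}')
        elif '\\security center\\monitoring\\' in k and name == 'DisableMonitoring' and value == 1:
            product = key.split('\\')[-1]
            findings.append(f'Security Center monitoring disabled for {product}')
        elif k.endswith('firewallpolicy\\standardprofile') and name == 'EnableFirewall' and value == 0:
            findings.append('Windows Firewall disabled (standard profile)')
        elif k.endswith('globallyopenports\\list'):
            findings.append(f'Firewall exception opens inbound port {name}')
    jobs = []
    for path in deleted:
        m = AT_JOB_RE.search(path)
        if m:
            jobs.append(int(m.group(1)))
    jobs.sort()
    if jobs:
        findings.append(f'{len(jobs)} numbered At*.job scheduler tasks removed (At{jobs[0]}..At{jobs[-1]})')
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against a full ComboFix.txt by reading the file into triage() instead of SAMPLE_LOG; the section headers and value formats are the ones ComboFix itself prints, so the parser needs no changes for the log in this post.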