ComboFix results:
ComboFix 08-11-12.01 - Dell User 2008-11-13 22:39:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.83 [GMT -5:00]
Running from: c:\documents and settings\Dell User\Desktop\ComboFix.exe
* Created a new restore point
.
The following files were disabled during the run:
c:\windows\system32\semajosu.dll
c:\windows\system32\yanohide.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\bold.log
c:\documents and settings\Dell User\Local Settings\Temporary Internet Files\delesa.dat
c:\documents and settings\Dell User\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Dell User\Local Settings\Temporary Internet Files\ifosotyz.com
c:\documents and settings\Dell User\Local Settings\Temporary Internet Files\onutepu.reg
c:\windows\wiaserviv.log
.
((((((((((((((((((((((((( Files Created from 2008-10-14 to 2008-11-14 )))))))))))))))))))))))))))))))
.
2008-11-13 18:26 . 2008-11-13 18:26 268 --ah----- C:\sqmdata08.sqm
2008-11-13 18:26 . 2008-11-13 18:26 244 --ah----- C:\sqmnoopt08.sqm
2008-11-13 18:15 . 2008-11-13 18:15 120 ---hs---- c:\windows\system32\ehepabep.ini
2008-11-13 00:43 . 2008-11-13 00:43 268 --ah----- C:\sqmdata07.sqm
2008-11-13 00:43 . 2008-11-13 00:43 244 --ah----- C:\sqmnoopt07.sqm
2008-11-12 22:32 . 2008-11-12 22:32 268 --ah----- C:\sqmdata06.sqm
2008-11-12 22:32 . 2008-11-12 22:32 244 --ah----- C:\sqmnoopt06.sqm
2008-11-12 22:28 . 2008-11-12 22:28 268 --ah----- C:\sqmdata05.sqm
2008-11-12 22:28 . 2008-11-12 22:28 244 --ah----- C:\sqmnoopt05.sqm
2008-11-12 21:31 . 2008-11-12 21:35 250 --a------ c:\windows\gmer.ini
2008-11-12 20:57 . 2008-11-12 20:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-12 20:57 . 2008-11-12 20:57 95 --a------ c:\windows\wininit.ini
2008-11-12 20:11 . 2008-11-12 20:11 <DIR> d-------- c:\documents and settings\Administrator
2008-11-12 20:09 . 2008-11-12 20:09 268 --ah----- C:\sqmdata04.sqm
2008-11-12 20:09 . 2008-11-12 20:09 244 --ah----- C:\sqmnoopt04.sqm
2008-11-12 08:18 . 2008-11-12 08:18 268 --ah----- C:\sqmdata03.sqm
2008-11-12 08:18 . 2008-11-12 08:18 244 --ah----- C:\sqmnoopt03.sqm
2008-11-11 23:39 . 2008-11-11 23:43 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-11 23:39 . 2008-11-12 08:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-11 23:25 . 2008-11-11 23:25 268 --ah----- C:\sqmdata02.sqm
2008-11-11 23:25 . 2008-11-11 23:25 244 --ah----- C:\sqmnoopt02.sqm
2008-11-11 23:01 . 2008-11-11 23:01 268 --ah----- C:\sqmdata01.sqm
2008-11-11 23:01 . 2008-11-11 23:01 244 --ah----- C:\sqmnoopt01.sqm
2008-11-11 22:58 . 2008-11-13 18:24 <DIR> dr------- c:\program files\Norton Support
2008-11-11 21:53 . 2008-11-11 21:53 268 --ah----- C:\sqmdata00.sqm
2008-11-11 21:53 . 2008-11-11 21:53 244 --ah----- C:\sqmnoopt00.sqm
2008-11-10 21:44 . 2008-11-10 21:44 <DIR> d--hs---- C:\found.000
2008-11-09 16:04 . 2008-11-09 16:04 <DIR> d-------- c:\program files\Symantec
2008-11-09 16:04 . 2008-11-09 16:07 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-11-09 16:04 . 2008-11-09 16:04 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-09 16:04 . 2008-11-09 16:04 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-11-09 16:04 . 2008-11-09 16:04 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-11-09 16:04 . 2008-11-09 16:04 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-09 16:04 . 2008-11-09 16:04 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-11-09 16:03 . 2008-11-09 16:03 <DIR> d-------- c:\windows\system32\drivers\NAV
2008-11-09 16:03 . 2008-11-09 16:03 <DIR> d-------- c:\program files\Windows Sidebar
2008-11-09 16:03 . 2008-11-09 16:03 <DIR> d-------- c:\program files\Norton AntiVirus
2008-11-09 16:02 . 2008-11-09 16:02 <DIR> d-------- c:\program files\NortonInstaller
2008-11-09 16:02 . 2008-11-09 16:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-11-09 16:02 . 2008-11-09 16:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2008-11-09 16:01 . 2008-11-09 16:01 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files
2008-11-08 22:13 . 2008-11-08 22:13 <DIR> d-------- c:\program files\Eusing Free Registry Cleaner
2008-11-08 13:51 . 2008-11-08 13:51 18,673 --a------ c:\windows\velefygova.lib
2008-11-08 13:51 . 2008-11-08 13:51 17,229 --a------ c:\documents and settings\Dell User\Application Data\eber.dat
2008-11-08 13:51 . 2008-11-08 13:51 16,308 --a------ c:\windows\zodicy.inf
2008-11-08 13:51 . 2008-11-08 13:51 15,443 --a------ c:\windows\risur.sys
2008-11-08 13:51 . 2008-11-08 13:51 14,575 --a------ c:\documents and settings\All Users\Application Data\axyma.dll
2008-11-08 13:51 . 2008-11-08 13:51 13,875 --a------ c:\windows\ijydewijyw.com
2008-11-08 13:51 . 2008-11-08 13:51 12,917 --a------ c:\documents and settings\Dell User\Application Data\vocih.com
2008-11-08 13:51 . 2008-11-08 13:51 12,711 --a------ c:\windows\wysyfil.inf
2008-11-08 13:51 . 2008-11-08 13:51 11,975 --a------ c:\windows\ulefy.lib
2008-11-08 13:51 . 2008-11-08 13:51 10,370 --a------ c:\windows\bynarem.inf
2008-11-08 13:51 . 2008-11-08 13:51 10,235 --a------ c:\documents and settings\Dell User\Application Data\ecurahawov.bat
2008-11-08 13:51 . 2008-11-08 13:51 10,224 --a------ c:\windows\aqitixyjyr.com
2008-11-08 11:05 . 2008-11-08 11:05 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-11-08 10:58 . 2008-11-08 10:58 <DIR> d--hs---- c:\documents and settings\Dell User\PrivacIE
2008-11-08 10:53 . 2008-04-13 19:11 81,920 --a------ c:\windows\system32\ieencode.dll
2008-11-07 22:27 . 2008-11-07 22:27 <DIR> d-------- c:\program files\Trend Micro
2008-11-07 22:09 . 2008-11-07 22:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-07 22:09 . 2008-11-07 22:09 <DIR> d-------- c:\documents and settings\Dell User\Application Data\Malwarebytes
2008-11-07 22:09 . 2008-11-07 22:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-07 22:09 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-07 22:09 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-02 17:27 . 2008-11-02 17:26 31,744 --a------ c:\windows\system32\351aT70U.exe
2008-10-23 18:36 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-18 18:19 . 2008-10-18 19:55 <DIR> d-------- C:\Daddys Europe Pics
2008-10-18 14:51 . 2008-10-18 16:25 <DIR> d-------- C:\Mamas Europe Pictures
2008-10-17 18:32 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-17 18:32 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-17 18:32 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-17 18:32 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-17 18:32 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-17 18:32 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-13 23:15 92,724 ----a-w c:\windows\system32\yanohide.dll.vir
2008-11-13 23:15 85,044 --sha-w c:\windows\system32\pebapehe.dll
2008-11-12 12:09 92,212 --sha-w c:\windows\system32\zowirewa.dll
2008-11-11 01:47 --------- d-----w c:\program files\PokerStars
2008-11-08 18:51 17,060 ----a-w c:\program files\Common Files\ikaf.db
2008-11-08 18:51 13,223 ----a-w c:\program files\Common Files\agylob._sy
2008-11-08 15:34 --------- d-----w c:\program files\Google
2008-11-07 01:48 --------- d-----w c:\program files\TMG
2008-11-07 01:48 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-09-27 01:30 --------- d-----w c:\documents and settings\Dell User\Application Data\LimeWire
2008-09-21 13:24 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-09-21 13:22 --------- d-----w c:\program files\Lavasoft
2008-09-21 13:22 --------- d-----w c:\documents and settings\Dell User\Application Data\Lavasoft
2008-09-21 13:20 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-09-21 13:15 --------- d-----w c:\documents and settings\Dell User\Application Data\Move Networks
2008-09-21 04:43 --------- d-----w c:\program files\MSN Messenger
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
2008-11-09 13:30 522224 --a------ c:\program files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-06-24 4800512]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 655360]
"WG511WLU"="c:\program files\NETGEAR\WG511\Utility\WG511WLU.exe" [2004-11-09 475136]
"nwiz"="nwiz.exe" [2003-06-24 c:\windows\system32\nwiz.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-12 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\logonui.exe"=
"c:\\WINDOWS\\system32\\winlogon.exe"=
"c:\\WINDOWS\\system32\\lsass.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1000000.07D\SYMEFA.SYS [2008-11-09 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [2008-11-09 254512]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1000000.07D\ccHPx86.sys [2008-11-09 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081110.001\IDSxpx86.sys [2008-11-09 274808]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe /s Norton AntiVirus /m c:\program files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll [ ]
R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2002-04-11 16194]
R3 Ich;Ich;c:\windows\system32\DRIVERS\Ich.sys [2002-01-13 65916]
R3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\DRIVERS\WG511ICB.sys [2005-02-16 352256]
.
Contents of the 'Scheduled Tasks' folder
2008-11-12 c:\windows\Tasks\At1.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-12 c:\windows\Tasks\At10.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-08 c:\windows\Tasks\At11.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-08 c:\windows\Tasks\At12.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-02 c:\windows\Tasks\At13.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-09 c:\windows\Tasks\At14.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-09 c:\windows\Tasks\At15.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-09 c:\windows\Tasks\At16.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-09 c:\windows\Tasks\At17.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-09 c:\windows\Tasks\At18.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-09 c:\windows\Tasks\At19.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-12 c:\windows\Tasks\At2.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-10 c:\windows\Tasks\At20.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-12 c:\windows\Tasks\At21.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-12 c:\windows\Tasks\At22.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-13 c:\windows\Tasks\At23.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-13 c:\windows\Tasks\At24.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-12 c:\windows\Tasks\At3.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-12 c:\windows\Tasks\At4.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-12 c:\windows\Tasks\At5.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-12 c:\windows\Tasks\At6.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-12 c:\windows\Tasks\At7.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-12 c:\windows\Tasks\At8.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
2008-11-12 c:\windows\Tasks\At9.job
- c:\windows\system32\351aT70U.exe [2008-11-02 17:26]
.
- - - - ORPHANS REMOVED - - - -
BHO-{2c9081fb-6817-49e3-8d06-80b6abc86da0} - c:\windows\system32\hozegupo.dll
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yanohide.dll
SSODL-SSODL-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yanohide.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Dell User\Application Data\Mozilla\Firefox\Profiles\5dmyrmy4.default\
FF -: plugin - c:\program files\Adobe\Acrobat 6.0\Acrobat\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-11-13 22:45:34
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\wuauclt.exe.wusetup.300962.bak 53448 bytes executable
c:\windows\system32\wuaueng.dll.wusetup.307211.bak 1811656 bytes executable
scan completed successfully
hidden files: 2
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-13 22:52:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-14 03:52:09
Pre-Run: 2,727,362,560 bytes free
Post-Run: 2,809,360,384 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
264 --- E O F --- 2008-10-24 00:03:19