11-16-2008, 10:54 PM   #7
sirav
Registered User
 
Join Date: Nov 2008
Posts: 9
OS: XP SP3


Re: Trojan.Packed.NsAnti

Thanks for the continued support, Chemist. All done as directed. The file was successfully submitted to Combofix as you said would occur. Logs follow:

Add-Remove Programs.txt

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
AOL Australia
AOL|7 Broadband Demo
AutoUpdate
Belkin Automatic Power Management Software
Canon MF Toolbox 4.9.1.1.mf03
Canon MF4100 Series
Canon MX310 series
CC_ccProxyExt
ccCommon
ccPxyCore
Common-Use Signing Interface
Compatibility Pack for the 2007 Office system
Conexant D850 56K V.9x DFVc Modem
ConvertXtoDVD 2.2.3.258
CSI Management Utility
Dell Support 3.1
Dell System Restore
Digital Line Detect
DivX
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
ECI Client v5.0
foobar2000 v0.9.5.5
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
ImgBurn
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Java 2 Runtime Environment, SE v1.4.2_03
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Small Business
Microsoft Works 7.0
Modem Helper
Mozilla Firefox (3.0.4)
MSRedist
MSXML 4.0 SP2 (KB936181)
MYOB Accountants Office Tax v11.0.0
MYOB Accounting Plus v13
MYOB Accounting Plus v13.5
MYOB Accounting Plus v14
MYOB Accounting Plus v15
MYOB Accounting Plus v16
MYOB Accounting Plus v17
MYOB Accounting Plus v18
MYOB AssetManager Pro v2.0.1
MYOB CompanyFileManager
MYOB ODBC Direct v7
MYOB ODBC Direct v8 AUS
MYOB PowerPay v8.5.2
MYOB Premier v10
MYOB Premier v11
MYOB Premier v12
NetWaiting
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton Security Center
Norton WMI Update
PowerDVD 5.5
QNAP Finder
QuickBooks Pro 2008-09
QuickTime
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SPBBC
Super Flexible File Synchronizer v4.42b
SupportSoft Assisted Service
Symantec Network Drivers Update
Symantec Script Blocking Installer
SymNet
Update for Windows XP (KB951072-v2)
Viewpoint Media Player (Remove Only)
Vuze
WebCyberCoach 3.2 Dell
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows XP Service Pack 3
WinRAR archiver
WinZip

Combofix Quarantined Files.txt

2008-09-17 12:29:02 A------- 87,608 C:\Qoobox\Quarantine\C\Documents and Settings\Varis\Application Data\inst.exe.vir
2008-11-06 17:50:17 A------- 104,448 C:\Qoobox\Quarantine\C\WINDOWS\system32\ckvo.exe.vir
2008-11-06 17:50:44 A------- 104,448 C:\Qoobox\Quarantine\C\xih9.cmd.vir
2008-11-13 17:41:35 A------- 378 C:\Qoobox\Quarantine\catchme.log
2008-11-13 19:08:18 A------- 7,287 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-11-13 19:08:37 A------- 437 C:\Qoobox\Quarantine\M\autorun.inf.vir
2008-11-13 19:08:37 A------- 104,448 C:\Qoobox\Quarantine\M\xih9.cmd.vir
2008-11-13 19:08:55 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-11-13 19:08:55 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-11-13 19:08:55 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-11-14 02:42:29 A------- 437 C:\Qoobox\Quarantine\C\autorun.inf.vir
2008-11-14 10:21:58 A------- 437 C:\Qoobox\Quarantine\K\autorun.inf.vir

Combofix.txt

ComboFix 08-11-16.04 - Varis 2008-11-17 14:36:04.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.541 [GMT 9:00]
Running from: c:\documents and settings\Varis\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Varis\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gasretyw0.dll
c:\windows\system32\gasretyw1.dll
c:\windows\system32\kamsoft.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-17 to 2008-11-17 )))))))))))))))))))))))))))))))
.

2008-11-14 15:33 . 2008-11-14 15:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-14 15:33 . 2008-11-14 15:33 <DIR> d-------- c:\documents and settings\Varis\Application Data\Malwarebytes
2008-11-14 15:33 . 2008-11-14 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-14 15:33 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-14 15:33 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-14 10:05 . 2008-11-14 10:05 2,584 --a------ C:\autorun.PNF
2008-11-13 14:12 . 2008-11-13 14:12 105 --a------ c:\windows\mapiuid.ini
2008-11-03 11:23 . 2008-11-03 11:23 <DIR> d-------- c:\program files\MSECache
2008-10-27 12:13 . 2008-10-27 12:13 <DIR> d-------- c:\program files\Common Files\supportsoft
2008-10-27 12:13 . 2006-07-21 13:40 1,933,312 --a------ c:\windows\system32\cdintf251.dll
2008-10-27 12:10 . 2008-10-27 12:10 <DIR> d-------- c:\windows\Intuit
2008-10-27 12:10 . 2008-10-27 12:10 <DIR> d-------- c:\program files\Common Files\AnswerWorks 4.0
2008-10-27 12:09 . 2008-10-27 12:09 <DIR> d-------- c:\program files\Intuit
2008-10-27 12:09 . 2008-10-27 12:11 <DIR> d-------- c:\program files\Common Files\Intuit
2008-10-27 12:09 . 2008-10-27 12:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Intuit
2008-10-27 12:09 . 2008-10-27 12:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\COMMON FILES
2008-10-27 12:07 . 2008-10-27 12:07 <DIR> d-------- c:\temp\ThirdParty
2008-10-27 12:07 . 2008-10-27 12:07 <DIR> d-------- c:\temp\Support
2008-10-27 12:07 . 2008-10-27 12:07 <DIR> d-------- c:\temp\RTL
2008-10-27 12:07 . 2008-10-27 12:07 <DIR> d-------- c:\temp\resources
2008-10-27 12:07 . 2008-10-27 12:07 <DIR> d-------- c:\temp\QBTimer
2008-10-27 12:06 . 2008-10-27 12:07 <DIR> d-------- c:\temp\QBooks
2008-10-27 12:06 . 2008-10-27 12:06 <DIR> d-------- c:\temp\nz_prod
2008-10-27 12:06 . 2008-10-27 12:06 <DIR> d-------- c:\temp\nz
2008-10-27 12:06 . 2008-10-27 12:06 <DIR> d-------- c:\temp\images
2008-10-27 12:06 . 2008-10-27 12:06 <DIR> d-------- c:\temp\flash_images
2008-10-27 12:06 . 2008-10-27 12:06 <DIR> d-------- c:\temp\aus_prod
2008-10-27 12:06 . 2008-10-27 12:06 <DIR> d-------- c:\temp\aus
2008-10-27 12:06 . 2008-10-27 12:06 <DIR> d-------- c:\temp\asia
2008-10-27 12:06 . 2008-10-27 12:07 <DIR> d-------- C:\TEMP
2008-10-24 10:54 . 2008-10-24 10:54 <DIR> d-------- c:\documents and settings\Varis\Application Data\ImgBurn
2008-10-24 10:53 . 2008-10-24 10:53 <DIR> d-------- c:\program files\ImgBurn
2008-10-22 09:35 . 2008-10-22 09:35 <DIR> d-------- c:\windows\system32\scripting
2008-10-22 09:35 . 2008-10-22 09:35 <DIR> d-------- c:\windows\system32\en
2008-10-22 09:35 . 2008-10-22 09:35 <DIR> d-------- c:\windows\system32\bits
2008-10-22 09:35 . 2008-10-22 09:35 <DIR> d-------- c:\windows\l2schemas
2008-10-22 09:32 . 2008-10-22 09:32 <DIR> d-------- c:\windows\ServicePackFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-17 04:35 --------- d-----w c:\program files\Accountants Office
2008-11-17 00:34 --------- d-----w c:\program files\Belkin Automatic Power Management Software
2008-11-17 00:10 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-13 04:42 --------- d-----w c:\program files\ECIClientV5
2008-11-12 07:50 --------- d-----w c:\program files\Norton Internet Security
2008-11-11 06:23 --------- d-----w c:\documents and settings\Varis\Application Data\foobar2000
2008-11-07 02:03 --------- d-----w c:\program files\foobar2000
2008-11-03 04:38 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-22 04:30 --------- d-----w c:\documents and settings\Varis\Application Data\Azureus
2008-10-14 07:10 --------- d-----w c:\program files\SuperFlexible
2008-10-14 07:10 --------- d-----w c:\documents and settings\Varis\Application Data\SuperFlexibleSynchronizer
2008-10-14 07:10 --------- d-----w c:\documents and settings\All Users\Application Data\SuperFlexibleSynchronizer
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-10-01 04:33 --------- d--h--w c:\documents and settings\All Users\Application Data\CanonBJ
2008-10-01 04:32 --------- d--h--w c:\program files\CanonBJ
2008-09-26 06:05 --------- d-----w c:\documents and settings\Varis\Application Data\CyberLink
2008-09-26 05:55 --------- d-----w c:\program files\DVD Decrypter
2008-09-19 06:54 --------- d-----w c:\documents and settings\Varis\Application Data\Canon
2008-09-19 04:55 --------- d-----w c:\program files\Canon
2008-09-17 09:23 --------- d-----w c:\documents and settings\Varis\Application Data\Sonic
2008-09-17 09:22 --------- d-----w c:\documents and settings\Varis\Application Data\Leadertech
2008-09-17 07:48 --------- d-----w c:\documents and settings\Varis\Application Data\Vso
2008-09-17 05:23 --------- d-----w c:\program files\DivX
2008-09-17 03:29 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2008-09-17 03:29 47,360 ----a-w c:\documents and settings\Varis\Application Data\pcouffin.sys
2008-09-17 03:29 --------- d-----w c:\program files\VSO
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-09-08 06:21 60,156 ----a-w c:\windows\system32\jspWinNm.DLL
2008-09-08 06:21 56,320 ----a-w c:\windows\system32\smemory.dll
2008-09-08 06:21 53,248 ----a-w c:\windows\system32\jspWinRni.DLL
2008-09-08 06:21 51,200 ----a-w c:\windows\system32\TrayIcon12.dll
2008-09-08 06:21 45,056 ----a-w c:\windows\system32\jspWin.dll
2008-09-08 06:21 35,992 ----a-w c:\windows\system32\jspWinRnia.DLL
2008-08-27 08:24 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.PNF -- Not a PE file.
MD5: cbb0e040082ee5932a910319a07f08b2


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2005-05-15 332800]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-08 49512]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2008-09-08 100056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-08 77824]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 c:\windows\stsystra.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"BelkinAPM"="c:\program files\Belkin Automatic Power Management Software\BelkinAPM.exe" [2008-09-08 112640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 7.0 Tray Icon.lnk - c:\program files\AOL 7.0\aoltray.exe [11/16/2005 3:10:29 PM 32842]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [11/16/2005 3:09:58 PM 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2/18/1999 5:05:56 AM 65588]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [4/29/2008 10:44:54 PM 969792]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [9/9/2008 11:13:02 AM 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008-09\\QBDBMgrN.exe"=

R2 BelkinAPM;BelkinAPM;c:\progra~1\BELKIN~1\BELKIN~1.EXE -zglaxservice BelkinAPM []
R3 BelkinAPMmonitor;BelkinAPMmonitor;c:\progra~1\BELKIN~1\BELKIN~4.EXE -zglaxservice BelkinAPMmonitor []
R3 BelkinAPMRMI;BelkinAPMRMI;c:\progra~1\BELKIN~1\BELKIN~3.EXE -zglaxservice BelkinAPMRMI []
S3 BelkinAPMmanager;BelkinAPMmanager;c:\progra~1\BELKIN~1\BE8806~1.EXE -zglaxservice BelkinAPMmanager []
.
Contents of the 'Scheduled Tasks' folder

2008-11-07 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Varis.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-10-07 13:47]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-17 14:37:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-17 14:38:29
ComboFix-quarantined-files.txt 2008-11-17 05:38:25
ComboFix2.txt 2008-11-14 01:22:47
ComboFix3.txt 2008-11-13 16:15:27
ComboFix4.txt 2008-11-13 13:07:53
ComboFix5.txt 2008-11-17 05:35:11

Pre-Run: 95,981,604,864 bytes free
Post-Run: 95,971,241,984 bytes free

169 --- E O F --- 2008-10-22 00:41:49

New Hijackthis.txt

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:45:09 PM, on 17/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\BELKIN~1\BELKIN~1.EXE
C:\Program Files\Belkin Automatic Power Management Software\jre\bin\javaw.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\BELKIN~1\BELKIN~4.EXE
C:\Program Files\Belkin Automatic Power Management Software\jre\bin\javaw.exe
C:\PROGRA~1\BELKIN~1\BELKIN~3.EXE
C:\Program Files\Belkin Automatic Power Management Software\jre\bin\javaw.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Downloads\Hijack This 2.0\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [BelkinAPM] C:\Program Files\Belkin Automatic Power Management Software\BelkinAPM.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BelkinAPM - ZeroG Software - C:\PROGRA~1\BELKIN~1\BELKIN~1.EXE
O23 - Service: BelkinAPMmanager - ZeroG Software - C:\PROGRA~1\BELKIN~1\BE8806~1.EXE
O23 - Service: BelkinAPMmonitor - ZeroG Software - C:\PROGRA~1\BELKIN~1\BELKIN~4.EXE
O23 - Service: BelkinAPMRMI - ZeroG Software - C:\PROGRA~1\BELKIN~1\BELKIN~3.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--

End of file - 8308 bytes
_______

Thanks again, Chemist.