Tech Support Forum - View Single Post - Possible Malware/Spyware problems or something else?

Bartster76 · 12-06-2008, 08:34 AM

ComboFix 08-12-05.06 - Josh 2008-12-06 10:20:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.989 [GMT -5:00]
Running from: c:\documents and settings\Josh\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\documents and settings\Josh\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Josh\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\asayabaj.ini
c:\windows\system32\asegusen.ini
c:\windows\system32\bidefapi.dll
c:\windows\system32\epulinaf.ini
c:\windows\system32\eyukulut.ini
c:\windows\system32\fanilupe.dll
c:\windows\system32\fesonebe.dll
c:\windows\system32\fotagehi.dll
c:\windows\system32\gejiliku.dll
c:\windows\system32\girazozi.dll
c:\windows\system32\gisimoko.dll
c:\windows\system32\gokojula.dll
c:\windows\system32\gubiyeli.dll
c:\windows\system32\gufevisa.dll
c:\windows\system32\haweguma.dll
c:\windows\system32\ilebisow.ini
c:\windows\system32\ilefiguv.ini
c:\windows\system32\ileyibug.ini
c:\windows\system32\iwotunay.ini
c:\windows\system32\iyomiyif.ini
c:\windows\system32\izozarig.ini
c:\windows\system32\jabayasa.dll
c:\windows\system32\jakolara.dll
c:\windows\system32\jewomito.dll
c:\windows\system32\kokagofi.dll
c:\windows\system32\kovewoso.dll
c:\windows\system32\lajoreju.dll
c:\windows\system32\mokahodi.dll
c:\windows\system32\nesugesa.dll
c:\windows\system32\nunajimo.dll
c:\windows\system32\pigubeja.dll
c:\windows\system32\posiviwu.dll
c:\windows\system32\rekowuwu.dll
c:\windows\system32\rufozeri.dll
c:\windows\system32\satigofu.dll
c:\windows\system32\sewowuva.dll
c:\windows\system32\tarazuru.dll
c:\windows\system32\torovoni.dll
c:\windows\system32\tulukuye.dll
c:\windows\system32\ufogitas.ini
c:\windows\system32\ujerojal.ini
c:\windows\system32\uwuwoker.ini
c:\windows\system32\vugifeli.dll
c:\windows\system32\wosibeli.dll
c:\windows\system32\x4
c:\windows\system32\yanutowi.dll

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
hxxp://updates.pitt.edu
.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-05 11:19 . 2008-12-05 11:29 250 --a------ c:\windows\gmer.ini
2008-12-04 22:54 . 2008-12-05 11:14 <DIR> d-------- c:\documents and settings\Josh\.housecall6.6
2008-12-01 05:42 . 2008-12-01 05:42 2,713 ---hs---- c:\windows\system32\dugiwise.exe
2008-11-30 23:25 . 2008-11-30 23:25 <DIR> d-------- C:\$WIN_NT$.~BT
2008-11-30 23:00 . 2007-03-15 11:03 478,292 -ra------ C:\txtsetup.sif
2008-11-30 23:00 . 2004-08-04 05:00 260,272 -ra------ C:\$LDR$
2008-11-28 17:45 . 2008-12-02 01:33 412 --a------ c:\windows\wininit.ini
2008-11-27 16:07 . 2008-11-27 19:00 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-11-26 11:36 . 2008-11-26 11:36 <DIR> d-------- c:\program files\Google
2008-11-25 02:09 . 2008-12-03 23:58 <DIR> d-------- c:\documents and settings\Josh\Application Data\U3
2008-11-23 00:36 . 2008-11-23 00:36 <DIR> d-------- c:\windows\system32\mp
2008-11-23 00:36 . 2008-11-23 01:12 <DIR> d-------- c:\windows\system32\ID2
2008-11-23 00:36 . 2008-11-23 00:36 <DIR> d-------- c:\windows\system32\gp2
2008-11-23 00:36 . 2008-11-23 00:36 <DIR> d-------- c:\windows\system32\dim
2008-11-23 00:36 . 2008-11-23 00:36 <DIR> d-------- c:\temp\FT62
2008-11-23 00:36 . 2008-11-23 00:36 115,016 --a------ c:\windows\system32\MSINET.OCX
2008-11-23 00:36 . 2008-11-23 00:36 29,184 --a------ c:\windows\system32\MSINET.oca
2008-11-23 00:36 . 2008-11-23 00:36 2,407 --a------ c:\windows\system32\MSINET.DEP
2008-11-12 07:35 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 07:34 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-08 11:57 . 2008-11-08 19:36 <DIR> d-------- c:\documents and settings\Josh\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 15:22 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-05 16:24 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-05 16:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-27 16:00 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-27 08:00 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-23 02:10 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2008-11-23 02:10 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2008-10-27 02:48 --------- d-----w c:\documents and settings\Josh\Application Data\Malwarebytes
2008-10-27 02:48 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-27 02:44 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-27 01:31 --------- d-----w c:\program files\Applications
2008-10-25 23:54 --------- d-----w c:\documents and settings\LocalService\Application Data\Talkback
2008-10-24 13:19 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-06 03:07 --------- d-----w c:\program files\DivX
2005-07-12 18:20 1,445,888 ----a-w c:\program files\WinsockFix.exe
2008-05-15 19:35 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051520080516\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-26 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="c:\windows\READREG" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2002-12-18 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-05-27 124656]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-01-10 5513216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 270336]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"MaxtorOneTouch"="c:\program files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 712704]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"AsioReg"="CTASIO.DLL" [2003-11-13 c:\windows\system32\CTASIO.DLL]
"CTHelper"="CTHELPER.EXE" [2004-03-11 c:\windows\system32\CTHELPER.EXE]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\LogiShrd\\LComMgr\\Communications_Helper.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R rpcnetp;rpcnetp; []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-09-18 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-18 99376]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\DRIVERS\ADM8511.SYS [2006-08-27 20160]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2006-05-27 115952]
S3 usb20l;SMC EZ Networking Compact 10/100 USB 2.0 Adapter;c:\windows\system32\DRIVERS\SMC2209.sys [2006-08-27 10624]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{561c06a3-85bb-11dd-aa32-ccb3e208258f}]
\Shell\AutoRun\command - WD_Windows_Tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea4b8320-babf-11dd-aa46-0019b9795f3b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - RPCNETP
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3e7e3805-5542-42a6-981e-4ed807641979} - c:\windows\system32\gufevisa.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mStart Page = hxxp://www.msn.com
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchURL = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\espu83qj.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.bloomberg.com/?b=0&Intro=intro3
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 10:26:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\program files\Maxtor\Utils\SyncServices.exe
c:\windows\system32\rpcnet.exe
c:\windows\system32\rpcnetp.exe
c:\program files\Dell AIO Printer A920\dlbkbmon.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-06 10:31:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 15:30:59

Pre-Run: 98,321,657,856 bytes free
Post-Run: 98,395,602,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
Default=c:\$win_nt$.~bt\BOOTSECT.DAT
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Pro" /fastdetect
c:\$win_nt$.~bt\BOOTSECT.DAT="Microsoft Windows XP Professional Setup"

251 --- E O F --- 2008-11-27 08:00:36

12-06-2008, 08:34 AM	#3 (permalink)
Bartster76 Registered User Join Date: Dec 2008 Posts: 5 OS: XP	Re: Possible Malware/Spyware problems or something else? ComboFix 08-12-05.06 - Josh 2008-12-06 10:20:48.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.989 [GMT -5:00] Running from: c:\documents and settings\Josh\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk c:\documents and settings\Josh\Local Settings\Temporary Internet Files\bestwiner.stt c:\documents and settings\Josh\Local Settings\Temporary Internet Files\fbk.sts c:\windows\system32\asayabaj.ini c:\windows\system32\asegusen.ini c:\windows\system32\bidefapi.dll c:\windows\system32\epulinaf.ini c:\windows\system32\eyukulut.ini c:\windows\system32\fanilupe.dll c:\windows\system32\fesonebe.dll c:\windows\system32\fotagehi.dll c:\windows\system32\gejiliku.dll c:\windows\system32\girazozi.dll c:\windows\system32\gisimoko.dll c:\windows\system32\gokojula.dll c:\windows\system32\gubiyeli.dll c:\windows\system32\gufevisa.dll c:\windows\system32\haweguma.dll c:\windows\system32\ilebisow.ini c:\windows\system32\ilefiguv.ini c:\windows\system32\ileyibug.ini c:\windows\system32\iwotunay.ini c:\windows\system32\iyomiyif.ini c:\windows\system32\izozarig.ini c:\windows\system32\jabayasa.dll c:\windows\system32\jakolara.dll c:\windows\system32\jewomito.dll c:\windows\system32\kokagofi.dll c:\windows\system32\kovewoso.dll c:\windows\system32\lajoreju.dll c:\windows\system32\mokahodi.dll c:\windows\system32\nesugesa.dll c:\windows\system32\nunajimo.dll c:\windows\system32\pigubeja.dll c:\windows\system32\posiviwu.dll c:\windows\system32\rekowuwu.dll c:\windows\system32\rufozeri.dll c:\windows\system32\satigofu.dll c:\windows\system32\sewowuva.dll c:\windows\system32\tarazuru.dll c:\windows\system32\torovoni.dll c:\windows\system32\tulukuye.dll c:\windows\system32\ufogitas.ini c:\windows\system32\ujerojal.ini c:\windows\system32\uwuwoker.ini c:\windows\system32\vugifeli.dll c:\windows\system32\wosibeli.dll c:\windows\system32\x4 c:\windows\system32\yanutowi.dll ----- BITS: Possible infected sites ----- hxxp://77.74.48.105 hxxp://updates.pitt.edu . ((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 ))))))))))))))))))))))))))))))) . 2008-12-05 11:19 . 2008-12-05 11:29 250 --a------ c:\windows\gmer.ini 2008-12-04 22:54 . 2008-12-05 11:14 <DIR> d-------- c:\documents and settings\Josh\.housecall6.6 2008-12-01 05:42 . 2008-12-01 05:42 2,713 ---hs---- c:\windows\system32\dugiwise.exe 2008-11-30 23:25 . 2008-11-30 23:25 <DIR> d-------- C:\$WIN_NT$.~BT 2008-11-30 23:00 . 2007-03-15 11:03 478,292 -ra------ C:\txtsetup.sif 2008-11-30 23:00 . 2004-08-04 05:00 260,272 -ra------ C:\$LDR$ 2008-11-28 17:45 . 2008-12-02 01:33 412 --a------ c:\windows\wininit.ini 2008-11-27 16:07 . 2008-11-27 19:00 <DIR> d-------- c:\program files\Windows Live Safety Center 2008-11-26 11:36 . 2008-11-26 11:36 <DIR> d-------- c:\program files\Google 2008-11-25 02:09 . 2008-12-03 23:58 <DIR> d-------- c:\documents and settings\Josh\Application Data\U3 2008-11-23 00:36 . 2008-11-23 00:36 <DIR> d-------- c:\windows\system32\mp 2008-11-23 00:36 . 2008-11-23 01:12 <DIR> d-------- c:\windows\system32\ID2 2008-11-23 00:36 . 2008-11-23 00:36 <DIR> d-------- c:\windows\system32\gp2 2008-11-23 00:36 . 2008-11-23 00:36 <DIR> d-------- c:\windows\system32\dim 2008-11-23 00:36 . 2008-11-23 00:36 <DIR> d-------- c:\temp\FT62 2008-11-23 00:36 . 2008-11-23 00:36 115,016 --a------ c:\windows\system32\MSINET.OCX 2008-11-23 00:36 . 2008-11-23 00:36 29,184 --a------ c:\windows\system32\MSINET.oca 2008-11-23 00:36 . 2008-11-23 00:36 2,407 --a------ c:\windows\system32\MSINET.DEP 2008-11-12 07:35 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys 2008-11-12 07:34 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll 2008-11-08 11:57 . 2008-11-08 19:36 <DIR> d-------- c:\documents and settings\Josh\Application Data\Move Networks . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-06 15:22 --------- d-----w c:\program files\Symantec AntiVirus 2008-12-05 16:24 --------- d-----w c:\program files\Spybot - Search & Destroy 2008-12-05 16:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-11-27 16:00 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft 2008-11-27 08:00 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help 2008-11-23 02:10 0 ----a-w c:\windows\system32\drivers\lvuvc.hs 2008-11-23 02:10 0 ----a-w c:\windows\system32\drivers\logiflt.iad 2008-10-27 02:48 --------- d-----w c:\documents and settings\Josh\Application Data\Malwarebytes 2008-10-27 02:48 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes 2008-10-27 02:44 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2008-10-27 01:31 --------- d-----w c:\program files\Applications 2008-10-25 23:54 --------- d-----w c:\documents and settings\LocalService\Application Data\Talkback 2008-10-24 13:19 --------- d-----w c:\program files\Microsoft Silverlight 2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-06 03:07 --------- d-----w c:\program files\DivX 2005-07-12 18:20 1,445,888 ----a-w c:\program files\WinsockFix.exe 2008-05-15 19:35 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051520080516\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-26 39408] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DevconDefaultDB"="c:\windows\READREG" [X] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952] "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2002-12-18 44032] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408] "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-05-27 124656] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-01-10 5513216] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 270336] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696] "MaxtorOneTouch"="c:\program files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 712704] "mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 81920] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576] "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008] "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184] "AsioReg"="CTASIO.DLL" [2003-11-13 c:\windows\system32\CTASIO.DLL] "CTHelper"="CTHELPER.EXE" [2004-03-11 c:\windows\system32\CTHELPER.EXE] "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\\Program Files\\ooVoo\\ooVoo.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Common Files\\LogiShrd\\LComMgr\\Communications_Helper.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "443:UDP"= 443:UDP:ooVoo UDP port 443 "37674:TCP"= 37674:TCP:ooVoo TCP port 37674 "37674:UDP"= 37674:UDP:ooVoo UDP port 37674 "37675:UDP"= 37675:UDP:ooVoo UDP port 37675 R rpcnetp;rpcnetp; [] R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-09-18 24652] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-18 99376] S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\DRIVERS\ADM8511.SYS [2006-08-27 20160] S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2006-05-27 115952] S3 usb20l;SMC EZ Networking Compact 10/100 USB 2.0 Adapter;c:\windows\system32\DRIVERS\SMC2209.sys [2006-08-27 10624] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E] \Shell\AutoRun\command - E:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{561c06a3-85bb-11dd-aa32-ccb3e208258f}] \Shell\AutoRun\command - WD_Windows_Tools\Setup.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea4b8320-babf-11dd-aa46-0019b9795f3b}] \Shell\AutoRun\command - E:\LaunchU3.exe -a Newly Created Service - RPCNETP . Contents of the 'Scheduled Tasks' folder 2008-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34] . - - - - ORPHANS REMOVED - - - - BHO-{3e7e3805-5542-42a6-981e-4ed807641979} - c:\windows\system32\gufevisa.dll . ------- Supplementary Scan ------- . uStart Page = hxxp://www.msn.com uDefault_Search_URL = hxxp://www.google.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/ mStart Page = hxxp://www.msn.com mSearch Bar = hxxp://www.google.com/ mSearchMigratedDefaultURL = hxxp://www.google.com/ uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = .local mSearchURL = hxxp://www.google.com/ IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 FireFox -: Profile - c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\espu83qj.default\ FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.bloomberg.com/?b=0&Intro=intro3 . *********************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-06 10:26:21 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(960) c:\windows\system32\Ati2evxx.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\ati2evxx.exe c:\program files\Common Files\Symantec Shared\ccSetMgr.exe c:\windows\system32\ati2evxx.exe c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe c:\windows\system32\LEXBCES.EXE c:\windows\system32\LEXPPS.EXE c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Symantec AntiVirus\DefWatch.exe c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe c:\program files\Maxtor\Utils\SyncServices.exe c:\windows\system32\rpcnet.exe c:\windows\system32\rpcnetp.exe c:\program files\Dell AIO Printer A920\dlbkbmon.exe c:\program files\Symantec AntiVirus\Rtvscan.exe c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe c:\program files\iPod\bin\iPodService.exe . ************************************************************************ . Completion time: 2008-12-06 10:31:29 - machine was rebooted ComboFix-quarantined-files.txt 2008-12-06 15:30:59 Pre-Run: 98,321,657,856 bytes free Post-Run: 98,395,602,944 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [Boot Loader] Timeout=2 Default=c:\$win_nt$.~bt\BOOTSECT.DAT [Operating Systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Pro" /fastdetect c:\$win_nt$.~bt\BOOTSECT.DAT="Microsoft Windows XP Professional Setup" 251 --- E O F --- 2008-11-27 08:00:36