Tech Support Forum - View Single Post - Possible Malware/Spyware problems or something else?

Bartster76 · 12-06-2008, 11:54 AM

Here are the two logs you requested:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 6, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 06, 2008 14:27:54
Records in database: 1440355
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 48674
Threat name: 15
Infected objects: 34
Suspicious objects: 0
Duration of the scan: 00:50:10

File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F00000\49F8EC3B.VBN Infected: Trojan.Win32.VB.gyz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F00003\49F8EC5B.VBN Infected: Trojan-Downloader.Win32.Agent.akwa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F00005\49F8EF31.VBN Infected: Trojan.Win32.VB.gyz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F00007\49F8EF5C.VBN Infected: Trojan-Downloader.Win32.Agent.aoep 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F00008\49F8EF91.VBN Infected: Trojan.Win32.VB.gyz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F0000A\49F8EFA7.VBN Infected: Trojan-Downloader.Win32.Agent.aoep 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F0000B\49F8F181.VBN Infected: Trojan.Win32.VB.gyz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F0000D\49F8F199.VBN Infected: Trojan-Downloader.Win32.Agent.aoep 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F0000E\49F8F2F2.VBN Infected: Trojan.Win32.VB.gyz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F00010\49F8F309.VBN Infected: Trojan-Downloader.Win32.Agent.aoep 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02280000\4B2AD882.VBN Infected: Trojan-Downloader.Win32.Agent.ajca 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02280001\4B2AD88C.VBN Infected: Trojan-Downloader.Win32.Agent.ajca 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B2C0000\4B2E6B33.VBN Infected: Trojan-Downloader.Win32.Agent.aiyu 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B2C0001\4B2E6B3D.VBN Infected: Trojan-Downloader.Win32.Agent.aiyu 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B2C0002\4B2E6D94.VBN Infected: Trojan-Downloader.Win32.Agent.aogd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B2C0003\4B2E6DA3.VBN Infected: Trojan-Downloader.Win32.Agent.aogd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B2C0004\4B2E6EC3.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.qyk 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B2C0005\4B2E6EDF.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.qyk 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB80000\4FB98BB9.VBN Infected: Trojan-Downloader.Win32.Zlob.abes 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\10600000\59735148.VBN Infected: Trojan-GameThief.Win32.Magania.amis 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\10600001\59735161.VBN Infected: Trojan.Win32.Monder.aard 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0000.VBN Infected: not-a-virus:AdWare.Win32.WebHancer.f 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0000.VBN Infected: not-a-virus:AdWare.Win32.WebHancer.390 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0001.VBN Infected: not-a-virus:AdWare.Win32.WebHancer.f 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0001.VBN Infected: not-a-virus:AdWare.Win32.WebHancer.390 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gejiliku.dll.vir Infected: Trojan.Win32.Monder.aavx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\girazozi.dll.vir Infected: Trojan.Win32.Monder.aamw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jewomito.dll.vir Infected: Trojan.Win32.Monder.aaua 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nunajimo.dll.vir Infected: Trojan.Win32.Monder.aavx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rekowuwu.dll.vir Infected: Trojan.Win32.Monder.aamw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rufozeri.dll.vir Infected: Trojan.Win32.Monder.aaua 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\satigofu.dll.vir Infected: Trojan.Win32.Monder.aamw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tarazuru.dll.vir Infected: Trojan.Win32.Monder.aaua 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\torovoni.dll.vir Infected: Trojan.Win32.Monder.aavx 1

The selected area was scanned.

ComboFix 08-12-05.06 - Josh 2008-12-06 12

13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1403 [GMT -5:00]
Running from: c:\documents and settings\Josh\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Josh\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\FT62
c:\temp\FT62\teTU.log
c:\windows\system32\dim
c:\windows\system32\dugiwise.exe
c:\windows\system32\gp2
c:\windows\system32\ID2
c:\windows\system32\mp
c:\windows\system32\mp\kstamv3.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-05 11:19 . 2008-12-05 11:29 250 --a------ c:\windows\gmer.ini
2008-12-04 22:54 . 2008-12-05 11:14 <DIR> d-------- c:\documents and settings\Josh\.housecall6.6
2008-11-30 23:25 . 2008-11-30 23:25 <DIR> d-------- C:\$WIN_NT$.~BT
2008-11-30 23:00 . 2007-03-15 11:03 478,292 -ra------ C:\txtsetup.sif
2008-11-30 23:00 . 2004-08-04 05:00 260,272 -ra------ C:\$LDR$
2008-11-28 17:45 . 2008-12-02 01:33 412 --a------ c:\windows\wininit.ini
2008-11-27 16:07 . 2008-11-27 19:00 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-11-26 11:36 . 2008-11-26 11:36 <DIR> d-------- c:\program files\Google
2008-11-25 02:09 . 2008-12-03 23:58 <DIR> d-------- c:\documents and settings\Josh\Application Data\U3
2008-11-23 00:36 . 2008-11-23 00:36 115,016 --a------ c:\windows\system32\MSINET.OCX
2008-11-23 00:36 . 2008-11-23 00:36 29,184 --a------ c:\windows\system32\MSINET.oca
2008-11-23 00:36 . 2008-11-23 00:36 2,407 --a------ c:\windows\system32\MSINET.DEP
2008-11-12 07:35 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 07:34 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-08 11:57 . 2008-11-08 19:36 <DIR> d-------- c:\documents and settings\Josh\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 17:04 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-06 15:44 47,104 ----a-w c:\windows\system32\rpcnet.exe
2008-12-06 15:44 47,104 ----a-w c:\windows\system32\rpcnet.dll
2008-12-06 15:44 17,408 ----a-w c:\windows\system32\rpcnetp.exe
2008-12-06 15:27 17,408 ----a-w c:\windows\system32\rpcnetp.dll
2008-12-05 16:24 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-05 16:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-27 16:00 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-27 08:00 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-23 02:10 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2008-11-23 02:10 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2008-10-27 02:48 --------- d-----w c:\documents and settings\Josh\Application Data\Malwarebytes
2008-10-27 02:48 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-27 02:44 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-27 01:31 --------- d-----w c:\program files\Applications
2008-10-25 23:54 --------- d-----w c:\documents and settings\LocalService\Application Data\Talkback
2008-10-24 13:19 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-06 03:07 --------- d-----w c:\program files\DivX
2008-10-02 22:36 32,256 ----a-w c:\windows\system32\identprv.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-16 00:12 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-16 00:12 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2005-07-12 18:20 1,445,888 ----a-w c:\program files\WinsockFix.exe
2008-05-15 19:35 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051520080516\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-06_10.29.58.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-01 04:46:57 72,554 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-06 15:32:14 72,554 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-01 04:46:57 445,096 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-06 15:32:14 445,096 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-26 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="c:\windows\READREG" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2002-12-18 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-05-27 124656]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-01-10 5513216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 270336]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"MaxtorOneTouch"="c:\program files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 712704]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"AsioReg"="CTASIO.DLL" [2003-11-13 c:\windows\system32\CTASIO.DLL]
"CTHelper"="CTHELPER.EXE" [2004-03-11 c:\windows\system32\CTHELPER.EXE]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\LogiShrd\\LComMgr\\Communications_Helper.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-09-18 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-18 99376]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\DRIVERS\ADM8511.SYS [2006-08-27 20160]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2006-05-27 115952]
S3 usb20l;SMC EZ Networking Compact 10/100 USB 2.0 Adapter;c:\windows\system32\DRIVERS\SMC2209.sys [2006-08-27 10624]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{561c06a3-85bb-11dd-aa32-ccb3e208258f}]
\Shell\AutoRun\command - WD_Windows_Tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea4b8320-babf-11dd-aa46-0019b9795f3b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mStart Page = hxxp://www.msn.com
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchURL = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\espu83qj.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.bloomberg.com/?b=0&Intro=intro3
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 12:07:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-06 12:08:26
ComboFix-quarantined-files.txt 2008-12-06 17:08:03
ComboFix2.txt 2008-12-06 15:31:32

Pre-Run: 98,381,955,072 bytes free
Post-Run: 98,363,273,216 bytes free

180 --- E O F --- 2008-11-27 08:00:36

12-06-2008, 11:54 AM	#7 (permalink)
Bartster76 Registered User Join Date: Dec 2008 Posts: 5 OS: XP	Re: Possible Malware/Spyware problems or something else? Here are the two logs you requested: -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7 REPORT Saturday, December 6, 2008 Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Saturday, December 06, 2008 14:27:54 Records in database: 1440355 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: C:\ D:\ Scan statistics: Files scanned: 48674 Threat name: 15 Infected objects: 34 Suspicious objects: 0 Duration of the scan: 00:50:10 File name / Threat name / Threats count C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F00000\49F8EC3B.VBN Infected: Trojan.Win32.VB.gyz 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F00003\49F8EC5B.VBN Infected: Trojan-Downloader.Win32.Agent.akwa 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F00005\49F8EF31.VBN Infected: Trojan.Win32.VB.gyz 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F00007\49F8EF5C.VBN Infected: Trojan-Downloader.Win32.Agent.aoep 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F00008\49F8EF91.VBN Infected: Trojan.Win32.VB.gyz 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F0000A\49F8EFA7.VBN Infected: Trojan-Downloader.Win32.Agent.aoep 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F0000B\49F8F181.VBN Infected: Trojan.Win32.VB.gyz 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F0000D\49F8F199.VBN Infected: Trojan-Downloader.Win32.Agent.aoep 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F0000E\49F8F2F2.VBN Infected: Trojan.Win32.VB.gyz 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F00010\49F8F309.VBN Infected: Trojan-Downloader.Win32.Agent.aoep 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02280000\4B2AD882.VBN Infected: Trojan-Downloader.Win32.Agent.ajca 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02280001\4B2AD88C.VBN Infected: Trojan-Downloader.Win32.Agent.ajca 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B2C0000\4B2E6B33.VBN Infected: Trojan-Downloader.Win32.Agent.aiyu 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B2C0001\4B2E6B3D.VBN Infected: Trojan-Downloader.Win32.Agent.aiyu 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B2C0002\4B2E6D94.VBN Infected: Trojan-Downloader.Win32.Agent.aogd 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B2C0003\4B2E6DA3.VBN Infected: Trojan-Downloader.Win32.Agent.aogd 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B2C0004\4B2E6EC3.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.qyk 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B2C0005\4B2E6EDF.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.qyk 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB80000\4FB98BB9.VBN Infected: Trojan-Downloader.Win32.Zlob.abes 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\10600000\59735148.VBN Infected: Trojan-GameThief.Win32.Magania.amis 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\10600001\59735161.VBN Infected: Trojan.Win32.Monder.aard 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0000.VBN Infected: not-a-virus:AdWare.Win32.WebHancer.f 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0000.VBN Infected: not-a-virus:AdWare.Win32.WebHancer.390 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0001.VBN Infected: not-a-virus:AdWare.Win32.WebHancer.f 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0001.VBN Infected: not-a-virus:AdWare.Win32.WebHancer.390 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\gejiliku.dll.vir Infected: Trojan.Win32.Monder.aavx 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\girazozi.dll.vir Infected: Trojan.Win32.Monder.aamw 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\jewomito.dll.vir Infected: Trojan.Win32.Monder.aaua 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\nunajimo.dll.vir Infected: Trojan.Win32.Monder.aavx 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\rekowuwu.dll.vir Infected: Trojan.Win32.Monder.aamw 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\rufozeri.dll.vir Infected: Trojan.Win32.Monder.aaua 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\satigofu.dll.vir Infected: Trojan.Win32.Monder.aamw 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\tarazuru.dll.vir Infected: Trojan.Win32.Monder.aaua 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\torovoni.dll.vir Infected: Trojan.Win32.Monder.aavx 1 The selected area was scanned. ComboFix 08-12-05.06 - Josh 2008-12-06 1213.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1403 [GMT -5:00] Running from: c:\documents and settings\Josh\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Josh\Desktop\CFScript.txt * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\temp\FT62 c:\temp\FT62\teTU.log c:\windows\system32\dim c:\windows\system32\dugiwise.exe c:\windows\system32\gp2 c:\windows\system32\ID2 c:\windows\system32\mp c:\windows\system32\mp\kstamv3.exe . ((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 ))))))))))))))))))))))))))))))) . 2008-12-05 11:19 . 2008-12-05 11:29 250 --a------ c:\windows\gmer.ini 2008-12-04 22:54 . 2008-12-05 11:14 <DIR> d-------- c:\documents and settings\Josh\.housecall6.6 2008-11-30 23:25 . 2008-11-30 23:25 <DIR> d-------- C:\$WIN_NT$.~BT 2008-11-30 23:00 . 2007-03-15 11:03 478,292 -ra------ C:\txtsetup.sif 2008-11-30 23:00 . 2004-08-04 05:00 260,272 -ra------ C:\$LDR$ 2008-11-28 17:45 . 2008-12-02 01:33 412 --a------ c:\windows\wininit.ini 2008-11-27 16:07 . 2008-11-27 19:00 <DIR> d-------- c:\program files\Windows Live Safety Center 2008-11-26 11:36 . 2008-11-26 11:36 <DIR> d-------- c:\program files\Google 2008-11-25 02:09 . 2008-12-03 23:58 <DIR> d-------- c:\documents and settings\Josh\Application Data\U3 2008-11-23 00:36 . 2008-11-23 00:36 115,016 --a------ c:\windows\system32\MSINET.OCX 2008-11-23 00:36 . 2008-11-23 00:36 29,184 --a------ c:\windows\system32\MSINET.oca 2008-11-23 00:36 . 2008-11-23 00:36 2,407 --a------ c:\windows\system32\MSINET.DEP 2008-11-12 07:35 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys 2008-11-12 07:34 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll 2008-11-08 11:57 . 2008-11-08 19:36 <DIR> d-------- c:\documents and settings\Josh\Application Data\Move Networks . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-06 17:04 --------- d-----w c:\program files\Symantec AntiVirus 2008-12-06 15:44 47,104 ----a-w c:\windows\system32\rpcnet.exe 2008-12-06 15:44 47,104 ----a-w c:\windows\system32\rpcnet.dll 2008-12-06 15:44 17,408 ----a-w c:\windows\system32\rpcnetp.exe 2008-12-06 15:27 17,408 ----a-w c:\windows\system32\rpcnetp.dll 2008-12-05 16:24 --------- d-----w c:\program files\Spybot - Search & Destroy 2008-12-05 16:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-11-27 16:00 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft 2008-11-27 08:00 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help 2008-11-23 02:10 0 ----a-w c:\windows\system32\drivers\lvuvc.hs 2008-11-23 02:10 0 ----a-w c:\windows\system32\drivers\logiflt.iad 2008-10-27 02:48 --------- d-----w c:\documents and settings\Josh\Application Data\Malwarebytes 2008-10-27 02:48 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes 2008-10-27 02:44 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2008-10-27 01:31 --------- d-----w c:\program files\Applications 2008-10-25 23:54 --------- d-----w c:\documents and settings\LocalService\Application Data\Talkback 2008-10-24 13:19 --------- d-----w c:\program files\Microsoft Silverlight 2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-06 03:07 --------- d-----w c:\program files\DivX 2008-10-02 22:36 32,256 ----a-w c:\windows\system32\identprv.dll 2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll 2008-09-16 00:12 200,704 ----a-w c:\windows\system32\ssldivx.dll 2008-09-16 00:12 1,044,480 ----a-w c:\windows\system32\libdivx.dll 2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys 2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll 2005-07-12 18:20 1,445,888 ----a-w c:\program files\WinsockFix.exe 2008-05-15 19:35 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051520080516\index.dat . ((((((((((((((((((((((((((((( snapshot@2008-12-06_10.29.58.48 ))))))))))))))))))))))))))))))))))))))))) . - 2008-12-01 04:46:57 72,554 ----a-w c:\windows\system32\perfc009.dat + 2008-12-06 15:32:14 72,554 ----a-w c:\windows\system32\perfc009.dat - 2008-12-01 04:46:57 445,096 ----a-w c:\windows\system32\perfh009.dat + 2008-12-06 15:32:14 445,096 ----a-w c:\windows\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-26 39408] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DevconDefaultDB"="c:\windows\READREG" [X] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952] "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2002-12-18 44032] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408] "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-05-27 124656] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-01-10 5513216] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 270336] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696] "MaxtorOneTouch"="c:\program files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 712704] "mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 81920] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576] "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008] "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184] "AsioReg"="CTASIO.DLL" [2003-11-13 c:\windows\system32\CTASIO.DLL] "CTHelper"="CTHELPER.EXE" [2004-03-11 c:\windows\system32\CTHELPER.EXE] "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\\Program Files\\ooVoo\\ooVoo.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Common Files\\LogiShrd\\LComMgr\\Communications_Helper.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "443:UDP"= 443:UDP:ooVoo UDP port 443 "37674:TCP"= 37674:TCP:ooVoo TCP port 37674 "37674:UDP"= 37674:UDP:ooVoo UDP port 37674 "37675:UDP"= 37675:UDP:ooVoo UDP port 37675 R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-09-18 24652] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-18 99376] S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\DRIVERS\ADM8511.SYS [2006-08-27 20160] S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2006-05-27 115952] S3 usb20l;SMC EZ Networking Compact 10/100 USB 2.0 Adapter;c:\windows\system32\DRIVERS\SMC2209.sys [2006-08-27 10624] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E] \Shell\AutoRun\command - E:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{561c06a3-85bb-11dd-aa32-ccb3e208258f}] \Shell\AutoRun\command - WD_Windows_Tools\Setup.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea4b8320-babf-11dd-aa46-0019b9795f3b}] \Shell\AutoRun\command - E:\LaunchU3.exe -a . Contents of the 'Scheduled Tasks' folder 2008-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.msn.com uDefault_Search_URL = hxxp://www.google.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/ mStart Page = hxxp://www.msn.com mSearch Bar = hxxp://www.google.com/ mSearchMigratedDefaultURL = hxxp://www.google.com/ uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = .local mSearchURL = hxxp://www.google.com/ IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 FireFox -: Profile - c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\espu83qj.default\ FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.bloomberg.com/?b=0&Intro=intro3 . *********************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-06 12:07:32 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(960) c:\windows\system32\Ati2evxx.dll . Completion time: 2008-12-06 12:08:26 ComboFix-quarantined-files.txt 2008-12-06 17:08:03 ComboFix2.txt 2008-12-06 15:31:32 Pre-Run: 98,381,955,072 bytes free Post-Run: 98,363,273,216 bytes free 180 --- E O F --- 2008-11-27 08:00:36