07-05-2009, 06:30 PM   #6
Kirashio
Registered User
 
Join Date: Jul 2009
Posts: 14
OS: xp


Re: Recurring Vundo Trojan

Hello again, just got finished doing those things you asked me to, also deleted Azureus for good measure considering I hadn't used it in an age anyway. As for how my machine is running in general, it seems a fair bit faster, the windows automatic update system is prompting me to update again and I am able to download said updates, and the other programs which couldn't update are not able to. Anyway, here are the logs you asked for.
The combofix log is as follows:


ComboFix 09-07-05.01 - User 05/07/2009 22:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.447.210 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFscript.txt
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FILE ::
"c:\windows\system32\drivers\8d89dc49.sys"

file zipped: c:\windows\system32\besegopa.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\besegopa.exe
c:\windows\system32\drivers\8d89dc49.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_8d89dc49


((((((((((((((((((((((((( Files Created from 2009-06-05 to 2009-07-05 )))))))))))))))))))))))))))))))
.

2009-06-30 22:20 . 2009-06-30 22:20 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-06-30 22:20 . 2009-06-17 10:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-30 22:20 . 2009-06-30 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-30 22:20 . 2009-06-17 10:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-30 22:20 . 2009-06-30 22:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 22:58 . 2009-06-29 23:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-05 21:01 . 2005-11-25 09:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-05 21:01 . 2005-11-25 09:17 -------- d-----w- c:\program files\CyberLink
2009-07-05 20:59 . 2006-01-12 20:16 -------- d-----w- c:\program files\Azureus
2009-07-05 18:06 . 2008-08-10 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-02 22:05 . 2006-01-10 19:54 -------- d-----w- c:\program files\Guild Wars
2009-07-02 19:44 . 2006-07-19 19:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-02 19:41 . 2006-07-19 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-01 18:56 . 2006-11-16 18:47 -------- d-----w- c:\program files\Common Files\Teleca Shared
2009-06-29 23:01 . 2006-07-19 19:44 -------- d-----w- c:\program files\SpywareBlaster
2009-05-14 22:37 . 2006-01-10 19:28 38552 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-09-22 17:03 . 2007-09-22 17:03 3099663 ----a-w- c:\program files\uos-security-check_0015f2013aa2_1190480531.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\program files\uos-security-check_0015f2013aa2_1190480531.exe ---
Company:
File Description:
File Version:
Product Name:
Copyright:
Original Filename:
File size: 3099663
Created time: 2007-09-22 17:03
Modified time: 2007-09-22 17:03
MD5: C79A9D2001E09E32D822B5537D79484B
SHA1: 569B8739863F6EFCDD1E3BAE60C727DFF0AB87F9


((((((((((((((((((((((((((((( SnapShot@2009-07-05_18.54.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-05 21:18 . 2009-07-05 21:18 16384 c:\windows\Temp\Perflib_Perfdata_20c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-11-25 98304]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-10 7286784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-10-10 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-13 136600]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-03 180269]
"WireLessMouse "="c:\program files\Multimedia Combo Set\MouseDrv.exe" [2004-06-27 503808]
"WireLessKeyboard "="c:\program files\Multimedia Combo Set\PS2USBKbdDrv.exe" [2004-07-01 80896]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Ptipbmf"="ptipbmf.dll" - c:\windows\system32\ptipbmf.dll [2003-06-20 118784]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-10-10 1519616]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2004-10-27 61952]
"atwtusb"="atwtusb.exe" - c:\windows\system32\atwtusb.exe [2005-03-09 290816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"dll32"="dll32" [X]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2007-12-12 1073152]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-1-12 118784]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Wizards of the Coast\\Magic Online III\\Renamer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:UDP"= 6112:UDP:dow6112
"6500:UDP"= 6500:UDP:dow6500
"27900:UDP"= 27900:UDP:dow27900
"27901:UDP"= 27901:UDP:dow27901
"28910:TCP"= 28910:TCP:dow28910
"29900:TCP"= 29900:TCP:dow29900
"29901:TCP"= 29901:TCP:dow29901
"29910:UDP"= 29910:UDP:dow29910
"29920:TCP"= 29920:TCP:dow29920

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [04/04/2009 00:44 55152]
R3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\tnet1130.sys [10/01/2006 20:03 385536]
S1 aiptektp;HyperPen;c:\windows\system32\drivers\aiptektp.sys [10/01/2006 19:44 22272]
S3 cpuz;cpuz;\??\e:\cpuz.sys --> e:\cpuz.sys [?]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 18:08 533360]
S3 PAC207;SoC PC-Camer@;c:\windows\system32\drivers\PFC027.sys [24/02/2005 13:29 162176]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [16/11/2006 19:54 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [16/11/2006 19:54 85696]
S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [25/11/2005 17:44 85888]
S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [25/11/2005 17:44 51840]
.
Contents of the 'Scheduled Tasks' folder

2009-07-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-14 22:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mWindow Title = Tiscali Internet Access
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Download All by FlashGet - c:\progra~1\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\progra~1\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {51AE91DF-5F11-4628-9904-A77489B7A8CF} = 192.168.0.1
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\dnmkxgqc.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-05 22:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-732552938-1092693543-720440500-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ec,16,b4,c0,b6,ee,4e,2e,4a,e0,68,14,b3,dd,c0,e0,ec,21,a9,95,36,83,65,
76,16,1a,00,03,f2,cb,96,c1,53,18,44,16,41,eb,a0,99,e6,62,15,59,1d,5d,a9,7b,\
"??"=hex:3f,eb,b2,a8,d5,51,4b,c2,1b,01,ec,08,0f,18,11,95

[HKEY_USERS\S-1-5-21-732552938-1092693543-720440500-1006\Software\SecuROM\License information*]
"datasecu"=hex:9a,d5,f3,33,92,e0,11,05,3f,cd,36,e6,a1,82,37,fa,06,63,c9,77,aa,
cd,24,dc,44,2f,cb,5b,a5,ad,6c,e2,94,e7,24,0f,c9,c8,fd,2b,6d,8f,06,b7,56,ee,\
"rkeysecu"=hex:e2,26,6d,94,9c,ba,ad,1d,64,79,70,1b,d8,19,de,23
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\PAStiSvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
.
**************************************************************************
.
Completion time: 2009-07-05 22:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-05 21:32
ComboFix2.txt 2009-07-05 19:02

Pre-Run: 131,342,946,304 bytes free
Post-Run: 131,356,233,728 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
209 --- E O F --- 2009-04-20 02:10



The Kaspersky scan log is as follows:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, July 6, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, July 05, 2009 21:12:41
Records in database: 2430157
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 80018
Threat name: 4
Infected objects: 14
Suspicious objects: 0
Duration of the scan: 02:08:52


File name / Threat name / Threats count
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\8d89dc49.sys.vir Infected: Backdoor.Win32.NewRest.z 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_8d89dc49_.sys.zip Infected: Backdoor.Win32.NewRest.z 6
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_ypdsgotl_.sys.zip Infected: Trojan.Win32.BHO.ext 1
C:\System Volume Information\_restore{54C7A4C0-672A-400F-89D3-264781F4E928}\RP20\A0008285.sys Infected: Backdoor.Win32.NewRest.z 1

The selected area was scanned.