My computer is sending lots of spam mails



msanin
2008-02-22, 21:58
Greetings

My computer is a Windows XP Professional SP2 machine and it's sending spam emails. I noticed it because Symantec Antivirus starts to check the mails and I have to end the ccApp.exe process (the mail scan feature of SAV) in order to be able to stop the huge amount of little pop-up windows saying the mail was scanned, failed to be delivered, etc.

I ran several tools (Ad-Aware, Spybot, Spyware Doctor, SAV) but none of them detected viruses on my computer. Any help would be really appreciated. Here is my HJT log:

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WgaTray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.parmac.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [bios] C:\WINDOWS\system32\bios.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://autosupport.intuit.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01115A00-3E00-11D2-8470-0060089874ED} (Support.com Control Commander Proxy) - http://autosupport.intuit.com/sdccommon/download/tgcmd.cab
O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} (SupportSoft RemoteControl Class) - http://autosupport.intuit.com/sdccommon/download/ssrc.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.amitrading.com/Remote/msrdp.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {8FEED82A-42A6-4117-A803-7EC3EB9339E0} (ClientControl Class) - http://192.168.0.8/plugin/client.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://200.88.186.87:83/plugin/h263ctrl.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

katana
2008-02-24, 22:50
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Unless informed in advance, failure to post replies within 5 days will result in this thread being closed.

Hello and welcome to the forums.

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear".
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

----------------------------------------------------------------------------------------


I'm afraid I have unpleasant news for you. You have evidence of a Very Dangerous infection on this machine.
It is a Password Stealer. See HERE (http://www.bleepingcomputer.com/startups/bios-17795.html) for more details.

It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine.

If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
Take any other steps you think appropriate for an attempted identity theft.

I am sorry to be the bearer of bad news, but it is best that you know the full impact of this infection :(



Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.



Kaspersky Online Scanner
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
Go here: http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt).
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


Please post both logs in your reply.
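A triage pass over HijackThis O4 (Run key) lines of the kind that surfaced the bios.exe entry above, added here as an example; it is not a tool from the forum, from HijackThis or from katana, and the allowlist and sample lines are constructed for the demonstration:

```python
"""Triage HijackThis O4 (autostart) entries against an allowlist.

Added example: not a tool from the forum, from HijackThis or from katana.
The allowlist and the sample log lines are constructed for this demo.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lines in HijackThis O4 format, modelled on the thread's log.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [bios] C:\WINDOWS\system32\bios.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
"""

# Assumed allowlist: autostart binaries known to belong to software installed on
# this machine. Constructed for the demo; a real one comes from a software inventory.
KNOWN_GOOD = {"qttask.exe", "vptray.exe", "ctfmon.exe", "msnmsgr.exe", "vpngui.exe"}

# Windows components that legitimately autostart from the Windows directory.
WINDOWS_SYSTEM_AUTOSTARTS = {"ctfmon.exe"}

# O4 - HKLM\..\Run: [name] command      (also RunOnce, HKCU, HKUS\S-1-5-18 ...)
RUN_LINE = re.compile(r"^O4 - (?P<hive>HK[\w\\-]+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O4 - Global Startup: name.lnk = command
STARTUP_LINE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
# Quoted path, or an unquoted path (spaces allowed) up to the first .exe
EXE_PATH = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.exe)', re.IGNORECASE)


@dataclass
class Finding:
    name: str              # autostart value name, e.g. "bios"
    exe: str               # executable path as written in the log
    reasons: List[str] = field(default_factory=list)


def executable_of(cmd: str) -> Optional[str]:
    """Return the executable path from an O4 command, dropping any arguments."""
    m = EXE_PATH.match(cmd.strip())
    if not m:
        return None
    return m.group("q") or m.group("u")


def in_windows_dir(path: str) -> bool:
    """True if the executable lives under the Windows directory (e.g. system32)."""
    return "\\windows\\" in path.lower()


def triage(log_text: str) -> List[Finding]:
    """Return the O4 entries that deserve a closer look, with the reason(s)."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line) or STARTUP_LINE.match(line)
        if not m:
            continue
        exe = executable_of(m.group("cmd"))
        if exe is None:
            findings.append(Finding(m.group("name"), m.group("cmd"), ["could not parse command"]))
            continue
        base = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        if base not in KNOWN_GOOD:
            reasons.append("executable not in allowlist")
        if in_windows_dir(exe) and base not in WINDOWS_SYSTEM_AUTOSTARTS:
            # A generically named binary in system32 plus a Run value is exactly
            # how the bios.exe entry in the thread's log persists across reboots.
            reasons.append("non-Windows binary autostarting from the Windows directory")
        if reasons:
            findings.append(Finding(m.group("name"), exe, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.name}] {f.exe}: {'; '.join(f.reasons)}")
```

On the sample, only the `[bios]` entry is reported; the same parser can be pointed at a full HJT log to list every autostart that is not on the inventory.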

msanin
2008-02-25, 23:41
Hi Katana

Thanks a lot for your help with this issue! Here is the ComboFix log:

ComboFix 08-02-25.3 - Mariano 2008-02-25 17:03:53.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.589 [GMT -5:00]
Running from: C:\Documents and Settings\Mariano\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mariano\Application Data\macromedia\Flash Player\#SharedObjects\LYMVTGTJ\iforex.com
C:\Documents and Settings\Mariano\Application Data\macromedia\Flash Player\#SharedObjects\LYMVTGTJ\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Mariano\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Mariano\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\WINDOWS\system32\mqtdffqr.dll
C:\WINDOWS\system32\qjmeqtin.ini
C:\WINDOWS\system32\tstckltj.dll
C:\WINDOWS\system32\xybeg.ini2
C:\WINDOWS\system32\yvfnsdcu.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-25 14:21 . 2008-02-25 14:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-25 14:21 . 2008-02-25 14:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-08 14:43 . 2008-02-13 14:25 <DIR> d-------- C:\Documents and Settings\Mariano\Tracing
2008-02-08 14:41 . 2008-02-08 14:41 <DIR> d-------- C:\Program Files\DIFX
2008-02-08 14:41 . 2007-09-28 23:08 84,992 --a------ C:\WINDOWS\system32\lmdimon8.dll
2008-02-08 14:40 . 2008-02-08 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Applications
2008-01-26 08:27 . 2008-01-26 08:27 97 --a------ C:\WINDOWS\wininit.ini
2008-01-25 20:33 . 2008-01-25 20:33 244 --ah----- C:\sqmnoopt13.sqm
2008-01-25 20:33 . 2008-01-25 20:33 232 --ah----- C:\sqmdata13.sqm
2008-01-25 20:12 . 2004-08-04 07:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-25 18:52 . 2008-02-25 14:43 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-25 18:37 . 2008-02-25 13:12 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-25 18:37 . 2008-01-25 18:37 <DIR> d-------- C:\Documents and Settings\Mariano\Application Data\PC Tools
2008-01-25 18:37 . 2008-01-25 18:46 74,240 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-25 18:37 . 2008-01-25 18:46 56,832 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-25 18:37 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-25 18:37 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-25 15:51 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 22:10 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-25 21:59 --------- d-----w C:\Program Files\Trillian
2008-02-23 02:54 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-22 20:03 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-22 20:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-02-22 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-22 19:37 --------- d-----w C:\Documents and Settings\Mariano\Application Data\Lavasoft
2008-01-25 21:02 --------- d-----w C:\Program Files\Common Files\Real
2008-01-24 23:38 54,764 ----a-w C:\WINDOWS\system32\drivers\srtwe.sys
2008-01-18 20:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-15 23:29 49 ----a-w C:\tmp.bat
2008-01-12 18:36 --------- d-----w C:\Program Files\ALCATEL PC Suite
2008-01-12 14:18 --------- d-----w C:\Program Files\Java
2008-01-12 14:15 --------- d-----w C:\Program Files\Common Files\Java
2008-01-10 04:44 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-09 19:18 --------- d-----w C:\Program Files\Windows Live
2008-01-09 19:18 --------- d-----w C:\Program Files\MSN Messenger
2008-01-09 19:16 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-09 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-04 18:40 --------- d-----w C:\Documents and Settings\Mariano\Application Data\AdobeUM
2007-07-26 01:26 5,673,168 ----a-w C:\Documents and Settings\Mariano\networkinventory3setup.zip
2007-07-26 01:26 429 ----a-w C:\Documents and Settings\Mariano\EMCOLicense.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-20 14:58 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-11 15:26 98304]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 20:31 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-08-02 19:36 124232]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22 3739648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivir]
C:\WINDOWS\nod32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExAlien]
C:\Arquivos de programas\ExAlien.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd]
--a------ 2004-06-10 13:48 286720 C:\WINDOWS\vsnpstd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"SavRoam"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"gusvc"=3 (0x3)
"CVPND"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Nortel Networks\\Extranet.exe"=
"C:\\Program Files\\D-Link\\Installation Wizard\\InstallationWizard.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\WINDOWS\\explorer.exe"=
"C:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2002-04-22 14:50]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-08-06 12:04]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-08-06 12:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{954b14a6-d353-11dc-a9a7-444553544200}]
\shell\auto\command - Knight.exe open
\shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\shell\explore\command - Knight.exe open
\shell\find\command - Knight.exe open
\shell\install\command - Knight.exe open
\shell\open\command - Knight.exe open

.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 20:00:22 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 17:10:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
.
**************************************************************************
.
Completion time: 2008-02-25 17:12:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-25 22:12:06
.
2008-02-23 04:45:12 --- E O F ---

msanin
2008-02-26, 02:13
Hi Katana

Here is the Kaspersky log:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, February 25, 2008 8:07:36 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/02/2008
Kaspersky Anti-Virus database records: 580704
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 38184
Number of viruses found: 24
Number of infected objects: 58
Number of suspicious objects: 0
Duration of the scan process: 01:44:21

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2b64dcbc2ba4b588e3fc270967cfd722_200076aa-a622-4a99-aa46-2ddb780f2b40 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ef8c911361c5750fcccd37dfc90db1bd_200076aa-a622-4a99-aa46-2ddb780f2b40 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01640000.VBN Infected: Trojan-Downloader.JS.Agent.kd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06F80000.VBN Infected: Exploit.JS.ADODB.Stream.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B140000.VBN Infected: Trojan-Spy.Win32.Banker.ciy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B3C0000.VBN Infected: Trojan-Downloader.Win32.Delf.dvv skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BC40000.VBN Infected: Worm.Win32.AutoRun.aul skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C6C0000.VBN Infected: Trojan-Spy.Win32.Banker.ciy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CE00000.VBN Infected: Trojan-Spy.Win32.Banker.ciy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80000.VBN Infected: Trojan-Spy.Win32.Banker.ciy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D100000.VBN Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D100001.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140000.VBN Infected: Trojan-PSW.Win32.Sinowal.gf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140001.VBN Infected: Trojan-PSW.Win32.Sinowal.gf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140002.VBN Infected: Trojan-PSW.Win32.Sinowal.gf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140003.VBN Infected: Trojan-PSW.Win32.Sinowal.gf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140004.VBN Infected: Trojan-Downloader.Win32.Diehard.dr skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140005.VBN Infected: Trojan-Downloader.Win32.Agent.dpe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140006.VBN Infected: Trojan-Dropper.Win32.Agent.dnu skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D500000.VBN Infected: Trojan-Downloader.SWF.Gida.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DFC0000.VBN Infected: Trojan-Downloader.JS.Agent.kd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FA00001.VBN Infected: Trojan-Downloader.Win32.Murlo.ji skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FA00002.VBN Infected: Trojan-Downloader.Win32.Agent.hzc skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FA00003.VBN Infected: Trojan-Downloader.Win32.Small.hxz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FA00004.VBN Infected: Trojan.Win32.Dialer.yz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FA00005.VBN Infected: Trojan-Downloader.Win32.Murlo.ji skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FBC0001.VBN Infected: Trojan-Downloader.Win32.Murlo.ji skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FBC0002.VBN Infected: Trojan-Downloader.Win32.Agent.hzc skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FBC0003.VBN Infected: Trojan-Downloader.Win32.Small.hxz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FBC0004.VBN Infected: Trojan.Win32.Dialer.yz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FBC0005.VBN Infected: Trojan-Downloader.Win32.Murlo.ji skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mariano\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mariano\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Mariano\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\bcache2.bmc Object is locked skipped
C:\Documents and Settings\Mariano\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mariano\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mariano\Local Settings\Application Data\Microsoft\Windows Live Contacts\marianodrummer@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Mariano\Local Settings\Application Data\Microsoft\Windows Live Contacts\marianodrummer@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Mariano\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mariano\Local Settings\History\History.IE5\MSHist012008022520080226\index.dat Object is locked skipped
C:\Documents and Settings\Mariano\Local Settings\Temp\Perflib_Perfdata_9a8.dat Object is locked skipped
C:\Documents and Settings\Mariano\Local Settings\Temp\~DF32F1.tmp Object is locked skipped
C:\Documents and Settings\Mariano\Local Settings\Temp\~DF32FC.tmp Object is locked skipped
C:\Documents and Settings\Mariano\Local Settings\Temp\~DF6AB4.tmp Object is locked skipped
C:\Documents and Settings\Mariano\Local Settings\Temp\~DF6C01.tmp Object is locked skipped
C:\Documents and Settings\Mariano\Local Settings\Temp\~DFAC6A.tmp Object is locked skipped
C:\Documents and Settings\Mariano\Local Settings\Temp\~DFAC9B.tmp Object is locked skipped
C:\Documents and Settings\Mariano\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Mariano\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mariano\My Documents\CodecPackElisoft140[Codec-Download.de].zip/CodecPackElisoft140.exe/divx511\fsg_4104.exe Infected: not-a-virus:AdWare.Win32.Gator.4104 skipped
C:\Documents and Settings\Mariano\My Documents\CodecPackElisoft140[Codec-Download.de].zip/CodecPackElisoft140.exe Infected: not-a-virus:AdWare.Win32.Gator.4104 skipped
C:\Documents and Settings\Mariano\My Documents\CodecPackElisoft140[Codec-Download.de].zip ZIP: infected - 2 skipped
C:\Documents and Settings\Mariano\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mariano\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\fastpush\real337\othread2.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\fastpush\real337\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\fastpush\real337\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\fastpush\real4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\fastpush\real4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\fastpush\real4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\fastpush\real4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\fastpush\real411\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\fastpush\real411\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\fastpush\tight129\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\fastpush\tight129\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped
C:\fastpush\ultra\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped
C:\fastpush\ultra\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped
C:\fastpush\utils\xCmd.exe Infected: not-a-virus:RemoteAdmin.Win32.RemoteExec skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\Trillian\users\default\logs\MSN\Query\jreina@parmac.com.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mqtdffqr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tstckltj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP33\A0020188.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP33\A0020189.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP33\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\backUp\My Documents\CodecPackElisoft140[Codec-Download.de].zip/CodecPackElisoft140.exe/divx511\fsg_4104.exe Infected: not-a-virus:AdWare.Win32.Gator.4104 skipped
D:\backUp\My Documents\CodecPackElisoft140[Codec-Download.de].zip/CodecPackElisoft140.exe Infected: not-a-virus:AdWare.Win32.Gator.4104 skipped
D:\backUp\My Documents\CodecPackElisoft140[Codec-Download.de].zip ZIP: infected - 2 skipped
D:\Instaladores\UltraVnc-101-Setup.zip/UltraVNC-101-Setup.exe/file130 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped
D:\Instaladores\UltraVnc-101-Setup.zip/UltraVNC-101-Setup.exe/file131 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped
D:\Instaladores\UltraVnc-101-Setup.zip/UltraVNC-101-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped
D:\Instaladores\UltraVnc-101-Setup.zip ZIP: infected - 3 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP33\change.log Object is locked skipped

Scan process completed.

katana
2008-02-26, 17:37
Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:



RootKit::
C:\WINDOWS\system32\drivers\srtwe.sys

File::
C:\WINDOWS\wininit.ini
C:\Documents and Settings\Mariano\My Documents\CodecPackElisoft140[Codec-Download.de].zip
D:\backUp\My Documents\CodecPackElisoft140[Codec-Download.de].zip

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivir]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExAlien]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{954b14a6-d353-11dc-a9a7-444553544200}]

Save this as CFScript.txt and place it on your desktop.


http://i51.photobucket.com/albums/f387/Katana_1970/CFScript.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



TotalScan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Please go to this site Link >> TotalScan (http://www.nanoscan.com/as/v1/?) << LINK

Under Scan Now click the Full Scan button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small Save button and save the report to your desktop.
Please post the report in your reply.

msanin
2008-02-26, 20:44
Hi katana, the following is the ComboFix log with the CFScript. Now I'm going to prepare the coffee while the other report is created.


ComboFix 08-02-25.3 - Mariano 2008-02-26 14:27:57.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.639 [GMT -5:00]
Running from: C:\Documents and Settings\Mariano\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mariano\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Mariano\My Documents\CodecPackElisoft140[Codec-Download.de].zip
C:\WINDOWS\wininit.ini
D:\backUp\My Documents\CodecPackElisoft140[Codec-Download.de].zip
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mariano\My Documents\CodecPackElisoft140[Codec-Download.de].zip
C:\WINDOWS\system32\drivers\srtwe.sys
C:\WINDOWS\wininit.ini
D:\backUp\My Documents\CodecPackElisoft140[Codec-Download.de].zip

.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-25 21:42 . 2008-02-25 21:42 61,480 --a------ C:\Documents and Settings\Mariano\GoToAssistDownloadHelper.exe
2008-02-25 14:21 . 2008-02-25 14:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-25 14:21 . 2008-02-25 14:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-08 14:43 . 2008-02-13 14:25 <DIR> d-------- C:\Documents and Settings\Mariano\Tracing
2008-02-08 14:41 . 2008-02-08 14:41 <DIR> d-------- C:\Program Files\DIFX
2008-02-08 14:41 . 2007-09-28 23:08 84,992 --a------ C:\WINDOWS\system32\lmdimon8.dll
2008-02-08 14:40 . 2008-02-08 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Applications

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 19:32 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-26 19:26 --------- d-----w C:\Program Files\Trillian
2008-02-25 19:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-25 18:12 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-23 02:54 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-22 20:03 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-22 20:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-02-22 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-22 19:37 --------- d-----w C:\Documents and Settings\Mariano\Application Data\Lavasoft
2008-01-25 23:46 74,240 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-25 23:46 56,832 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-25 23:37 --------- d-----w C:\Documents and Settings\Mariano\Application Data\PC Tools
2008-01-25 21:02 --------- d-----w C:\Program Files\Common Files\Real
2008-01-18 20:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-15 23:29 49 ----a-w C:\tmp.bat
2008-01-12 18:36 --------- d-----w C:\Program Files\ALCATEL PC Suite
2008-01-12 14:18 --------- d-----w C:\Program Files\Java
2008-01-12 14:15 --------- d-----w C:\Program Files\Common Files\Java
2008-01-10 04:44 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-09 19:18 --------- d-----w C:\Program Files\Windows Live
2008-01-09 19:18 --------- d-----w C:\Program Files\MSN Messenger
2008-01-09 19:16 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-09 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-04 18:40 --------- d-----w C:\Documents and Settings\Mariano\Application Data\AdobeUM
2007-07-26 01:26 5,673,168 ----a-w C:\Documents and Settings\Mariano\networkinventory3setup.zip
2007-07-26 01:26 429 ----a-w C:\Documents and Settings\Mariano\EMCOLicense.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-20 14:58 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-11 15:26 98304]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 20:31 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-08-02 19:36 124232]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22 3739648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd]
--a------ 2004-06-10 13:48 286720 C:\WINDOWS\vsnpstd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"SavRoam"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"gusvc"=3 (0x3)
"CVPND"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Nortel Networks\\Extranet.exe"=
"C:\\Program Files\\D-Link\\Installation Wizard\\InstallationWizard.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\WINDOWS\\explorer.exe"=
"C:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2002-04-22 14:50]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-08-06 12:04]
S1 srtwe;srtwe;C:\WINDOWS\system32\drivers\srtwe.sys []
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-08-06 12:04]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 20:00:22 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 14:32:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
.
**************************************************************************
.
Completion time: 2008-02-26 14:34:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-26 19:34:37
ComboFix2.txt 2008-02-25 22:12:11
.
2008-02-26 18:21:26 --- E O F ---

msanin
2008-02-27, 00:28
Hi Katana

Here is the TotalScan log. Thanks for your help.

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-02-26 17:50:05
PROTECTIONS: 1
MALWARE: 12
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Symantec AntiVirus Corporate Edition 9.0.1.1000 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00040114 Application/Xcmd.A HackTools No 0 Yes No C:\fastpush\utils\xCmd.exe
00040114 Application/Xcmd.A HackTools No 0 Yes No archive folders\sent items\emailing: fastpush.zip\fastpush.zip[fastpush/utils/xCmd.exe]
00040114 Application/Xcmd.A HackTools No 0 Yes No archive folders\sent items\emailing: fastpush.zip\fastpush.zip[fastpush/utils/xCmd.exe]
00040114 Application/Xcmd.A HackTools No 0 Yes No archive folders\sent items\fastpush\fastpush.zip[fastpush/utils/xCmd.exe]
00040114 Application/Xcmd.A HackTools No 0 Yes No archive folders\sent items\fastpush\fastpush.zip[fastpush/utils/xCmd.exe]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Mariano\Cookies\mariano@atdmt[2].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Mariano\Cookies\mariano@server.iad.liveperson[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mariano\Cookies\mariano@advertising[1].txt
00170553 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Mariano\Cookies\mariano@ig.com[1].txt
00170557 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Mariano\Cookies\mariano@terra.com[1].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Mariano\Cookies\mariano@searchportal.information[1].txt
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP33\A0020201.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP33\A0020183.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP29\A0017999.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP32\A0020145.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP32\A0019092.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP36\A0021240.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP36\A0021252.EXE
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP32\A0020060.exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP32\A0019095.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP32\A0020134.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP32\A0019078.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP32\A0020148.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP33\A0020171.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\Nircmd.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP33\A0020186.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP36\A0021275.com
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Mariano\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP33\A0020227.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP35\A0021234.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP32\A0020081.com
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Mariano\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP32\A0020060.exe[327882R2FWJFW\nircmd.cfexe]
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP36\A0021247.sys
02893506 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\mqtdffqr.dll.vir
02893506 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{16F06A61-06B7-4FEF-96A6-5308A32F9103}\RP33\A0020188.dll
02900229 Trj/Spammer.ADX Virus/Trojan No 1 Yes No C:\QooBox\Quarantine\catchme2008-02-26_143238.29.zip[srtwe.sys]
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================

katana
2008-02-27, 00:48
It looks like we may have found the culprit...
C:\fastpush\utils\xCmd.exe

I take it that this is nothing to do with you?

Please do the following in the order they appear

Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it look.bat. Please save it on your desktop.



@echo off
rem Start with a fresh results file
if exist C:\kresults.txt del /q C:\kresults.txt
rem List everything under C:\fastpush, including hidden files and all subfolders
dir /a /s "C:\fastpush" >> C:\kresults.txt
rem Show the results, then remove this batch file
start notepad C:\kresults.txt
del /q look.bat
exit

Double click on look.bat

Notepad will open, please copy/paste the results here.


Now....


OTMoveIt
Please download OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



C:\fastpush


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


There also seems to be evidence of it in your e-mail client:
archive folders\sent items\emailing: fastpush.zip\fastpush.zip[fastpush/utils/xCmd.exe]
archive folders\sent items\emailing: fastpush.zip\fastpush.zip[fastpush/utils/xCmd.exe]
archive folders\sent items\fastpush\fastpush.zip[fastpush/utils/xCmd.exe]
archive folders\sent items\fastpush\fastpush.zip[fastpush/utils/xCmd.exe]

It doesn't tell me where that is, so you will have to delete those on your own.
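A small triage helper for the two report formats quoted in this thread (the TotalScan MALWARE table and ComboFix's service/driver lines), added here as an example; it is not part of the thread and not code from either tool. The sample lines are constructed from entries posted above, and reading an empty "[]" after a ComboFix driver path as "no readable file on disk" is an assumption.

```python
"""Triage helper for the two report formats quoted in this thread: the
TotalScan MALWARE table and ComboFix's service/driver lines.

Added example for this page; not part of the thread and not code from
TotalScan or ComboFix.  Sample lines are constructed from posted entries."""
import re

# One TotalScan MALWARE row:
#   Id Description Type Active Severity Disinfectable Disinfected Location
# Description ("Cookie/Atlas DMT") and Location may contain spaces, so
# Description is matched lazily and Location takes the rest of the line.
TOTALSCAN_ROW = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+"
    r"(?P<active>Yes|No)\s+(?P<severity>\d+)\s+"
    r"(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+(?P<location>.+)$"
)

# One ComboFix service line: "<R|S><start type> <name>;<display>;<path> [<file info>]".
# Assumption: empty brackets mean ComboFix found no readable file at that path.
COMBOFIX_SVC = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<info>.*)\]$"
)

# Detection classes naming dual-use admin tools (xCmd, PsExec, NirCmd) rather
# than malware; these need the owner's confirmation, not automatic deletion.
DUAL_USE_TYPES = {"HackTools"}
# Tracking cookies are noise for a "my PC is sending spam" investigation.
NOISE_TYPES = {"TrackingCookie"}

# Constructed sample rows, taken from entries quoted in this thread.
SAMPLE_TOTALSCAN = r"""
Id Description Type Active Severity Disinfectable Disinfected Location
;=====
00040114 Application/Xcmd.A HackTools No 0 Yes No C:\fastpush\utils\xCmd.exe
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Mariano\Cookies\mariano@atdmt[2].txt
02893506 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\mqtdffqr.dll.vir
02900229 Trj/Spammer.ADX Virus/Trojan No 1 Yes No C:\QooBox\Quarantine\catchme2008-02-26_143238.29.zip[srtwe.sys]
"""

SAMPLE_COMBOFIX = r"""
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2002-04-22 14:50]
S1 srtwe;srtwe;C:\WINDOWS\system32\drivers\srtwe.sys []
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-08-06 12:04]
"""


def is_contained(location):
    """True when a hit sits in a restore point or a scanner quarantine,
    i.e. it is stored evidence rather than code that can still run."""
    loc = location.lower()
    return "system volume information\\_restore" in loc or "\\quarantine\\" in loc


def parse_totalscan(text):
    """Return one dict per MALWARE row; header, separator and blank lines
    do not match the row pattern and are skipped."""
    rows = []
    for line in text.splitlines():
        m = TOTALSCAN_ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["severity"] = int(row["severity"])
            row["contained"] = is_contained(row["location"])
            rows.append(row)
    return rows


def triage(rows):
    """Split rows into what needs cleaning, what needs an owner's answer,
    and what can be ignored for this investigation."""
    buckets = {"malware": [], "dual_use": [], "noise": []}
    for row in rows:
        if row["type"] in NOISE_TYPES:
            buckets["noise"].append(row)
        elif row["type"] in DUAL_USE_TYPES:
            buckets["dual_use"].append(row)
        else:
            buckets["malware"].append(row)
    return buckets


def unreadable_drivers(combofix_text):
    """(name, path, state) for every service/driver line whose bracketed
    file info is empty: a registered driver with no file ComboFix could read."""
    found = []
    for line in combofix_text.splitlines():
        m = COMBOFIX_SVC.match(line.strip())
        if m and not m.group("info"):
            found.append((m.group("name"), m.group("path"), m.group("state")))
    return found


if __name__ == "__main__":
    for bucket, rows in triage(parse_totalscan(SAMPLE_TOTALSCAN)).items():
        for row in rows:
            where = "contained" if row["contained"] else "LIVE"
            print(f"{bucket:9} {where:9} {row['desc']:22} {row['location']}")
    for name, path, state in unreadable_drivers(SAMPLE_COMBOFIX):
        print(f"driver {name} ({state}) has no readable file at {path}")
```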

msanin
2008-02-29, 19:34
Hi Katana
Actually fastpush is a package used in the place where I work to send the UltraVNC installation through the network and take control of the machine remotely. Nevertheless I did what you asked me to, so here I go with the results:

Volume in drive C has no label.
Volume Serial Number is 7CB3-2997

Directory of C:\fastpush

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
08/23/2005 04:48 PM 3,120 change.txt
11/17/2006 06:07 PM <DIR> common
11/17/2006 06:07 PM <DIR> real337
11/17/2006 06:07 PM <DIR> real4
11/17/2006 06:07 PM <DIR> real411
11/17/2006 06:07 PM <DIR> tight129
11/17/2006 06:07 PM <DIR> ultra
11/17/2006 06:07 PM <DIR> utils
08/23/2005 04:49 PM 55,506 vnc.cmd
11/17/2006 06:07 PM <DIR> zvnc
2 File(s) 58,626 bytes

Directory of C:\fastpush\common

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
08/23/2005 04:48 PM 65 helper.ini
08/23/2005 04:49 PM 2,988 machine.ini
08/23/2005 04:48 PM 36,864 MyDetails.exe
08/23/2005 04:48 PM 32,768 MyDetails.old1
08/23/2005 04:48 PM 32,768 MyDetails.old2
08/23/2005 04:48 PM 734 vnc4.ini
08/23/2005 04:48 PM 415 warning.ini
7 File(s) 106,602 bytes

Directory of C:\fastpush\real337

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
08/23/2005 04:48 PM 45,056 omnithread2_rt.dll
08/23/2005 04:48 PM 61,440 othread2.dll
08/23/2005 04:48 PM 57,344 vnchooks.dll
08/23/2005 04:48 PM 233,472 vncviewer.exe
08/23/2005 04:48 PM 335,872 winvnc.exe
5 File(s) 733,184 bytes

Directory of C:\fastpush\real4

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
08/23/2005 04:48 PM 12,288 logmessages.dll
08/23/2005 04:48 PM 131,072 vncconfig.exe
08/23/2005 04:48 PM 274,432 vncviewer.exe
08/23/2005 04:48 PM 380,928 winvnc4.exe
08/23/2005 04:48 PM 53,248 wm_hooks.dll
5 File(s) 851,968 bytes

Directory of C:\fastpush\real411

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
08/23/2005 04:48 PM 17,384 logmessages.dll
08/23/2005 04:48 PM 160,776 vncconfig.exe
08/23/2005 04:48 PM 291,792 vncviewer.exe
08/23/2005 04:48 PM 455,632 winvnc4.exe
08/23/2005 04:48 PM 58,336 wm_hooks.dll
5 File(s) 983,920 bytes

Directory of C:\fastpush\tight129

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
08/23/2005 04:48 PM 60,928 VNCHooks.dll
08/23/2005 04:48 PM 274,432 vncviewer.exe
08/23/2005 04:48 PM 474,624 winvnc.exe
3 File(s) 809,984 bytes

Directory of C:\fastpush\ultra

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
06/11/2005 11:23 PM 86,083 authadmin.dll
06/11/2005 11:23 PM 122,945 authSSP.dll
11/17/2006 06:07 PM <DIR> doc
11/17/2006 06:07 PM <DIR> icons
06/11/2005 11:23 PM 110,658 ldapauth.dll
03/29/2005 10:40 PM 19,882 Licence.txt
06/11/2005 11:23 PM 98,369 logging.dll
06/11/2005 11:22 PM 12,288 logmessages.dll
06/11/2005 11:23 PM 69,632 MSLogonACL.exe
11/17/2006 06:07 PM <DIR> plugin
07/03/2005 09:32 PM 13,248 Readme.txt
08/23/2005 04:56 PM 44,884 unins000.dat
08/23/2005 04:55 PM 687,434 unins000.exe
08/07/2005 11:25 AM 102,400 UnZip32.dll
06/11/2005 11:22 PM 98,370 vnchooks.dll
08/28/2000 11:41 AM 2,140 VNCHooks_Settings.reg
08/06/2005 09:18 PM 1,024,000 vncviewer.exe
08/06/2005 07:35 PM 24,869 Whatsnew.txt
08/06/2005 07:45 PM 974,848 winvnc.exe
06/11/2005 11:23 PM 102,471 workgrpdomnt4.dll
08/07/2005 11:09 AM 151,552 Zip32.dll
18 File(s) 3,746,073 bytes

Directory of C:\fastpush\ultra\doc

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
11/17/2006 06:07 PM <DIR> addons
11/17/2006 06:07 PM <DIR> css
11/17/2006 06:07 PM <DIR> features
11/17/2006 06:07 PM <DIR> general
11/17/2006 06:07 PM <DIR> images
11/17/2006 06:07 PM <DIR> img
06/09/2005 03:24 PM 9,396 index.html
11/17/2006 06:07 PM <DIR> install
1 File(s) 9,396 bytes

Directory of C:\fastpush\ultra\doc\addons

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
11/17/2006 06:07 PM <DIR> img
06/09/2005 03:24 PM 5,887 index.html
06/09/2005 03:24 PM 7,118 nat2nat.html
06/09/2005 03:24 PM 10,536 repeater.html
06/09/2005 03:24 PM 5,601 routerconf.html
06/09/2005 03:24 PM 11,258 singleclick.html
5 File(s) 40,400 bytes

Directory of C:\fastpush\ultra\doc\addons\img

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
03/05/2005 10:34 PM 8,449 addons.png
02/17/2005 05:06 PM 2,084 balloon.gif
02/17/2005 05:10 PM 1,186 bg1.bmp
02/17/2005 05:11 PM 1,186 bg2.bmp
02/17/2005 05:11 PM 1,186 bg3.bmp
02/17/2005 05:11 PM 1,186 bg4.bmp
02/17/2005 05:06 PM 32,064 input.jpg
01/15/2005 09:08 PM 15,166 modeI.gif
02/14/2005 02:33 PM 11,432 nat2nat-2.png
02/14/2005 02:13 PM 29,927 nat2nat.png
02/14/2005 03:34 PM 266 nsc-green.gif
02/14/2005 03:33 PM 297 nsc-red.gif
02/14/2005 03:34 PM 266 nsc-yellow.gif
02/17/2005 05:53 PM 33,723 plugin.jpg
01/15/2005 11:36 PM 11,037 rep1.gif
01/15/2005 11:36 PM 13,467 rep2.gif
01/15/2005 11:36 PM 34,104 rep3.gif
01/15/2005 11:36 PM 16,850 rep4.gif
03/30/2005 08:52 AM 33,485 repeater.gif
01/15/2005 09:08 PM 22,508 sample1.gif
01/15/2005 09:08 PM 22,258 sample2.gif
02/17/2005 05:53 PM 32,499 viewer.jpg
22 File(s) 324,626 bytes

Directory of C:\fastpush\ultra\doc\css

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
05/10/2005 02:43 PM 6,274 Copy of ultravnc-screen-common.css
04/15/2005 09:10 AM 1,208 ultranvc-print.css
05/17/2005 02:47 PM 4,010 ultravnc-print.css
04/15/2005 09:03 AM 1,030 ultravnc-screen-alt.css
06/02/2005 10:17 AM 6,408 ultravnc-screen-common.css
02/14/2005 01:03 PM 1,404 ultravnc-screen.css
6 File(s) 20,334 bytes

Directory of C:\fastpush\ultra\doc\features

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
06/09/2005 03:24 PM 16,472 authentication.html
06/09/2005 03:24 PM 4,353 chat.html
06/09/2005 03:24 PM 6,244 driver.html
06/09/2005 03:24 PM 4,916 encryption.html
06/09/2005 03:24 PM 4,886 filetransfer.html
11/17/2006 06:07 PM <DIR> img
06/09/2005 03:24 PM 5,484 index.html
06/09/2005 03:24 PM 4,914 javaviewer.html
7 File(s) 47,269 bytes

Directory of C:\fastpush\ultra\doc\features\img

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
02/14/2005 05:24 PM 4,747 classicdialog.png
01/15/2005 05:49 PM 11,167 export.png
03/05/2005 10:14 PM 11,053 features.png
01/15/2005 05:49 PM 8,697 mslogon.png
02/14/2005 05:59 PM 7,350 mslogon1groups.png
02/14/2005 05:29 PM 1,556 mslogon1prop.png
02/14/2005 05:23 PM 5,047 mslogondialog.png
01/15/2005 05:49 PM 1,603 prop.png
01/15/2005 05:49 PM 1,686 traymenu.png
9 File(s) 52,906 bytes

Directory of C:\fastpush\ultra\doc\general

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
06/09/2005 03:24 PM 5,890 aboutus.html
06/09/2005 03:24 PM 12,609 faq.html
11/17/2006 06:07 PM <DIR> img
06/09/2005 03:24 PM 7,020 index.html
06/09/2005 03:24 PM 22,590 licence.html
06/09/2005 03:24 PM 9,026 links.html
06/09/2005 03:24 PM 33,861 readme.html
06/09/2005 03:24 PM 26,512 whatsnew.html
7 File(s) 117,508 bytes

Directory of C:\fastpush\ultra\doc\general\img

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
03/05/2005 10:19 PM 11,482 general.png
1 File(s) 11,482 bytes

Directory of C:\fastpush\ultra\doc\images

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
02/18/2005 04:47 PM 4,841 logo.gif
1 File(s) 4,841 bytes

Directory of C:\fastpush\ultra\doc\img

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
03/03/2005 11:59 AM 18,539 clipart.gif
02/18/2005 04:47 PM 4,841 logo.gif
2 File(s) 23,380 bytes

Directory of C:\fastpush\ultra\doc\install

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
06/09/2005 03:24 PM 13,125 cmdline.html
06/09/2005 03:24 PM 11,596 configuration.html
11/17/2006 06:07 PM <DIR> img
11/17/2006 06:07 PM <DIR> img2
06/09/2005 03:24 PM 5,653 index.html
06/09/2005 03:24 PM 9,304 installation.html
05/13/2005 09:50 AM 9,170 installation2.html
06/09/2005 03:24 PM 4,957 registry.html
06/09/2005 03:24 PM 5,923 unattended.html
06/09/2005 03:24 PM 11,411 usage.html
06/09/2005 03:24 PM 10,790 viewerconfig.html
9 File(s) 81,929 bytes

Directory of C:\fastpush\ultra\doc\install\img

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
04/21/2005 12:02 PM 19,733 adminprops.png
06/01/2005 11:35 AM 5,381 contextmenu-viewer.png
04/21/2005 09:36 PM 3,289 driver.png
03/05/2005 10:04 PM 7,853 install.png
04/21/2005 03:30 PM 7,239 mslogon1groups.png
04/21/2005 03:28 PM 9,607 mslogon2groups.png
04/21/2005 04:22 PM 8,279 props.png
05/13/2005 10:33 PM 9,205 quick-auto.gif
05/13/2005 10:34 PM 8,452 quick-lan.gif
05/13/2005 10:35 PM 8,461 quick-medium.gif
05/13/2005 10:35 PM 8,491 quick-modem.gif
05/13/2005 10:35 PM 8,464 quick-slow.gif
05/13/2005 10:34 PM 8,471 quick-ultra.gif
06/09/2005 02:05 PM 12,295 setup-acl.png
06/09/2005 02:04 PM 15,326 setup-add.png
06/09/2005 02:02 PM 13,998 setup-comp.png
06/09/2005 02:01 PM 13,195 setup-dest.png
06/09/2005 02:10 PM 31,398 setup-end.png
06/09/2005 02:03 PM 13,067 setup-fold.png
06/09/2005 02:58 PM 6,064 setup-lang.png
06/09/2005 02:00 PM 15,888 setup-lic.png
06/09/2005 02:09 PM 14,937 setup-new.png
06/09/2005 02:06 PM 12,553 setup-props.png
06/09/2005 02:07 PM 14,255 setup-ready.png
06/09/2005 02:01 PM 16,454 setup-rel.png
04/25/2005 03:57 PM 28,509 setup-welcome.png
06/01/2005 11:56 AM 8,406 toolbar.png
06/01/2005 03:33 PM 601 toolbar01.png
06/01/2005 03:34 PM 613 toolbar02.png
06/01/2005 03:36 PM 951 toolbar03.png
06/01/2005 03:36 PM 696 toolbar04.png
06/01/2005 03:38 PM 790 toolbar05.png
06/01/2005 03:38 PM 416 toolbar06.png
06/01/2005 05:25 PM 645 toolbar07.png
06/01/2005 05:26 PM 1,085 toolbar08.png
06/01/2005 05:26 PM 693 toolbar09.png
06/01/2005 05:27 PM 796 toolbar10.png
06/01/2005 05:28 PM 841 toolbar11.png
06/01/2005 05:28 PM 591 toolbar12.png
06/01/2005 05:29 PM 746 toolbar13.png
06/01/2005 05:30 PM 721 toolbar14.png
04/21/2005 09:59 PM 9,396 viewer.png
04/21/2005 10:00 PM 11,962 vieweroptions.png
43 File(s) 360,813 bytes

Directory of C:\fastpush\ultra\doc\install\img2

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
05/10/2005 01:29 PM 13,521 setup-acl.png
05/10/2005 01:28 PM 15,950 setup-add.png
05/10/2005 01:26 PM 14,549 setup-comp.png
04/25/2005 04:00 PM 14,637 setup-dest.png
04/25/2005 04:08 PM 28,703 setup-end.png
04/25/2005 04:01 PM 14,529 setup-fold.png
02/17/2005 09:56 AM 5,524 setup-lang.png
04/25/2005 03:58 PM 17,234 setup-lic.png
04/25/2005 04:08 PM 15,764 setup-new.png
05/10/2005 01:30 PM 13,851 setup-props.png
04/25/2005 04:02 PM 15,439 setup-ready.png
04/25/2005 03:58 PM 17,680 setup-rel.png
04/25/2005 03:57 PM 28,509 setup-welcome.png
13 File(s) 215,890 bytes

Directory of C:\fastpush\ultra\icons

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
06/15/2005 09:42 AM 174,246 Connected 1.ico
06/15/2005 09:43 AM 174,246 Connected 2.ico
06/15/2005 09:43 AM 174,246 Connected 3.ico
06/15/2005 09:44 AM 174,246 Connected 4.ico
06/15/2005 10:46 AM 174,246 Connected 5.ico
06/15/2005 10:46 AM 174,246 Connected 6.ico
06/24/2005 10:02 PM 127 Readme.txt
06/15/2005 09:42 AM 174,246 Standby 1.ico
06/15/2005 09:45 AM 174,246 Standby 2.ico
06/14/2005 03:29 PM 174,246 Standby 3.ico
06/14/2005 03:22 PM 174,246 Standby 4.ico
06/14/2005 03:32 PM 174,246 Standby 5.ico
06/15/2005 10:42 AM 174,246 Standby 6.ico
06/15/2005 10:43 AM 174,246 Standby 7.ico
14 File(s) 2,265,325 bytes

Directory of C:\fastpush\ultra\plugin

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
03/12/2005 03:40 PM 550 debug_off.reg
03/12/2005 04:39 PM 550 debug_on.reg
02/18/2005 03:31 PM 18,340 Licence.txt
06/03/2005 02:19 PM 14,848 MSRC4Plugin.dsm
06/03/2005 02:20 PM 14,336 MSRC4Plugin_NoReg.dsm
06/03/2005 02:18 PM 1,355 Readme.txt
02/17/2005 09:41 PM 1,203 testserver.bat
02/17/2005 07:41 PM 1,203 testserver.cmd
02/18/2005 09:31 PM 942 testviewer.bat
02/18/2005 07:31 PM 942 testviewer.cmd
06/03/2005 02:19 PM 4,097 Whatsnew.txt
11 File(s) 58,366 bytes

Directory of C:\fastpush\utils

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
08/23/2005 04:48 PM 48,128 reg.exe
08/23/2005 04:48 PM 54,032 REGDIR.EXE
08/23/2005 04:48 PM 68,880 REGINI.EXE
08/23/2005 04:48 PM 22,016 RMTSHARE.EXE
08/23/2005 04:48 PM 54,032 sc.exe
08/23/2005 04:48 PM 19,728 SHORTCUT.EXE
08/23/2005 04:48 PM 37,376 TIMEOUT.EXE
08/23/2005 04:48 PM 36,864 vncenc.exe
08/23/2005 04:48 PM 40,960 xCmd.exe
9 File(s) 382,016 bytes

Directory of C:\fastpush\zvnc

11/17/2006 06:07 PM <DIR> .
11/17/2006 06:07 PM <DIR> ..
08/23/2005 04:48 PM 57,344 omnithread_rt.dll
08/23/2005 04:48 PM 171 readme.txt
08/23/2005 04:48 PM 45,056 VNCHooks.dll
08/23/2005 04:48 PM 245,760 Vncviewer.exe
08/23/2005 04:48 PM 315,392 WinVNC.exe
5 File(s) 663,723 bytes

Total Files Listed:
210 File(s) 11,970,561 bytes
71 Dir(s) 3,550,330,880 bytes free

msanin
2008-02-29, 19:36
Here is the OTmoveit log:

C:\fastpush\zvnc moved successfully.
C:\fastpush\utils moved successfully.
C:\fastpush\ultra\plugin moved successfully.
C:\fastpush\ultra\icons moved successfully.
C:\fastpush\ultra\doc\install\img2 moved successfully.
C:\fastpush\ultra\doc\install\img moved successfully.
C:\fastpush\ultra\doc\install moved successfully.
C:\fastpush\ultra\doc\img moved successfully.
C:\fastpush\ultra\doc\images moved successfully.
C:\fastpush\ultra\doc\general\img moved successfully.
C:\fastpush\ultra\doc\general moved successfully.
C:\fastpush\ultra\doc\features\img moved successfully.
C:\fastpush\ultra\doc\features moved successfully.
C:\fastpush\ultra\doc\css moved successfully.
C:\fastpush\ultra\doc\addons\img moved successfully.
C:\fastpush\ultra\doc\addons moved successfully.
C:\fastpush\ultra\doc moved successfully.
C:\fastpush\ultra moved successfully.
C:\fastpush\tight129 moved successfully.
C:\fastpush\real411 moved successfully.
C:\fastpush\real4 moved successfully.
C:\fastpush\real337 moved successfully.
C:\fastpush\common moved successfully.
C:\fastpush moved successfully.

OTMoveIt2 v1.0.20 log created on 02292008_132856

katana
2008-02-29, 21:09
If you installed Fastpush, then I am not sure where the problem is coming from.
There is nothing else in your logs that would cause you to send spam mail.

Are you still having the problem, or has it stopped?

msanin
2008-03-03, 20:40
Hi Katana, the spam problem is solved now. Thanks a lot for all your help. :eek::present:

katana
2008-03-03, 21:55
Congratulations, your logs look clean.

Let's see if I can help you keep it that way.

First, let's tidy up.

Click START then RUN.
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

You can also delete any logs we have produced, and empty your Recycle bin.

The following is some info to help you stay safe and clean.
(Vista users must ensure that any programs are Vista compatible BEFORE installing.)

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.nanoscan.com
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you; see HERE (http://secunia.com/software_inspector/) for details.

AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time; the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have free (for home users) and paid versions;
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must-have program. It includes host protection and registry protection. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites.
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A new and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
AVG Anti-Spyware 7.5 (http://www.ewido.net/en/) <<< A good "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner

Prevention
These programs don't detect malware; they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one.
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some!! Notifies you if programs are added to startup. Allows delayed startup. A must-have addition.
SpywareBlaster 4.0 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol.
ZonedOut (http://www.funkytoad.com/content/view/15/33/) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other hosts file protections.

Internet Browsers
Microsoft has worked hard to make IE7 a more secure browser; unfortunately, whilst it is still the leading browser of choice, it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy, this is a very popular choice. NoScript and AdBlockPlus addons are essential.
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative. Also has addons available.

Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION: If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords.

Both of these can be cleaned manually, but a quicker option is to use a program.
ATF Cleaner (http://www.atribune.org/content/view/19/2/) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can choose which cookies to keep

Also PLEASE read this article: So How Did I Get Infected In The First Place (http://forum.malwareremoval.com/viewtopic.php?t=4959)

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
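A way to verify the Internet zone settings listed in the post above without clicking through the Custom Level dialog, as an added example that is not part of katana's post or of any tool named in it: the script reads a saved `reg query` export of the Internet zone key, maps the numeric action codes Internet Explorer stores for the six settings in the post, and reports any that are missing or more permissive than recommended. The action codes (1001, 1004, 1201, 1800, 1804, 1607) and the 0 = Enable, 1 = Prompt, 3 = Disable encoding are IE's registry layout for security zones under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3; the sample export below is constructed for illustration and is not from the poster's machine.

```python
"""Audit the Internet Explorer 'Internet' zone (zone 3) against the settings
recommended above, reading a saved `reg query` export so it runs offline.

The numeric value names are the action codes IE stores under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3;
each holds 0 (Enable), 1 (Prompt) or 3 (Disable).
"""

# Action code -> the name shown in the Custom Level dialog.
SETTING_NAMES = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1800": "Installation of desktop items",
    "1804": "Launching programs and files in an IFRAME",
    "1607": "Navigate sub-frames across different domains",
}

ENABLE, PROMPT, DISABLE = 0, 1, 3
ACTION_LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# The values the post above asks for, keyed by action code.
RECOMMENDED = {
    "1001": PROMPT,
    "1004": DISABLE,
    "1201": DISABLE,
    "1800": PROMPT,
    "1804": PROMPT,
    "1607": PROMPT,
}


def parse_reg_query(text):
    """Return {value_name: int} for every REG_DWORD line in `reg query` output.

    Tolerates both the tab-separated columns of Windows XP's reg.exe and the
    space-separated columns of later versions; other value types are ignored.
    """
    values = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "REG_DWORD":
            values[parts[0]] = int(parts[2], 16)  # reg prints DWORDs as 0x...
    return values


def audit_zone(values, recommended=RECOMMENDED):
    """Return [(setting name, current code or None, recommended code)] for
    each setting that is absent or more permissive than recommended.

    Action codes are ordered Enable (0) < Prompt (1) < Disable (3), so a
    smaller stored code means a weaker setting. An absent value means IE is
    falling back to the zone's built-in default, which is reported as well
    so the reader checks it in the dialog instead of assuming it is safe.
    """
    findings = []
    for code, wanted in recommended.items():
        current = values.get(code)
        if current is None or current < wanted:
            findings.append((SETTING_NAMES[code], current, wanted))
    return findings


def format_findings(findings):
    """Render findings as one line each, e.g. for a log or a helper's reply."""
    lines = []
    for name, current, wanted in findings:
        shown = ("not set (zone default)" if current is None
                 else ACTION_LABEL.get(current, f"code {current}"))
        lines.append(f"{name}: {shown} -> recommended {ACTION_LABEL[wanted]}")
    return lines


# Constructed sample (not taken from the poster's machine) in the shape of
# `reg query "HKCU\...\Internet Settings\Zones\3"` output on Windows XP.
SAMPLE_EXPORT = """\
! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3
    DisplayName\tREG_SZ\tInternet
    1001\tREG_DWORD\t0x1
    1004\tREG_DWORD\t0x0
    1201\tREG_DWORD\t0x3
    1800\tREG_DWORD\t0x0
    1804\tREG_DWORD\t0x1
"""

if __name__ == "__main__":
    for line in format_findings(audit_zone(parse_reg_query(SAMPLE_EXPORT))):
        print(line)
```

On the machine being checked, `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" > zone3.txt` produces a file that parse_reg_query accepts. Only the current user's zone key is audited; a value that is absent is listed rather than treated as compliant, since it means the zone's built-in default applies and should be confirmed in the dialog.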

msanin
2008-03-04, 19:35
Hi Katana

I just can't find the right words to tell you how thankful I am. I'll for sure follow your recommendations. Everything is fine now!!! :bigthumb: