Hai5_2U
2008-05-19, 16:33
Greetings all
I was infected by this nasty virus yesterday. I continually get fake popups for spyware removal software, task manager has been disabled, and my desktop is a false ad for spyware as well. I have run Symantec AntiVirus, SpyBot, and AdAware. This has not been detected by Symantec. SpyBot removes it but it returns wothout even a reboot. AdAware has crippled it to where I do not get continuous popups.
After viewing some of the post here I ran Kaspersky and ComboFix. Plese help me dissinfect this beast virus.
My logs are as follows:
ComboFix 08-05-15.3 - Milt 2008-05-19 9:56:02.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.592 [GMT -4:00]
Running from: C:\Documents and Settings\Milt\Desktop\CF.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\default.htm
C:\WINDOWS\Downloaded Program Files\Temp
C:\WINDOWS\explore.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\x.exe
C:\WINDOWS\y.exe
.
---- Previous Run -------
.
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\matrix.dat
C:\WINDOWS\default.htm
C:\WINDOWS\explore.exe
C:\WINDOWS\iexplorer.exe
.
((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.
2008-05-19 02:22 . 2008-05-19 02:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-19 02:22 . 2008-05-19 02:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-18 22:44 . 2008-05-18 22:44 8,960 --a------ C:\WINDOWS\xxxvideo.hta
2008-05-18 22:11 . 2008-05-18 22:11 9,728 --a------ C:\WINDOWS\win32e.exe
2008-05-18 22:11 . 2008-05-18 22:44 8,704 --a------ C:\WINDOWS\waol.exe
2008-05-18 22:11 . 2008-05-18 22:43 8,704 --a------ C:\WINDOWS\astctl32.ocx
2008-05-18 21:24 . 2008-05-18 21:24 87,511 --a------ C:\WINDOWS\system32\xwusuhzh.exe
2008-05-18 21:24 . 2008-05-18 21:24 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-15 16:09 . 2008-05-18 14:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-15 16:09 . 2008-05-15 16:09 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-09 13:56 . 2008-05-09 13:56 99,264 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 13:52 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-19 13:44 --------- d-----w C:\Documents and Settings\Milt\Application Data\Free Download Manager
2008-05-19 01:36 9,728 ----a-w C:\WINDOWS\dnsrelay.dll
2008-05-18 18:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\WhiteCap (Holiday Edition)
2008-05-17 14:08 --------- d-----w C:\Documents and Settings\Milt\Application Data\OpenOffice.org2
2008-04-16 23:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-11 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-11 02:13 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-04-03 23:31 --------- d-----w C:\Program Files\TaxCut07
2008-04-03 23:31 --------- d-----w C:\Documents and Settings\Milt\Application Data\TaxCut
2008-04-03 23:30 --------- d-----w C:\Program Files\PDF995
2008-04-03 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\TaxCut
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 22:24 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 313,472 2006-03-30 21:45:08 C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
----a-w 32,768 2005-05-04 04:33:42 C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe
----a-w 185,896 2006-10-26 00:29:14 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 66,680 2004-02-29 21:44:46 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 66,680 2004-02-29 20:44:46 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
----a-w 278,528 2006-06-14 20:24:14 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 132,496 2007-07-12 08:00:36 C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
----a-w 282,624 2006-07-15 14:31:54 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 214,016 2004-01-12 15:13:10 C:\Program Files\SamsungODD\Magic Speed\bak\MagicSL.exe
----a-w 55,368 2007-05-02 23:00:36 C:\Program Files\SanDisk\Sansa Updater\bak\SansaDispatch.exe
----a-w 1,477,568 2007-09-10 09:29:52 C:\Program Files\SlySoft\AnyDVD\bak\AnyDVD.exe
----a-w 89,024 2008-05-13 18:41:38 C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
----a-w 124,128 2004-03-12 20:18:32 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
----a-w 124,128 2004-03-12 19:18:32 C:\Program Files\Symantec AntiVirus\VPTray.exe
----a-w 866,584 2006-11-03 23:20:12 C:\Program Files\Windows Defender\bak\MSASCui.exe
----a-w 204,288 2006-10-19 01:05:26 C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe
----a-w 90,112 2000-05-11 06:00:00 C:\WINDOWS\bak\UpdReg.EXE
----a-w 15,360 2004-08-04 05:56:50 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 05:56:50 C:\WINDOWS\system32\ctfmon.exe
----a-w 155,648 2003-07-13 07:49:48 C:\WINDOWS\system32\bak\NeroCheck.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-05-13 14:41 2091968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"SbUsb AudCtrl"="sbusbdll.dll" [2003-04-11 10:31 65024 C:\WINDOWS\system32\sbusbdll.dll]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [ ]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"MagicSpeed"="C:\Program Files\SamsungODD\Magic Speed\MagicSL.exe" [ ]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [ ]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18 124128]
"ATIModeChange"="Ati2mdxx.exe" [2007-09-29 03:58 26112 C:\WINDOWS\system32\Ati2mdxx.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17 443968]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Winter Fun Wallpaper Changer.lnk - C:\WINDOWS\Installer\{038A524F-58DB-438A-8391-8F7F0CA14B9E}\Icon038A524F.exe [2005-02-02 06:51:25 14336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\xwusuhzh.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Ahead\\Nero\\nero.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2006-12-20 08:00]
S3 iatmunin;iatmunin;C:\DOCUME~1\Milt\LOCALS~1\Temp\iatmunin.sys []
S3 mqdmbus;Motorola DM Composite Driver (WDM);C:\WINDOWS\system32\DRIVERS\mqdmbus.sys [2006-07-13 13:58]
S3 mqdmmdfl;Motorola USB Modem (Filter);C:\WINDOWS\system32\DRIVERS\mqdmmdfl.sys [2006-07-13 14:02]
S3 mqdmmdm;Motorola USB Modem;C:\WINDOWS\system32\DRIVERS\mqdmmdm.sys [2006-07-13 14:03]
S3 mqdmserd;Motorola USB Diag;C:\WINDOWS\system32\DRIVERS\mqdmserd.sys [2006-07-13 14:03]
S3 S6U12Scanner;MUSTEK 1200 CU Still Image Device Service;C:\WINDOWS\system32\drivers\usbscan.sys [2004-08-03 22:58]
S3 sbusb;Sound Blaster USB Audio Driver;C:\WINDOWS\system32\DRIVERS\sbusb.sys [2003-04-23 16:58]
.
Contents of the 'Scheduled Tasks' folder
"2008-05-19 13:57:14 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 09:58:28
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-19 10:00:14
ComboFix-quarantined-files.txt 2008-05-19 14:00:12
Pre-Run: 6,975,053,824 bytes free
Post-Run: 6,967,361,536 bytes free
180 --- E O F --- 2008-05-16 20:44:58
KASPERSKY ONLINE SCANNER REPORT
Monday, May 19, 2008 8:39:50 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/05/2008
Kaspersky Anti-Virus database records: 784101
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\Milt\LOCALS~1\Temp\
Scan Statistics
Total number of scanned objects 21636
Number of viruses found 2
Number of infected objects 2
Number of suspicious objects 0
Duration of the scan process 00:22:27
Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\default.htm Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SDE1FC286.tmp Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xwusuhzh.exe Infected: not-virus:Hoax.Win32.Renos.cii skipped
C:\WINDOWS\Temp\Perflib_Perfdata_21c.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\Milt\LOCALS~1\Temp\Perflib_Perfdata_dc0.dat Object is locked skipped
C:\DOCUME~1\Milt\LOCALS~1\Temp\~DF1D96.tmp Object is locked skipped
C:\DOCUME~1\Milt\LOCALS~1\Temp\~DFECB5.tmp Object is locked skipped
Scan process completed.
I was infected by this nasty virus yesterday. I continually get fake popups for spyware removal software, task manager has been disabled, and my desktop is a false ad for spyware as well. I have run Symantec AntiVirus, SpyBot, and AdAware. This has not been detected by Symantec. SpyBot removes it but it returns wothout even a reboot. AdAware has crippled it to where I do not get continuous popups.
After viewing some of the post here I ran Kaspersky and ComboFix. Plese help me dissinfect this beast virus.
My logs are as follows:
ComboFix 08-05-15.3 - Milt 2008-05-19 9:56:02.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.592 [GMT -4:00]
Running from: C:\Documents and Settings\Milt\Desktop\CF.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\default.htm
C:\WINDOWS\Downloaded Program Files\Temp
C:\WINDOWS\explore.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\x.exe
C:\WINDOWS\y.exe
.
---- Previous Run -------
.
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\matrix.dat
C:\WINDOWS\default.htm
C:\WINDOWS\explore.exe
C:\WINDOWS\iexplorer.exe
.
((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.
2008-05-19 02:22 . 2008-05-19 02:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-19 02:22 . 2008-05-19 02:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-18 22:44 . 2008-05-18 22:44 8,960 --a------ C:\WINDOWS\xxxvideo.hta
2008-05-18 22:11 . 2008-05-18 22:11 9,728 --a------ C:\WINDOWS\win32e.exe
2008-05-18 22:11 . 2008-05-18 22:44 8,704 --a------ C:\WINDOWS\waol.exe
2008-05-18 22:11 . 2008-05-18 22:43 8,704 --a------ C:\WINDOWS\astctl32.ocx
2008-05-18 21:24 . 2008-05-18 21:24 87,511 --a------ C:\WINDOWS\system32\xwusuhzh.exe
2008-05-18 21:24 . 2008-05-18 21:24 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-15 16:09 . 2008-05-18 14:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-15 16:09 . 2008-05-15 16:09 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-09 13:56 . 2008-05-09 13:56 99,264 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 13:52 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-19 13:44 --------- d-----w C:\Documents and Settings\Milt\Application Data\Free Download Manager
2008-05-19 01:36 9,728 ----a-w C:\WINDOWS\dnsrelay.dll
2008-05-18 18:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\WhiteCap (Holiday Edition)
2008-05-17 14:08 --------- d-----w C:\Documents and Settings\Milt\Application Data\OpenOffice.org2
2008-04-16 23:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-11 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-11 02:13 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-04-03 23:31 --------- d-----w C:\Program Files\TaxCut07
2008-04-03 23:31 --------- d-----w C:\Documents and Settings\Milt\Application Data\TaxCut
2008-04-03 23:30 --------- d-----w C:\Program Files\PDF995
2008-04-03 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\TaxCut
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 22:24 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 313,472 2006-03-30 21:45:08 C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
----a-w 32,768 2005-05-04 04:33:42 C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe
----a-w 185,896 2006-10-26 00:29:14 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 66,680 2004-02-29 21:44:46 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 66,680 2004-02-29 20:44:46 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
----a-w 278,528 2006-06-14 20:24:14 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 132,496 2007-07-12 08:00:36 C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
----a-w 282,624 2006-07-15 14:31:54 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 214,016 2004-01-12 15:13:10 C:\Program Files\SamsungODD\Magic Speed\bak\MagicSL.exe
----a-w 55,368 2007-05-02 23:00:36 C:\Program Files\SanDisk\Sansa Updater\bak\SansaDispatch.exe
----a-w 1,477,568 2007-09-10 09:29:52 C:\Program Files\SlySoft\AnyDVD\bak\AnyDVD.exe
----a-w 89,024 2008-05-13 18:41:38 C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
----a-w 124,128 2004-03-12 20:18:32 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
----a-w 124,128 2004-03-12 19:18:32 C:\Program Files\Symantec AntiVirus\VPTray.exe
----a-w 866,584 2006-11-03 23:20:12 C:\Program Files\Windows Defender\bak\MSASCui.exe
----a-w 204,288 2006-10-19 01:05:26 C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe
----a-w 90,112 2000-05-11 06:00:00 C:\WINDOWS\bak\UpdReg.EXE
----a-w 15,360 2004-08-04 05:56:50 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 05:56:50 C:\WINDOWS\system32\ctfmon.exe
----a-w 155,648 2003-07-13 07:49:48 C:\WINDOWS\system32\bak\NeroCheck.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-05-13 14:41 2091968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"SbUsb AudCtrl"="sbusbdll.dll" [2003-04-11 10:31 65024 C:\WINDOWS\system32\sbusbdll.dll]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [ ]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"MagicSpeed"="C:\Program Files\SamsungODD\Magic Speed\MagicSL.exe" [ ]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [ ]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18 124128]
"ATIModeChange"="Ati2mdxx.exe" [2007-09-29 03:58 26112 C:\WINDOWS\system32\Ati2mdxx.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17 443968]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Winter Fun Wallpaper Changer.lnk - C:\WINDOWS\Installer\{038A524F-58DB-438A-8391-8F7F0CA14B9E}\Icon038A524F.exe [2005-02-02 06:51:25 14336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\xwusuhzh.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Ahead\\Nero\\nero.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2006-12-20 08:00]
S3 iatmunin;iatmunin;C:\DOCUME~1\Milt\LOCALS~1\Temp\iatmunin.sys []
S3 mqdmbus;Motorola DM Composite Driver (WDM);C:\WINDOWS\system32\DRIVERS\mqdmbus.sys [2006-07-13 13:58]
S3 mqdmmdfl;Motorola USB Modem (Filter);C:\WINDOWS\system32\DRIVERS\mqdmmdfl.sys [2006-07-13 14:02]
S3 mqdmmdm;Motorola USB Modem;C:\WINDOWS\system32\DRIVERS\mqdmmdm.sys [2006-07-13 14:03]
S3 mqdmserd;Motorola USB Diag;C:\WINDOWS\system32\DRIVERS\mqdmserd.sys [2006-07-13 14:03]
S3 S6U12Scanner;MUSTEK 1200 CU Still Image Device Service;C:\WINDOWS\system32\drivers\usbscan.sys [2004-08-03 22:58]
S3 sbusb;Sound Blaster USB Audio Driver;C:\WINDOWS\system32\DRIVERS\sbusb.sys [2003-04-23 16:58]
.
Contents of the 'Scheduled Tasks' folder
"2008-05-19 13:57:14 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 09:58:28
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-19 10:00:14
ComboFix-quarantined-files.txt 2008-05-19 14:00:12
Pre-Run: 6,975,053,824 bytes free
Post-Run: 6,967,361,536 bytes free
180 --- E O F --- 2008-05-16 20:44:58
KASPERSKY ONLINE SCANNER REPORT
Monday, May 19, 2008 8:39:50 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/05/2008
Kaspersky Anti-Virus database records: 784101
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\Milt\LOCALS~1\Temp\
Scan Statistics
Total number of scanned objects 21636
Number of viruses found 2
Number of infected objects 2
Number of suspicious objects 0
Duration of the scan process 00:22:27
Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\default.htm Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SDE1FC286.tmp Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xwusuhzh.exe Infected: not-virus:Hoax.Win32.Renos.cii skipped
C:\WINDOWS\Temp\Perflib_Perfdata_21c.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\Milt\LOCALS~1\Temp\Perflib_Perfdata_dc0.dat Object is locked skipped
C:\DOCUME~1\Milt\LOCALS~1\Temp\~DF1D96.tmp Object is locked skipped
C:\DOCUME~1\Milt\LOCALS~1\Temp\~DFECB5.tmp Object is locked skipped
Scan process completed.