help with malware

[ericv222]

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-03-07 12:22:44
PROTECTIONS: 0
MALWARE: 8
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00020994 W32/Bagle.pwdzip Virus No 0 Yes No C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentamwr1.zip
00366244 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Eric\Desktop\Flash_Disinfector.exe[C:\Documents and Settings\Eric\Desktop\Flash_Disinfector.exe][nircmd.exe]
00456045 Adware/SurfAccuracy Adware No 1 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP168\A0138453.exe
00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP171\A0141654.sys
00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP172\A0141700.sys
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP176\A0145068.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP173\A0142778.EXE
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No E:\WBYPJHE.EXE
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\[4]-Submit_2009-03-03@11.57.zip[Suspect_meex.exe.vir]
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\[4]-Submit_2009-03-03@11.57.zip[Suspect_plvjpqf.exe.vir]
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\ujrxfan.exe.vir
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\[4]-Submit_2009-03-03@11.57.zip[Suspect_ujrxfan.exe.vir]
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP173\A0142747.exe
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No H:\WBYPJHE.EXE
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\Program Files\meex.exe.vir
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP174\A0144775.exe
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP174\A0144776.exe
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP174\A0144777.exe
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\_OTMoveIt\MovedFiles\02282009_200641\wbypjhe.exe
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\Program Files\Common Files\System\plvjpqf.exe.vir
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP171\A0141658.exe
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\_OTMoveIt\MovedFiles\02282009_200641\Program Files\Common Files\Microsoft Shared\ujrxfan.exe
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\_OTMoveIt\MovedFiles\02282009_200641\Program Files\Common Files\System\plvjpqf.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP173\A0142754.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP176\A0145043.sys
05035868 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP168\A0138448.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\Documents and Settings\Eric\Desktop\ComboFix.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================

 

[katana]

Custom CFScript

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  

  File::
  C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentamwr1.zip
  C:\Documents and Settings\Eric\Desktop\Flash_Disinfector.exe
  E:\WBYPJHE.EXE
  H:\WBYPJHE.EXE
  Folder::
  Driver::
  Registry::
  [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
  [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae960644-5894-11dd-8c96-00c09faf3b7d}]
  ADS::

• Save this as CFScript.txt and place it on your desktop.
  
  
  
  
  
  
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper




How are things running now, any problems still ?

 

[ericv222]

ComboFix 09-03-03.01 - Eric 2009-03-08 20:21:53.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.494.139 [GMT -5:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eric\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentamwr1.zip
c:\documents and settings\Eric\Desktop\Flash_Disinfector.exe
E:\WBYPJHE.EXE
H:\WBYPJHE.EXE
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentamwr1.zip
c:\documents and settings\Eric\Desktop\Flash_Disinfector.exe
E:\WBYPJHE.EXE
H:\WBYPJHE.EXE

.
((((((((((((((((((((((((( Files Created from 2009-02-09 to 2009-03-09 )))))))))))))))))))))))))))))))
.

2009-03-05 18:15 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-03-05 18:14 . 2009-03-05 18:14 <DIR> d-------- c:\windows\LastGood
2009-03-05 18:14 . 2009-03-05 18:14 <DIR> d-------- c:\program files\Panda Security
2009-02-28 21:06 . 2009-02-28 21:06 <DIR> d-------- C:\_OTMoveIt
2009-02-28 19:13 . 2009-02-28 19:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-28 19:13 . 2009-02-28 19:13 <DIR> d-------- c:\documents and settings\Eric\Application Data\Malwarebytes
2009-02-28 19:13 . 2009-02-28 19:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-28 19:13 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-28 19:13 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-28 16:41 . 2009-02-28 16:41 <DIR> d-------- C:\rsit
2009-02-25 18:18 . 2009-02-25 18:18 <DIR> d-------- c:\program files\Trend Micro
2009-02-25 17:55 . 2009-02-25 17:55 <DIR> d-------- c:\program files\ERUNT
2009-02-20 04:41 . 2009-02-20 04:42 <DIR> d-------- c:\documents and settings\Eric\Application Data\U3
2009-02-18 22:36 . 1999-09-10 13:06 45,056 --a------ c:\windows\system32\WNASPI32.DLL
2009-02-18 22:36 . 1999-09-10 13:06 25,244 --a------ c:\windows\system32\drivers\ASPI32.SYS
2009-02-18 22:36 . 1999-09-10 13:06 5,600 --a------ c:\windows\system\WINASPI.DLL
2009-02-18 22:36 . 1999-09-10 13:06 4,672 --a------ c:\windows\system\WOWPOST.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-09 01:04 --------- d-----w c:\program files\AIMTunes
2009-02-07 17:21 --------- d-----w c:\documents and settings\Eric\Application Data\foobar2000
2009-02-05 08:45 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-05 08:44 --------- d-----w c:\program files\SpywareBlaster
2009-02-01 04:40 --------- d-----w c:\documents and settings\Eric\Application Data\Memorex
2008-12-19 00:51 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-07-23 21:39 256 -c--a-w c:\documents and settings\Eric\pool.bin
2008-08-27 16:51 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082720080828\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-02_20.03.46.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\2009-03-05\ERDNT.EXE
+ 2009-03-05 23:07:02 9,064,448 ----a-w c:\windows\erdnt\AutoBackup\2009-03-05\Users\00000001\ntuser.dat
+ 2009-03-05 23:07:04 217,088 ----a-w c:\windows\erdnt\AutoBackup\2009-03-05\Users\00000002\UsrClass.dat
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\3-3-2009\ERDNT.EXE
+ 2009-03-03 17:51:44 9,064,448 ----a-w c:\windows\erdnt\AutoBackup\3-3-2009\Users\00000001\ntuser.dat
+ 2009-03-03 17:51:45 217,088 ----a-w c:\windows\erdnt\AutoBackup\3-3-2009\Users\00000002\UsrClass.dat
- 2005-10-21 02:02:28 163,328 ----a-w c:\windows\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\erdnt\Hiv-backup\ERDNT.EXE
- 2000-08-31 14:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 14:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2009-03-04 23:58:27 16,384 ----atw c:\windows\temp\Perflib_Perfdata_254.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 532480]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-06-27 91432]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]

c:\documents and settings\Eric\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a--c--- 2008-01-15 09:17 277960 c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 11:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\flipmaster380\\counter-strike\\hl.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\AGE2_X1.EXE"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SMBHC;Microsoft SM Bus Host Controller Driver;c:\windows\system32\drivers\smbhc.sys [2008-07-22 6784]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [2008-06-27 16:50:32 61424]
R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [2008-07-23 2688]
R3 SMBBATT;Microsoft Smart Battery Driver;c:\windows\system32\drivers\smbbatt.sys [2008-07-22 16000]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2008-07-23 184320]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d8b6130-ff32-11dd-8dbc-00c09faf3b7d}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {08FCE788-D490-4C3C-90DC-B5C9DB4E19D8} = 208.67.220.220,208.67.222.222
TCP: {4AA53199-8264-413A-9FE1-BBEF71A6A0CB} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\o2n18mc6.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - my.yahoo.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-08 20:25:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet010\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
Completion time: 2009-03-08 20:28:09
ComboFix-quarantined-files.txt 2009-03-09 01:27:45
ComboFix2.txt 2009-03-05 23:10:27
ComboFix3.txt 2009-03-03 18:07:39
ComboFix4.txt 2009-03-03 02:12:33

Pre-Run: 4,019,040,256 bytes free
Post-Run: 4,002,811,904 bytes free

157 --- E O F --- 2008-12-18 07:01:03

 

[katana]

How are things running now, any problems still ?

 

[ericv222]

i just turned on my computer and don't see any of the malware processes running in my task manager, so that's good. also, i've been meaning to ask. when combofix asked me to update, should i have updated or not? because i ignored it the first 2-3 times, then i clicked update and it updated, but this last time i ran combofix (with the latest script) it asked me to update again. i was just wondering if that was normal.

 

[katana]

Combofix checks to see if there is a newer version before it runs, and since it gets updated twice a day sometimes, there is nothing unusual in it asking you to update.

Right, let's have a look at the other USB drive.

Plug in the other drive and your iPod and then run the Panda Active scan again.

 

[ericv222]

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-03-12 12:11:45
PROTECTIONS: 0
MALWARE: 8
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00020994 W32/Bagle.pwdzip Virus No 0 Yes No C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentamwr1.zip.vir
00366244 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP180\A0145169.exe[C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP180\A0145169.exe][nircmd.exe]
00366244 Application/NirCmd.A HackTools No 0 No No C:\Qoobox\Quarantine\C\Documents and Settings\Eric\Desktop\Flash_Disinfector.exe.vir[C:\Qoobox\Quarantine\C\Documents and Settings\Eric\Desktop\Flash_Disinfector.exe.vir][nircmd.exe]
00456045 Adware/SurfAccuracy Adware No 1 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP168\A0138453.exe
00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP171\A0141654.sys
00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP172\A0141700.sys
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP173\A0142778.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP176\A0145068.EXE
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\[4]-Submit_2009-03-03@11.57.zip[Suspect_plvjpqf.exe.vir]
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\[4]-Submit_2009-03-03@11.57.zip[Suspect_meex.exe.vir]
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No E:\WBYPJHE.EXE
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\E\wbypjhe.exe.vir
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\Program Files\meex.exe.vir
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP171\A0141658.exe
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\[4]-Submit_2009-03-03@11.57.zip[Suspect_ujrxfan.exe.vir]
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP173\A0142747.exe
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\_OTMoveIt\MovedFiles\02282009_200641\wbypjhe.exe
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\H\wbypjhe.exe.vir
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP174\A0144775.exe
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP174\A0144776.exe
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP174\A0144777.exe
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\_OTMoveIt\MovedFiles\02282009_200641\Program Files\Common Files\System\plvjpqf.exe
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\Program Files\Common Files\System\plvjpqf.exe.vir
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\ujrxfan.exe.vir
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No C:\_OTMoveIt\MovedFiles\02282009_200641\Program Files\Common Files\Microsoft Shared\ujrxfan.exe
01275541 Trj/Autorun.AI Virus/Trojan No 0 Yes No H:\WBYPJHE.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP173\A0142754.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP176\A0145043.sys
05035868 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{FFD9F110-C7EC-401D-9726-2B7096877383}\RP168\A0138448.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\Documents and Settings\Eric\Desktop\ComboFix.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================

 

[katana]

Custom CFScript

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  

  File::
  E:\WBYPJHE.EXE
  H:\WBYPJHE.EXE
  Folder::
  
  ADS::

• Save this as CFScript.txt and place it on your desktop.
  
  
  
  
  
  
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

 

[ericv222]

ComboFix 09-03-22.01 - Eric 2009-03-24 2:19:59.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.494.207 [GMT -5:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eric\Desktop\CFScript.txt
* Created a new restore point

FILE ::
E:\WBYPJHE.EXE
H:\WBYPJHE.EXE
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\autorun.inf
E:\WBYPJHE.EXE

.
((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))
.

2009-03-12 00:39 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-03-11 23:10 . 2008-12-05 01:54 144,896 -----c--- c:\windows\system32\dllcache\schannel.dll
2009-03-05 18:14 . 2009-03-05 18:14 <DIR> d-------- c:\program files\Panda Security
2009-03-02 22:14 . 2008-06-17 14:02 8,461,312 -----c--- c:\windows\system32\dllcache\shell32.dll
2009-02-28 21:06 . 2009-02-28 21:06 <DIR> d-------- C:\_OTMoveIt
2009-02-28 19:13 . 2009-02-28 19:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-28 19:13 . 2009-02-28 19:13 <DIR> d-------- c:\documents and settings\Eric\Application Data\Malwarebytes
2009-02-28 19:13 . 2009-02-28 19:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-28 19:13 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-28 19:13 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-28 16:41 . 2009-02-28 16:41 <DIR> d-------- C:\rsit
2009-02-25 18:18 . 2009-02-25 18:18 <DIR> d-------- c:\program files\Trend Micro
2009-02-25 17:55 . 2009-02-25 17:55 <DIR> d-------- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-16 19:30 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-09 01:04 --------- d-----w c:\program files\AIMTunes
2009-02-20 09:42 --------- d-----w c:\documents and settings\Eric\Application Data\U3
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 17:21 --------- d-----w c:\documents and settings\Eric\Application Data\foobar2000
2009-02-05 08:45 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-05 08:44 --------- d-----w c:\program files\SpywareBlaster
2009-02-01 04:40 --------- d-----w c:\documents and settings\Eric\Application Data\Memorex
2008-07-23 21:39 256 -c--a-w c:\documents and settings\Eric\pool.bin
2008-08-27 16:51 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082720080828\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-02_20.03.46.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\2009-03-05\ERDNT.EXE
+ 2009-03-05 23:07:02 9,064,448 ----a-w c:\windows\erdnt\AutoBackup\2009-03-05\Users\00000001\ntuser.dat
+ 2009-03-05 23:07:04 217,088 ----a-w c:\windows\erdnt\AutoBackup\2009-03-05\Users\00000002\UsrClass.dat
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\3-13-2009\ERDNT.EXE
+ 2009-03-13 19:54:51 9,064,448 ----a-w c:\windows\erdnt\AutoBackup\3-13-2009\Users\00000001\ntuser.dat
+ 2009-03-13 19:54:51 217,088 ----a-w c:\windows\erdnt\AutoBackup\3-13-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\3-14-2009\ERDNT.EXE
+ 2009-03-14 05:21:52 9,064,448 ----a-w c:\windows\erdnt\AutoBackup\3-14-2009\Users\00000001\ntuser.dat
+ 2009-03-14 05:21:52 217,088 ----a-w c:\windows\erdnt\AutoBackup\3-14-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\3-17-2009\ERDNT.EXE
+ 2009-03-17 20:11:50 9,064,448 ----a-w c:\windows\erdnt\AutoBackup\3-17-2009\Users\00000001\ntuser.dat
+ 2009-03-17 20:11:51 217,088 ----a-w c:\windows\erdnt\AutoBackup\3-17-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\3-18-2009\ERDNT.EXE
+ 2009-03-18 18:53:37 9,064,448 ----a-w c:\windows\erdnt\AutoBackup\3-18-2009\Users\00000001\ntuser.dat
+ 2009-03-18 18:53:38 217,088 ----a-w c:\windows\erdnt\AutoBackup\3-18-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\3-19-2009\ERDNT.EXE
+ 2009-03-19 19:24:23 9,064,448 ----a-w c:\windows\erdnt\AutoBackup\3-19-2009\Users\00000001\ntuser.dat
+ 2009-03-19 19:24:24 217,088 ----a-w c:\windows\erdnt\AutoBackup\3-19-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\3-24-2009\ERDNT.EXE
+ 2009-03-24 05:59:51 9,105,408 ----a-w c:\windows\erdnt\AutoBackup\3-24-2009\Users\00000001\ntuser.dat
+ 2009-03-24 05:59:52 217,088 ----a-w c:\windows\erdnt\AutoBackup\3-24-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\3-3-2009\ERDNT.EXE
+ 2009-03-03 17:51:44 9,064,448 ----a-w c:\windows\erdnt\AutoBackup\3-3-2009\Users\00000001\ntuser.dat
+ 2009-03-03 17:51:45 217,088 ----a-w c:\windows\erdnt\AutoBackup\3-3-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\3-9-2009\ERDNT.EXE
+ 2009-03-09 17:25:55 9,064,448 ----a-w c:\windows\erdnt\AutoBackup\3-9-2009\Users\00000001\ntuser.dat
+ 2009-03-09 17:25:56 217,088 ----a-w c:\windows\erdnt\AutoBackup\3-9-2009\Users\00000002\UsrClass.dat
- 2005-10-21 02:02:28 163,328 ----a-w c:\windows\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\erdnt\Hiv-backup\ERDNT.EXE
+ 2008-10-16 20:38:34 124,928 -c----w c:\windows\ie7updates\KB961260-IE7\advpack.dll
+ 2008-10-16 20:38:34 347,136 -c----w c:\windows\ie7updates\KB961260-IE7\dxtmsft.dll
+ 2008-10-16 20:38:34 214,528 -c----w c:\windows\ie7updates\KB961260-IE7\dxtrans.dll
+ 2008-10-16 20:38:35 133,120 -c----w c:\windows\ie7updates\KB961260-IE7\extmgr.dll
+ 2008-10-16 20:38:35 63,488 -c----w c:\windows\ie7updates\KB961260-IE7\icardie.dll
+ 2008-10-16 13:11:09 70,656 -c----w c:\windows\ie7updates\KB961260-IE7\ie4uinit.exe
+ 2008-10-16 20:38:35 153,088 -c----w c:\windows\ie7updates\KB961260-IE7\ieakeng.dll
+ 2008-10-16 20:38:35 230,400 -c----w c:\windows\ie7updates\KB961260-IE7\ieaksie.dll
+ 2008-10-15 07:04:53 161,792 -c----w c:\windows\ie7updates\KB961260-IE7\ieakui.dll
+ 2008-10-16 20:38:35 383,488 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dll
+ 2008-10-16 20:38:35 384,512 -c----w c:\windows\ie7updates\KB961260-IE7\iedkcs32.dll
+ 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\ie7updates\KB961260-IE7\ieframe.dll
+ 2008-10-16 20:38:37 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\iernonce.dll
+ 2008-10-16 20:38:37 267,776 -c----w c:\windows\ie7updates\KB961260-IE7\iertutil.dll
+ 2008-10-16 13:11:09 13,824 -c----w c:\windows\ie7updates\KB961260-IE7\ieudinit.exe
+ 2008-10-15 07:06:26 633,632 -c----w c:\windows\ie7updates\KB961260-IE7\iexplore.exe
+ 2008-10-16 20:38:37 27,648 -c----w c:\windows\ie7updates\KB961260-IE7\jsproxy.dll
+ 2008-10-16 20:38:37 459,264 -c----w c:\windows\ie7updates\KB961260-IE7\msfeeds.dll
+ 2008-10-16 20:38:37 52,224 -c----w c:\windows\ie7updates\KB961260-IE7\msfeedsbs.dll
+ 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\ie7updates\KB961260-IE7\mshtml.dll
+ 2008-10-16 20:38:38 477,696 -c----w c:\windows\ie7updates\KB961260-IE7\mshtmled.dll
+ 2008-10-16 20:38:38 193,024 -c----w c:\windows\ie7updates\KB961260-IE7\msrating.dll
+ 2008-10-16 20:38:39 671,232 -c----w c:\windows\ie7updates\KB961260-IE7\mstime.dll
+ 2008-10-16 20:38:39 102,912 -c----w c:\windows\ie7updates\KB961260-IE7\occache.dll
+ 2008-10-16 20:38:39 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\pngfilt.dll
+ 2007-03-06 01:22:41 213,216 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\updspapi.dll
+ 2008-10-16 20:38:39 105,984 -c----w c:\windows\ie7updates\KB961260-IE7\url.dll
+ 2008-10-16 20:38:39 1,160,192 -c----w c:\windows\ie7updates\KB961260-IE7\urlmon.dll
+ 2008-10-16 20:38:39 233,472 -c----w c:\windows\ie7updates\KB961260-IE7\webcheck.dll
+ 2008-10-16 20:38:40 826,368 -c----w c:\windows\ie7updates\KB961260-IE7\wininet.dll
- 2008-12-11 07:09:35 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-03-16 19:30:57 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-12-11 07:09:36 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-03-16 19:30:59 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-12-11 07:09:35 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-03-16 19:30:58 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-12-11 07:09:35 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-03-16 19:30:58 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-12-11 07:09:35 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-03-16 19:30:59 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-12-11 07:09:36 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-03-16 19:30:59 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-12-11 07:09:36 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-03-16 19:30:59 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-12-11 07:09:35 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-03-16 19:30:59 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-12-11 07:09:35 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-03-16 19:30:59 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-12-11 07:09:35 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-03-16 19:30:59 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-12-11 07:09:36 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-03-16 19:30:59 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-12-11 07:09:35 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-03-16 19:30:58 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2000-08-31 14:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 14:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
- 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-12-20 23:15:11 124,928 ----a-w c:\windows\system32\advpack.dll
- 2008-10-16 20:38:34 124,928 -c----w c:\windows\system32\dllcache\advpack.dll
+ 2008-12-20 23:15:11 124,928 -c----w c:\windows\system32\dllcache\advpack.dll
- 2008-10-16 20:38:34 347,136 -c----w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 -c----w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 -c----w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 -c----w c:\windows\system32\dllcache\dxtrans.dll
- 2008-10-16 20:38:35 133,120 -c----w c:\windows\system32\dllcache\extmgr.dll
+ 2008-12-20 23:15:13 133,120 -c----w c:\windows\system32\dllcache\extmgr.dll
- 2008-10-16 20:38:35 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
+ 2008-12-20 23:15:13 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
- 2008-10-16 13:11:09 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 -c----w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 -c----w c:\windows\system32\dllcache\ieakeng.dll
- 2008-10-16 20:38:35 230,400 -c----w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 -c----w c:\windows\system32\dllcache\ieaksie.dll
- 2008-10-15 07:04:53 161,792 -c----w c:\windows\system32\dllcache\ieakui.dll
+ 2008-12-19 05:23:56 161,792 -c----w c:\windows\system32\dllcache\ieakui.dll
- 2008-10-16 20:38:35 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 -c----w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 -c----w c:\windows\system32\dllcache\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\system32\dllcache\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 -c----w c:\windows\system32\dllcache\ieframe.dll
- 2008-10-16 20:38:37 44,544 -c----w c:\windows\system32\dllcache\iernonce.dll
+ 2008-12-20 23:15:21 44,544 -c----w c:\windows\system32\dllcache\iernonce.dll
- 2008-10-16 20:38:37 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
+ 2008-12-20 23:15:22 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
- 2008-10-16 13:11:09 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
- 2008-10-15 07:06:26 633,632 -c----w c:\windows\system32\dllcache\iexplore.exe
+ 2008-12-19 05:25:25 634,024 -c----w c:\windows\system32\dllcache\iexplore.exe
- 2008-10-16 20:38:37 27,648 -c----w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 -c----w c:\windows\system32\dllcache\jsproxy.dll
- 2008-10-16 20:38:37 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
- 2008-10-16 20:38:37 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\system32\dllcache\mshtml.dll
+ 2009-01-17 03:35:14 3,594,752 -c----w c:\windows\system32\dllcache\mshtml.dll
- 2008-10-16 20:38:38 477,696 -c----w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 -c----w c:\windows\system32\dllcache\mshtmled.dll
- 2008-10-16 20:38:38 193,024 -c----w c:\windows\system32\dllcache\msrating.dll
+ 2008-12-20 23:15:31 193,024 -c----w c:\windows\system32\dllcache\msrating.dll
- 2008-10-16 20:38:39 671,232 -c----w c:\windows\system32\dllcache\mstime.dll
+ 2008-12-20 23:15:32 671,232 -c----w c:\windows\system32\dllcache\mstime.dll
- 2008-10-16 20:38:39 102,912 -c----w c:\windows\system32\dllcache\occache.dll
+ 2008-12-20 23:15:38 102,912 -c----w c:\windows\system32\dllcache\occache.dll
- 2008-10-16 20:38:39 44,544 -c----w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 -c----w c:\windows\system32\dllcache\pngfilt.dll
- 2008-09-08 10:41:42 333,824 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c----w c:\windows\system32\dllcache\srv.sys
- 2008-10-16 20:38:39 105,984 -c----w c:\windows\system32\dllcache\url.dll
+ 2008-12-20 23:15:39 105,984 -c----w c:\windows\system32\dllcache\url.dll
- 2008-10-16 20:38:39 1,160,192 -c----w c:\windows\system32\dllcache\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 -c----w c:\windows\system32\dllcache\urlmon.dll
- 2008-10-16 20:38:39 233,472 -c----w c:\windows\system32\dllcache\webcheck.dll
+ 2008-12-20 23:15:40 233,472 -c----w c:\windows\system32\dllcache\webcheck.dll
- 2008-09-15 12:12:56 1,846,400 -c----w c:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 -c----w c:\windows\system32\dllcache\win32k.sys
- 2008-10-16 20:38:40 826,368 -c----w c:\windows\system32\dllcache\wininet.dll
+ 2008-12-20 23:15:41 826,368 -c----w c:\windows\system32\dllcache\wininet.dll
- 2007-06-12 04:51:12 10,834,944 -c--a-w c:\windows\system32\dllcache\wmp.dll
+ 2008-11-11 23:34:42 10,838,016 -c--a-w c:\windows\system32\dllcache\wmp.dll
- 2008-09-08 10:41:42 333,824 ----a-w c:\windows\system32\drivers\srv.sys
+ 2008-12-11 10:57:09 333,952 ----a-w c:\windows\system32\drivers\srv.sys
- 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 ----a-w c:\windows\system32\dxtrans.dll
- 2008-10-16 20:38:35 133,120 ------w c:\windows\system32\extmgr.dll
+ 2008-12-20 23:15:13 133,120 ------w c:\windows\system32\extmgr.dll
- 2009-03-01 08:22:45 296,456 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-17 09:43:16 296,456 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll
+ 2008-12-20 23:15:13 63,488 ----a-w c:\windows\system32\icardie.dll
- 2008-10-16 13:11:09 70,656 ------w c:\windows\system32\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 ------w c:\windows\system32\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 ------w c:\windows\system32\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 ------w c:\windows\system32\ieakeng.dll
- 2008-10-16 20:38:35 230,400 ------w c:\windows\system32\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 ------w c:\windows\system32\ieaksie.dll
- 2008-10-15 07:04:53 161,792 ------w c:\windows\system32\ieakui.dll
+ 2008-12-19 05:23:56 161,792 ------w c:\windows\system32\ieakui.dll
- 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 ------w c:\windows\system32\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 ------w c:\windows\system32\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 ----a-w c:\windows\system32\ieframe.dll
- 2008-10-16 20:38:37 44,544 ------w c:\windows\system32\iernonce.dll
+ 2008-12-20 23:15:21 44,544 ------w c:\windows\system32\iernonce.dll
- 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-12-20 23:15:22 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 ----a-w c:\windows\system32\jsproxy.dll
- 2008-12-09 23:24:37 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-02-25 20:54:59 24,768,960 ----a-w c:\windows\system32\MRT.exe
- 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2009-01-17 03:35:14 3,594,752 ----a-w c:\windows\system32\mshtml.dll
- 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 ----a-w c:\windows\system32\mshtmled.dll
- 2008-10-16 20:38:38 193,024 ------w c:\windows\system32\msrating.dll
+ 2008-12-20 23:15:31 193,024 ------w c:\windows\system32\msrating.dll
- 2008-10-16 20:38:39 671,232 ------w c:\windows\system32\mstime.dll
+ 2008-12-20 23:15:32 671,232 ------w c:\windows\system32\mstime.dll
- 2008-10-16 20:38:39 102,912 ------w c:\windows\system32\occache.dll
+ 2008-12-20 23:15:38 102,912 ------w c:\windows\system32\occache.dll
- 2008-11-02 16:47:35 68,806 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-09 17:27:12 68,806 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-02 16:47:35 436,328 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-09 17:27:13 436,328 ----a-w c:\windows\system32\perfh009.dat
- 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 ----a-w c:\windows\system32\pngfilt.dll
- 2008-04-14 00:12:05 144,384 ----a-w c:\windows\system32\schannel.dll
+ 2008-12-05 06:54:55 144,896 ----a-w c:\windows\system32\schannel.dll
- 2008-04-14 00:12:05 8,461,312 ----a-w c:\windows\system32\shell32.dll
+ 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\system32\shell32.dll
- 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
- 2007-08-11 01:46:18 26,488 -c--a-w c:\windows\system32\spupdsvc.exe
+ 2007-07-27 14:41:38 26,488 ----a-w c:\windows\system32\spupdsvc.exe
- 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-12-20 23:15:39 105,984 ----a-w c:\windows\system32\url.dll
- 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2008-12-20 23:15:40 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\wininet.dll
+ 2008-12-20 23:15:41 826,368 ----a-w c:\windows\system32\wininet.dll
- 2007-06-12 04:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
+ 2008-11-11 23:34:42 10,838,016 ----a-w c:\windows\system32\wmp.dll
+ 2009-03-13 19:52:52 16,384 ----atw c:\windows\temp\Perflib_Perfdata_25c.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 532480]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-06-27 91432]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]

c:\documents and settings\Eric\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a--c--- 2008-01-15 09:17 277960 c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 11:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\flipmaster380\\counter-strike\\hl.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\AGE2_X1.EXE"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-03-12 28544]
R1 SMBHC;Microsoft SM Bus Host Controller Driver;c:\windows\system32\drivers\smbhc.sys [2008-07-22 6784]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [2008-06-27 16:50:32 61424]
R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [2008-07-23 2688]
R3 SMBBATT;Microsoft Smart Battery Driver;c:\windows\system32\drivers\smbbatt.sys [2008-07-22 16000]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2008-07-23 184320]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d55653f-58bf-11dd-8c98-00c09faf3b7d}]
\Shell\AutoRun\command - H:\wbypjhe.exe
\Shell\explore\Command - H:\wbypjhe.exe
\Shell\open\Command - H:\wbypjhe.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d8b6130-ff32-11dd-8dbc-00c09faf3b7d}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae960644-5894-11dd-8c96-00c09faf3b7d}]
\Shell\AutoRun\command - H:\wbypjhe.exe
\Shell\explore\Command - H:\wbypjhe.exe
\Shell\open\Command - H:\wbypjhe.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {08FCE788-D490-4C3C-90DC-B5C9DB4E19D8} = 208.67.220.220,208.67.222.222
TCP: {4AA53199-8264-413A-9FE1-BBEF71A6A0CB} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\o2n18mc6.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - my.yahoo.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-24 02:23:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet010\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
Completion time: 2009-03-24 2:25:38
ComboFix-quarantined-files.txt 2009-03-24 07:25:09
ComboFix2.txt 2009-03-09 01:28:11
ComboFix3.txt 2009-03-05 23:10:27
ComboFix4.txt 2009-03-03 18:07:39
ComboFix5.txt 2009-03-24 07:18:42

Pre-Run: 3,207,983,104 bytes free
Post-Run: 3,281,145,856 bytes free

378 --- E O F --- 2009-03-16 19:33:58

 

[katana]

You need to reply faster, the infection has spread again.

Custom CFScript

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  

  File::
  H:\wbypjhe.exe
  
  Registry::
  [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d55653f-58bf-11dd-8c98-00c09faf3b7d}]
  [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae960644-5894-11dd-8c96-00c09faf3b7d}]

• Save this as CFScript.txt and place it on your desktop.
  
  
  
  
  
  
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

 

[ericv222]

My apologies, Katana. I had to leave town for a few days and couldn't bring my laptop. I can assure you that henceforth I will reply speedily.


ComboFix 09-03-23.01 - Eric 2009-03-24 16:42:26.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.494.168 [GMT -5:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eric\Desktop\CFScript.txt
* Created a new restore point

FILE ::
H:\wbypjhe.exe
.

((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))
.

2009-03-12 00:39 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-03-11 23:10 . 2008-12-05 01:54 144,896 -----c--- c:\windows\system32\dllcache\schannel.dll
2009-03-05 18:14 . 2009-03-05 18:14 <DIR> d-------- c:\program files\Panda Security
2009-03-02 22:14 . 2008-06-17 14:02 8,461,312 -----c--- c:\windows\system32\dllcache\shell32.dll
2009-02-28 21:06 . 2009-02-28 21:06 <DIR> d-------- C:\_OTMoveIt
2009-02-28 19:13 . 2009-02-28 19:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-28 19:13 . 2009-02-28 19:13 <DIR> d-------- c:\documents and settings\Eric\Application Data\Malwarebytes
2009-02-28 19:13 . 2009-02-28 19:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-28 19:13 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-28 19:13 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-28 16:41 . 2009-02-28 16:41 <DIR> d-------- C:\rsit
2009-02-25 18:18 . 2009-02-25 18:18 <DIR> d-------- c:\program files\Trend Micro
2009-02-25 17:55 . 2009-02-25 17:55 <DIR> d-------- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-16 19:30 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-09 01:04 --------- d-----w c:\program files\AIMTunes
2009-02-20 09:42 --------- d-----w c:\documents and settings\Eric\Application Data\U3
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 17:21 --------- d-----w c:\documents and settings\Eric\Application Data\foobar2000
2009-02-05 08:45 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-05 08:44 --------- d-----w c:\program files\SpywareBlaster
2009-02-01 04:40 --------- d-----w c:\documents and settings\Eric\Application Data\Memorex
2008-07-23 21:39 256 -c--a-w c:\documents and settings\Eric\pool.bin
2008-08-27 16:51 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082720080828\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 532480]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-06-27 91432]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]

c:\documents and settings\Eric\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a--c--- 2008-01-15 09:17 277960 c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 11:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\flipmaster380\\counter-strike\\hl.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\AGE2_X1.EXE"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-03-12 28544]
R1 SMBHC;Microsoft SM Bus Host Controller Driver;c:\windows\system32\drivers\smbhc.sys [2008-07-22 6784]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [2008-06-27 16:50:32 61424]
R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [2008-07-23 2688]
R3 SMBBATT;Microsoft Smart Battery Driver;c:\windows\system32\drivers\smbbatt.sys [2008-07-22 16000]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2008-07-23 184320]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d8b6130-ff32-11dd-8dbc-00c09faf3b7d}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-03-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {08FCE788-D490-4C3C-90DC-B5C9DB4E19D8} = 208.67.220.220,208.67.222.222
TCP: {4AA53199-8264-413A-9FE1-BBEF71A6A0CB} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\o2n18mc6.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - my.yahoo.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-24 16:45:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet010\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
Completion time: 2009-03-24 16:48:05
ComboFix-quarantined-files.txt 2009-03-24 21:47:46
ComboFix2.txt 2009-03-24 07:25:40
ComboFix3.txt 2009-03-09 01:28:11
ComboFix4.txt 2009-03-05 23:10:27
ComboFix5.txt 2009-03-24 21:41:12

Pre-Run: 3,493,355,520 bytes free
Post-Run: 3,477,786,624 bytes free

130 --- E O F --- 2009-03-16 19:33:58

 

[katana]

How are things running now ?

Please plug in all of your USB devices one by one, and then post a fresh RSIT log after the last one

 

[ericv222]

Logfile of random's system information tool 1.05 (written by random/random)
Run by Eric at 2009-03-24 20:55:13
Microsoft Windows XP Professional Service Pack 3
System drive C: has 3 GB (6%) free of 57 GB
Total RAM: 494 MB (50% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:31 PM, on 3/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Eric\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Eric.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{08FCE788-D490-4C3C-90DC-B5C9DB4E19D8}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AA53199-8264-413A-9FE1-BBEF71A6A0CB}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe

--
End of file - 6501 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-18 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-18 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-18 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2004-05-20 98304]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2004-05-20 532480]
"RemoteControl8"=C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe [2008-03-20 83240]
"PDVD8LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe [2007-12-14 50472]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2004-02-10 155648]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2004-02-10 118784]
"BDRegion"=C:\Program Files\Cyberlink\Shared Files\brs.exe [2008-06-27 91432]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-11-07 111936]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-18 136600]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe [2008-01-15 277960]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2

C:\Documents and Settings\Eric\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-02-10 339968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-06 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Steam\steamapps\flipmaster380\counter-strike\hl.exe"="C:\Program Files\Steam\steamapps\flipmaster380\counter-strike\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\CyberLink\PowerDVD8\PowerDVD8.exe"="C:\Program Files\CyberLink\PowerDVD8\PowerDVD8.exe:*:Enabled:CyberLink PowerDVD 8.0"
"C:\Program Files\Microsoft Games\Age of Empires II\empires2.exe"="C:\Program Files\Microsoft Games\Age of Empires II\empires2.exe:*:Enabled:Age of Empires II"
"C:\Program Files\Microsoft Games\Age of Empires II\AGE2_X1.EXE"="C:\Program Files\Microsoft Games\Age of Empires II\AGE2_X1.EXE:*:Enabled:Age of Empires II Expansion"
"C:\WINDOWS\system32\dplaysvr.exe"="C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerDVD8\PowerDVD8.exe"="C:\Program Files\CyberLink\PowerDVD8\PowerDVD8.exe:*:Enabled:CyberLink PowerDVD 8.0"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d8b6130-ff32-11dd-8dbc-00c09faf3b7d}]
shell\AutoRun\command - G:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2009-03-24 16:48:08 ----A---- C:\ComboFix.txt
2009-03-16 14:31:59 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-16 14:31:52 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-03-16 14:31:10 ----HDC---- C:\WINDOWS\$NtUninstallKB959772_WM11$
2009-03-09 01:27:23 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-03-09 01:27:17 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-03-09 01:27:04 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-03-05 18:14:17 ----D---- C:\Program Files\Panda Security
2009-03-02 20:54:08 ----A---- C:\WINDOWS\zip.exe
2009-03-02 20:54:08 ----A---- C:\WINDOWS\VFIND.exe
2009-03-02 20:54:08 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-03-02 20:54:08 ----A---- C:\WINDOWS\SWSC.exe
2009-03-02 20:54:08 ----A---- C:\WINDOWS\SWREG.exe
2009-03-02 20:54:08 ----A---- C:\WINDOWS\sed.exe
2009-03-02 20:54:08 ----A---- C:\WINDOWS\NIRCMD.exe
2009-03-02 20:54:08 ----A---- C:\WINDOWS\grep.exe
2009-03-02 20:54:08 ----A---- C:\WINDOWS\fdsv.exe
2009-03-02 20:53:59 ----AD---- C:\Qoobox
2009-03-02 20:44:06 ----RASHD---- C:\autorun.inf
2009-02-28 21:06:41 ----D---- C:\_OTMoveIt
2009-02-28 19:13:39 ----D---- C:\Documents and Settings\Eric\Application Data\Malwarebytes
2009-02-28 19:13:29 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-02-28 19:13:28 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-02-28 16:41:01 ----D---- C:\rsit
2009-02-25 18:18:12 ----D---- C:\Program Files\Trend Micro
2009-02-25 17:55:26 ----D---- C:\Program Files\ERUNT

======List of files/folders modified in the last 1 months======

2009-03-24 20:55:18 ----D---- C:\WINDOWS\Prefetch
2009-03-24 20:52:21 ----D---- C:\Program Files\Mozilla Firefox
2009-03-24 16:48:22 ----D---- C:\WINDOWS\temp
2009-03-24 16:48:14 ----D---- C:\WINDOWS\system32
2009-03-24 16:48:13 ----D---- C:\WINDOWS
2009-03-24 16:45:39 ----A---- C:\WINDOWS\system.ini
2009-03-24 16:44:56 ----D---- C:\WINDOWS\system32\drivers
2009-03-24 16:44:56 ----D---- C:\WINDOWS\AppPatch
2009-03-24 16:44:48 ----D---- C:\Program Files\Common Files
2009-03-24 16:42:19 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-24 16:41:55 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-24 13:44:23 ----HD---- C:\WINDOWS\inf
2009-03-24 01:51:21 ----D---- C:\WINDOWS\Minidump
2009-03-16 14:32:01 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-03-16 14:31:58 ----HD---- C:\WINDOWS\$hf_mig$
2009-03-16 14:31:56 ----A---- C:\WINDOWS\imsins.BAK
2009-03-16 14:31:02 ----D---- C:\Config.Msi
2009-03-16 14:30:59 ----SHD---- C:\WINDOWS\Installer
2009-03-16 14:30:56 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-03-09 12:27:11 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-09 01:26:42 ----D---- C:\Program Files\Internet Explorer
2009-03-08 20:04:07 ----D---- C:\Program Files\AIMTunes
2009-03-05 18:14:17 ----RD---- C:\Program Files
2009-03-03 20:47:08 ----RASH---- C:\boot.ini
2009-03-03 20:47:08 ----A---- C:\WINDOWS\win.ini
2009-03-03 12:58:26 ----D---- C:\Program Files\Common Files\System
2009-03-03 12:58:24 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-03-02 21:11:21 ----D---- C:\WINDOWS\repair
2009-03-02 20:54:03 ----D---- C:\WINDOWS\erdnt
2009-02-25 15:54:59 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys [1999-09-10 25244]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 SMBHC;Microsoft SM Bus Host Controller Driver; C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 6784]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}; \??\C:\Program Files\CyberLink\PowerDVD8\000.fcl []
R2 rspndr;Link-Layer Topology Discovery Responder; C:\WINDOWS\system32\DRIVERS\rspndr.sys [2007-02-18 62336]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2003-09-26 44032]
R3 CAMCAUD;Conexant AMC Audio; C:\WINDOWS\system32\drivers\camcaud.sys [2004-04-29 292352]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camchal.sys [2004-04-29 274688]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2004-02-10 681469]
R3 MovRVDrv32;MovRVDrv32; C:\WINDOWS\system32\DRIVERS\MovRVDrv32.sys [2007-10-09 2688]
R3 SMBBATT;Microsoft Smart Battery Driver; C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2008-04-13 16000]
R3 SndTDriverV32;SndTDriverV32; C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2007-10-09 513152]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2004-05-20 184768]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 w22n51;Intel(R) PRO/Wireless 2200 Adapter Driver; C:\WINDOWS\system32\DRIVERS\w22n51.sys [2004-03-08 1657344]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 a01oymfx;a01oymfx; C:\WINDOWS\system32\drivers\a01oymfx.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 RimSerPort;RIM Virtual Serial Port; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2004-08-06 17920]
S3 RimUsb;BlackBerry Smartphone; C:\WINDOWS\System32\Drivers\RimUsb.sys [2007-05-14 22656]
S3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2004-08-06 17920]
S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2001-08-23 5888]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-10-01 32000]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-18 152984]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S2 RoxLiveShare9;LiveShare P2P Server 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SoundMovieServer;SoundMovieServer; C:\WINDOWS\system32\snmvtsvc.exe [2007-10-09 184320]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]

-----------------EOF-----------------

 

[ericv222]

Things seem to be working well, as far as I can tell.

 

[katana]

Congratulations your logs look clean

Let's see if I can help you keep it that way

First lets tidy up

Please delete RSIT.exe and C:\RSIT (entire folder)
You can also delete any logs we have produced, and empty your Recycle bin.


Uninstall Combofix

• This will clear your System Volume Information restore points and remove all the infected files that were quarantined
• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
  • 

----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

• 
  AntiSpyware is not the same thing as Antivirus.
  Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
  You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
  Most of the programs in this list have a free (for Home Users ) and paid versions,
  it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
• Spybot - Search & Destroy <<< A must have program
  • It includes host protection and registry protection
  • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
• MalwareBytes Anti-malware <<< A New and effective program
• a-squared Free <<< A good "realtime" or "on demand" scanner
• superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

• 
  These programs don't detect malware, they help stop it getting on your machine in the first place.
  Each does a different job, so you can have more than one
• Winpatrol
  • An excellent startup manager and then some !!
  • Notifies you if programs are added to startup
  • Allows delayed startup
  • A must have addition
• SpywareBlaster 4.0
  • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
• SpywareGuard 2.2
  • SpywareGuard provides real-time protection against spyware.
  • Not required if you have other "realtime" antispyware or Winpatrol
• ZonedOut
  • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
• MVPS HOSTS
  • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
  • For information on how to download and install, please read this tutorial by WinHelp2002.
  • Not required if you are using other host file protections

Internet Browsers

• 
  Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
  Using a different web browser can help stop malware getting on your machine.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
       • Change the Download signed ActiveX controls to Prompt
       • Change the Download unsigned ActiveX controls to Disable
       • Change the Initialise and script ActiveX controls not marked as safe to Disable
       • Change the Installation of desktop items to Prompt
       • Change the Launching programs and files in an IFRAME to Prompt
       • Change the Navigate sub-frames across different domains to Prompt
       • When all these settings have been made, click on the OK button.
       • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  If you are still using IE6 then either update, or get one of the following.
  • FireFox
    • With many addons available that make customization easy this is a very popular choice
    • NoScript and AdBlockPlus addons are essential
  • Opera
    • Another popular alternative
  • Netscape
    • Another popular alternative
    • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

• 
  Temporary Internet Files are mainly the files that are downloaded when you open a web page.
  Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
  It is a good idea to empty the Temporary Internet Files folder on a regular basis.
  
  Tracking Cookies are files that websites use to monitor which sites you visit and how often.
  A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
  CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
  
  Both of these can be cleaned manually, but a quicker option is to use a program
• ATF Cleaner
  • Free and very simple to use
• CCleaner
  • Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'

 

[ericv222]

hey katana, thanks a lot for helping me out! i really, really appreciate it. as soon as i get some funds in order, i'll be sure to donate =D

so which of the programs i installed should i keep?

 

[katana]

I've given instructions on which programs should be removed,
I have listed info on a few good programs, which you use to stay clear in the future is your choice.