ok.... Here's what I'm coming up with...
Combofix log-----------------
ComboFix 09-01-05.02 - Home 2009-01-05 12:03:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1281 [GMT -8:00]
Running from: c:\documents and settings\Home\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Home\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *enabled*
* Created a new restore point
FILE ::
c:\windows\system32\gazibifu.exe
c:\windows\system32\lesatuho.dll
c:\windows\system32\svchostn.exe
c:\windows\Tasks\qnfonxms.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\gazibifu.exe
c:\windows\system32\svchostn.exe
c:\windows\Tasks\qnfonxms.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SCPRTN
-------\Service_Scprtn
((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.
2008-12-27 23:27 . 2008-12-27 23:27 61,440 --a------ c:\windows\system32\drivers\wkist.sys
2008-12-27 09:16 . 2008-12-27 09:16 <DIR> d-------- C:\!KillBox
2008-12-27 09:07 . 2008-12-27 09:07 <DIR> d-------- c:\program files\Trend Micro
2008-12-27 08:50 . 2008-12-27 08:50 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 08:50 . 2008-12-27 08:50 <DIR> d-------- c:\documents and settings\Home\Application Data\Malwarebytes
2008-12-27 08:50 . 2008-12-27 08:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 08:50 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 08:50 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-27 00:35 . 2009-01-03 08:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-12-27 00:34 . 2008-12-27 00:34 <DIR> d-------- c:\program files\Security Task Manager
2008-12-26 17:17 . 2008-12-26 17:17 <DIR> d-------- c:\documents and settings\Administrator.COMPUTER-B2A67D\Application Data\Nero
2008-12-25 15:17 . 2008-12-25 15:17 <DIR> d-------- c:\program files\Smartparts
2008-12-13 16:23 . 2008-12-13 16:23 <DIR> d-------- C:\Hanson Quarry
2008-12-13 16:23 . 2008-12-23 18:05 <DIR> d-------- C:\2008-12-13
2008-12-05 08:02 . 2008-12-05 08:02 <DIR> d-------- c:\program files\Common Files\Software Update Utility
2008-12-05 08:02 . 2008-12-05 08:02 <DIR> d-------- c:\program files\AIM Toolbar
2008-12-05 08:02 . 2008-12-05 08:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-12-05 08:02 . 2008-12-05 08:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-12-05 08:01 . 2008-12-05 08:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL Downloads
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-05 20:11 --------- d-----w c:\documents and settings\Home\Application Data\LimeWire
2009-01-05 20:06 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-05 20:01 --------- d-----w c:\documents and settings\Home\Application Data\NewsBin
2009-01-05 19:52 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-05 07:35 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-05 02:44 --------- d-----w c:\program files\LimeWire
2009-01-05 02:19 --------- d-----w c:\program files\Sportsbook Poker
2008-12-07 02:18 --------- d-----w c:\program files\WarRock
2008-12-05 16:02 --------- d-----w c:\program files\AIM6
2008-12-05 07:08 304,957 ----a-w C:\hjsplit.zip
2008-12-05 07:01 --------- d-----w c:\program files\MasterSplitter
2008-12-04 06:37 --------- d-----w c:\documents and settings\Home\Application Data\FileZilla
2008-12-03 08:37 --------- d-----w c:\documents and settings\Home\Application Data\Apple Computer
2008-12-03 08:35 --------- d-----w c:\program files\iTunes
2008-12-03 08:35 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-03 08:34 --------- d-----w c:\program files\iPod
2008-12-03 08:34 --------- d-----w c:\program files\Common Files\Apple
2008-12-03 08:34 --------- d-----w c:\program files\Bonjour
2008-12-03 08:34 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-03 08:33 --------- d-----w c:\program files\QuickTime
2008-12-03 08:32 --------- d-----w c:\program files\Apple Software Update
2008-12-03 08:32 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-01 23:19 3,852,560 ----a-w C:\PHP-Nuke-6.0.zip
2008-12-01 02:07 291,648 ----a-w C:\gbtop4.8-1.zip
2008-12-01 01:59 --------- d-----w c:\program files\FileZilla FTP Client
2008-12-01 00:10 --------- d-----w c:\documents and settings\Home\Application Data\CoffeeCup Software
2008-11-30 22:13 1,697,280 ----a-w c:\documents and settings\Home\Application Data\KaspAVP.exe
2008-11-30 04:14 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-30 04:14 --------- d-----w c:\program files\CoffeeCup Software
2008-11-30 04:11 --------- d-----w c:\program files\Applet Effects Factory
2008-11-30 04:08 197,965 ----a-w c:\windows\CoffeeCup Visual Site Designer Uninstaller.exe
2008-11-30 03:46 --------- d-----w c:\documents and settings\Home\Application Data\Likno
2008-11-30 02:08 --------- d-----w c:\program files\Web CEO
2008-11-21 22:18 --------- d-----w c:\documents and settings\Home\Application Data\cronometer
2008-11-21 22:17 --------- d-----w c:\program files\CRON-O-METER
2008-11-18 07:05 --------- d-----w c:\program files\AllWebMenus5
2008-11-18 07:05 --------- d-----w c:\documents and settings\All Users\Application Data\Tarma Installer
2008-11-17 04:20 --------- d-----w c:\program files\Xpress Software
2008-11-17 04:17 --------- d-----w c:\program files\ShopFactory V6
2008-11-17 04:15 --------- d-----w c:\program files\SEO Report
2008-11-17 04:14 --------- d-----w c:\program files\SEO GodFather
2008-11-17 04:14 --------- d-----w c:\program files\Search Engine Composer
2008-11-17 04:13 --------- d-----w c:\program files\PokerStars
2008-11-17 04:12 --------- d-----w c:\program files\PayPal Shop Maker 3
2008-11-17 04:12 --------- d-----w c:\program files\Page Generator
2008-11-17 04:06 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-17 04:06 --------- d-----w c:\program files\Keyword Extreme
2008-11-17 04:05 --------- d-----w c:\program files\iMapBuilder
2008-11-17 04:05 --------- d-----w c:\program files\Flash Website Design
2008-11-17 04:05 --------- d-----w c:\program files\Flash Effect Maker
2008-11-17 04:00 --------- d-----w c:\program files\Synonymizer
2008-11-17 04:00 --------- d-----w c:\program files\Classified Ad Posting Utility
2008-11-17 03:39 --------- d-----w c:\program files\AffiliateToolBoxCreator
2008-11-17 03:23 --------- d-----w c:\program files\3D Home Architect
2008-11-14 21:39 --------- d-----w c:\documents and settings\Home\Application Data\ImgBurn
2008-11-14 20:28 --------- d-----w c:\program files\ImgBurn
2008-11-14 17:58 --------- d-----w c:\program files\QuickPar
2008-11-07 22:20 --------- d-----w c:\program files\Ateksoft
2008-11-07 22:13 --------- d-----w c:\program files\Mobiola Web Camera for Windows Mobile
2008-11-06 17:44 --------- d-----w c:\program files\PowerISO
2008-11-05 22:12 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-11-05 22:12 --------- d-----w c:\program files\AVG
2008-11-05 22:12 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-05 20:29 --------- d-----w c:\program files\BBDBViewerPlus
2008-11-05 19:39 --------- d-----w c:\program files\Ultra Mobile 3GP Video Converter
2008-11-05 19:23 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-04 22:10 225 ----a-w c:\documents and settings\Home\Application Data\shedl.bat
2008-11-04 22:09 1,697,280 ----a-w c:\documents and settings\Home\Application Data\winavp.exe
2008-11-04 22:08 1,695,744 ----a-w c:\documents and settings\Home\Application Data\NTuser.exe
2008-06-03 03:26 13 ---h--w c:\documents and settings\All Users\Application Data\ÝÃÄΛÒ3113›.sys
2007-12-18 01:23 1,136,640 ----a-w c:\program files\Common Files\ewutils2.dll
2008-12-25 09:38 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-25 09:38 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-05-01 11:17 192,512 ----a-w c:\program files\mozilla firefox\components\msvcrj71.dll
2008-12-25 09:38 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-25 09:38 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-25 09:38 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-05-17 12:57 952 --sha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"Google Update"="c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-06 133104]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-01-13 771704]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-06-16 167936]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-04-04 c:\windows\SkyTel.exe]
c:\documents and settings\Home\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-02-08 147456]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Free WebSite Tools.lnk - c:\program files\CoffeeCup Software\CoffeeCup Free DHTML Menu Builder\ThirtyDayTimer.exe [2008-11-29 372224]
Run Google Web Accelerator.lnk - c:\program files\Google\Web Accelerator\GoogleWebAccWarden.exe [2008-06-06 1134592]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KmReg]
@="Event log"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NtLclIpc]
@="Event log"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe"
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"ysicp"=c:\program files\Instant Color Picker\icp.exe
"CanonMyPrinter"=c:\program files\Canon\MyPrinter\BJMyPrt.exe /logon
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"StartCCC"=c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\IBP 9\\IBP.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-05 97928]
R1 KmReg;System kernel configuration;c:\windows\system32\ansiox.sys [2008-05-27 38784]
R1 NtLclIpc;Remote Procedure Call RT4s;c:\windows\system32\ansio.sys [2008-05-27 122112]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008-04-16 39424]
R3 AteksoftAudio;WebCamera Plus Audio;c:\windows\system32\drivers\ateksoftaudio.sys [2008-11-07 11776]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-04-22 109616]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-05 231704]
R4 HPWJAUpdateService;HP WJA Update Service;c:\program files\Common Files\Hewlett-Packard\WJA Update Service\HPWJAUpdateService.exe [2008-05-29 20480]
R4 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2008-05-28 14976]
R4 Webcamera Plus Service;Webcamera Plus Service;c:\program files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe [2008-11-07 46592]
S4 AutoExNT;AutoExNT;c:\windows\system32\Autoexnt.exe [2008-06-14 5904]
S4 PHPGeekUtil;PHPGeekUtil;c:\apache\Apache.exe [2002-01-24 20480]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a422612-21df-11dd-a52d-001e8c6c7f58}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-01-03 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-02 18:35]
2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1965331169-839522115-1003.job
- c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 11:18]
2008-12-30 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Home.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-13 17:09]
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=aim
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: research.ebay.com
Trusted Zone: www.paypal.com
FF - ProfilePath - c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\3a3y7jd1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Google\Web Accelerator\firefox\components\GoogleWebAccFirefox.dll
FF - component: c:\program files\Mozilla Firefox\components\msvcrj71.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npCtxCAOHF425.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\NPOFF12.DLL
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\nppdf32.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
FF - user.js: browser.sessionstore.resume_from_crash - false
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 12:10:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Google\Web Accelerator\GoogleWebAccClient.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
.
**************************************************************************
.
Completion time: 2009-01-05 12:19:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-05 20:18:04
ComboFix2.txt 2009-01-05 18:05:19
Pre-Run: 242,318,405,632 bytes free
Post-Run: 242,264,633,344 bytes free
313 --- E O F --- 2008-12-14 04:33:11
VirScan.org log------------------
VirSCAN.org Scanned Report :
Scanned time : 2008/12/30 22:22:14 (EST)
Scanner results: 18% Scanner(7/39) found malware!
File Name : sdnmctyw.sys
File Size : 61440 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 589312a3b46721c5a751e4d5222a89be
SHA1 : 3a497d3968a4f6e3c648d196da38e5f98e75ec30
Online report : http://virscan.org/report/d431bff0ca4da1eb...cee43dab85.html
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.29 20081231050130 2008-12-31 2.10 Hoax.Win32.Agent.fu!A2
AhnLab V3 2008.12.31.00 2008.12.31 2008-12-31 1.01 Win-Trojan/Avenger.61440
AntiVir 7.9.0.45 7.1.1.54 2008-12-30 1.66 -
Antiy 2.0.18 20081230.1945037 2008-12-30 0.12 -
Arcavir 1.0.5 200812131407 2008-12-13 1.29 -
Authentium 5.1.1 200812301619 2008-12-30 1.09 -
AVAST! 3.0.1 081230-0 2008-12-30 0.01 -
AVG 7.5.52.442 270.10.1/1869 2008-12-30 1.80 -
BitDefender 7.81008.2397126 7.22876 2008-12-31 2.20 -
CA (VET) 9.0.0.143 31.6.6284 2008-12-31 3.81 -
ClamAV 0.94.2 8815 2008-12-31 0.01 -
Comodo 3.0 851 2008-12-31 0.83 -
CP Secure 1.1.0.715 2008.12.30 2008-12-30 6.22 Malware.W32.Agent.fu
Dr.Web 4.44.0.9170 2008.12.31 2008-12-31 3.80 -
ewido 4.0.0.2 2008.12.29 2008-12-29 3.16 -
F-Prot 4.4.4.56 20081230 2008-12-30 1.09 -
F-Secure 5.51.6100 2008.12.31.01 2008-12-31 0.05 -
Fortinet 2.81-3.117 9.872 2008-12-30 0.15 PossibleThreat
GData 19.2176/19.162 20081231 2008-12-31 4.02 -
ViRobot 20081230 2008.12.30 2008-12-30 0.41 -
Ikarus T3.1.01.45 2008.12.31.72085 2008-12-31 3.58 -
JiangMin 11.0.706 2008.12.21 2008-12-21 1.38 Hoax.Agent.f
Kaspersky 5.5.10 2008.12.31 2008-12-31 0.04 -
KingSoft 2008.9.8.18 2008.12.31.10 2008-12-31 0.58 -
McAfee 5.3.00 5479 2008-12-30 2.78 -
Microsoft 1.4205 2008.12.31 2008-12-31 4.31 -
mks_vir 2.01 2008.12.30 2008-12-30 2.72 -
Norman 5.93.01 5.93.00 2008-12-30 5.93 W32/Agent.HHSF
Panda 9.05.01 2008.12.30 2008-12-30 2.53 Trj/Downloader.MDW
Trend Micro 8.700-1004 5.740.03 2008-12-30 0.03 -
Quick Heal 10.00 2008.11.17 2008-11-17 0.87 -
Rising 20.0 21.10.12.00 2008-12-30 0.78 -
Sophos 2.82.1 4.37 2008-12-31 1.94 -
Sunbelt 4755 4755 2008-12-22 0.95 -
Symantec 1.3.0.24 20081230.004 2008-12-30 0.22 -
nProtect 20081230.02 2827454 2008-12-30 4.17 -
The Hacker 6.3.1.2 v00202 2008-12-30 0.50 -
VBA32 3.12.8.10 20081230.0938 2008-12-30 1.54 -
VirusBuster 4.5.11.10 10.100.10/732162 2008-12-30 0.94 -
HiJack this log----------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:33:00 PM, on 1/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Hewlett-Packard\WJA Update Service\HPWJAUpdateService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O15 - Trusted Zone: http://research.ebay.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AutoExNT - Unknown owner - C:\WINDOWS\system32\AutoExNT.Exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WJA Update Service (HPWJAUpdateService) - Unknown owner - C:\Program Files\Common Files\Hewlett-Packard\WJA Update Service\HPWJAUpdateService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webcamera Plus Service - Ateksoft Company Ltd. - C:\Program Files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe
--
End of file - 11724 bytes