Hi,
I have attached the GMER and ComboFix logs as directed.
Regards,
Yps
ComboFix 09-03-23.01 - User 2009-03-24 17:01:25.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.460 [GMT 5.5:30]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\IE4 Error Log.txt
c:\windows\system32\pthreadGC2.dll
c:\windows\wiaserviv.log
----- BITS: Possible infected sites -----
hxxp://vestepau.cn
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_RPCLOCATORTHEMES
-------\Service_RpcLocatorThemes
((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))
.
2009-03-24 12:49 . 2009-03-24 12:49 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-24 12:49 . 2009-03-24 12:49 1,409 --a------ c:\windows\QTFont.for
2009-03-11 21:14 . 2009-03-11 21:14 <DIR> d-------- c:\program files\Cucusoft
2009-03-11 21:14 . 2009-03-11 21:37 <DIR> d-------- C:\ConverterOutput
2009-03-11 21:14 . 2006-07-08 04:07 114,688 --a------ c:\windows\system32\PropListCtrl.ocx
2009-03-11 21:14 . 2008-08-31 11:59 92,102 --a------ c:\windows\system32\HKCU_GNU.reg
2009-03-11 21:14 . 2006-07-17 21:42 14,909 --a------ c:\windows\system32\A_reg.reg
2009-03-11 21:14 . 2008-06-15 21:13 7,680 --a------ c:\windows\system32\ff_vfw.dll
2009-03-11 21:14 . 2008-06-17 10:57 6,700 --a------ c:\windows\system32\HKLM_GNU.reg
2009-03-11 21:14 . 2008-06-15 21:13 6,144 --a------ c:\windows\system32\ff_acm.acm
2009-03-11 21:14 . 2008-06-15 10:01 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-03-08 22:05 . 2009-03-11 11:45 88 --a-s---- c:\windows\system32\336962256.dat
2009-03-08 22:04 . 2004-08-04 00:56 24,576 --a------ c:\windows\system32\stu2.exe
2009-02-24 10:27 . 2009-02-24 10:27 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-24 10:27 . 2009-02-24 10:27 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-24 10:23 . 2009-03-20 09:58 <DIR> d-------- c:\program files\SpywareGuard
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-24 11:34 --------- d-----w c:\documents and settings\User\Application Data\OpenOffice.org2
2009-03-07 10:11 --------- d-----w c:\documents and settings\User\Application Data\dvdcss
2009-02-24 05:14 --------- d-----w c:\program files\Mozilla Thunderbird
2009-02-24 05:12 --------- d-----w c:\program files\SpywareBlaster
2009-02-24 04:57 --------- d-----w c:\program files\Java
2009-02-18 16:44 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-16 17:25 71,215 ----a-w c:\program files\IMG_2287.JPG
2009-02-16 13:50 --------- d-----w c:\program files\PCFriendly
2009-02-11 04:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 04:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-01 14:34 --------- d-----w c:\program files\Mozilla Sunbird
2009-01-31 10:21 --------- d-----w c:\program files\Zoom Player
2009-01-30 07:28 --------- d-----w c:\program files\Google
2009-01-24 08:26 --------- d-----w c:\program files\Audible
2009-01-24 08:10 --------- d--h--w c:\program files\Creative Installation Information
2009-01-24 08:10 --------- d-----w c:\program files\Creative
2009-01-24 08:04 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Creative
2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
2008-12-28 07:51 1,202,136 ----a-w c:\program files\IMG_2226.JPG
.
------- Sigcheck -------
2004-08-03 23:14 359040 1745b00fc1141404b28f4b94f69a8871 c:\windows\system32\dllcache\tcpip.sys
2004-08-03 23:14 359040 1745b00fc1141404b28f4b94f69a8871 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot_2009-02-16_19.29.31.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-13 05:27:10 163,328 ----a-w c:\windows\erdnt\subs\ERDNT.EXE
+ 2005-10-20 14:32:28 163,328 ----a-w c:\windows\erdnt\subs\ERDNT.EXE
- 2007-09-24 17:00:28 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-02-24 04:57:23 144,792 ----a-w c:\windows\system32\java.exe
- 2007-09-24 17:00:30 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-02-24 04:57:23 144,792 ----a-w c:\windows\system32\javaw.exe
- 2007-09-24 18:01:42 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-02-24 04:57:23 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-10-31 11:17:18 1,536 ----a-w c:\windows\system32\TrueSoft.dat
+ 2009-03-12 14:20:13 1,536 ----a-w c:\windows\system32\TrueSoft.dat
- 2006-04-18 22:30:22 245,408 ----a-w c:\windows\system32\unicows.dll
+ 2008-06-15 04:31:00 258,352 ----a-w c:\windows\system32\unicows.dll
- 2009-02-14 18:21:15 22,528 ----a-w c:\windows\system32\userinit.exe
+ 2004-08-03 19:26:58 24,576 ----a-w c:\windows\system32\userinit.exe
+ 2009-03-24 11:34:15 16,384 ----atw c:\windows\temp\Perflib_Perfdata_7b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-06-20 4538368]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-03-26 413775]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-04-28 692224]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-10 7286784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-12 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-18 279912]
"VX1000"="c:\windows\vVX1000.exe" [2007-04-11 709992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-24 148888]
"nwiz"="nwiz.exe" [2005-10-10 c:\windows\system32\nwiz.exe]
c:\documents and settings\Ipbleepa\Start Menu\Programs\Startup\
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2006-08-09 18944]
c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 393216]
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2006-08-09 18944]
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Nokia Device Manager.lnk - c:\program files\Nokia\PC Suite for the Nokia 6708\Device Manager\audevicemgr.exe [2006-03-20 802304]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-08-09 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Intuwave Ltd\\Shared\\mRouterRunTime\\mRouterRuntime.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
R2 VenturiClient;Venturi Client;c:\program files\Speed+\Client\VentC.exe [2007-10-23 2475360]
R3 komiceb;Nokia 6708 Cable Emulation Bus (WDM);c:\windows\system32\drivers\komiceb.sys [2007-11-13 41792]
R3 sit_bus;SIT_1x_usbmodem Device;c:\windows\system32\drivers\sit_bus.sys [2007-04-17 22144]
R3 sit_flt;SUNGIL USB Filter Service;c:\windows\system32\drivers\sit_flt.sys [2007-04-18 4352]
R3 sit_mdm;SIT_1x_usbmodem ;c:\windows\system32\drivers\sit_mdm.sys [2007-04-17 39680]
R3 sit_prt;SIT_1x_usbmodem Port;c:\windows\system32\drivers\sit_prt.sys [2007-04-17 38656]
R3 vwinter;Venturi Wireless Intercepter;c:\windows\system32\drivers\vwinter.sys [2007-10-23 47392]
R3 vwredir;Venturi Wireless Redirector;c:\windows\system32\drivers\vwredir.sys [2007-10-23 85792]
S3 komibus;Nokia 6708 Composite Device driver (WDM);c:\windows\system32\drivers\komibus.sys [2007-11-13 52384]
S3 komimdfl;Nokia 6708 VSC Modem (WDM) (Filter);c:\windows\system32\drivers\komimdfl.sys [2007-11-13 6000]
S3 komimdmc;Nokia 6708 mRouter Port (WDM);c:\windows\system32\drivers\komimdmc.sys [2007-11-13 85184]
S3 komisce;Nokia 6708 VSC Modem (WDM);c:\windows\system32\drivers\komisce.sys [2007-11-13 68112]
.
Contents of the 'Scheduled Tasks' folder
2009-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2008-12-18 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX1000_exe.job
- c:\windows\vVX1000.exe [2007-04-11 03:16]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Save Flash - c:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\ax3abblf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\SiteAdvisor\6253\FF\components\FFHook.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.00.19); user_pref(general.useragent.extra.zencast, Creative ZENcast v1.00.19.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-03-24 17:04:23
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\SiteAdvisor\6253\SAService.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\program files\Speed+\squid\ventcsquid.exe
c:\program files\Speed+\squid\ventcdnsserver.exe
c:\program files\Speed+\squid\ventcdnsserver.exe
c:\program files\Speed+\squid\ventcdnsserver.exe
c:\program files\Speed+\squid\ventcdnsserver.exe
c:\program files\Speed+\squid\ventcdnsserver.exe
c:\program files\Speed+\squid\ventcdnsserver.exe
c:\program files\Speed+\squid\ventcunlinkd.exe
c:\windows\system32\rundll32.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\OpenOffice.org 2.1\program\soffice.exe
c:\program files\Nokia\PC Suite for the Nokia 6708\Connectivity Pack\ConnMngmntBox.exe
c:\program files\OpenOffice.org 2.1\program\soffice.bin
c:\program files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe
c:\program files\SpywareGuard\sgbhp.exe
c:\program files\Nokia\PC Suite for the Nokia 6708\Sync ML Desktop Server\SyncController.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-24 17:06:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-24 11:36:20
ComboFix2.txt 2009-02-18 13:37:33
ComboFix3.txt 2009-02-16 14:00:16
ComboFix4.txt 2008-06-30 06:57:45
ComboFix5.txt 2009-03-24 11:30:43
Pre-Run: 27,311,845,376 bytes free
Post-Run: 27,348,955,136 bytes free