Hi,
Can someone take a look at these log results and let me know if I need to take further action?
Thanks.
ComboFix 10-02-09.04 - gkg 02/10/2010 9:44.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1345 [GMT -8:00]
Running from: c:\gkg\dload\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
PEV Error: PersonalFolder
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\LOG6.tmp
C:\LOG7.tmp
c:\windows\dubumu.vbs
c:\windows\epubehu.inf
c:\windows\foxyhigidi.vbs
c:\windows\system32\explorer.exe
----- BITS: Possible infected sites -----
hxxp://kvbback1:8530
.
((((((((((((((((((((((((( Files Created from 2010-01-10 to 2010-02-10 )))))))))))))))))))))))))))))))
.
2010-02-10 15:31 . 2010-02-10 15:31 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-10 15:30 . 2010-02-10 15:30 -------- d-----w- c:\documents and settings\gkg\Application Data\DAEMON Tools Lite
2010-02-10 15:30 . 2010-02-10 15:30 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-02-04 22:59 . 2010-02-04 22:59 -------- d-----w- c:\program files\Kiwi Log Viewer
2010-01-18 17:22 . 2010-01-18 17:22 -------- d-----w- c:\program files\Microsoft Silverlight
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-10 16:52 . 2009-07-13 22:03 137328 ----a-w- c:\documents and settings\gkg\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-10 16:36 . 2009-08-06 16:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-10 16:22 . 2007-07-10 19:43 12 ----a-w- c:\windows\bthservsdp.dat
2010-02-10 16:17 . 2009-07-14 01:41 -------- d-----w- c:\documents and settings\gkg\Application Data\uTorrent
2010-02-10 16:16 . 2007-01-16 21:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-10 15:31 . 2009-07-17 20:36 -------- d-----w- c:\program files\gkg
2010-02-10 05:05 . 2009-05-29 15:35 -------- d-----w- c:\program files\DesktopAuthority
2010-02-09 22:46 . 2009-07-17 20:38 -------- d-----w- c:\documents and settings\gkg\Application Data\vlc
2010-02-09 15:22 . 2009-09-16 14:48 -------- d-----w- c:\program files\Symantec AntiVirus
2010-02-05 19:00 . 2009-07-20 16:22 -------- d-----w- c:\documents and settings\gkg\Application Data\dvdcss
2010-02-03 05:07 . 2008-05-08 20:49 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-01-31 15:21 . 2009-07-26 15:44 -------- d-----w- c:\documents and settings\gkg\Application Data\Skype
2010-01-31 14:52 . 2009-07-26 15:47 -------- d-----w- c:\documents and settings\gkg\Application Data\skypePM
2010-01-22 15:25 . 2009-09-22 19:52 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-08 00:07 . 2009-08-06 16:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07 . 2009-08-06 16:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 18:52 . 2008-12-16 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-01-07 18:51 . 2010-01-07 18:51 -------- d-----w- c:\program files\PDF-Converter
2010-01-07 18:43 . 2008-02-13 15:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-05 17:57 . 2010-01-05 17:57 -------- d-----w- c:\documents and settings\gkg\Application Data\Hallmark
2010-01-04 22:00 . 2008-06-01 20:34 256 ----a-w- c:\windows\system32\pool.bin
2009-12-16 19:51 . 2009-07-14 04:31 -------- d-----w- c:\documents and settings\gkg\Application Data\Apple Computer
2009-12-16 19:48 . 2009-02-16 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-12-09 15:45 . 2009-12-09 15:45 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-03 22:20 . 2009-07-30 21:47 149768 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2009-08-26 04:30 . 2009-08-26 04:30 16880 ----a-w- c:\program files\Common Files\yxylypecaz.dll
2009-08-26 04:30 . 2009-08-26 04:30 16246 ----a-w- c:\program files\Common Files\tucefo.ban
2009-08-26 04:30 . 2009-08-26 04:30 15308 ----a-w- c:\program files\Common Files\uqerih.com
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"DAEMON Tools Lite"="c:\program files\gkg\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"DA Remote Management GUI"="c:\program files\DesktopAuthority\rmgui.exe" [2008-05-27 489392]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-30 115560]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
c:\documents and settings\amt\Start Menu\Programs\Startup\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2008-12-15 2367488]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 1724416]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Card Event Planner Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Photo Card Event Planner Reminder.lnk
backup=c:\windows\pss\Photo Card Event Planner Reminder.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RealDownload.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RealDownload.lnk
backup=c:\windows\pss\RealDownload.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 04:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMeeting]
2009-07-14 17:41 31552 ----a-w- c:\documents and settings\gkg\Local Settings\Application Data\Citrix\GoToMeeting\366\g2mstart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2007-08-31 19:01 1037736 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2007-08-31 19:13 988584 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-10-25 23:33 563984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-10-25 23:37 2178832 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
2002-08-15 13:26 886272 ----a-w- c:\windows\system32\LXSUPMON.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 23:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2009-09-24 15:17 26112 ----a-w- c:\program files\gkg\Real\RealPlayer\realplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-16 15:56 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]
2009-07-21 18:02 2707526 ----a-w- c:\program files\Zinio\ZinioReader.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\MaxRecall\\Programs\\zzviewer.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\gkg\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R2 DAInfo;DA Remote Management Kernel Information Provider;c:\program files\DesktopAuthority\DAInfo.sys [5/29/2009 7:35 AM 12080]
R2 DAMaint;DA Remote Management Maintenance Service;c:\program files\DesktopAuthority\DaMaint.exe [5/29/2009 7:35 AM 63408]
R2 DAtf;DA Remote Management Token Factory;c:\program files\DesktopAuthority\DAtf.sys [5/29/2009 7:35 AM 11184]
R2 DesktopAuthority;DA Remote Management Service;c:\program files\DesktopAuthority\DesktopAuthority.exe [5/29/2009 7:35 AM 1324976]
R2 SLClient;ScriptLogic Service;c:\windows\system32\slclient.exe [5/29/2009 7:34 AM 558496]
R3 DAmirr;DAmirr;c:\windows\system32\drivers\DAmirr.sys [5/29/2009 7:35 AM 9264]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/2/2009 7:29 AM 102448]
R3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;c:\windows\system32\drivers\nwdelmdm.sys [3/8/2006 7:53 PM 77952]
R3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;c:\windows\system32\drivers\nwdelser.sys [3/8/2006 7:53 PM 77952]
S0 ijhte;ijhte;c:\windows\system32\drivers\tmwptu.sys --> c:\windows\system32\drivers\tmwptu.sys [?]
S0 vyos;vyos;c:\windows\system32\drivers\dreqaipw.sys --> c:\windows\system32\drivers\dreqaipw.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/30/2009 1:46 PM 23888]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [10/12/2007 3:04 PM 99200]
S4 HttpRouter;RM HTTP router;c:\program files\DesktopAuthority\gateway_svc.exe [5/29/2009 7:35 AM 28080]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2009-10-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Name-Space Handler: ftp\RealDownload - {EBCDDA5E-2A68-11D3-8A43-0060083CFB9C} - c:\windows\system32\nzdd.dll
Name-Space Handler: http\RealDownload - {EBCDDA5E-2A68-11D3-8A43-0060083CFB9C} - c:\windows\system32\nzdd.dll
DPF: {720A3751-EB23-45E7-B5DB-68BA712A38AB} - hxxp://172.20.11.11/ShoreWareSoftPhone/SoftPhone.cab
FF - ProfilePath - c:\documents and settings\gkg\Application Data\Mozilla\Firefox\Profiles\aaokfab5.default\
FF - plugin: c:\documents and settings\gkg\Application Data\Mozilla\Firefox\Profiles\aaokfab5.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\gkg\Application Data\Mozilla\Firefox\Profiles\aaokfab5.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus
MSConfigStartUp-mserv - c:\documents and settings\gkg\Application Data\seres.exe
MSConfigStartUp-Recorder - [INSTALLDIR]Recorder.exe
AddRemove-SAE Standards Server - k:\sae standards\Uninst.isu
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-10 09:56
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AF2D856]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f19852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9df7bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9e04a21
SendHandler -> NDIS.sys @ 0xb9de287b
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(1796)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2010-02-10 10:01:54
ComboFix-quarantined-files.txt 2010-02-10 18:01
Pre-Run: 23,978,733,568 bytes free
Post-Run: 24,979,243,008 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 9000F84D4C92A4F3DEA6E6F282C6F990
Edit: Moved topic from XP to the more appropriate forum. ~ Animal