Hmmm, in the short time since posting those logs, my antivirus picked up Vundo and Metajuan. I ran ComboFix and HijackThis again for the logs.
ComboFix 08-06-06.6 - stacy 2008-06-08 9:52:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.211 [GMT -5:00]
Running from: C:\Documents and Settings\stacy\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-05-08 to 2008-06-08 )))))))))))))))))))))))))))))))
.
2008-06-06 06:45 . 2008-06-07 03:54 354 --ahs---- C:\WINDOWS\system32\puqkrknm.ini
2008-06-05 01:47 . 2008-06-06 06:40 714 --ahs---- C:\WINDOWS\system32\nisdgdte.ini
2008-06-03 08:45 . 2008-06-05 01:33 594 --ahs---- C:\WINDOWS\system32\qqdxjsbh.ini
2008-06-02 08:40 . 2008-06-03 08:41 474 --ahs---- C:\WINDOWS\system32\erqcnfif.ini
2008-06-01 08:40 . 2008-06-01 10:49 354 --ahs---- C:\WINDOWS\system32\rywdbpno.ini
2008-06-01 06:24 . 2008-06-01 06:24 <DIR> d-------- C:\Program Files\Microprose
2008-06-01 05:25 . 2008-06-01 05:25 <DIR> d-------- C:\_OTMoveIt
2008-06-01 05:06 . 2008-06-01 05:06 <DIR> d-------- C:\Deckard
2008-05-30 08:15 . 2008-05-30 08:15 294 --ahs---- C:\WINDOWS\system32\iuerldgl.ini
2008-05-30 01:19 . 2008-05-03 06:37 414 --ahs---- C:\WINDOWS\system32\oecssvmd.ini
2008-05-29 06:07 . 2008-05-29 06:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-27 12:02 . 2008-05-27 12:02 <DIR> d-------- C:\Documents and Settings\stacy\Application Data\WarZone
2008-05-27 12:01 . 2008-05-27 12:01 <DIR> d-------- C:\Program Files\Common Files\Idu
2008-05-27 12:00 . 2008-06-01 06:13 <DIR> d-------- C:\Program Files\WarZone
2008-05-27 11:44 . 2008-05-27 11:44 <DIR> d-------- C:\Program Files\CCleaner
2008-05-27 11:25 . 2008-05-27 11:25 <DIR> d-------- C:\Program Files\CleanMyPC
2008-05-15 10:01 . 2008-05-15 10:01 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-05-15 10:01 . 2008-01-10 07:15 755,027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-05-15 10:01 . 2006-09-24 10:11 389,120 --a------ C:\WINDOWS\system32\lameACM.acm
2008-05-15 10:01 . 2004-01-25 11:18 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2008-05-15 10:01 . 2007-09-04 11:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-05-15 10:01 . 2008-01-10 07:16 159,839 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-05-15 10:01 . 2007-09-20 19:52 118,784 --a------ C:\WINDOWS\system32\ac3acm.acm
2008-05-15 10:01 . 2008-03-28 12:41 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-05-15 10:01 . 2007-07-10 11:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-05-15 10:01 . 2007-10-03 10:03 414 --a------ C:\WINDOWS\system32\lame_acm.xml
2008-05-15 05:12 . 2008-06-08 09:48 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-05-15 05:05 . 2008-05-15 05:05 <DIR> d-------- C:\Program Files\uTorrent
2008-05-15 05:05 . 2008-05-23 04:17 <DIR> d-------- C:\Documents and Settings\stacy\Application Data\uTorrent
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-08 14:51 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-06-08 10:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-07 13:31 --------- d--h--w C:\Documents and Settings\stacy\Application Data\Move Networks
2008-06-01 12:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-29 08:10 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-29 08:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-28 07:59 --------- d-----w C:\Program Files\Apple Software Update
2008-05-26 12:03 --------- d-----w C:\Documents and Settings\stacy\Application Data\Lavasoft
2008-05-17 09:14 --------- d-----w C:\Program Files\PokerStars
2008-05-15 14:34 --------- d-----w C:\Program Files\DivX
2008-05-15 05:54 --------- d-----w C:\Program Files\Full Tilt Poker
2008-05-15 05:11 --------- d-----w C:\Program Files\Absolute Poker
2008-05-14 06:12 --------- d-----w C:\Program Files\UltimateBet
2008-05-09 20:16 --------- d-----w C:\Program Files\Cake Poker
2008-05-09 09:01 --------- d-----w C:\Program Files\Poker.com
2008-05-09 07:25 --------- d-----w C:\Documents and Settings\stacy\Application Data\Microgaming
2008-05-09 07:13 --------- d-----w C:\Program Files\CarbonPoker
2008-05-02 06:32 --------- d-----w C:\Program Files\LimeWire
2008-04-26 07:42 --------- d-----w C:\Program Files\Bodog Poker
2008-03-31 21:25 831,488 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2007-04-05 00:04 702,212 ----a-w C:\Program Files\APR2007_d3dx10_33_x64.cab
2007-04-05 00:04 699,465 ----a-w C:\Program Files\APR2007_d3dx10_33_x86.cab
2007-04-05 00:04 56,902 ----a-w C:\Program Files\APR2007_xinput_x86.cab
2007-04-05 00:04 45,305 ----a-w C:\Program Files\dxdllreg_x86.cab
2007-04-05 00:04 199,366 ----a-w C:\Program Files\APR2007_XACT_x64.cab
2007-04-05 00:04 154,825 ----a-w C:\Program Files\APR2007_XACT_x86.cab
2007-04-05 00:04 100,417 ----a-w C:\Program Files\APR2007_xinput_x64.cab
2007-04-05 00:04 1,610,958 ----a-w C:\Program Files\APR2007_d3dx9_33_x64.cab
2007-04-05 00:04 1,609,639 ----a-w C:\Program Files\APR2007_d3dx9_33_x86.cab
.
((((((((((((((((((((((((((((( snapshot@2008-06-08_ 7.24.24.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-08 12:17:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-08 14:42:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-02-26 11:59:50 294,912 -c----w C:\WINDOWS\system32\dllcache\msctf.dll
- 2004-08-04 07:56:42 294,400 ----a-w C:\WINDOWS\system32\msctf.dll
+ 2008-02-26 11:59:50 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-25 06:36 68856]
"HijackThis startup scan"="C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-03-17 06:34 124656]
"AtiPTA"="Atiptaab.exe" [1999-03-30 15:28 218112 C:\WINDOWS\system32\atiptaab.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\7c4e09bc]
C:\WINDOWS\system32\lgdlreui.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM7f7d3a20]
C:\WINDOWS\system32\gaueosiv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-02-14 05:33 29744 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-04-25 06:36 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Poker.com\\client.exe"=
"C:\\Program Files\\CarbonPoker\\client.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Documents and Settings\\stacy\\My Documents\\pandoras box\\Risk.II.2006\\RISKII.EXE"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-14 05:33]
S4 ati2mpab;ati2mpab;C:\WINDOWS\system32\DRIVERS\ati2mpab.sys [1999-04-21 18:37]
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 08:48:27 C:\WINDOWS\Tasks\Absolute Poker.job"
- C:\PROGRA~1\ABSOLU~1\MAINCL~1.EXE
"2008-06-08 08:00:03 C:\WINDOWS\Tasks\Bodog Poker.job"
- C:\PROGRA~1\BODOGP~1\BPGame.exe
"2008-05-09 09:23:35 C:\WINDOWS\Tasks\Cake Poker.job"
- C:\PROGRA~1\CAKEPO~1\cake.exe
"2008-05-09 09:12:12 C:\WINDOWS\Tasks\CarbonPoker.job"
- C:\PROGRA~1\CARBON~1\client.exe
"2008-05-09 20:15:53 C:\WINDOWS\Tasks\Full Tilt Poker.job"
- C:\PROGRA~1\FULLTI~1\FULLTI~1.EXE
"2008-05-09 09:27:08 C:\WINDOWS\Tasks\Poker.job"
- C:\PROGRA~1\Poker.com\client.exe
"2008-05-10 02:28:07 C:\WINDOWS\Tasks\PokerStars.job"
- C:\PROGRA~1\POKERS~1\POKERS~4.EXE
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-08 09:55:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-08 9:57:26
ComboFix-quarantined-files.txt 2008-06-08 14:57:14
ComboFix2.txt 2008-06-08 12:25:19
Pre-Run: 10,402,144,256 bytes free
Post-Run: 10,392,133,632 bytes free
183 --- E O F --- 2008-06-08 13:02:56
-------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:12 AM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\Atiptaab.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\stacy\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\stacy\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Documents and Settings\stacy\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Registe ... lashax.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 4997 bytes