Combofix result:
While running after the reboot, Watch def dog detected some change in etc/Host or something, to which I replied "reject change". The report is as follows:
ComboFix 08-11-09.04 - Owner 2008-11-10 19:59:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.102 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\BIPVuBeg.ini
c:\windows\system32\BIPVuBeg.ini2
c:\windows\system32\hgPsBJjl.ini
c:\windows\system32\hgPsBJjl.ini2
c:\windows\system32\MSVolume.dll
c:\windows\system32\QqYGOqru.ini
c:\windows\system32\QqYGOqru.ini2
c:\windows\system32\TDSSblat.dat
c:\windows\system32\TDSSdlpb.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSStubu.log
H:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.
2008-11-04 18:15 . 2008-11-04 18:15 <DIR> d-------- c:\program files\Common Files\xing shared
2008-10-23 17:17 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-21 00:44 . 2008-10-21 00:44 <DIR> d-------- c:\documents and settings\Owner\Application Data\WinPatrol
2008-10-21 00:43 . 2008-10-21 00:43 <DIR> d-------- c:\program files\BillP Studios
2008-10-20 23:35 . 2008-10-20 23:35 <DIR> d-------- c:\program files\CCleaner
2008-10-20 23:26 . 2008-10-20 23:30 <DIR> d-------- c:\program files\SpywareBlaster
2008-10-20 22:30 . 2008-10-20 22:30 <DIR> d-------- c:\program files\Windows Defender
2008-10-20 10:09 . 2008-10-20 10:09 342 --a------ c:\windows\wininit.ini
2008-10-20 09:12 . 2008-10-20 22:26 <DIR> d--hs---- c:\windows\UGFyYWcgVGFrbGU
2008-10-18 19:30 . 2008-10-21 13:33 0 --a------ c:\windows\system32\drivers\TDSSrfdc.sys
2008-10-15 01:42 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-15 01:41 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 01:41 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 01:41 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 01:41 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-15 01:41 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-14 14:59 . 2008-10-14 14:59 <DIR> d-------- C:\cclass
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 01:13 --------- d-----w c:\program files\Symantec AntiVirus
2008-11-04 23:15 --------- d-----w c:\program files\Common Files\Real
2008-10-27 04:23 --------- d-----w c:\program files\RSSoft
2008-10-23 22:15 --------- d-----w c:\program files\pdf995
2008-10-22 20:31 --------- d-----w c:\program files\Mp3 My Mp3 2.0
2008-10-22 20:11 --------- d-----w c:\program files\NCH Swift Sound
2008-10-22 20:11 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-10-22 18:43 --------- d-----w c:\documents and settings\Owner\Application Data\Apple Computer
2008-10-21 05:16 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-21 04:34 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-20 14:09 --------- d-----w c:\program files\Common Files\zwwu
2008-10-13 02:53 --------- d-----w c:\documents and settings\Owner\Application Data\Canon
2008-10-10 22:45 --------- d-----w c:\program files\NCH Software
2008-10-10 22:36 --------- d-----w c:\documents and settings\Owner\Application Data\NCH Swift Sound
2008-10-10 22:27 27,136 ----a-w c:\windows\system32\drivers\nchssvad.sys
2008-10-10 22:16 --------- d-----w c:\program files\Mp3Splitter
2008-10-10 22:13 286,720 ------w c:\windows\Setup1.exe
2008-10-10 17:32 --------- d-----w c:\program files\Games
2008-10-09 09:06 --------- d-----w c:\program files\Google
2008-10-06 03:57 --------- d-----w c:\program files\FlashGet
2008-10-03 20:40 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-10-03 20:40 --------- d-----w c:\documents and settings\Owner\Application Data\DAEMON Tools
2008-10-03 20:15 --------- d-----w c:\program files\LaCasadeDora
2008-10-03 20:11 --------- d-----w c:\program files\Compress-split
2008-10-02 22:49 --------- d-----w c:\program files\SQLLIB
2008-10-02 09:33 --------- d-----w c:\program files\PowerISO
2008-09-25 22:20 --------- d-----w c:\program files\RealVNC
2008-09-23 00:26 --------- d--h--r c:\documents and settings\Owner\Application Data\yahoo!
2008-09-23 00:04 --------- d-----w c:\program files\Verizon
2008-09-23 00:04 --------- d-----w c:\documents and settings\All Users\Application Data\Verizon
2008-09-21 15:56 --------- d-----w c:\program files\Trend Micro
2008-09-21 13:48 --------- d-----w c:\program files\SUPERAntiSpyware
2008-09-21 13:48 --------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2008-09-21 13:48 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-21 13:47 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-09-21 04:56 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-09-21 04:12 102,664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2008-09-20 19:09 --------- d-----w c:\program files\mypoints
2008-09-20 19:08 --------- d-----w c:\program files\Teaching
2008-09-20 18:39 --------- d-----w c:\program files\Yahoo!
2008-09-20 18:38 --------- d-----w c:\documents and settings\All Users\Application Data\YAHOO
2008-09-19 14:48 --------- d-----w c:\program files\Real
2008-09-16 14:05 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-09-16 13:24 165 ----a-w c:\documents and settings\Owner\xrt_log.dat
2008-09-15 02:21 --------- d-----w c:\documents and settings\All Users\Application Data\Bluetooth
2008-09-15 01:45 --------- d-----w c:\program files\Common Files\Download Manager
2008-09-14 22:04 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2008-09-14 22:04 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2007-02-13 17:05 0 ----a-w c:\program files\4inrow.ini
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-09-12 4670704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-23 85696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-12-04 406016]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Motive SmartBridge"="c:\progra~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe" [2005-04-13 385024]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-04-28 53248]
"A Verizon App"="c:\progra~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE" [2005-05-23 50744]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2006-09-07 1029664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-31 271672]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-04 185872]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2004-07-13 22:14 24673 c:\windows\system32\ckpNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.PIM1"= pclepim1.dll
"VIDC.MJPG"= Pvmjpg30.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\Yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe
"c:\\Program Files\\Pinnacle\\Shared Files\\Programs\\MediaManager\\PMSManager.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Games\\PuzzleOnline\\DigitOnline.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
"67:UDP"= 67:UDP:DHCP Discovery Service
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R2 MSCamSvc;MSCamSvc;c:\program files\Microsoft LifeCam\MSCamS32.exe [2007-05-17 271720]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\DRIVERS\Scap.sys [2004-07-13 17456]
R2 VCS_Service;VCS NT Service;c:\program files\Serena Software\ChangeMan\DS\Client\vcs_nt_service.exe [2002-02-06 221184]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2004-07-13 670128]
R3 EraserUtilDrvI7;EraserUtilDrvI7;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys [2008-09-08 99376]
R3 FW1;SecuRemote Miniport;c:\windows\system32\DRIVERS\fw.sys [2004-07-13 2041904]
R3 VX1000;VX-1000;c:\windows\system32\DRIVERS\VX1000.sys [2007-04-10 1966312]
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\DRIVERS\m4301A.sys [2003-08-05 83552]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\DRIVERS\OMVA.sys [2004-07-13 14924]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\DRIVERS\P0630Vid.sys [2004-07-29 91830]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{42C7256F-E027-4352-80F7-9261A11A0C19}]
c:\windows\system32\msiexec.exe /qn /fpu {42C7256F-E027-4352-80F7-9261A11A0C19}
.
Contents of the 'Scheduled Tasks' folder
2008-11-10 c:\windows\Tasks\A80B5B519118C939.job
- c:\docume~1\owner\applic~1\inside~1\Byte for active.exe []
2008-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2008-11-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
2008-11-10 c:\windows\Tasks\User_Feed_Synchronization-{FD6F5DA3-FAEF-45FC-BE9D-24CFC499BCAF}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
WebBrowser-{A057A204-BACC-4D26-CEC4-75A487FD6484} - (no file)
HKLM-Run-NWEReboot - (no file)
SafeBoot-TDSSmqlt.sys
SafeBoot-TDSSrfdc.sys
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\eo9f4ake.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL -
hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-11-10 20:23:46
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Windows Defender\MsMpEng.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
c:\program files\Symantec AntiVirus\SavRoam.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Pure Networks\Network Magic\nmsrvc.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_SDS.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.exe
c:\windows\system32\rundll32.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\program files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
c:\program files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\Java\jre1.6.0_05\bin\jucheck.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-11-10 20:43:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-11 01:42:43
Pre-Run: 24,907,153,408 bytes free
Post-Run: 25,953,402,880 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
277 --- E O F --- 2008-11-08 03:24:21
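A ComboFix report like the one above is long, and the entries that actually matter are a handful of patterns: the TDSS-prefixed files and drivers (the naming used by the TDSServ/Alureon rootkit family, which ComboFix deleted here and whose SafeBoot entries it removed as orphans), the eight-letter random .ini/.ini2 pairs in system32, the Autorun.inf at the root of a removable drive (H:), the hidden+system directory created directly under c:\windows, and the Security Center values that suppress the antivirus and update warnings. The script below is an added example, not part of the original post and not ComboFix's own code; it runs those rules over a constructed excerpt of the report and tags each hit with the section it came from. The rule names and the Finding type are assumptions chosen for illustration. It deliberately does not flag DisableMonitoring under Monitoring\SymantecAntiVirus, which an installed AV product sets for itself, and a hit on the notify-disable values is a prompt to check, not proof of tampering, since a user can set them too.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt in ComboFix report style. The paths and registry values are
# copied from the report above so the rules can be checked against real-looking input.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\BIPVuBeg.ini
c:\windows\system32\BIPVuBeg.ini2
c:\windows\system32\hgPsBJjl.ini
c:\windows\system32\MSVolume.dll
c:\windows\system32\TDSSblat.dat
c:\windows\system32\TDSSdlpb.dll
H:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.
2008-10-20 09:12 . 2008-10-20 22:26 <DIR> d--hs---- c:\windows\UGFyYWcgVGFrbGU
2008-10-18 19:30 . 2008-10-21 13:33 0 --a------ c:\windows\system32\drivers\TDSSrfdc.sys
2008-10-20 23:35 . 2008-10-20 23:35 <DIR> d-------- c:\program files\CCleaner
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-TDSSmqlt.sys
SafeBoot-TDSSrfdc.sys
"""

# Section headers: "(((( Name ))))" blocks and the "- - - - ORPHANS REMOVED - - - -" line.
SECTION_RE = re.compile(r"^\({3,}\s*(.+?)\s*\){3,}$")
ORPHANS_RE = re.compile(r"^- - - - (.+?) - - - -$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")

# Heuristic rules (assumed names). Each is keyed to a pattern visible in the report.
# TDSS + 4 letters, as a path component or a SafeBoot-<name> orphan entry.
TDSS_FILE_RE = re.compile(r"(?:^|[\\\-])TDSS[A-Za-z]{4}\.(?:sys|dll|dat|log)\s*$", re.I)
# Eight random letters + .ini / .ini2 directly in system32.
RANDOM_INI_RE = re.compile(r"\\system32\\[A-Za-z]{8}\.ini2?\s*$", re.I)
# Autorun.inf at the root of any drive other than C:.
AUTORUN_RE = re.compile(r"^[D-Z]:\\autorun\.inf\s*$", re.I)
# A <DIR> entry with both hidden (h) and system (s) attributes, directly under c:\windows.
HIDDEN_SYS_DIR_RE = re.compile(r"<DIR>\s+d[-a]{2}hs\S*\s+(c:\\windows\\[^\\]+)\s*$", re.I)
# Security Center notification suppression values set to 1.
SC_NOTIFY_RE = re.compile(
    r'^"(AntiVirusDisableNotify|FirewallDisableNotify|UpdatesDisableNotify)"=dword:0*1$', re.I
)


@dataclass(frozen=True)
class Finding:
    rule: str
    section: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Walk a ComboFix-style report and return every line that trips a rule."""
    findings: list[Finding] = []
    section = "(preamble)"
    reg_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        header = SECTION_RE.match(line) or ORPHANS_RE.match(line)
        if header:
            section = header.group(1)
            continue
        key = REG_KEY_RE.match(line)
        if key:
            reg_key = key.group(1).lower()
            continue
        if TDSS_FILE_RE.search(line):
            findings.append(Finding("tdss_prefix_file", section, line))
        if RANDOM_INI_RE.search(line):
            findings.append(Finding("random_ini_in_system32", section, line))
        if AUTORUN_RE.match(line):
            findings.append(Finding("autorun_inf_removable_root", section, line))
        if HIDDEN_SYS_DIR_RE.search(line):
            findings.append(Finding("hidden_system_dir_in_windows", section, line))
        # Only the Security Center key itself; the Monitoring\<product> subkeys are
        # written by the AV product and are not flagged.
        if reg_key.endswith("\\security center") and SC_NOTIFY_RE.match(line):
            findings.append(Finding("security_center_notify_disabled", section, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per rule, for a quick overview before reading the lines."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.rule}] ({f.section}) {f.line}")
    print(summarize(hits))
```

Run against the excerpt, the TDSS rule fires in three different sections (deletions, files created in the scan window, and the SafeBoot orphans), which is the useful cross-check: a rootkit driver that was created, then deleted, and still had a SafeBoot entry to clean up. The rules are tuned to what this report shows and will need adjusting for other families; the section tracking is the part worth keeping, because the same path means something different under "Other Deletions" than under "Files Created".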