Here are the ComboFix.txt log and Malwarebytes scan results:
ComboFix 09-02-12.03 - John 2009-02-14 11:46:24.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1024.662 [GMT -5:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
c:\winxp\system32\gafopaji
c:\winxp\system32\pijelodo.dll
c:\winxp\system32\razifazi.dll
c:\winxp\system32\rotawugo.dll
c:\winxp\system32\vopeside.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\winxp\system32\gafopaji
.
((((((((((((((((((((((((( Files Created from 2009-01-14 to 2009-02-14 )))))))))))))))))))))))))))))))
.
2009-02-13 10:46 . 2009-02-13 10:46 <DIR> d-------- c:\documents and settings\John\Application Data\Malwarebytes
2009-02-13 10:46 . 2009-02-13 10:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-13 10:46 . 2009-02-11 10:19 38,496 --a------ c:\winxp\system32\drivers\mbamswissarmy.sys
2009-02-13 10:46 . 2009-02-11 10:19 15,504 --a------ c:\winxp\system32\drivers\mbam.sys
2009-02-13 10:45 . 2009-02-13 10:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-03 14:17 . 2009-02-03 14:17 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-02-03 14:17 . 2009-02-03 14:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-02-03 14:14 . 2009-02-03 14:14 <DIR> d-------- c:\program files\MagicDisc
2009-02-03 14:14 . 2008-07-28 17:19 116,736 --a------ c:\winxp\system32\drivers\mcdbus.sys
2009-01-26 13:32 . 2009-01-26 13:32 54,156 --ah----- c:\winxp\QTFont.qfn
2009-01-26 13:32 . 2009-01-26 13:32 1,409 --a------ c:\winxp\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 17:01 3,067,904 ------w c:\winxp\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ------w c:\winxp\system32\dllcache\srv.sys
2006-11-04 05:31 32 ----a-w c:\documents and settings\John\o9u.dat
2006-10-24 22:15 266 --sh--w c:\program files\desktop.ini
2006-10-24 22:15 11,079 ---h--w c:\program files\folder.htt
2004-02-01 00:54 331,776 ----a-w c:\winxp\inf\pdfinst2.exe
2002-08-02 13:00 12,348 ----a-w c:\program files\viewsonicinstruct_xp.pdf
2006-02-28 17:00 73,728 --sha-w c:\winxp\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-02-13_15.05.37.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-14 16:50:30 16,384 ----a-w c:\winxp\Temp\Perflib_Perfdata_6a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norton Ghost 9.0"="c:\program files\Symantec\Norton Ghost\Agent\GhostTray.exe" [2004-07-29 1122304]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-08-08 148760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-28 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-02 185896]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\winxp\KHALMNPR.Exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-01 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-08-25 805392]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\John\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\winxp\pss\MagicDisc.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2Wire Wireless Manager]
--a------ 2007-10-01 16:56 61440 c:\program files\2Wire Wireless Manager\2Wire.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2007-08-08 18:00 1945424 c:\program files\Seagate\DiscWizard\TimounterMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
--a------ 2007-08-08 17:47 1169456 c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2006-05-30 15:22 542208 c:\program files\Nero\Nero 7\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-03-23 13:20 227328 c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-28 09:16 282624 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-02 09:01 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-01-15 17:54 37376 c:\program files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
-ra------ 2001-10-22 13:24 1216512 c:\winxp\mixer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINXP\\System32\\mmc.exe"=
"c:\\WINXP\\System32\\FXSCLNT.exe"=
"c:\\Program Files\\K-Lite\\kazaa.core"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
R0 PQV2i;PQV2i;c:\winxp\system32\drivers\PQV2i.sys [2004-07-29 138780]
R1 epfwtdir;epfwtdir;c:\winxp\system32\drivers\epfwtdir.sys [2008-03-13 33800]
R1 PQIMount;PQIMount;c:\winxp\system32\drivers\PQIMount.sys [2004-07-29 46779]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-03-13 472320]
S3 OlCamudp;OLYMPUS Digital Camera;c:\winxp\system32\drivers\olcamudp.sys [2006-11-13 10379]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66f2e300-66b1-11db-b68d-0040f4416052}]
\Shell\AutoRun\command - E:\StartPortableApps.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Download all by YouTube Robot - c:\program files\YouTubeRobot\RobotExt.ocx/ALL.HTM
IE: Download by YouTube Robot - c:\program files\YouTubeRobot\RobotExt.ocx/LINK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {03A89EFD-E023-8000-A22D-45F77558EB4C} - hxxps://lm-learnlinc-6.ilinc.com/download/ilinci80.dll
DPF: {413D6754-BFD4-47FE-9346-319559290BFA} - hxxp://www.webpcfos.com/webpcfos/websabre/HTEweb.cab
DPF: {C7C7152F-6E85-44F3-A14B-A7F85FDDEA3B} - hxxp://www.tellmemore-online.com/bin/tol7inst.cab
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\dgchrfgn.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1439.6872\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-14 11:51:20
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(772)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
- - - - - - - > 'lsass.exe'(832)
c:\winxp\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMMON FILES\SEAGATE\SCHEDULE2\SCHEDUL2.EXE
c:\program files\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
c:\winxp\SYSTEM32\GEARSEC.EXE
c:\program files\GOOGLE\COMMON\GOOGLE UPDATER\GOOGLEUPDATERSERVICE.EXE
c:\program files\NERO\NERO 7\INCD\INCDSRV.EXE
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\program files\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
c:\program files\SYMANTEC\NORTON GHOST\AGENT\PQV2ISVC.EXE
c:\program files\PC CONNECTIVITY SOLUTION\SERVICELAYER.EXE
c:\program files\COMMON FILES\LOGISHRD\KHAL2\KHALMNPR.EXE
c:\winxp\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-14 11:54:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-14 16:54:04
ComboFix2.txt 2009-02-13 20:06:48
Pre-Run: 20,403,748,864 bytes free
Post-Run: 20,393,295,872 bytes free
174 --- E O F --- 2009-02-11 08:02:49
_________________________________
Malwarebytes Scan Results
Malwarebytes' Anti-Malware 1.34
Database version: 1761
Windows 5.1.2600 Service Pack 3
2/14/2009 12:49:56 PM
mbam-log-2009-02-14 (12-49-42).txt
Scan type: Full Scan (C:\|)
Objects scanned: 233415
Time elapsed: 33 minute(s), 27 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{8906CF86-5B8F-469A-8BB8-94026E37EC53}\RP669\A0092695.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{8906CF86-5B8F-469A-8BB8-94026E37EC53}\RP669\A0092696.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{8906CF86-5B8F-469A-8BB8-94026E37EC53}\RP669\A0092704.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{8906CF86-5B8F-469A-8BB8-94026E37EC53}\RP669\A0092708.dll (Trojan.Vundo) -> No action taken.
That is it, and I will send the Kaspersky log when finished. It's been running for 40 minutes and is only 15% done.
Thanks,
John