Vundo, Antivirus Pro, PWS.ABD infections

Dell Optiplex 360 dt desktop computer (i...
April 28, 2010 at 09:10:29
Specs: Windows XP
Antivirus Pro 2010 keeps coming back after removing with AdAware and Malwarebytes. I downloaded StopZilla and it also found Vundo.A1, Vundo.A2, PWS.ABD. It was suggested that I update Java and run ComboFix and post a log. ComboFix log below. Any suggestions?

ComboFix 10-04-27.04 - ihernandez 04/28/2010 11:26:55.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.990.443 [GMT -4:00]
Running from: c:\documents and settings\ihernandez\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\0w5B6.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\recycler\S-1-5-21-1070368836-2334739207-2644606082-1007
c:\windows\wiaservim.log

----- BITS: Possible infected sites -----

hxxp://download.yimg.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACPI32
-------\Legacy_ATI64SI
-------\Legacy_I386SI
-------\Legacy_KSI32SK
-------\Legacy_NETSIK
-------\Legacy_NICSK32
-------\Legacy_PORT135SIK
-------\Legacy_SYSTEMNTMI
-------\Legacy_WS2_32SIK


((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-28 )))))))))))))))))))))))))))))))
.

2010-04-28 15:21 . 2010-04-28 15:21 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2010-04-28 15:13 . 2010-04-28 15:13 503808 ----a-w- c:\documents and settings\ihernandez\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-40398fbe-n\msvcp71.dll
2010-04-28 15:13 . 2010-04-28 15:13 499712 ----a-w- c:\documents and settings\ihernandez\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-40398fbe-n\jmc.dll
2010-04-28 15:13 . 2010-04-28 15:13 348160 ----a-w- c:\documents and settings\ihernandez\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-40398fbe-n\msvcr71.dll
2010-04-28 15:13 . 2010-04-28 15:13 61440 ----a-w- c:\documents and settings\ihernandez\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-62363716-n\decora-sse.dll
2010-04-28 15:13 . 2010-04-28 15:13 12800 ----a-w- c:\documents and settings\ihernandez\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-62363716-n\decora-d3d.dll
2010-04-28 15:13 . 2010-04-28 15:13 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-28 14:20 . 2010-04-28 14:20 262144 ----a-w- c:\documents and settings\ntuser.dat
2010-04-28 14:03 . 2010-04-28 14:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-04-28 14:02 . 2010-04-28 14:02 -------- d-----w- c:\program files\STOPzilla!
2010-04-28 14:02 . 2010-04-28 14:02 -------- d-----w- c:\program files\Common Files\iS3
2010-04-28 14:02 . 2010-04-28 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-04-27 19:27 . 2010-04-27 19:27 -------- d-----w- c:\program files\Trend Micro
2010-04-26 19:01 . 2010-04-26 19:01 0 ----a-w- c:\windows\nsreg.dat
2010-04-26 19:00 . 2010-04-26 19:00 -------- d-----w- c:\documents and settings\ihernandez\Local Settings\Application Data\Mozilla
2010-04-26 16:02 . 2010-04-26 16:02 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-04-26 16:02 . 2010-04-26 16:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-04-26 15:47 . 2010-04-26 12:16 37384 ----a-w- c:\documents and settings\ihernandez\0w5B6.com
2010-04-26 13:14 . 2010-04-26 12:16 37384 ----a-w- c:\windows\system32\config\systemprofile\0w5B6.com
2010-04-26 12:20 . 2010-04-26 12:16 37384 ----a-w- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe
2010-04-26 12:18 . 2010-04-26 12:16 37384 ----a-w- c:\windows\system32\0w5B6.com
2010-04-23 17:22 . 2010-04-23 17:22 -------- d-----w- c:\documents and settings\ihernandez\Local Settings\Application Data\AOL
2010-04-23 17:22 . 2010-04-23 17:22 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-04-23 17:22 . 2010-04-26 15:50 -------- d-----w- c:\program files\Common Files\AOL
2010-04-22 16:20 . 2010-04-22 16:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-20 12:34 . 2010-04-20 12:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-20 12:34 . 2010-04-20 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-20 12:34 . 2010-04-20 12:34 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-20 12:33 . 2010-04-22 16:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-13 14:19 . 2010-04-13 14:19 -------- d--h--w- c:\windows\PIF
2010-04-12 18:05 . 2010-04-12 18:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-08 20:49 . 2010-04-08 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg7
2010-04-08 18:12 . 2010-04-08 18:12 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-08 17:31 . 2010-04-08 17:31 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-08 17:18 . 2010-04-26 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-08 14:33 . 2010-04-26 18:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-08 14:33 . 2010-04-26 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-08 12:59 . 2010-04-08 13:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-07 20:16 . 2010-04-07 20:16 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-28 15:39 . 2010-04-28 15:37 1576 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-04-28 15:38 . 2010-04-28 15:38 336 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-04-28 15:13 . 2007-09-12 04:05 -------- d-----w- c:\program files\Common Files\Java
2010-04-28 15:13 . 2007-09-12 04:05 -------- d-----w- c:\program files\Java
2010-04-28 14:38 . 2009-10-16 00:30 -------- d-----w- c:\program files\Advanced Monitoring Agent
2010-04-28 13:53 . 2010-04-26 12:16 112 ----a-w- c:\documents and settings\All Users\Application Data\Rw6f5kL.dat
2010-04-28 13:49 . 2007-09-12 04:11 -------- d-----w- c:\program files\BAE
2010-04-28 12:14 . 2009-08-20 14:13 -------- d-----w- c:\program files\QuickTime
2010-04-26 12:16 . 2010-04-23 16:37 37384 ----a-w- c:\windows\Fonts\0w5B6.com
2010-04-26 12:16 . 2007-09-12 04:12 -------- d-----w- c:\program files\Dell Support
2010-04-15 12:47 . 2004-08-04 03:07 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-04-08 20:56 . 2007-10-03 15:24 -------- d-----w- c:\program files\WebEx
2010-04-07 20:16 . 2009-04-21 17:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 04:46 . 2009-04-21 17:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-04-21 17:46 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-05 22:16 . 2010-03-05 22:16 17408 ----a-r- c:\windows\system32\SZIO5.dll
2010-03-05 22:14 . 2010-03-05 22:14 442368 ----a-r- c:\windows\system32\SZBase5.dll
2010-03-05 22:13 . 2010-03-05 22:13 540672 ----a-r- c:\windows\system32\SZComp5.dll
2010-02-24 19:06 . 2010-02-24 19:06 173328 ----a-r- c:\windows\system32\drivers\SZKGFS.sys
2010-01-29 16:52 . 2010-01-29 16:52 60744 ----a-w- c:\documents and settings\ihernandez\g2mdlhlpx.exe
.

c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Analog Devices\Core\smax4pnp .exe
c:\program files\ATI Technologies\ATI.ACE\CLIStart .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM               .exe
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM              .exe
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM             .exe
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM          .exe
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM         .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv .exe
c:\program files\Dell Support\DSAgnt .exe
c:\program files\QuickTime\qttask                   .exe
c:\program files\QuickTime\qttask                  .exe
c:\program files\QuickTime\qttask                 .exe
c:\program files\QuickTime\qttask                .exe
c:\program files\QuickTime\qttask               .exe
c:\program files\QuickTime\qttask              .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\QuickTime\qttask           .exe
c:\program files\QuickTime\qttask          .exe
c:\program files\Roxio\Drag-to-Disc\DrgToDsc .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
c:\program files\Yahoo!\Messenger\YahooMessenger .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-23 37380]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-04-28 37388]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3179187369-3881194636-2813756038-1166\Scripts\Logon\0\0]
"Script"=SRTDrive.bat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
dpvsoute REG_SZ c:\windows\system32\bootuery.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [9/11/2007 11:50 PM 3456]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [12/7/2009 5:59 PM 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2/24/2010 3:06 PM 173328]
R2 Advanced Monitoring Agent;Advanced Monitoring Agent;c:\program files\Advanced Monitoring Agent\winagent.exe [10/15/2009 8:30 PM 1671168]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [12/7/2009 5:59 PM 61328]
.
Contents of the 'Scheduled Tasks' folder

2010-02-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-23 c:\windows\Tasks\At1.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-28 c:\windows\Tasks\At10.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-28 c:\windows\Tasks\At11.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-28 c:\windows\Tasks\At12.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-26 c:\windows\Tasks\At121.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At122.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At123.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At124.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At125.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At126.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At127.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At128.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-28 c:\windows\Tasks\At129.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At13.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-28 c:\windows\Tasks\At130.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-28 c:\windows\Tasks\At131.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-28 c:\windows\Tasks\At132.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At133.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At134.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At135.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At136.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At137.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At138.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At139.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At14.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-26 c:\windows\Tasks\At140.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At141.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At142.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At143.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At144.job
- c:\windows\system32\config\systemprofile\0w5B6.com [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At15.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-27 c:\windows\Tasks\At16.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-26 c:\windows\Tasks\At169.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At17.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-26 c:\windows\Tasks\At170.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At171.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At172.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At173.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At174.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At175.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At176.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-28 c:\windows\Tasks\At177.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-28 c:\windows\Tasks\At178.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-28 c:\windows\Tasks\At179.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At18.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-28 c:\windows\Tasks\At180.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At181.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At182.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At183.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At184.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At185.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At186.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At187.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At188.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At189.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-23 c:\windows\Tasks\At19.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-26 c:\windows\Tasks\At190.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At191.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At192.job
- c:\documents and settings\ihernandez\0w5B6.com [2010-04-26 12:16]

2010-04-23 c:\windows\Tasks\At2.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-23 c:\windows\Tasks\At20.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-23 c:\windows\Tasks\At21.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-23 c:\windows\Tasks\At22.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-23 c:\windows\Tasks\At23.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-23 c:\windows\Tasks\At24.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-26 c:\windows\Tasks\At25.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At26.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At27.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At28.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At29.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-23 c:\windows\Tasks\At3.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-26 c:\windows\Tasks\At30.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At31.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At32.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-28 c:\windows\Tasks\At33.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-28 c:\windows\Tasks\At34.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-28 c:\windows\Tasks\At35.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-28 c:\windows\Tasks\At36.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At37.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At38.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At39.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-23 c:\windows\Tasks\At4.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-27 c:\windows\Tasks\At40.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At41.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At42.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At43.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At44.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At45.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At46.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At47.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At48.job
- c:\windows\system32\0w5B6.com [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At49.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-23 c:\windows\Tasks\At5.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-26 c:\windows\Tasks\At50.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At51.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At52.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At53.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At54.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At55.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At56.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-28 c:\windows\Tasks\At57.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-28 c:\windows\Tasks\At58.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-28 c:\windows\Tasks\At59.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-23 c:\windows\Tasks\At6.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-28 c:\windows\Tasks\At60.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At61.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At62.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At63.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At64.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-27 c:\windows\Tasks\At65.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At66.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At67.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At68.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At69.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-23 c:\windows\Tasks\At7.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-26 c:\windows\Tasks\At70.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At71.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-26 c:\windows\Tasks\At72.job
- c:\documents and settings\ihernandez\Local Settings\Application Data\0w5B6.exe [2010-04-26 12:16]

2010-04-23 c:\windows\Tasks\At8.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]

2010-04-28 c:\windows\Tasks\At9.job
- c:\windows\Fonts\0w5B6.com [2010-04-23 12:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: meetingbroker.com
TCP: {D04A8D00-BC5E-4F4F-8626-AC29A992C02B} = 192.168.0.12
FF - ProfilePath - c:\documents and settings\ihernandez\Application Data\Mozilla\Firefox\Profiles\kqesd7g1.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-28 11:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85E2EAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7558fc3
\Driver\ACPI -> ACPI.sys @ 0xf73a2cb8
\Driver\atapi -> atapi.sys @ 0xf73347b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,63,fc,08,e1,5e,d1,9f,49,be,a4,0a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,63,fc,08,e1,5e,d1,9f,49,be,a4,0a,\

[HKEY_USERS\S-1-5-21-3179187369-3881194636-2813756038-1166\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1949236A-604A-8A3D-3B23-B27EEA309329}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iafhefgocjfgbnbgpg"=hex:6b,61,65,6f,67,64,62,67,6d,6b,65,6f,67,65,65,6d,70,67,
6f,63,64,66,00,00
"hapgkpnbjngcapmo"=hex:6b,61,62,6f,70,63,63,68,6f,6c,62,63,6c,64,6a,64,65,6d,
61,6a,62,68,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(752)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3684)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\iS3\Anti-Spyware\SZServer.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Java\Java Update\jusched .exe
.
**************************************************************************
.
Completion time: 2010-04-28 11:48:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-28 15:48

Pre-Run: 60,562,259,968 bytes free
Post-Run: 61,860,671,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 085BC82F345ABB811199ECEF18650368



#1
April 28, 2010 at 09:17:45
Incidentally, I also ran a HijackThis log and have posted it here in case you find that useful:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:26 PM, on 4/28/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Advanced Monitoring Agent\winagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched .exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070912
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://newmarketinc.webex.com/client/T23L/ra/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sheratonriverwalkhotel.local
O17 - HKLM\Software\..\Telephony: DomainName = sheratonriverwalkhotel.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{D04A8D00-BC5E-4F4F-8626-AC29A992C02B}: NameServer = 192.168.0.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sheratonriverwalkhotel.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = sheratonriverwalkhotel.local
O23 - Service: Advanced Monitoring Agent - Remote Monitoring - C:\Program Files\Advanced Monitoring Agent\winagent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 4391 bytes

