blaqson

Members
Posts: 5
Reputation: 0 Neutral
  1. Runs fine now after your help! Afterwards I ran AVG antivirus and it found a couple of viruses and got rid of them successfully. Also the Malwarebytes scan showed everything was clean. My friend should be happy that her laptop is working again. Thanks so much for your help.
  2. ============================
     Here are the new logs

     ComboFix 09-08-10.03 - Virginia Arana 08/10/2009 22:32.1.1 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.211 [GMT -7:00]
     Running from: c:\documents and settings\Virginia Arana\Desktop\ComboFix.exe
     WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\recycler\MPROTECT
     c:\windows\Install.txt
     c:\windows\system32\drivers\GEYEKRRUMUPIWI.SYS.del
     c:\windows\system32\geyekrabivhoor.dat
     c:\windows\system32\geyekrfxvakciq.dll
     c:\windows\system32\geyekrjxblxewi.dat
     c:\windows\system32\geyekrltqlhylb.dll
     c:\windows\system32\Install.txt
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Legacy_USBEWT

     ((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))))))))))))))))))))))
     .
     2009-08-10 01:12 . 2009-08-10 01:12 -------- d-----w- c:\program files\Trend Micro
     2009-08-07 05:21 . 2009-08-07 05:21 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
     2009-08-07 05:21 . 2009-08-07 05:21 -------- d-----w- c:\documents and settings\Virginia Arana\log
     2009-08-07 04:32 . 2009-08-07 04:32 -------- d-----w- c:\program files\Greatis
     2009-08-06 06:57 . 2009-08-06 07:02 -------- d-----w- C:\RootkitNO
     2009-08-06 06:46 . 2009-08-06 06:46 -------- d-----w- c:\documents and settings\Virginia Arana\Local Settings\Application Data\Help
     2009-08-06 05:39 . 2009-08-10 02:01 2 --shatr- c:\windows\winstart.bat
     2009-08-06 05:39 . 2009-08-11 05:22 -------- d-----w- c:\program files\UnHackMe
     2009-08-06 04:55 . 2009-08-06 04:36 554352 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
     2009-08-06 04:36 . 2009-08-06 04:36 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\scxpx86.dll
     2009-08-06 04:26 . 2009-08-06 04:26 -------- d-----w- c:\program files\NortonInstaller
     2009-08-06 04:26 . 2009-08-06 04:26 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
     2009-08-06 04:17 . 2009-08-06 04:25 -------- d-----w- c:\documents and settings\Virginia Arana\Application Data\GetRightToGo
     2009-08-03 04:51 . 2009-08-08 18:20 -------- d-----w- c:\program files\Sophos
     2009-08-03 04:25 . 2009-08-03 04:25 -------- d-----w- c:\documents and settings\Virginia Arana\Application Data\TrojanHunter
     2009-08-03 04:14 . 2009-08-06 04:13 -------- d-----w- c:\program files\TrojanHunter 5.1
     2009-08-02 22:45 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-08-02 22:45 . 2009-08-02 22:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-08-02 22:45 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-08-02 22:25 . 2009-08-02 22:25 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
     2009-08-02 22:18 . 2009-08-02 22:18 -------- d-sh--w- c:\documents and settings\Virginia Arana\IECompatCache
     2009-08-02 22:16 . 2009-08-02 22:16 -------- d-sh--w- c:\documents and settings\Virginia Arana\IETldCache
     2009-08-02 21:20 . 2009-08-02 21:21 -------- dc-h--w- c:\windows\ie8
     2009-08-02 21:11 . 2009-08-02 21:11 -------- d-----w- C:\a8ad2203dd5d8c71bc
     2009-08-02 02:53 . 2009-08-06 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
     2009-08-02 00:53 . 2009-08-02 00:53 -------- d-----w- c:\program files\CCleaner
     2009-08-01 20:10 . 2009-08-01 20:10 -------- d-----w- c:\documents and settings\Virginia Arana\Application Data\Malwarebytes
     2009-08-01 20:10 . 2009-08-01 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-08-01 02:56 . 2009-08-06 04:12 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
     2009-07-19 07:20 . 2009-07-19 07:20 18262 ----a-w- c:\documents and settings\Virginia Arana\Application Data\edal.sys
     2009-07-19 07:20 . 2009-07-19 07:20 17170 ----a-w- c:\windows\dopih.reg
     2009-07-19 07:20 . 2009-07-19 07:20 13897 ----a-w- c:\documents and settings\All Users\Application Data\imesir.dll
     2009-07-19 07:20 . 2009-07-19 07:20 11419 ----a-w- c:\documents and settings\Virginia Arana\Local Settings\Application Data\exylesim.bin
     2009-07-19 07:20 . 2009-07-19 07:20 19434 ----a-w- c:\windows\ynygydas.vbs
     2009-07-19 07:20 . 2009-07-19 07:20 12894 ----a-w- c:\windows\aqafegirug.bat
     2009-07-19 07:20 . 2009-07-19 07:20 11344 ----a-w- c:\windows\system32\ogihilid.com
     2009-07-19 07:20 . 2009-07-19 07:20 18601 ----a-w- c:\windows\olapabo.sys
     2009-07-19 07:20 . 2009-07-19 07:20 18527 ----a-w- c:\documents and settings\Virginia Arana\Local Settings\Application Data\eqalah.dll
     2009-07-19 07:20 . 2009-07-19 07:20 15133 ----a-w- c:\windows\system32\anet.pif
     2009-07-19 07:20 . 2009-07-19 07:20 14160 ----a-w- c:\windows\doqyfapuv.dll
     2009-07-19 07:20 . 2009-07-19 07:20 11421 ----a-w- c:\documents and settings\All Users\Application Data\ypyhynaqoq.bat
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-08-06 04:55 . 2009-08-06 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
     2009-08-06 04:36 . 2009-08-06 04:36 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090206.001\Scxpx86.dll
     2009-08-06 04:36 . 2009-08-06 04:36 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
     2009-08-06 04:36 . 2009-08-06 04:36 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090226.034\NAVENG32.DLL
     2009-08-06 04:36 . 2009-08-06 04:36 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090226.034\NAVEX32A.DLL
     2009-08-06 04:36 . 2009-08-06 04:36 447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\idsxpx86.dll
     2009-08-06 04:36 . 2009-08-06 04:36 447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090206.001\IDSxpx86.dll
     2009-08-06 04:36 . 2009-08-06 04:36 259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090226.034\ECMSVR32.DLL
     2009-08-06 04:36 . 2009-08-06 04:36 796016 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
     2009-08-06 04:36 . 2009-08-06 04:36 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090226.034\CCERASER.DLL
     2009-08-06 04:36 . 2009-08-06 04:36 -------- d-----w- c:\program files\Norton 360
     2009-08-06 04:36 . 2009-08-06 04:36 -------- d-----w- c:\program files\Windows Sidebar
     2009-08-06 04:36 . 2005-03-09 23:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
     2009-07-19 07:20 . 2009-07-19 07:20 16814 ----a-w- c:\program files\Common Files\ofajyseti.inf
     2009-07-16 21:42 . 2006-10-28 20:42 -------- d-----w- c:\documents and settings\Virginia Arana\Application Data\StarOffice8
     2009-07-08 04:27 . 2009-07-08 04:26 -------- d-----w- c:\program files\iTunes
     2009-07-08 04:26 . 2009-07-08 04:26 -------- d-----w- c:\program files\iPod
     2009-07-08 04:26 . 2008-04-28 18:49 -------- d-----w- c:\program files\Common Files\Apple
     2009-07-08 04:21 . 2009-07-08 04:20 -------- d-----w- c:\program files\QuickTime
     2009-07-08 04:12 . 2009-07-08 04:12 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
     2009-06-16 14:55 . 2001-08-23 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
     2009-06-16 14:55 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
     2009-06-03 19:27 . 2001-08-23 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Apoint"="c:\program files\Apoint\Apoint.exe" [2003-06-13 114688]
     "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-02-18 294912]
     "tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]
     "ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-05 28672]

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
     @="FSFilter Activity Monitor"

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "5900:TCP"= 5900:TCP:VNC
     "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

     R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys [8/5/2009 9:37 PM 310320]
     R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.087\BHDrvx86.sys [8/5/2009 9:37 PM 258608]
     R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.087\cchpx86.sys [8/5/2009 9:37 PM 482352]
     R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090206.001\IDSxpx86.sys [8/5/2009 9:37 PM 276344]
     R2 agnwifi;AT&T Wi-Fi Support Driver;c:\windows\system32\drivers\agnwifi.sys [2/15/2005 9:15 AM 19328]
     R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [8/5/2009 9:37 PM 115560]
     R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/5/2009 9:37 PM 101936]
     R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [3/9/2005 6:32 AM 37040]
     S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
     S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
     S2 mfzfhnedg;mfzfhnedg;\??\c:\windows\system32\drivers\vslzc.sys --> c:\windows\system32\drivers\vslzc.sys [?]
     S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
     S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
     S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

     [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
     "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
     .
     Contents of the 'Scheduled Tasks' folder

     2009-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com
     mWindow Title = Microsoft Internet Explorer presented by Comcast
     uInternet Settings,ProxyServer = webcache.sfbay.sun.com:8080
     uInternet Settings,ProxyOverride = <local>;*.local
     IE: &Search
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-08-10 22:41
     Windows 5.1.2600 Service Pack 2 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************

     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
     "ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.135\diMaster.dll\" /prefetch:1"

     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
     "ImagePath"="\??\c:\windows\system32\3.tmp"
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
     "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

     [HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
     @Denied: (2) (Administrators)
     "Policy"=hex:00,00,00,00
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'explorer.exe'(2408)
     c:\windows\system32\webcheck.dll
     c:\windows\system32\IEFRAME.dll
     c:\windows\system32\msls31.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     c:\windows\system32\ati2evxx.exe
     c:\program files\Bonjour\mDNSResponder.exe
     c:\program files\Cisco Systems\VPN Client\cvpnd.exe
     c:\progra~1\SYMANT~1\DefWatch.exe
     c:\progra~1\AT&TGL~1\NetCfgSv.EXE
     c:\progra~1\SYMANT~1\Rtvscan.exe
     c:\program files\RealVNC\VNC4\WinVNC4.exe
     c:\program files\Apoint\ApntEx.exe
     .
     **************************************************************************
     .
     Completion time: 2009-08-11 22:45 - machine was rebooted
     ComboFix-quarantined-files.txt 2009-08-11 05:45

     Pre-Run: 35,331,944,448 bytes free
     Post-Run: 35,264,712,704 bytes free

     191 --- E O F --- 2009-08-02 02:44

     +++++++++++++++++++++++++++

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 10:53:21 PM, on 8/10/2009
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v8.00 (8.00.6001.18702)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\WINDOWS\System32\Ati2evxx.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
     C:\PROGRA~1\SYMANT~1\DefWatch.exe
     C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
     C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
     C:\PROGRA~1\SYMANT~1\Rtvscan.exe
     C:\Program Files\RealVNC\VNC4\WinVNC4.exe
     C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Apoint\Apoint.exe
     C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
     C:\Program Files\Support.com\bin\tgcmd.exe
     C:\Program Files\Apoint\Apntex.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\WINDOWS\explorer.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.sfbay.sun.com:8080
     O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
     O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
     O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL
     O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
     O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
     O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
     O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
     O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110410772755
     O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
     O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
     O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
     O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
     O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
     O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
     O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
     O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe
     O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

     --
     End of file - 4788 bytes
  3. Hi, thx for the quick response! Here are the requested additional logs. I pasted the file attach.txt AND included it as a zip attachment - the documentation was conflicting.
     ===================================

     DDS (Ver_09-07-30.01) - NTFSx86
     Run by Virginia Arana at 19:44:54.02 on Sun 08/09/2009
     Internet Explorer: 8.0.6001.18702
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.189 [GMT -7:00]

     ============== Running Processes ===============

     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     svchost.exe
     svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     svchost.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\WINDOWS\System32\Ati2evxx.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
     C:\PROGRA~1\SYMANT~1\DefWatch.exe
     C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
     C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
     C:\PROGRA~1\SYMANT~1\Rtvscan.exe
     C:\Program Files\RealVNC\VNC4\WinVNC4.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
     C:\Program Files\Apoint\Apoint.exe
     C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\Program Files\Apoint\Apntex.exe
     C:\Documents and Settings\Virginia Arana\Desktop\dds.scr

     ============== Pseudo HJT Report ===============

     uStart Page = hxxp://www.google.com
     uSearch Page = hxxp://www.google.com
     uWindow Title = Microsoft Internet Explorer presented by Comcast
     uSearch Bar = hxxp://www.google.com/ie
     mWindow Title = Microsoft Internet Explorer presented by Comcast
     uInternet Settings,ProxyServer = webcache.sfbay.sun.com:8080
     uInternet Settings,ProxyOverride = <local>;*.local
     mSearchAssistant = hxxp://www.google.com
     BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
     BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll
     BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.0.0.135\IPSBHO.DLL
     TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll
     EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
     uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
     mRun: [Apoint] c:\program files\apoint\Apoint.exe
     mRun: [ATIModeChange] Ati2mdxx.exe
     mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
     mRun: [tgcmd] c:\program files\support.com\bin\tgcmd.exe /server /startmonitor /deaf
     IE: &Search
     IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
     DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110410772755
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
     DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
     DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
     Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.0.0.135\CoIEPlg.dll
     Notify: NavLogon - c:\windows\system32\NavLogon.dll
     AppInit_DLLs: c:\docume~1\virgin~1\locals~1\temp\01911kou.dll

     ============= SERVICES / DRIVERS ===============

     R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0300000.087\SymEFA.sys [2009-8-5 310320]
     R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0300000.087\BHDrvx86.sys [2009-8-5 258608]
     R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0300000.087\cchpx86.sys [2009-8-5 482352]
     R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090206.001\IDSxpx86.sys [2009-8-5 276344]
     R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-3-9 272832]
     R2 agnwifi;AT&T Wi-Fi Support Driver;c:\windows\system32\drivers\agnwifi.sys [2005-2-15 19328]
     R2 N360;Norton 360;c:\program files\norton 360\engine\3.0.0.135\ccSvcHst.exe [2009-8-5 115560]
     R2 NAVAPEL;NAVAPEL;c:\program files\symantec_antivirus_client_v8_1_0_825\Navapel.sys [2003-5-2 30208]
     R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\Rtvscan.exe [2003-5-21 610304]
     R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-5 101936]
     R3 NAVAP;NAVAP;c:\progra~1\symant~1\NAVAP.sys [2003-5-2 224256]
     R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090801.003\NAVENG.sys [2009-8-1 87888]
     R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090801.003\NAVEX15.sys [2009-8-1 875728]
     R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2005-3-9 37040]
     S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-8-9 34760]
     S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
     S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
     S2 mfzfhnedg;mfzfhnedg;\??\c:\windows\system32\drivers\vslzc.sys --> c:\windows\system32\drivers\vslzc.sys [?]
     S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
     S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
     S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

     =============== Created Last 30 ================

     2009-08-09 19:07 34,760 a------- c:\windows\system32\drivers\Partizan.sys
     2009-08-09 19:07 32,480 a------- c:\windows\system32\Partizan.exe
     2009-08-09 19:01 12,752 a------- c:\windows\system32\drivers\UnHackMeDrv.sys
     2009-08-09 18:12 <DIR> --d----- c:\program files\Trend Micro
     2009-08-06 22:21 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
     2009-08-06 22:21 <DIR> --d----- c:\documents and settings\virginia arana\log
     2009-08-06 21:32 57,556 a------- c:\windows\guard.bmp
     2009-08-06 21:32 <DIR> --d----- c:\program files\Greatis
     2009-08-06 00:02 123 a------- c:\windows\rootkitno.ini
     2009-08-05 23:57 <DIR> --d----- C:\RootkitNO
     2009-08-05 22:39 2 a--shrot c:\windows\winstart.bat
     2009-08-05 22:39 <DIR> --d----- c:\program files\UnHackMe
     2009-08-05 21:37 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
     2009-08-05 21:37 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
     2009-08-05 21:37 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
     2009-08-05 21:36 <DIR> --d----- c:\windows\system32\drivers\N360
     2009-08-05 21:36 <DIR> --d----- c:\program files\Norton 360
     2009-08-05 21:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
     2009-08-05 21:26 <DIR> --d----- c:\program files\NortonInstaller
     2009-08-05 21:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
     2009-08-05 21:17 <DIR> --d----- c:\docume~1\virgin~1\applic~1\GetRightToGo
     2009-08-02 21:51 <DIR> --d----- c:\program files\Sophos
     2009-08-02 21:27 66 a------- c:\windows\wininit.ini
     2009-08-02 21:25 <DIR> --d----- c:\docume~1\virgin~1\applic~1\TrojanHunter
     2009-08-02 21:14 <DIR> --d----- c:\program files\TrojanHunter 5.1
     2009-08-02 15:45 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-08-02 15:45 19,096 a------- c:\windows\system32\drivers\mbam.sys
     2009-08-02 15:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
     2009-08-02 15:18 <DIR> --dsh--- c:\documents and settings\virginia arana\IECompatCache
     2009-08-02 15:16 <DIR> --dsh--- c:\documents and settings\virginia arana\IETldCache
     2009-08-02 14:20 <DIR> -cd-h--- c:\windows\ie8
     2009-08-02 14:11 <DIR> --d----- C:\a8ad2203dd5d8c71bc
     2009-08-01 19:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
     2009-08-01 17:53 <DIR> --d----- c:\program files\CCleaner
     2009-08-01 13:10 <DIR> --d----- c:\docume~1\virgin~1\applic~1\Malwarebytes
     2009-08-01 13:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
     2009-07-31 20:16 <DIR> --d----- c:\windows\pss
     2009-07-19 00:51 91 a------- c:\windows\system32\geyekrabivhoor.dat
     2009-07-19 00:41 17,920 a------- c:\windows\system32\geyekrltqlhylb.dll
     2009-07-19 00:40 50,590 a------- c:\windows\system32\geyekrjxblxewi.dat
     2009-07-19 00:40 40,448 a------- c:\windows\system32\geyekrfxvakciq.dll
     2009-07-19 00:40 65,536 a------- c:\windows\system32\drivers\GEYEKRRUMUPIWI.SYS.del
     2009-07-19 00:20 18,262 a------- c:\docume~1\virgin~1\applic~1\edal.sys
     2009-07-19 00:20 17,170 a------- c:\windows\dopih.reg
     2009-07-19 00:20 14,148 a------- c:\windows\system32\acofaxikuc.db
     2009-07-19 00:20 13,897 a------- c:\docume~1\alluse~1\applic~1\imesir.dll
     2009-07-19 00:20 19,434 a------- c:\windows\ynygydas.vbs
     2009-07-19 00:20 12,894 a------- c:\windows\aqafegirug.bat
     2009-07-19 00:20 11,344 a------- c:\windows\system32\ogihilid.com
     2009-07-19 00:20 18,601 a------- c:\windows\olapabo.sys
     2009-07-19 00:20 18,094 a------- c:\windows\system32\oderotiq._sy
     2009-07-19 00:20 15,133 a------- c:\windows\system32\anet.pif
     2009-07-19 00:20 14,160 a------- c:\windows\doqyfapuv.dll
     2009-07-19 00:20 11,421 a------- c:\docume~1\alluse~1\applic~1\ypyhynaqoq.bat

     ==================== Find3M ====================

     2009-08-05 21:37 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
     2009-08-05 21:37 60,808 a------- c:\windows\system32\S32EVNT1.DLL
     2009-07-19 00:20 16,814 a------- c:\program files\common files\ofajyseti.inf
     2009-06-16 07:55 119,808 a------- c:\windows\system32\t2embed.dll
     2009-06-16 07:55 82,432 a------- c:\windows\system32\fontsub.dll
     2009-06-03 12:27 1,290,752 a------- c:\windows\system32\quartz.dll

     ============= FINISH: 19:45:53.16 ===============

     UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
     IF REQUESTED, ZIP IT UP & ATTACH IT

     DDS (Ver_09-07-30.01)

     Microsoft Windows XP Professional
     Boot Device: \Device\HarddiskVolume2
     Install Date: 3/9/2005 1:49:27 PM
     System Uptime: 8/9/2009 7:08:51 PM (0 hours ago)

     Processor: Intel® Pentium® M processor 1600MHz | N/A | 793/100mhz

     ==== Disk Partitions =========================

     C: is FIXED (NTFS) - 45 GiB total, 32.945 GiB free.
     D: is FIXED (NTFS) - 6 GiB total, 2.868 GiB free.
     E: is Removable
     F: is CDROM ()
     G: is Removable

     ==== Disabled Device Manager Items =============

     Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
     Description: Universal Serial Bus (USB) Controller
     Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_8140104D&REV_03\3&61AAA01&0&EF
     Manufacturer:
     Name: Universal Serial Bus (USB) Controller
     PNP Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_8140104D&REV_03\3&61AAA01&0&EF
     Service:

     Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
     Description: Cisco Systems VPN Adapter
     Device ID: ROOT\NET\0000
     Manufacturer: Cisco Systems
     Name: Cisco Systems VPN Adapter
     PNP Device ID: ROOT\NET\0000
     Service: CVirtA

     ==== System Restore Points ===================

     RP318: 7/19/2009 12:40:28 AM - System Checkpoint
     RP319: 7/19/2009 12:40:29 AM - System Checkpoint
     RP320: 7/19/2009 12:40:30 AM - System Checkpoint
     RP321: 7/19/2009 12:40:31 AM - System Checkpoint
     RP322: 7/19/2009 12:40:33 AM - System Checkpoint
     RP323: 7/19/2009 12:40:34 AM - System Checkpoint
     RP324: 7/19/2009 12:40:35 AM - System Checkpoint
     RP325: 7/19/2009 12:40:35 AM - System Checkpoint
     RP326: 7/19/2009 12:40:35 AM - System Checkpoint
     RP327: 7/19/2009 12:40:36 AM - System Checkpoint
     RP328: 7/19/2009 12:40:36 AM - System Checkpoint
     RP329: 7/19/2009 12:40:36 AM - System Checkpoint
     RP330: 7/19/2009 12:40:37 AM - System Checkpoint
     RP331: 7/19/2009 12:40:37 AM - System Checkpoint
     RP332: 7/19/2009 12:40:37 AM - Software Distribution Service 3.0
     RP333: 7/19/2009 12:40:37 AM - System Checkpoint
     RP334: 7/19/2009 12:40:38 AM - System Checkpoint
     RP335: 7/19/2009 12:40:38 AM - System Checkpoint
     RP336: 7/19/2009 12:40:38 AM - System Checkpoint
     RP337: 7/19/2009 12:40:40 AM - System Checkpoint
     RP338: 7/19/2009 12:40:41 AM - System Checkpoint
     RP339: 7/19/2009 12:40:42 AM - System Checkpoint
     RP340: 7/19/2009 12:40:43 AM - System Checkpoint
     RP341: 7/19/2009 12:40:43 AM - System Checkpoint
     RP342: 7/19/2009 12:40:44 AM - System Checkpoint
     RP343: 7/19/2009 12:40:45 AM - System Checkpoint
     RP344: 7/19/2009 12:40:46 AM - System Checkpoint
     RP345: 7/19/2009 12:40:46 AM - System Checkpoint
     RP346: 7/19/2009 12:40:47 AM - System Checkpoint
     RP347: 7/19/2009 12:40:48 AM - System Checkpoint
     RP348: 7/19/2009 12:40:49 AM - System Checkpoint
     RP349: 7/19/2009 12:40:49 AM - System Checkpoint
     RP350: 7/19/2009 12:40:49 AM - System Checkpoint
     RP351: 7/19/2009 12:40:50 AM - System Checkpoint
     RP352: 7/19/2009 12:40:50 AM - System Checkpoint
     RP353: 7/19/2009 12:40:50 AM - Software Distribution Service 3.0
     RP354: 7/19/2009 12:40:51 AM - System Checkpoint
     RP355: 7/19/2009 12:40:51 AM - System Checkpoint
     RP356: 7/19/2009 12:40:52 AM - System Checkpoint
     RP357: 7/19/2009 12:40:53 AM - System Checkpoint
     RP358: 7/19/2009 12:40:53 AM - System Checkpoint
     RP359: 7/19/2009 12:40:55 AM - System Checkpoint
     RP360: 7/19/2009 12:40:56 AM - System Checkpoint
     RP361: 7/19/2009 12:40:57 AM - System Checkpoint
     RP362: 7/19/2009 12:40:58 AM - System Checkpoint
     RP363: 7/19/2009 12:40:58 AM - System Checkpoint
     RP364: 7/19/2009 12:40:59 AM - System Checkpoint
     RP365: 7/19/2009 12:41:01 AM - System Checkpoint
     RP366: 7/19/2009 12:41:02 AM - System Checkpoint
     RP367: 7/19/2009 12:41:02 AM - System Checkpoint
     RP368: 7/19/2009 12:41:02 AM - System Checkpoint
     RP369: 7/19/2009 12:41:02 AM - System Checkpoint
     RP370: 7/19/2009 12:41:03 AM - System Checkpoint
     RP371: 7/19/2009 12:41:03 AM - System Checkpoint
     RP372: 7/19/2009 12:41:03 AM - System Checkpoint
     RP373: 7/19/2009 12:41:03 AM - System Checkpoint
     RP374: 7/19/2009 12:41:04 AM - System Checkpoint
     RP375: 7/19/2009 12:41:04 AM - System Checkpoint
     RP376: 7/19/2009 12:41:05 AM - System Checkpoint
     RP377: 7/19/2009 12:41:06 AM - System Checkpoint
     RP378: 7/19/2009 12:41:06 AM - Software Distribution Service 3.0
     RP379: 7/19/2009 12:41:06 AM - System Checkpoint
     RP380: 7/19/2009 12:41:06 AM - System Checkpoint
     RP381: 8/5/2009 11:36:40 PM - RegRun Virus Scan
     RP382: 8/5/2009 11:42:33 PM - RegRun Virus Scan
     RP383: 8/5/2009 11:43:53 PM - RegRun Virus Scan
     RP384: 8/5/2009 11:54:50 PM - RegRun Virus Scan
     RP385: 8/6/2009 12:02:09 AM - RegRun Virus Scan
     RP386: 8/9/2009 7:03:01 PM - RegRun Virus Scan
     RP387: 8/9/2009 7:03:43 PM - RegRun Virus Scan
     RP388: 8/9/2009 7:12:15 PM - RegRun Virus Scan

     ==== Installed Programs ======================

     Adabas D 13.01.00
     Adobe Download Manager 2.0 (Remove Only)
     Adobe Flash Player 10 ActiveX
     Adobe Reader 7.0.8
     Apple Mobile Device Support
     Apple Software Update
     AT&T Global Network Client
     ATI Control Panel
     ATI Display Driver
     ATI

     Attach.zip
  4. Malwarebytes Anti-Malware (MB) says str.sys (Rootkit.Agent) is found. I then instruct MB to fix/delete and reboot my laptop as instructed. After I reboot, I run MB again but str.sys is still there. I've repeated the above several times with the same result. I've posted the MB log and HijackThis logs below. Thanks

============================

Malwarebytes' Anti-Malware 1.39
Database version: 2547
Windows 5.1.2600 Service Pack 2

8/9/2009 6:25:00 PM
mbam-log-2009-08-09 (18-24-27).txt

Scan type: Quick Scan
Objects scanned: 80299
Time elapsed: 5 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\1.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\2.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> No action taken.

==============================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:12:54 PM, on 8/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\DefWatch.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\PROGRA~1\SYMANT~1\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.sfbay.sun.com:8080
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110410772755
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O20 - AppInit_DLLs: C:\DOCUME~1\VIRGIN~1\LOCALS~1\Temp\01911kou.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5035 bytes