Posts posted by Rackman

  1. Rooter.exe (v1.0.2) by Eric_71

    .

    SeDebugPrivilege granted successfully ...

    .

    Windows XP . (5.1.2600) Service Pack 3

    [32_bits] - x86 Family 6 Model 15 Stepping 11, GenuineIntel

    .

    [wscsvc] (Security Center) RUNNING (state:4)

    [SharedAccess] RUNNING (state:4)

    Windows Firewall -> Disabled !

    .

    Internet Explorer 8.0.6001.18702

    Mozilla Firefox 3.5.5 (en-US)

    .

    A:\ [Removable]

    C:\ [Fixed-NTFS] .. ( Total:138 Go - Free:33 Go )

    D:\ [Fixed-NTFS] .. ( Total:279 Go - Free:38 Go )

    E:\ [CD_Rom]

    .

    Scan : 21:07.42

    Path : C:\Documents and Settings\swr\Desktop\HJT\Rooter.exe

    User : swr ( Administrator -> YES )

    .

    ----------------------\\ Processes

    .

    Locked [System Process] (0)

    ______ System (4)

    ______ \SystemRoot\System32\smss.exe (764)

    ______ \??\C:\WINDOWS\system32\csrss.exe (1260)

    ______ \??\C:\WINDOWS\system32\winlogon.exe (1284)

    ______ C:\WINDOWS\system32\services.exe (1328)

    ______ C:\WINDOWS\system32\lsass.exe (1340)

    ______ C:\WINDOWS\system32\svchost.exe (1508)

    ______ C:\WINDOWS\system32\svchost.exe (1588)

    ______ C:\WINDOWS\System32\svchost.exe (1784)

    ______ C:\WINDOWS\system32\svchost.exe (340)

    ______ C:\WINDOWS\system32\svchost.exe (432)

    ______ C:\WINDOWS\system32\spoolsv.exe (592)

    ______ C:\WINDOWS\Explorer.EXE (984)

    ______ C:\Program Files\Scansoft\PaperPort\pptd40nt.exe (1132)

    ______ C:\WINDOWS\system32\taskswitch.exe (1168)

    ______ C:\Program Files\Analog Devices\Core\smax4pnp.exe (1184)

    ______ C:\WINDOWS\system32\RUNDLL32.EXE (1224)

    ______ C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (1228)

    ______ C:\Program Files\Common Files\Java\Java Update\jusched.exe (1244)

    ______ C:\WINDOWS\system32\svchost.exe (1768)

    ______ C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (1840)

    ______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (1860)

    ______ C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE (1884)

    ______ C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe (1936)

    ______ C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (1960)

    ______ C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe (1996)

    ______ C:\WINDOWS\system32\nvsvc32.exe (272)

    ______ C:\Program Files\Raxco\PerfectDisk2008\PDAgent.exe (416)

    ______ C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe (2260)

    ______ C:\Program Files\CyberLink\Shared Files\RichVideo.exe (2552)

    ______ C:\WINDOWS\system32\svchost.exe (3020)

    ______ C:\WINDOWS\System32\alg.exe (368)

    ______ C:\Program Files\Raxco\PerfectDisk2008\PDAgentS1.exe (3104)

    ______ C:\Documents and Settings\swr\Desktop\HJT\Rooter.exe (2468)

    .

    ----------------------\\ Device\Harddisk0\

    .

    \Device\Harddisk0 [sectors : 63 x 512 Bytes]

    .

    \Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:148696579584)

    .

    ----------------------\\ Scheduled Tasks

    .

    C:\WINDOWS\Tasks\desktop.ini

    C:\WINDOWS\Tasks\SA.DAT

    .

    ----------------------\\ Registry

    .

    .

    ----------------------\\ Files & Folders

    .

    ----------------------\\ Scan completed at 21:07.46

    .

    C:\Rooter$\Rooter_1.txt - (23/06/2010 | 21:07.46)

  2. Malwarebytes' Anti-Malware 1.46

    www.malwarebytes.org

    Database version: 4224

    Windows 5.1.2600 Service Pack 3

    Internet Explorer 8.0.6001.18702

    6/22/2010 8:19:14 AM

    mbam-log-2010-06-22 (08-19-14).txt

    Scan type: Quick scan

    Objects scanned: 149772

    Time elapsed: 5 minute(s), 15 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

    MBAM did not detect any of the items found by Kaspersky.

    I had detected a possible issue with MagicDVDripper in the past and contacted them. Here is their reply.

    I'm so sorry for this inconvenience. We can guarantee our program is 100% clean. It may be that the ripper uses some resource when running that the anti-spy software focuses on. Now please use the following way to try again:

    1) close our program Magic DVD Ripper

    2) add the ripper to the white list of the anti-spy software

    3) launch the program again, let us know the result.

    Best regards,

    Sam - Customer service representative

    Magic DVD Software (http://www.magicdvdripper.com)

    The fresh download showed the same test results.

  3. Java has been updated. Here is the log.

    --------------------------------------------------------------------------------

    KASPERSKY ONLINE SCANNER 7.0: scan report

    Tuesday, June 22, 2010

    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    Kaspersky Online Scanner version: 7.0.26.13

    Last database update: Monday, June 21, 2010 17:44:44

    Records in database: 4306235

    --------------------------------------------------------------------------------

    Scan settings:

    scan using the following database: extended

    Scan archives: yes

    Scan e-mail databases: yes

    Scan area - My Computer:

    A:\

    C:\

    D:\

    E:\

    F:\

    Scan statistics:

    Objects scanned: 270715

    Threats found: 4

    Infected objects found: 9

    Suspicious objects found: 0

    Scan duration: 05:24:50

    File name / Threat / Threats count

    C:\Documents and Settings\swr\DoctorWeb\Quarantine\6d1d8a0e-4f6ce360 Infected: Trojan-Downloader.Java.Agent.ak 1

    C:\Program Files\MagicDVDRipper\MagicDVDRipper.bad Infected: Trojan.Win32.Cosmu.mjj 1

    C:\Program Files\MagicDVDRipper\MagicDVDRipper.exe Infected: Trojan.Win32.Cosmu.mjj 1

    C:\Program Files\Scansoft\PaperPort\Visioneer.exe Infected: Backdoor.Win32.Rbot.akpt 1

    C:\swr\4 gb thumb drive encr bu\8100.exe Infected: Backdoor.Win32.Rbot.akpt 1

    C:\swr\MagicDVD Ripper\MagicDVDRipper432.exe Infected: Trojan.Win32.Cosmu.yhk 1

    C:\swr\MagicDVD Ripper\MagicDVDRipper521.exe Infected: Trojan.Win32.Cosmu.mjj 1

    C:\swr\Malware\MagicDVDRipper.exe Infected: Trojan.Win32.Cosmu.mjj 1

    D:\Data traveler bu\8100.exe Infected: Backdoor.Win32.Rbot.akpt 1

    Selected area has been scanned.

  4. Here are the log files:

    Malwarebytes' Anti-Malware 1.46

    www.malwarebytes.org

    Database version: 4208

    Windows 5.1.2600 Service Pack 3

    Internet Explorer 8.0.6001.18702

    6/17/2010 6:54:39 AM

    mbam-log-2010-06-17 (06-54-39).txt

    Scan type: Quick scan

    Objects scanned: 144027

    Time elapsed: 5 minute(s), 29 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

    {DDE19280-9D20-40A9-9954-7095B86018F6}.qbd\data001;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\QBackup\{BA1E01D7-726;Trojan.Loader.553;;

    {DDE19280-9D20-40A9-9954-7095B86018F6}.qbd;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\QBackup\{BA1E01D7-726;Container contains infected objects;Moved.;

    {71A531FD-B483-4085-A686-9C5E91087CDD}.qbd\data001;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\QBackup\{E93D7502-BB3;Trojan.Fakealert.15118;;

    {71A531FD-B483-4085-A686-9C5E91087CDD}.qbd;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\QBackup\{E93D7502-BB3;Container contains infected objects;Moved.;

    RegUBP2b-swr.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;

    tcpip.sys.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers;BackDoor.Tdss.2459;Cured.;

    A0010351.ocx;C:\System Volume Information\_restore{0BB774D2-63FA-4136-8A31-36D5B66C7E00}\RP56;Adware.Coupons.34;Incurable.Moved.;

    A0010371.reg;C:\System Volume Information\_restore{0BB774D2-63FA-4136-8A31-36D5B66C7E00}\RP56;Trojan.StartPage.1505;Deleted.;

    A0010372.exe;C:\System Volume Information\_restore{0BB774D2-63FA-4136-8A31-36D5B66C7E00}\RP56;Trojan.Fakealert.11681;Incurable.Moved.;

    A0010373.exe;C:\System Volume Information\_restore{0BB774D2-63FA-4136-8A31-36D5B66C7E00}\RP56;Trojan.Fakealert.11681;Incurable.Moved.;

    CouponPrinter.ocx;C:\WINDOWS;Adware.Coupons.34;Incurable.Moved.;

    A0010374.exe\data273;D:\System Volume Information\_restore{0BB774D2-63FA-4136-8A31-36D5B66C7E00}\RP56\A0010374.exe;Program.SrvAny;;

    A0010374.exe\data278;D:\System Volume Information\_restore{0BB774D2-63FA-4136-8A31-36D5B66C7E00}\RP56\A0010374.exe;Tool.InstSrv;;

    A0010374.exe\data295;D:\System Volume Information\_restore{0BB774D2-63FA-4136-8A31-36D5B66C7E00}\RP56\A0010374.exe;Program.SrvAny;;

    A0010374.exe;D:\System Volume Information\_restore{0BB774D2-63FA-4136-8A31-36D5B66C7E00}\RP56;Container contains infected objects;Moved.;

    A0010375.exe;D:\System Volume Information\_restore{0BB774D2-63FA-4136-8A31-36D5B66C7E00}\RP56;Trojan.Fakealert.11681;Incurable.Moved.;

    Logfile of Trend Micro HijackThis v2.0.4

    Scan saved at 5:52:48 AM, on 6/21/2010

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

    C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

    C:\WINDOWS\system32\taskswitch.exe

    C:\Program Files\Logitech\Gaming Software\LWEMon.exe

    C:\Program Files\Analog Devices\Core\smax4pnp.exe

    C:\WINDOWS\system32\RUNDLL32.EXE

    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    C:\Program Files\Palm\Hotsync.exe

    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

    C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe

    C:\WINDOWS\system32\nvsvc32.exe

    C:\Program Files\Raxco\PerfectDisk2008\PDAgent.exe

    C:\Program Files\CyberLink\Shared Files\RichVideo.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe

    C:\Program Files\Raxco\PerfectDisk2008\PDEngine.exe

    C:\Program Files\Raxco\PerfectDisk2008\PDAgentS1.exe

    C:\Program Files\Raxco\PerfectDisk2008\PerfectDisk.exe

    C:\Documents and Settings\swr\Desktop\HJT\HiJackThis.exe

    C:\WINDOWS\system32\wuauclt.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll

    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\IPSBHO.DLL

    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll

    O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot

    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

    O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe

    O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui

    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

    O15 - Trusted Zone: http://home.aurorabankfsb.com

    O15 - Trusted Zone: http://remote.aurorabankfsb.com

    O15 - Trusted Zone: http://www.aurorabankfsb.com

    O15 - Trusted Zone: www.select2perform.com

    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab

    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1237131535109

    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1258154378171

    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

    O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

    O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab

    O16 - DPF: {BAC16126-1812-41A1-AD18-66B3FC8DFEDA} (PPM WordModule) - https://fdicdrr.policytech.com/includes/obj.../WordModule.cab

    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab

    O16 - DPF: {EBE67253-D4EA-11D3-845A-00500483D287} (ImageViewer Class) - file://E:\vwr_data\dcm_vwr.cab

    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...015/mcfscan.cab

    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

    O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll

    O20 - Winlogon Notify: khfFXpqn - Invalid registry found

    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

    O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe

    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PDAgent.exe

    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PDEngine.exe

    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe

    O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

    --

    End of file - 11486 bytes

    Results of screen317's Security Check version 0.99.4

    Windows XP Service Pack 3

    Internet Explorer 8

    ``````````````````````````````

    Antivirus/Firewall Check:

    Windows Firewall Disabled!

    Antivirus up to date!

    ```````````````````````````````

    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware

    Java SE Runtime Environment 6

    Adobe Flash Player

    Mozilla Firefox (3.5.5) Firefox Out of Date!

    ````````````````````````````````

    Process Check:

    objlist.exe by Laurent

    Norton ccSvcHst.exe

    ````````````````````````````````

    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````

  5. BitTorrent has been removed.

    My problem is resolved. :P

    Thank you

    Here is the combofix log

    ComboFix 10-06-18.03 - swr 06/19/2010 0:49.1.2 - x86

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1644 [GMT -6:00]

    Running from: c:\documents and settings\swr\Desktop\Combo-Fix.exe

    AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

    FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    c:\documents and settings\swr\Local Settings\Application Data\Windows Server

    c:\documents and settings\swr\Local Settings\Application Data\Windows Server\flags.ini

    c:\documents and settings\swr\Local Settings\Application Data\Windows Server\uses32.dat

    C:\feed.txt

    c:\windows\system32\GroupPolicy\User\Scripts\scripts.ini

    c:\windows\system32\Ijl11.dll

    c:\windows\wiaserviv.log

    Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected

    Restored copy from - Kitty had a snack :P

    .

    ((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))

    .

    2010-06-18 22:17 . 2010-06-18 22:18 -------- d-----w- c:\program files\ERUNT

    2010-06-11 17:56 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

    2010-05-24 04:26 . 2010-05-24 04:26 -------- d-----w- c:\documents and settings\swr\Application Data\Windows Search

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2010-06-17 12:04 . 2010-05-12 17:22 -------- d-----w- c:\program files\Windows Desktop Search

    2010-06-16 13:21 . 2010-03-18 23:13 -------- d-----w- c:\documents and settings\swr\Application Data\Wireshark

    2010-06-14 16:37 . 2009-09-23 21:44 -------- d-----w- c:\program files\Coupons

    2010-06-11 20:31 . 2010-05-12 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

    2010-06-06 23:50 . 2008-11-23 01:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

    2010-06-05 01:09 . 2010-04-04 15:05 -------- d-----w- c:\program files\Microsoft Silverlight

    2010-06-01 02:05 . 2008-01-26 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995

    2010-05-19 00:51 . 2008-01-26 16:45 -------- d-----w- c:\documents and settings\swr\Application Data\Passlogix

    2010-05-17 03:43 . 2010-05-17 03:43 -------- d-----w- c:\program files\American Systems

    2010-05-14 18:41 . 2008-05-20 01:05 73504 ----a-w- c:\documents and settings\swr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

    2010-05-14 16:05 . 2010-05-12 16:54 -------- d-----w- c:\program files\Microsoft Works

    2010-05-12 17:28 . 2010-05-12 17:28 10134 ----a-r- c:\documents and settings\swr\Application Data\Microsoft\Installer\{616A66CD-D36D-4E24-8B67-33AFDFF48061}\ARPPRODUCTICON.exe

    2010-05-12 17:27 . 2010-05-12 17:27 -------- d-----w- c:\program files\Palm Inc

    2010-05-12 17:27 . 2009-02-01 01:10 -------- d-----w- c:\program files\Palm

    2010-05-12 17:26 . 2009-01-25 19:33 -------- d-----w- c:\program files\Lavasoft

    2010-05-12 16:54 . 2010-02-10 02:07 -------- d-----w- c:\program files\MSBuild

    2010-05-12 16:53 . 2010-05-12 16:53 -------- d-----w- c:\program files\Microsoft.NET

    2010-05-12 16:51 . 2010-05-12 16:51 -------- d-----w- c:\program files\Microsoft Visual Studio 8

    2010-05-07 13:44 . 2008-11-16 19:17 -------- d-----w- c:\program files\Spybot - Search & Destroy

    2010-05-07 13:44 . 2008-11-16 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

    2010-05-06 10:41 . 2004-08-04 02:07 916480 ----a-w- c:\windows\system32\wininet.dll

    2010-05-02 17:55 . 2008-04-07 22:50 -------- d-----w- c:\documents and settings\swr\Application Data\TaxCut

    2010-05-02 05:22 . 2004-08-04 02:07 1851264 ----a-w- c:\windows\system32\win32k.sys

    2010-05-02 00:42 . 2010-05-02 00:42 -------- d-----w- c:\program files\Sony

    2010-05-02 00:42 . 2008-01-12 03:59 -------- d--h--w- c:\program files\InstallShield Installation Information

    2010-05-01 09:21 . 2010-03-24 04:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2010-04-29 21:39 . 2010-03-24 04:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2010-04-29 21:39 . 2010-03-24 04:49 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

    2010-04-21 17:35 . 2008-11-16 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

    2010-04-21 17:18 . 2010-04-21 17:17 -------- d-----w- c:\program files\WingDir

    2010-04-21 17:17 . 2010-04-21 17:17 249856 ------w- c:\windows\Setup1.exe

    2010-04-21 17:17 . 2010-04-21 17:17 73216 ----a-w- c:\windows\ST6UNST.EXE

    2010-04-21 17:05 . 2008-01-26 16:42 -------- d-----w- c:\program files\MagicDVDRipper

    2010-04-20 05:30 . 2004-08-04 02:07 285696 ----a-w- c:\windows\system32\atmfd.dll

    2010-03-25 20:27 . 2010-03-25 20:27 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

    2010-03-25 20:27 . 2010-03-25 20:27 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

    2010-03-25 20:27 . 2010-03-25 23:21 482432 ----a-w- c:\windows\system32\drivers\cchpx86.sys

    2010-03-25 20:27 . 2010-03-25 23:21 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys

    2010-03-25 20:27 . 2010-03-25 23:21 310320 ----a-w- c:\windows\system32\drivers\SymEFA.sys

    2010-03-25 20:27 . 2010-03-25 23:21 217136 ----a-w- c:\windows\system32\drivers\symtdi.sys

    2010-03-25 20:27 . 2010-03-25 23:21 259632 ----a-w- c:\windows\system32\drivers\BHDrvx86.sys

    2010-03-25 20:27 . 2010-03-25 20:27 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys

    2010-03-25 20:27 . 2008-10-30 01:41 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys

    2010-03-25 20:27 . 2008-10-30 01:41 107368 ----a-r- c:\windows\system32\GEARAspi.dll

    2010-03-25 01:04 . 2010-03-25 01:04 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US65016901xupd.exe

    2010-03-24 08:22 . 2008-01-12 05:28 4212 ---ha-w- c:\windows\system32\zllictbl.dat

    2010-03-24 08:10 . 2008-11-17 00:57 8 ----a-w- c:\windows\system32\nvModes.dat

    2010-03-23 20:05 . 2010-03-23 20:05 760 ----a-w- C:\error.reg

    2009-09-14 02:59 . 2009-09-14 02:59 1309413 ----a-w- c:\program files\NetMeeting.zip

    2009-08-28 18:55 . 2009-08-28 18:55 524667454 ----a-w- c:\program files\SkillSoft.zip

    2008-08-16 23:42 . 2008-08-16 23:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

    2008-08-16 23:42 . 2008-08-16 23:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

    2008-08-16 23:42 . 2008-08-16 23:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

    2008-08-16 23:42 . 2008-08-16 23:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

    2008-08-16 23:43 . 2008-08-16 23:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

    2008-08-16 23:42 . 2008-08-16 23:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

    2008-08-16 23:42 . 2008-08-16 23:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

    2008-05-21 14:41 . 2008-05-21 14:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

    2008-05-21 14:41 . 2008-05-21 14:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

    2008-05-21 14:41 . 2008-05-21 14:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

    2008-06-05 19:58 . 2008-06-05 19:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

    2008-08-16 23:42 . 2008-08-16 23:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]

    "PaperPort PTD"="c:\program files\Scansoft\PaperPort\pptd40nt.exe" [2002-09-23 45108]

    "IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-09-23 36864]

    "OneTouch Monitor"="c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2003-07-30 98304]

    "CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]

    "Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2008-04-04 88584]

    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]

    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-09 8527872]

    "nwiz"="nwiz.exe" [2007-10-09 1626112]

    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-09 81920]

    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

    c:\documents and settings\swr\Start Menu\Programs\Startup\

    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\

    HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

    BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

    @="FSFilter Activity Monitor"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]

    "AntiVirusOverride"=dword:00000001

    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

    "EnableFirewall"= 0 (0x0)

    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "c:\\Program Files\\iTunes\\iTunes.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R0 AACMgt;AACMgt;c:\windows\system32\drivers\aacmgt.sys [9/3/2006 2:18 AM 93591]

    R0 aarsi3x;aarsi3x;c:\windows\system32\drivers\aarsi3x.sys [11/11/2004 7:09 PM 197120]

    R0 hpt374;hpt374;c:\windows\system32\drivers\hpt374.sys [2/2/2008 11:27 AM 133760]

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [3/17/2010 12:41 PM 28552]

    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [3/25/2010 5:21 PM 310320]

    R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [3/25/2010 5:21 PM 259632]

    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [3/25/2010 5:21 PM 482432]

    R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100617.005\IDSXpx86.sys [6/19/2010 12:33 AM 331640]

    R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe [3/25/2010 5:20 PM 117640]

    R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [1/26/2008 10:49 AM 14976]

    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/26/2010 2:00 AM 102448]

    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2/25/2009 7:08 PM 19712]

    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2/25/2009 7:08 PM 8320]

    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2/9/2010 7:52 PM 42752]

    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2/9/2010 8:17 PM 23936]

    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 12:19 PM 50704]

    S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [10/26/2008 2:54 PM 91841]

    .

    Contents of the 'Scheduled Tasks' folder

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://www.google.com/

    uInternet Settings,ProxyServer = http=127.0.0.1:5555

    uInternet Settings,ProxyOverride = <local>

    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

    Trusted Zone: aurorabankfsb.com\home

    Trusted Zone: aurorabankfsb.com\remote

    Trusted Zone: aurorabankfsb.com\www

    Trusted Zone: select2perform.com\www

    Trusted Zone: usps.gov\webvpn

    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab

    DPF: {BAC16126-1812-41A1-AD18-66B3FC8DFEDA} - hxxps://fdicdrr.policytech.com/includes/objects/WordModule.cab

    DPF: {EBE67253-D4EA-11D3-845A-00500483D287} - file://e:\vwr_data\dcm_vwr.cab

    FF - ProfilePath - c:\documents and settings\swr\Application Data\Mozilla\Firefox\Profiles\5w6orxtl.default\

    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll

    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll

    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll

    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll

    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll

    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll

    FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll

    FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    .

    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

    Notify-khfFXpqn - khfFXpqn.dll

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2010-06-19 00:54

    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]

    "ImagePath"="\"c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-448539723-861567501-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]

    @Allowed: (Read) (RestrictedCode)

    @Allowed: (Read) (RestrictedCode)

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(1368)

    c:\windows\system32\relog_ap.dll

    .

    Completion time: 2010-06-19 00:55:51

    ComboFix-quarantined-files.txt 2010-06-19 06:55

    Pre-Run: 33,112,137,728 bytes free

    Post-Run: 33,058,115,584 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

    [boot loader]

    timeout=2

    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

    [operating systems]

    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 0742EF99C8669971F5A501BAB17CE73B

  6. ;) My system keeps accessing some of the following sites, per Wireshark. I then receive messages from Symantec that an attack from the site was blocked.

    01n02n4cx00.cc

    19js810300z.com

    30xc1cjh91.com

    7gafd33ja90a.com

    j00k877x.cc

    lj1i16b0.com

    m01n83kjf7.com

    n16fa53.com

    n1mo661s6cx0.com

    zz87jhfda88.com

    www1.softhelper10.com

    91.212.226.59

    91.212.226.67

    I have blocked these sites via the hosts file.

    DDS (Ver_10-03-17.01) - NTFSx86

    Run by swr at 7:27:32.18 on Thu 06/17/2010

    Internet Explorer: 8.0.6001.18702

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1403 [GMT -6:00]

    AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

    FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch

    svchost.exe

    C:\WINDOWS\System32\svchost.exe -k netsvcs

    svchost.exe

    svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

    C:\WINDOWS\system32\taskswitch.exe

    C:\Program Files\Analog Devices\Core\smax4pnp.exe

    C:\WINDOWS\system32\RUNDLL32.EXE

    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    svchost.exe

    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    C:\WINDOWS\system32\cisvc.exe

    C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

    C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe

    C:\WINDOWS\system32\nvsvc32.exe

    C:\Program Files\Raxco\PerfectDisk2008\PDAgent.exe

    C:\Program Files\CyberLink\Shared Files\RichVideo.exe

    C:\WINDOWS\system32\svchost.exe -k imgsvc

    C:\WINDOWS\system32\wuauclt.exe

    C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe

    C:\Temp\Hijackthis\DDS\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/

    uInternet Settings,ProxyServer = http=127.0.0.1:5555

    uInternet Settings,ProxyOverride = <local>

    mURLSearchHooks: H - No File

    mWinlogon: Userinit=c:\windows\system32\Userinit.exe

    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll

    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\3.8.0.41\IPSBHO.DLL

    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll

    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll

    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

    TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} -

    EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll

    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

    mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray

    mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot

    mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe

    mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe

    mRun: [OneTouch Monitor] c:\program files\visioneer onetouch\OneTouchMon.exe

    mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe

    mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui

    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

    mRun: [nwiz] nwiz.exe /install

    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe

    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

    IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe

    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll

    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

    Trusted Zone: aurorabankfsb.com\home

    Trusted Zone: aurorabankfsb.com\remote

    Trusted Zone: aurorabankfsb.com\www

    Trusted Zone: select2perform.com\www

    Trusted Zone: usps.gov\webvpn

    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

    DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

    DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab

    DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab

    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237131535109

    DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258154378171

    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

    DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab

    DPF: {BAC16126-1812-41A1-AD18-66B3FC8DFEDA} - hxxps://fdicdrr.policytech.com/includes/objects/WordModule.cab

    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

    DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

    DPF: {EBE67253-D4EA-11D3-845A-00500483D287} - file://e:\vwr_data\dcm_vwr.cab

    DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,6015/mcfscan.cab

    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

    Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton security suite\engine\3.8.0.41\CoIEPlg.dll

    Notify: khfFXpqn - khfFXpqn.dll

    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    LSA: Authentication Packages = msv1_0 relog_ap

    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\swr\applic~1\mozilla\firefox\profiles\5w6orxtl.default\

    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

    FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll

    FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll

    FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll

    FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll

    FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll

    FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll

    FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll

    FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----

    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R0 AACMgt;AACMgt;c:\windows\system32\drivers\aacmgt.sys [2006-9-3 93591]

    R0 aarsi3x;aarsi3x;c:\windows\system32\drivers\aarsi3x.sys [2004-11-11 197120]

    R0 hpt374;hpt374;c:\windows\system32\drivers\hpt374.sys [2008-2-2 133760]

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-3-17 28552]

    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-3-25 310320]

    R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-3-25 259632]

    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-3-25 482432]

    R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100604.004\IDSXpx86.sys [2010-6-8 331640]

    R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\3.8.0.41\ccSvcHst.exe [2010-3-25 117640]

    R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2008-1-26 14976]

    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-26 102448]

    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100616.039\NAVENG.SYS [2010-6-17 85552]

    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100616.039\NAVEX15.SYS [2010-6-17 1347504]

    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-2-25 19712]

    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-2-25 8320]

    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2010-2-9 42752]

    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2010-2-9 23936]

    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

    S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2008-10-26 91841]

    =============== Created Last 30 ================

    2010-06-17 12:51:18 0 ----a-w- c:\documents and settings\swr\defogger_reenable

    2010-06-16 17:08:34 0 d-----w- c:\temp\Hijackthis

    2010-06-11 17:56:14 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

    2010-06-06 23:43:14 11366400 ----a-w- c:\documents and settings\swr\s-1-5-21-448539723-861567501-839522115-1003.rrr

    2010-05-24 04:26:53 0 d-----w- c:\docume~1\swr\applic~1\Windows Search

    ==================== Find3M ====================

    2010-05-12 01:45:32 24152 ----a-w- c:\docume~1\swr\applic~1\GDIPFONTCACHEV1.DAT

    2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

    2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

    2010-04-29 21:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2010-04-29 21:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

    2010-04-21 17:17:51 249856 ------w- c:\windows\Setup1.exe

    2010-04-21 17:17:49 73216 ----a-w- c:\windows\ST6UNST.EXE

    2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

    2010-03-25 20:27:06 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

    2010-03-25 20:27:00 107368 ----a-r- c:\windows\system32\GEARAspi.dll

    2010-03-24 08:22:15 4212 ---ha-w- c:\windows\system32\zllictbl.dat

    2010-03-23 20:05:44 760 ----a-w- C:\error.reg

    2009-09-14 02:59:07 1309413 ----a-w- c:\program files\NetMeeting.zip

    2009-08-28 18:55:20 524667454 ----a-w- c:\program files\SkillSoft.zip

    2006-06-23 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe

    2003-07-28 13:16:52 36864 ----a-w- c:\windows\inf\i386\Vizmicro.dll

    2003-07-28 13:16:26 172032 ----a-w- c:\windows\inf\i386\viceo.dll

    2003-07-28 13:01:10 36207 ----a-w- c:\windows\inf\i386\9320FW.bin

    2003-07-28 13:01:10 274432 ----a-w- c:\windows\inf\i386\9320LLD.dll

    2003-07-28 13:01:10 155648 ----a-w- c:\windows\inf\i386\rtscan.dll

    2001-08-04 01:29:18 13824 ----a-w- c:\windows\inf\i386\Usbscan.sys

    2010-02-19 01:02:33 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

    ============= FINISH: 7:28:44.14 ===============

    GMER log

    GMER 1.0.15.15281 - http://www.gmer.net

    Rootkit scan 2010-06-18 03:08:44

    Windows 5.1.2600 Service Pack 3

    Running: ji91h61p.exe; Driver: C:\DOCUME~1\swr\LOCALS~1\Temp\kxtdqpow.sys

    ---- System - GMER 1.0.15 ----

    SSDT 89C4AD80 ZwAlertResumeThread

    SSDT 89C4C4A8 ZwAlertThread

    SSDT 89D55B58 ZwAllocateVirtualMemory

    SSDT 89C22628 ZwAssignProcessToJobObject

    SSDT 89E053F8 ZwConnectPort

    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA9EE9130]

    SSDT 8A055EA8 ZwCreateMutant

    SSDT 89AEADD8 ZwCreateSymbolicLinkObject

    SSDT 89E8AFB0 ZwCreateThread

    SSDT 89C42D80 ZwDebugActiveProcess

    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA9EE93B0]

    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA9EE9910]

    SSDT 8A059D28 ZwDuplicateObject

    SSDT 89DAE9D0 ZwFreeVirtualMemory

    SSDT 89C2BA88 ZwImpersonateAnonymousToken

    SSDT 89C59D80 ZwImpersonateThread

    SSDT 89E51DC0 ZwLoadDriver

    SSDT 89C1A770 ZwMapViewOfSection

    SSDT 89CA9D58 ZwOpenEvent

    SSDT 89C93E88 ZwOpenProcess

    SSDT 89C12D80 ZwOpenProcessToken

    SSDT 89C35368 ZwOpenSection

    SSDT 89BF32D8 ZwOpenThread

    SSDT 89AEAE68 ZwProtectVirtualMemory

    SSDT 89BB4B08 ZwResumeThread

    SSDT 89BD1628 ZwSetContextThread

    SSDT 8A04F2F8 ZwSetInformationProcess

    SSDT 89C276F8 ZwSetSystemInformation

    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA9EE9B60]

    SSDT 89C9C8C8 ZwSuspendProcess

    SSDT 89BD32C0 ZwSuspendThread

    SSDT 89BD97A8 ZwTerminateProcess

    SSDT 89C163C0 ZwTerminateThread

    SSDT 89C34D80 ZwUnmapViewOfSection

    SSDT 89CC7658 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 2D1C 805045B8 4 Bytes JMP 12CECF97

    ? SYMEFA.SYS The system cannot find the file specified. !

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8DCB380, 0x33F867, 0xE8000020]

    init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xB008CA00]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[1020] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A

    .text C:\WINDOWS\Explorer.EXE[1020] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A

    .text C:\WINDOWS\Explorer.EXE[1020] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

    .text C:\WINDOWS\System32\svchost.exe[1800] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A

    .text C:\WINDOWS\System32\svchost.exe[1800] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A

    .text C:\WINDOWS\System32\svchost.exe[1800] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C

    .text C:\WINDOWS\System32\svchost.exe[1800] ole32.dll!CoCreateInstance 7750057E 3 Bytes JMP 00DC000A

    .text C:\WINDOWS\System32\svchost.exe[1800] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)

    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)

    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- Files - GMER 1.0.15 ----

    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0Z386EX2\bullet[1] 0 bytes

    ---- EOF - GMER 1.0.15 ----

    Attach.txt

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional

    Boot Device: \Device\HarddiskVolume2

    Install Date: 1/11/2008 8:30:51 PM

    System Uptime: 6/17/2010 7:25:40 AM (0 hours ago)

    Motherboard: ASUSTeK Computer INC. | | P5E3 Deluxe

    Processor: Intel® Core2 Duo CPU E6750 @ 2.66GHz | LGA775 | 2666/333mhz

    ==== Disk Partitions =========================

    A: is Removable

    C: is FIXED (NTFS) - 138 GiB total, 30.866 GiB free.

    D: is FIXED (NTFS) - 279 GiB total, 38.589 GiB free.

    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}

    Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard

    Device ID: ACPI\PNP0303\4&B6AFFD&0

    Manufacturer: (Standard keyboards)

    Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard

    PNP Device ID: ACPI\PNP0303\4&B6AFFD&0

    Service: i8042prt

    ==== System Restore Points ===================

    RP1: 5/1/2010 2:59:18 AM - System Checkpoint

    RP2: 5/1/2010 6:42:16 PM - Installed Sony Recorder Driver

    RP3: 5/2/2010 7:40:59 PM - System Checkpoint

    RP4: 5/3/2010 7:50:57 PM - System Checkpoint

    RP5: 5/4/2010 8:50:56 PM - System Checkpoint

    RP6: 5/5/2010 11:31:42 PM - System Checkpoint

    RP7: 5/7/2010 12:02:53 AM - System Checkpoint

    RP8: 5/8/2010 12:30:05 PM - System Checkpoint

    RP9: 5/9/2010 1:15:27 PM - System Checkpoint

    RP10: 5/10/2010 3:03:12 PM - System Checkpoint

    RP11: 5/11/2010 3:14:23 PM - System Checkpoint

    RP12: 5/12/2010 9:27:22 AM - Software Distribution Service 3.0

    RP13: 5/12/2010 10:48:17 AM - Installed Microsoft Office Enterprise 2007

    RP14: 5/12/2010 10:55:45 AM - Printer Driver Send To Microsoft OneNote Driver Installed

    RP15: 5/12/2010 11:21:47 AM - Installed Windows XP KB915800-v4.

    RP16: 5/12/2010 11:21:59 AM - Installed Windows XP Windows Search 4.0.

    RP17: 5/12/2010 11:26:31 AM - Removed Ad-Aware Email Scanner for Outlook

    RP18: 5/12/2010 11:27:58 AM - Installed Palm Outlook Conduits Updater.

    RP19: 5/12/2010 10:22:06 PM - Software Distribution Service 3.0

    RP20: 5/13/2010 10:42:13 PM - System Checkpoint

    RP21: 5/14/2010 9:58:53 AM - Software Distribution Service 3.0

    RP22: 5/14/2010 10:06:48 AM - Printer Driver Send To Microsoft OneNote Driver Installed

    RP23: 5/14/2010 11:05:29 AM - Software Distribution Service 3.0

    RP24: 5/14/2010 11:09:29 AM - Software Distribution Service 3.0

    RP25: 5/16/2010 10:20:24 AM - System Checkpoint

    RP26: 5/17/2010 10:20:43 AM - System Checkpoint

    RP27: 5/18/2010 10:48:25 AM - System Checkpoint

    RP28: 5/19/2010 11:05:13 AM - System Checkpoint

    RP29: 5/20/2010 12:40:15 PM - System Checkpoint

    RP30: 5/21/2010 1:36:51 PM - System Checkpoint

    RP31: 5/22/2010 1:58:02 PM - System Checkpoint

    RP32: 5/23/2010 3:54:00 PM - System Checkpoint

    RP33: 5/24/2010 11:33:28 PM - System Checkpoint

    RP34: 5/26/2010 12:20:54 AM - System Checkpoint

    RP35: 5/27/2010 12:36:31 AM - Software Distribution Service 3.0

    RP36: 5/28/2010 12:49:06 PM - System Checkpoint

    RP37: 5/29/2010 2:35:55 PM - System Checkpoint

    RP38: 5/30/2010 5:55:34 PM - System Checkpoint

    RP39: 5/31/2010 6:06:01 PM - System Checkpoint

    RP40: 6/1/2010 6:39:45 PM - System Checkpoint

    RP41: 6/2/2010 8:16:21 PM - System Checkpoint

    RP42: 6/4/2010 10:23:05 AM - Software Distribution Service 3.0

    RP43: 6/5/2010 11:13:21 AM - System Checkpoint

    RP44: 6/6/2010 6:42:17 PM - System Checkpoint

    RP45: 6/7/2010 6:58:27 PM - System Checkpoint

    RP46: 6/9/2010 8:43:19 AM - System Checkpoint

    RP47: 6/11/2010 12:36:17 PM - System Checkpoint

    RP48: 6/11/2010 2:23:10 PM - Software Distribution Service 3.0

    RP49: 6/12/2010 2:39:49 PM - System Checkpoint

    RP50: 6/13/2010 7:13:01 PM - System Checkpoint

    RP51: 6/15/2010 8:51:11 AM - System Checkpoint

    RP52: 6/16/2010 8:57:04 AM - System Checkpoint

    ==== Installed Programs ======================

    2007 Microsoft Office Suite Service Pack 2 (SP2)

    Acronis
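Added example, not code from the poster and not part of DDS, ComboFix or GMER: a small triage script over the handful of entries that recur in both the ComboFix "Supplementary Scan" earlier in the thread and the DDS "Pseudo HJT Report" in post 6, plus the hostnames from the Wireshark list. It flags a browser proxy that points at the loopback interface (`127.0.0.1:5555` here), any LSA authentication package beyond the Windows XP default `msv1_0` (the log shows `relog_ap`, and ComboFix lists `relog_ap.dll` loaded inside `lsass.exe`), Winlogon Notify packages outside a clean-install baseline (`khfFXpqn.dll`), hosts-file overrides, and hostnames whose registrable label flips between digits and letters often enough to look machine-generated. The sample lines are excerpted from the posted logs; the XP baselines, the Notify allow-list and the "three switches" threshold are this example's own assumptions, marked in the code.

```python
"""Triage of DDS / ComboFix autostart lines for the indicators that matter.

Added example: not code from the forum post, nor from DDS, ComboFix or GMER.
SAMPLE_LOG and SAMPLE_DOMAINS are excerpted from the logs and the Wireshark
hostname list posted in this thread (two benign names added for contrast);
the baselines and the DGA threshold below are this example's own assumptions.
"""
import re
from typing import List, Tuple

# Assumption: Windows XP ships with msv1_0 as the only LSA authentication
# package.  Anything else is loaded into lsass.exe and sees every credential.
DEFAULT_LSA_AUTH_PACKAGES = {"msv1_0"}

# Assumption: Winlogon Notify packages present on a clean XP install.
XP_DEFAULT_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp",
                     "Schedule", "sclgntfy", "SensLogn", "termsrv", "wlballoon"}

# Excerpt of the posted DDS "Pseudo HJT Report" (subset chosen for this example).
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
Notify: khfFXpqn - khfFXpqn.dll
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Names from the poster's Wireshark list, plus two ordinary hostnames for contrast.
SAMPLE_DOMAINS = ["01n02n4cx00.cc", "19js810300z.com", "j00k877x.cc",
                  "www1.softhelper10.com", "www.google.com", "select2perform.com"]

Finding = Tuple[str, str]  # (severity, message)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def check_proxy(line: str) -> List[Finding]:
    """A browser proxy on the loopback interface means a local process sits
    between the browser and the network; identify it before judging it."""
    m = re.match(r"[um]Internet Settings,ProxyServer\s*=\s*(.+)", line)
    if not m:
        return []
    out: List[Finding] = []
    for entry in m.group(1).split(";"):  # e.g. "http=127.0.0.1:5555"
        host, _, port = entry.split("=")[-1].strip().rpartition(":")
        if host in LOOPBACK:
            out.append(("high", f"browser proxied through local listener on port {port}"))
    return out


def check_lsa(line: str) -> List[Finding]:
    """Extra LSA authentication packages are a classic credential-theft hook."""
    m = re.match(r"LSA: Authentication Packages\s*=\s*(.+)", line)
    if not m:
        return []
    extra = [p for p in m.group(1).split() if p not in DEFAULT_LSA_AUTH_PACKAGES]
    if not extra:
        return []
    return [("high", f"non-default LSA authentication package(s): {' '.join(extra)}")]


def check_notify(line: str) -> List[Finding]:
    """Winlogon Notify DLLs run inside winlogon.exe at every logon event."""
    m = re.match(r"Notify: (\S+) - (.+)", line)
    if not m or m.group(1) in XP_DEFAULT_NOTIFY:
        return []
    return [("medium", f"non-default Winlogon Notify package {m.group(1)} ({m.group(2).strip()})")]


def check_hosts(line: str) -> List[Finding]:
    """Report every hosts-file override so it can be matched against the
    entries the user added on purpose."""
    m = re.match(r"Hosts: (\S+)\s+(\S+)", line)
    return [("info", f"hosts override: {m.group(2)} -> {m.group(1)}")] if m else []


def looks_generated(hostname: str) -> bool:
    """Heuristic (this example's assumption): a registrable label that switches
    between digits and letters three or more times is treated as machine
    generated.  Bare IP addresses are skipped."""
    if re.fullmatch(r"[\d.]+", hostname):
        return False
    labels = hostname.lower().split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    switches = sum(1 for a, b in zip(label, label[1:]) if a.isdigit() != b.isdigit())
    return switches >= 3


def triage(log_text: str, domains: List[str]) -> List[Finding]:
    """Run every line check over the log, then the hostname heuristic."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        for check in (check_proxy, check_lsa, check_notify, check_hosts):
            findings.extend(check(line.strip()))
    findings.extend(("medium", f"DGA-like hostname: {d}") for d in domains if looks_generated(d))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG, SAMPLE_DOMAINS):
        print(f"[{severity:>6}] {message}")
```

Run as-is and it reports the loopback proxy on port 5555, the `relog_ap` LSA package, the `khfFXpqn` Notify entry, the `www.spywareinfo.com` hosts override, and three of the six hostnames as DGA-like; `www1.softhelper10.com` and `select2perform.com` pass the threshold on purpose. Two caveats a practitioner would want: a loopback proxy is a question, not a verdict, because web filters and ad blockers also register there, so on the XP box `netstat -ano` and the owning PID settle which process listens on 5555; and the LSA package is the item to treat as highest priority, since ComboFix's own "DLLs Loaded Under Running Processes" section already shows `relog_ap.dll` inside `lsass.exe`, which is where logon credentials pass through.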
