de_novo
Posts posted by de_novo
-
-
How are things running now?
Everything seems fine. Have no messages from SEP. I see no unusual things running.
What about Acrobat 6 Pro? Does it have too many security holes?
Was any software uninstalled or deleted by ComboFix?
Roxio seems to be working.
Not sure why I have the Ricoh RMClient stuff running. I don't recall having Ricoh printers. Have very large 100 PPM Canon and Toshibas that may have purchased Ricoh product.
An off topic question:
The machine from which I am posting this, and on the same network, is getting a SEP popup at times of "[SID 20495] FTP MS IIS Status DoS Detected". The logs show it's from 0.0.0.0, i.e. not traceable. I do have IIS and SQL running for doing VS dev, but haven't done any in a long time. The FTP and SMTP servers are not running. I am on a network with 20 other PCs, so it is possible it's one of them. I am behind a NAT router.
I don't have MBAM installed, but do have a license. Installing that would be my next step. Wondering if it is safe to run TDSSKiller and MBER to see if there are any TD or BootRec infections?
-
KillAll::
RenV::
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
Save the file to your desktop and name it CFScript.txt
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.
I ran the script. It rebooted then opened the log.
\\\\\\\\\\\\\\\\\\\ ComboFix Log \\\\\\\\\\\\\\\\\\\
ComboFix 10-07-06.02 - Earl 07/06/2010 17:46:44.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1520 [GMT -5:00]
Running from: c:\documents and settings\Earl\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Earl\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))
.
2010-06-25 20:14 . 2010-06-25 20:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio
2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\program files\Sonic
2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-06-25 18:11 . 2010-06-25 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2010-06-25 18:10 . 2010-06-25 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-06-25 18:10 . 2010-06-25 18:10 -------- d-----w- c:\program files\DivX
2010-06-24 20:42 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 14:59 . 2010-06-24 14:59 -------- d-----w- c:\documents and settings\Earl\Application Data\Malwarebytes
2010-06-24 14:59 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-24 14:59 . 2010-06-24 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-24 14:59 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-21 20:44 . 2010-06-03 00:59 161920 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-06-21 20:42 . 2009-09-17 23:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2010-06-21 20:42 . 2010-06-21 20:42 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-21 20:42 . 2010-06-21 20:42 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-21 15:29 . 2010-06-21 15:29 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-06-21 15:29 . 2010-06-21 15:29 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-06-16 07:13 . 2010-06-16 07:13 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-06 21:33 . 2008-01-03 21:57 -------- d-----w- c:\program files\Symantec AntiVirus
2010-07-06 21:33 . 2004-09-09 14:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-06 17:44 . 2002-08-29 12:00 577536 ----a-w- c:\windows\system32\user32.dll
2010-07-01 23:32 . 2004-08-12 21:22 48424 ----a-w- c:\documents and settings\Earl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-01 18:51 . 2004-08-03 20:28 -------- d-----w- c:\documents and settings\Earl\Application Data\AdobeUM
2010-06-25 22:47 . 2004-08-03 20:15 -------- d-----w- c:\documents and settings\Earl\Application Data\Roxio
2010-06-25 18:12 . 2004-07-28 12:05 -------- d-----w- c:\program files\Roxio
2010-06-25 18:12 . 2004-07-28 12:04 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-06-24 20:15 . 2010-06-16 07:06 112 ----a-w- c:\documents and settings\All Users\Application Data\q818282.dat
2010-06-24 18:58 . 2002-08-29 12:00 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-06-21 20:43 . 2004-08-17 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-21 20:42 . 2010-06-21 20:42 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-21 20:42 . 2010-06-21 20:42 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-21 20:42 . 2004-08-17 13:37 -------- d-----w- c:\program files\Symantec
2010-06-21 16:50 . 2004-09-30 17:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-21 16:48 . 2004-09-07 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-06 10:41 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:56 . 2002-08-29 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51 . 2002-08-29 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
.
<pre>
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
</pre>
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 65024]
"POINTER"="point32.exe" [N/A]
"Matrox PowerDesk 8"="c:\windows\System32\PowerDesk8\Matrox.PowerDesk.exe" [2004-06-10 90112]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-12-09 868352]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 163840]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"Malwarebytes' Anti-Malware"="e:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [N/A]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
SmartDeviceMonitor for Client.lnk - c:\program files\RDS\RMClient\PMClient.exe [2009-9-10 495616]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2009-12-16 00:13 15216 ----a-w- c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"EPSON Stylus Photo R2400"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9SA.EXE /FU "c:\windows\TEMP\E_S116.tmp" /EF "HKCU"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"JobHisInit"=c:\program files\RDS\RMClient\JobHisInit.exe
"MplSetUp"=c:\program files\RDS\RMClient\MplSetUp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\System32\NvMcTray.dll,NvTaskbarInit
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"e:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"e:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [1/7/2003 4:01 AM 77056]
R2 MBAMService;MBAMService;e:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/24/2010 9:59 AM 304464]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/21/2010 3:47 PM 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/24/2010 9:59 AM 20952]
R3 MTXPARH;MTXPARH;c:\windows\system32\drivers\MTXPARHM.sys [6/10/2004 3:46 PM 465280]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/14/2009 12:51 PM 23888]
.
Contents of the 'Scheduled Tasks' folder
2010-07-02 c:\windows\Tasks\diskspacecheck.job
- e:\Earl\DiskFreeSpace\DiskSpaceCheck\diskspacecheck.exe [2009-07-15 14:16]
2009-04-17 c:\windows\Tasks\getecf320 Train.job
- d:\dev5\GetECFLogin\Get320\getecf320.exe [2008-05-13 12:40]
2009-04-17 c:\windows\Tasks\getecf320.job
- d:\dev5\GetECFLogin\Get320\getecf320.exe [2008-05-13 12:40]
2010-07-06 c:\windows\Tasks\Internet Explorer.job
- c:\progra~1\INTERN~1\iexplore.exe [2004-05-03 20:09]
2004-09-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2004-05-12 20:31]
2010-07-06 c:\windows\Tasks\User_Feed_Synchronization-{72469434-CA1D-442C-A963-92B52CFDD63A}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/MyHomePage.htm
mSearch Bar = hxxp://www.google.com/
uSearchAssistant = about:blank
uSearchURL,(Default) = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: uscourts.gov
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-06 17:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1234729769-739792919-2267824289-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-1234729769-739792919-2267824289-1005\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-1234729769-739792919-2267824289-1005)
@Allowed: (Read) (S-1-5-21-1234729769-739792919-2267824289-1005)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1164)
c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll
- - - - - - - > 'explorer.exe'(2808)
c:\windows\system32\WININET.dll
c:\windows\System32\PowerDesk8\Matrox.PowerDesk.Hooks.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\SYSTEM32\GEARSEC.EXE
c:\program files\Expertcity\GoToMyPC\g2svc.exe
c:\program files\Expertcity\GoToMyPC\g2comm.exe
c:\program files\Expertcity\GoToMyPC\g2pre.exe
c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
e:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Expertcity\GoToMyPC\g2tray.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
e:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Microsoft Hardware\Mouse\point32.exe
c:\windows\System32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
c:\program files\RDS\RMClient\PMCTray.exe
c:\program files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
.
**************************************************************************
.
Completion time: 2010-07-06 18:02:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-06 23:02
ComboFix2.txt 2010-07-06 21:47
ComboFix3.txt 2010-07-06 18:17
Pre-Run: 4,649,140,224 bytes free
Post-Run: 4,627,718,144 bytes free
- - End Of File - - C29D2428B27F871AF084DCE73A817944
-
Open Notepad and copy and paste the text in the code box below into it:
KillAll::
RenV::
c:\program files\Common Files\Roxio Shared\System\EngUtil .exe
c:\program files\Common Files\Symantec Shared\ccApp .exe
c:\program files\RDS\RMClient\JobHisInit .exe
c:\program files\RDS\RMClient\MplSetUp .exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
c:\program files\Symantec AntiVirus\VPTray .exe
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
Save the file to your desktop and name it CFScript.txt
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.
This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.
Downloaded new ComboFix.exe, named it ComboFix.exe, and put it on my Desktop.
Dragged and dropped the above CFScript.txt onto it.
CF ran, then without asking rebooted and opened the log. Here it is.....
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
ComboFix 10-07-06.02 - Earl 07/06/2010 16:33:51.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1516 [GMT -5:00]
Running from: c:\documents and settings\Earl\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Earl\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))
.
2010-06-25 20:14 . 2010-06-25 20:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio
2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\program files\Sonic
2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-06-25 18:11 . 2010-06-25 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2010-06-25 18:10 . 2010-06-25 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-06-25 18:10 . 2010-06-25 18:10 -------- d-----w- c:\program files\DivX
2010-06-24 20:42 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 14:59 . 2010-06-24 14:59 -------- d-----w- c:\documents and settings\Earl\Application Data\Malwarebytes
2010-06-24 14:59 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-24 14:59 . 2010-06-24 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-24 14:59 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-21 20:44 . 2010-06-03 00:59 161920 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-06-21 20:42 . 2009-09-17 23:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2010-06-21 20:42 . 2010-06-21 20:42 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-21 20:42 . 2010-06-21 20:42 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-21 15:29 . 2010-06-21 15:29 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-06-21 15:29 . 2010-06-21 15:29 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-06-16 07:13 . 2010-06-16 07:13 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-06 21:33 . 2008-01-03 21:57 -------- d-----w- c:\program files\Symantec AntiVirus
2010-07-06 21:33 . 2004-09-09 14:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-06 17:44 . 2002-08-29 12:00 577536 ----a-w- c:\windows\system32\user32.dll
2010-07-01 23:32 . 2004-08-12 21:22 48424 ----a-w- c:\documents and settings\Earl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-01 18:51 . 2004-08-03 20:28 -------- d-----w- c:\documents and settings\Earl\Application Data\AdobeUM
2010-06-25 22:47 . 2004-08-03 20:15 -------- d-----w- c:\documents and settings\Earl\Application Data\Roxio
2010-06-25 18:12 . 2004-07-28 12:05 -------- d-----w- c:\program files\Roxio
2010-06-25 18:12 . 2004-07-28 12:04 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-06-24 20:15 . 2010-06-16 07:06 112 ----a-w- c:\documents and settings\All Users\Application Data\q818282.dat
2010-06-24 18:58 . 2002-08-29 12:00 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-06-21 20:43 . 2004-08-17 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-21 20:42 . 2010-06-21 20:42 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-21 20:42 . 2010-06-21 20:42 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-21 20:42 . 2004-08-17 13:37 -------- d-----w- c:\program files\Symantec
2010-06-21 16:50 . 2004-09-30 17:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-21 16:48 . 2004-09-07 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-06 10:41 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:56 . 2002-08-29 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51 . 2002-08-29 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
.
<pre>
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
</pre>
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 65024]
"POINTER"="point32.exe" [N/A]
"Matrox PowerDesk 8"="c:\windows\System32\PowerDesk8\Matrox.PowerDesk.exe" [2004-06-10 90112]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-12-09 868352]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 163840]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"Malwarebytes' Anti-Malware"="e:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [N/A]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
SmartDeviceMonitor for Client.lnk - c:\program files\RDS\RMClient\PMClient.exe [2009-9-10 495616]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2009-12-16 00:13 15216 ----a-w- c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"EPSON Stylus Photo R2400"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9SA.EXE /FU "c:\windows\TEMP\E_S116.tmp" /EF "HKCU"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"JobHisInit"=c:\program files\RDS\RMClient\JobHisInit.exe
"MplSetUp"=c:\program files\RDS\RMClient\MplSetUp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\System32\NvMcTray.dll,NvTaskbarInit
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"e:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"e:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [1/7/2003 4:01 AM 77056]
R2 MBAMService;MBAMService;e:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/24/2010 9:59 AM 304464]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/21/2010 3:47 PM 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/24/2010 9:59 AM 20952]
R3 MTXPARH;MTXPARH;c:\windows\system32\drivers\MTXPARHM.sys [6/10/2004 3:46 PM 465280]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/14/2009 12:51 PM 23888]
.
Contents of the 'Scheduled Tasks' folder
2010-07-02 c:\windows\Tasks\diskspacecheck.job
- e:\Earl\DiskFreeSpace\DiskSpaceCheck\diskspacecheck.exe [2009-07-15 14:16]
2009-04-17 c:\windows\Tasks\getecf320 Train.job
- d:\dev5\GetECFLogin\Get320\getecf320.exe [2008-05-13 12:40]
2009-04-17 c:\windows\Tasks\getecf320.job
- d:\dev5\GetECFLogin\Get320\getecf320.exe [2008-05-13 12:40]
2010-07-06 c:\windows\Tasks\Internet Explorer.job
- c:\progra~1\INTERN~1\iexplore.exe [2004-05-03 20:09]
2004-09-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2004-05-12 20:31]
2010-07-06 c:\windows\Tasks\User_Feed_Synchronization-{72469434-CA1D-442C-A963-92B52CFDD63A}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/MyHomePage.htm
mSearch Bar = hxxp://www.google.com/
uSearchAssistant = about:blank
uSearchURL,(Default) = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: uscourts.gov
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-06 16:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1234729769-739792919-2267824289-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-1234729769-739792919-2267824289-1005\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-1234729769-739792919-2267824289-1005)
@Allowed: (Read) (S-1-5-21-1234729769-739792919-2267824289-1005)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1172)
c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll
- - - - - - - > 'explorer.exe'(3928)
c:\windows\system32\WININET.dll
c:\windows\System32\PowerDesk8\Matrox.PowerDesk.Hooks.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\SYSTEM32\GEARSEC.EXE
c:\program files\Expertcity\GoToMyPC\g2svc.exe
c:\program files\Expertcity\GoToMyPC\g2comm.exe
c:\program files\Expertcity\GoToMyPC\g2pre.exe
c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
e:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Expertcity\GoToMyPC\g2tray.exe
c:\windows\system32\wscntfy.exe
e:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Microsoft Hardware\Mouse\point32.exe
c:\windows\System32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
c:\program files\RDS\RMClient\PMCTray.exe
c:\program files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
.
**************************************************************************
.
Completion time: 2010-07-06 16:47:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-06 21:47
ComboFix2.txt 2010-07-06 18:17
Pre-Run: 4,622,880,768 bytes free
Post-Run: 4,634,267,648 bytes free
- - End Of File - - 6CCCEDB750813412EC0C9144FEB86EC4
-
Open Notepad and copy and paste the text in the code box below into it:
.....
Save the file to your desktop and name it CFScript.txt
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.
Based on your prior instructions, my ComboFix is named Combo-Fix.exe.
When I dragged and dropped the CFScript.txt onto Combo-Fix.exe, a message said a new version was available and asked me if I wanted to update. To be safe I answered NO.
I am rebooting then will download ComboFix from your BC site and drop the script on it.
-
Per your instructions, the ComboFix log, also attached:
ComboFix 10-07-06.01 - Earl 07/06/2010 12:42:03.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1435 [GMT -5:00]
Running from: c:\documents and settings\Earl\Desktop\Combo-Fix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\setup.exe
c:\windows\patch.exe
c:\windows\system32\gotomon.log
c:\windows\xpsp1hfm.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_FILEMON
-------\Service_FILEMON
((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))
.
2010-06-25 20:14 . 2010-06-25 20:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio
2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\program files\Sonic
2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-06-25 18:11 . 2010-06-25 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2010-06-25 18:10 . 2010-06-25 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-06-25 18:10 . 2010-06-25 18:10 -------- d-----w- c:\program files\DivX
2010-06-24 20:42 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 14:59 . 2010-06-24 14:59 -------- d-----w- c:\documents and settings\Earl\Application Data\Malwarebytes
2010-06-24 14:59 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-24 14:59 . 2010-06-24 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-24 14:59 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-21 20:44 . 2010-06-03 00:59 161920 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-06-21 20:42 . 2009-09-17 23:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2010-06-21 20:42 . 2010-06-21 20:42 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-21 20:42 . 2010-06-21 20:42 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-21 15:29 . 2010-06-21 15:29 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-06-21 15:29 . 2010-06-21 15:29 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-06-16 07:13 . 2010-06-16 07:13 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-06 17:44 . 2002-08-29 12:00 577536 ----a-w- c:\windows\system32\user32.dll
2010-07-01 23:32 . 2004-08-12 21:22 48424 ----a-w- c:\documents and settings\Earl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-01 18:51 . 2004-08-03 20:28 -------- d-----w- c:\documents and settings\Earl\Application Data\AdobeUM
2010-06-25 22:47 . 2004-08-03 20:15 -------- d-----w- c:\documents and settings\Earl\Application Data\Roxio
2010-06-25 18:12 . 2004-07-28 12:05 -------- d-----w- c:\program files\Roxio
2010-06-25 18:12 . 2004-07-28 12:04 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-06-24 20:15 . 2010-06-16 07:06 112 ----a-w- c:\documents and settings\All Users\Application Data\q818282.dat
2010-06-24 18:58 . 2002-08-29 12:00 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-06-21 20:44 . 2004-09-09 14:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-21 20:43 . 2004-08-17 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-21 20:42 . 2010-06-21 20:42 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-21 20:42 . 2010-06-21 20:42 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-21 20:42 . 2004-08-17 13:37 -------- d-----w- c:\program files\Symantec
2010-06-21 20:27 . 2008-01-03 21:57 -------- d-----w- c:\program files\Symantec AntiVirus
2010-06-21 16:50 . 2004-09-30 17:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-21 16:48 . 2004-09-07 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-06 10:41 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:56 . 2002-08-29 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51 . 2002-08-29 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
.
Infected c:\windows\system32\user32.dll hex repaired
c:\program files\Common Files\Roxio Shared\System\EngUtil .exe
c:\program files\Common Files\Symantec Shared\ccApp .exe
c:\program files\RDS\RMClient\JobHisInit .exe
c:\program files\RDS\RMClient\MplSetUp .exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
c:\program files\Symantec AntiVirus\VPTray .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 65024]
"POINTER"="point32.exe" [N/A]
"Matrox PowerDesk 8"="c:\windows\System32\PowerDesk8\Matrox.PowerDesk.exe" [2004-06-10 90112]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [N/A]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 163840]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [N/A]
"Malwarebytes' Anti-Malware"="e:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [N/A]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
SmartDeviceMonitor for Client.lnk - c:\program files\RDS\RMClient\PMClient.exe [2009-9-10 495616]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2009-12-16 00:13 15216 ----a-w- c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"EPSON Stylus Photo R2400"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9SA.EXE /FU "c:\windows\TEMP\E_S116.tmp" /EF "HKCU"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"JobHisInit"=c:\program files\RDS\RMClient\JobHisInit.exe
"MplSetUp"=c:\program files\RDS\RMClient\MplSetUp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\System32\NvMcTray.dll,NvTaskbarInit
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"e:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"e:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [1/7/2003 4:01 AM 77056]
R2 MBAMService;MBAMService;e:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/24/2010 9:59 AM 304464]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/21/2010 3:47 PM 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/24/2010 9:59 AM 20952]
R3 MTXPARH;MTXPARH;c:\windows\system32\drivers\MTXPARHM.sys [6/10/2004 3:46 PM 465280]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/14/2009 12:51 PM 23888]
.
Contents of the 'Scheduled Tasks' folder
2010-07-02 c:\windows\Tasks\diskspacecheck.job
- e:\Earl\DiskFreeSpace\DiskSpaceCheck\diskspacecheck.exe [2009-07-15 14:16]
2009-04-17 c:\windows\Tasks\getecf320 Train.job
- d:\dev5\GetECFLogin\Get320\getecf320.exe [2008-05-13 12:40]
2009-04-17 c:\windows\Tasks\getecf320.job
- d:\dev5\GetECFLogin\Get320\getecf320.exe [2008-05-13 12:40]
2010-07-06 c:\windows\Tasks\Internet Explorer.job
- c:\progra~1\INTERN~1\iexplore.exe [2004-05-03 20:09]
2004-09-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2004-05-12 20:31]
2010-07-06 c:\windows\Tasks\User_Feed_Synchronization-{72469434-CA1D-442C-A963-92B52CFDD63A}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/MyHomePage.htm
mSearch Bar = hxxp://www.google.com/
uSearchAssistant = about:blank
uSearchURL,(Default) = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: uscourts.gov
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
------- File Associations -------
.
.txt=UltraEdit.txt
.
- - - - ORPHANS REMOVED - - - -
ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - g:\eudora\EuShlExt.dll
Notify-NavLogon - (no file)
SafeBoot-klmdb.sys
SafeBoot-Symantec Antvirus
AddRemove-{E2FDE250-942F-11DC-6784-0AD028DD18BE} - e:\clarion.net\Uninst_Clarion.Net
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-06 13:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,5d,05,95,43,50,e2,45,96,e0,5e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,5d,05,95,43,50,e2,45,96,e0,5e,\
[HKEY_USERS\S-1-5-21-1234729769-739792919-2267824289-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-1234729769-739792919-2267824289-1005\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-1234729769-739792919-2267824289-1005)
@Allowed: (Read) (S-1-5-21-1234729769-739792919-2267824289-1005)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1164)
c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll
- - - - - - - > 'explorer.exe'(1060)
c:\windows\system32\WININET.dll
c:\windows\System32\PowerDesk8\Matrox.PowerDesk.Hooks.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\SYSTEM32\GEARSEC.EXE
c:\program files\Expertcity\GoToMyPC\g2svc.exe
c:\program files\Expertcity\GoToMyPC\g2comm.exe
c:\program files\Expertcity\GoToMyPC\g2pre.exe
c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
e:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Expertcity\GoToMyPC\g2tray.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\MsPMSPSv.exe
e:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Microsoft Hardware\Mouse\point32.exe
c:\windows\System32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
c:\program files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
c:\program files\RDS\RMClient\PMCTray.exe
.
**************************************************************************
.
Completion time: 2010-07-06 13:17:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-06 18:17
Pre-Run: 4,211,265,536 bytes free
Post-Run: 4,635,172,864 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - C365D19D8025EB401E743151D7ECE310
-
In your next reply, please include these log(s) in this sequence:
- MalwareBytes' Anti-Malware log
- a new fresh DDS log only
I did as you requested. Zipped Attach.txt attached. Will I be able to reinstall Acrobat 6?
Last week after a Windows Update and Reboot the AppData EXE was no longer running and the TidServ warnings had stopped.
MBAM, which I just ran, found the old files and got rid of them. Before I did that today, it seemed like IE 8 would frequently crash when opening a new tab, and then recover and open it fine.
One other oddity is I no longer see MalwareBytes in my tool tray, just the SEP icon. MBAM ran just fine for doing your tests. Originally after I installed MBAM
Thanks for all the Help!
De Novo
\\\\\\\\\\\\\\\\\\\\\\\\ mbam-log-2010-07-01 (18-57-22).txt \\\\\\\\\\\\\\\\\\\\\\\
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4265
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702
7/1/2010 6:57:22 PM
mbam-log-2010-07-01 (18-57-22).txt
Scan type: Quick scan
Objects scanned: 212210
Time elapsed: 10 minute(s), 32 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\ca.cab (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{833622f9-1720-4071-851a-8a5730c33565} (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a1f2b3fc-1fc0-4562-9e6e-3a66e5c703e9} (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c6a91056-83e0-4c6e-8dcc-43fc0dfe7a0a} (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{c6a91056-83e0-4c6e-8dcc-43fc0dfe7a0a} (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c6a91056-83e0-4c6e-8dcc-43fc0dfe7a0a} (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c6a91056-83e0-4c6e-8dcc-43fc0dfe7a0a} (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ca.cab.1 (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\84jnbN3k.dll (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\3MThKEWF.exe__ (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\3MThKEWF.exe___ (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\3MThKEWF.ex_ (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\84jnbN3k_maybeVirus.dl_ (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
\\ end \\\\\\\\\\\\\\\\\\\\\\ mbam-log-2010-07-01 (18-57-22).txt \\\\\\\\\\\\\\\\\\\\\\\
\\\\\\\\\\\\\\\\\\\\\\\\ DDS.txt \\\\\\\\\\\\\\\\\\\\\\\
DDS (Ver_10-03-17.01) - NTFSx86
Run by Carl at 19:03:55.29 on Thu 07/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1510 [GMT -5:00]
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
E:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
E:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Expertcity\GoToMyPC\g2pre.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
E:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RDS\RMClient\PMCTray.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Documents and Settings\Carl\Desktop\dee-dee-sssABCD.scr
============== Pseudo HJT Report ===============
uStart Page = file:///C:/MyHomePage.htm
uSearch Page = hxxp://www.google.com
uSearch Bar = about:blank
mSearch Bar = hxxp://www.google.com/
uSearchAssistant = about:blank
uSearchURL,(Default) = hxxp://www.google.com/
mSearchAssistant = hxxp://www.google.com/
mCustomizeSearch = hxxp://www.google.com/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IE Developer Toolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
TB: {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: IE Developer Toolbar: {a202b231-ef71-4a08-bdb9-4ce5ae8bde0a} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [soundMan] SOUNDMAN.EXE
mRun: [POINTER] point32.exe
mRun: [Matrox PowerDesk 8] c:\windows\system32\powerdesk8\Matrox.PowerDesk.exe /silent
mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Enterprise
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\sharedcom8\RoxWatchTray.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [Malwarebytes' Anti-Malware] "e:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartd~1.lnk - c:\program files\rds\rmclient\PMClient.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: uscourts.gov
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: GoToMyPC - c:\program files\expertcity\gotomypc\G2WinLogon.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - g:\eudora\EuShlExt.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2003-1-7 77056]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 MBAMService;MBAMService;e:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-6-24 304464]
R2 Symantec AntiVirus;Symantec Endpoint Protection;e:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-21 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-6-24 20952]
R3 MTXPARH;MTXPARH;c:\windows\system32\drivers\MTXPARHM.sys [2004-6-10 465280]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100630.032\NAVENG.SYS [2010-6-30 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100630.032\NAVEX15.SYS [2010-6-30 1347504]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-14 23888]
S3 FILEMON;FILEMON;\??\c:\windows\system32\drivers\filem.sys --> c:\windows\system32\drivers\FILEM.SYS [?]
============== File Associations ===============
.txt=UltraEdit.txt
=============== Created Last 30 ================
2010-06-25 18:12:13 0 d-----w- c:\program files\Sonic
2010-06-25 18:12:06 0 d-----w- c:\program files\common files\Sonic Shared
2010-06-25 18:10:05 0 d-----w- c:\program files\DivX
2010-06-24 20:42:49 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 14:59:56 0 d-----w- c:\docume~1\carl\applic~1\Malwarebytes
2010-06-24 14:59:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-24 14:59:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-24 14:59:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-21 20:44:00 161920 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-06-21 20:42:56 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2010-06-21 20:42:41 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-21 20:42:41 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-21 20:42:41 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-21 20:42:41 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-21 15:29:42 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-06-21 15:29:40 0 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-06-16 21:05:17 58368 ----a-w- c:\windows\system32\mkfheogm_maybeVirus.dl_
2010-06-16 07:06:47 112 ----a-w- c:\docume~1\alluse~1\applic~1\q818282.dat
==================== Find3M ====================
2010-06-24 18:58:26 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-06-15 15:45:08 577536 ----a-w- c:\windows\system32\user32.DLL
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-06 14:14:22 51787 ----a-w- c:\windows\fonts\AdobeFnt07.lst
============= FINISH: 19:04:39.17 ===============
\\ end \\\\\\\\\\\\\\\\\\\\\\ DDS.txt \\\\\\\\\\\\\\\\\\\\\\\
-
Hello de_novo! Welcome to Malwarebytes' Anti-Malware Forums!
Please, uninstall the following applications:
- Adobe Acrobat 6.0 Standard
I see you are running Teatimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
I'm working on it... might not have it done until 7/5 due to the holiday.
Will I be able to reinstall Acrobat 6?
-
On return from vacation I noticed my machine was popping up web pages in IE and playing audio I didn't play. A web search showed it was TidServ. Attempts to fix it have not worked.
I uninstalled old Symantec and installed newest Symantec Endpoint Protection (SEP), updated and scanned.
It did not find much; it says it quarantined Cooper.Mine, a Trojan.Gen.
Now I started getting messages about blocking "tidserv request ...".
I noticed 3MThKEWF.EXE running in "C:\Doc & Setting\All Users\Application Data"
It was dated about the midpoint of my vacation, 6/16 at 2am, I think.
Renaming that caused it to just reappear.
I installed MalwareBytes free, registered Pro, updated and ran a complete scan.
The log is below (at bottom). It found Trojan.Downloader File Adware.ISTBar Spyware.Agent.H Disabled.SecurityCenter
Now MalWB generates the warning popups about blocked access instead of SEP warnings. So I think I'm not fixed.
On a fresh reboot, opening the Symantec Endpoint Protection "View Network Activity" shows net activity by:
3MThKEWF.EXE running in ...\All Users\Application Data
IExplore.exe, but I did not run IExplore.exe and TaskMan shows the owner is SYSTEM.
ntoskrnl.exe shows activity
If I block all access by 3MThKEWF.EXE and IExplore.exe, I still get popups about blocked activity. Some sound files play here too.
I ran TDSSKiller.exe. It found Drivers\PCI.Sys, said it fixed it and told me to reboot. So I did. I ran it again and it found no problems. Log below.
I'm not fixed.
3MThKEWF.EXE continues to exist and is running. Also IExplore for the SYSTEM user.
MalWBytes still gives blocked messages.
I hear some sound files play; they seem to get cut off.
If I open IE (and unblock it in SEP), I think I see it show some pages.
Things have improved, I can get to WindowsUpdate.Microsoft.com in IE.
I have Easy CD & DVD Creator 6 asking me to insert the CD to install a feature, not sure why.
On reboot I ran GMER with IAT/EAT unchecked, log below.
I ran DDS, log below. I attached the Attach.txt zipped.
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ == DDS === \/\/\/\/\/\/\/\/\/\/\/\/
DDS (Ver_10-03-17.01) - NTFSx86
Run by Carl at 18:34:38.42 on Thu 06/24/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1150 [GMT -5:00]
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
E:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
E:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
E:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\Documents and Settings\All Users\Application Data\3MThKEWF.exe
E:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Carl\Desktop\dee-dee-sssABCD.scr
============== Pseudo HJT Report ===============
uStart Page = file:///C:/MyHomePage.htm
uSearch Page = hxxp://www.google.com
uSearch Bar = about:blank
mSearch Bar = hxxp://www.google.com/
uSearchAssistant = about:blank
uSearchURL,(Default) = hxxp://www.google.com/
mSearchAssistant = hxxp://www.google.com/
mCustomizeSearch = hxxp://www.google.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: CAB Class: {c6a91056-83e0-4c6e-8dcc-43fc0dfe7a0a} - c:\windows\system32\84jnbN3k.dll
BHO: IE Developer Toolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
TB: {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: IE Developer Toolbar: {a202b231-ef71-4a08-bdb9-4ce5ae8bde0a} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [soundMan] SOUNDMAN.EXE
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [POINTER] point32.exe
mRun: [Matrox PowerDesk 8] c:\windows\system32\powerdesk8\Matrox.PowerDesk.exe /silent
mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Enterprise
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Malwarebytes' Anti-Malware] "e:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartd~1.lnk - c:\program files\rds\rmclient\PMClient.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: uscourts.gov
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: GoToMyPC - c:\program files\expertcity\gotomypc\G2WinLogon.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - g:\eudora\EuShlExt.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2003-1-7 77056]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 MBAMService;MBAMService;e:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-6-24 304464]
R2 Symantec AntiVirus;Symantec Endpoint Protection;e:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-21 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-6-24 20952]
R3 MTXPARH;MTXPARH;c:\windows\system32\drivers\MTXPARHM.sys [2004-6-10 465280]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100623.024\NAVENG.SYS [2010-6-23 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100623.024\NAVEX15.SYS [2010-6-23 1347504]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-14 23888]
S3 FILEMON;FILEMON;\??\c:\windows\system32\drivers\filem.sys --> c:\windows\system32\drivers\FILEM.SYS [?]
============== File Associations ===============
.txt=UltraEdit.txt
=============== Created Last 30 ================
2010-06-24 20:15:46 45056 ----a-w- c:\windows\system32\84jnbN3k.dll
2010-06-24 14:59:56 0 d-----w- c:\docume~1\carl\applic~1\Malwarebytes
2010-06-24 14:59:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-24 14:59:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-24 14:59:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-24 12:39:29 70146 ----a-w- c:\docume~1\alluse~1\applic~1\3MThKEWF.exe
2010-06-21 20:44:00 161920 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-06-21 20:42:56 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2010-06-21 20:42:41 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-21 20:42:41 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-21 20:42:41 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-21 20:42:41 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-21 15:29:42 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-06-21 15:29:40 0 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-06-16 21:05:17 58368 ----a-w- c:\windows\system32\mkfheogm_maybeVirus.dl_
2010-06-16 07:06:48 45056 ----a-w- c:\windows\system32\84jnbN3k_maybeVirus.dl_
2010-06-16 07:06:47 112 ----a-w- c:\docume~1\alluse~1\applic~1\q818282.dat
==================== Find3M ====================
2010-06-24 18:58:26 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-06-15 15:45:08 577536 ----a-w- c:\windows\system32\user32.DLL
2010-04-06 14:14:22 51787 ----a-w- c:\windows\fonts\AdobeFnt07.lst
2004-08-03 23:29:08 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
============= FINISH: 18:35:03.39 ===============
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ == GMER === \/\/\/\/\/\/\/\/\/\/\/\/
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-24 18:26:37
Windows 5.1.2600 Service Pack 2
Running: g.mmm-e~r-random.exe; Driver: C:\DOCUME~1\Carl\LOCALS~1\Temp\pxddrpob.sys
---- System - GMER 1.0.15 ----
SSDT 89EFA738 ZwAlertResumeThread
SSDT 89EFA660 ZwAlertThread
SSDT 8A4123E0 ZwAllocateVirtualMemory
SSDT 89FB3680 ZwConnectPort
SSDT 89F79058 ZwCreateMutant
SSDT 8A097B68 ZwCreateThread
SSDT 89EEB8B0 ZwFreeVirtualMemory
SSDT 89EFA9B8 ZwImpersonateAnonymousToken
SSDT 89EFA810 ZwImpersonateThread
SSDT 8A090170 ZwMapViewOfSection
SSDT 89EFAB20 ZwOpenEvent
SSDT 89EFA188 ZwOpenProcessToken
SSDT 89D68280 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xB4ACE880]
SSDT 89EF9F50 ZwResumeThread
SSDT 89EFA3D8 ZwSetContextThread
SSDT 8A404DB8 ZwSetInformationProcess
SSDT 8A4228E8 ZwSetInformationThread
SSDT 89EFABF8 ZwSuspendProcess
SSDT 89EFA588 ZwSuspendThread
SSDT 89EFA0B0 ZwTerminateProcess
SSDT 89EFA4B0 ZwTerminateThread
SSDT 89EFA300 ZwUnmapViewOfSection
SSDT 89DA7700 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2558 80501448 4 Bytes CALL BE9AC8F9
init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xB9C29900]
---- Devices - GMER 1.0.15 ----
Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs A78BF400
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\SoftwareDistribution\Download\dacaa269b99f2225391948b21cc85d90\WindowsXP-KB979559-x86-express-ENU.cab 262580 bytes
File C:\WINDOWS\KB979559.log 4756 bytes
File C:\WINDOWS\KB980218.log 4210 bytes
---- EOF - GMER 1.0.15 ----
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ == TDSSKiller === \/\/\/\/\/\/\/\/\/\/\/\/
13:55:38:937 6048 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
13:55:38:937 6048 ================================================================================
13:55:38:937 6048 SystemInfo:
13:55:38:937 6048 OS Version: 5.1.2600 ServicePack: 2.0
13:55:38:937 6048 Product type: Workstation
13:55:38:937 6048 ComputerName: xxxx
13:55:38:937 6048 UserName: xxx
13:55:38:937 6048 Windows directory: C:\WINDOWS
13:55:38:937 6048 Processor architecture: Intel x86
13:55:38:937 6048 Number of processors: 1
13:55:38:937 6048 Page size: 0x1000
13:55:38:937 6048 Boot type: Normal boot
13:55:38:937 6048 ================================================================================
13:55:39:203 6048 Initialize success
13:55:39:203 6048
13:55:39:203 6048 Scanning Services ...
13:55:39:250 6048 Raw services enum returned 345 services
13:55:39:250 6048
13:55:39:250 6048 Scanning Drivers ...
13:55:45:781 6048 PCI (18d9b9f58f233004377b9afc74f8742f) C:\WINDOWS\system32\DRIVERS\pci.sys
13:55:45:781 6048 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pci.sys. Real md5: 18d9b9f58f233004377b9afc74f8742f, Fake md5: 8086d9979234b603ad5bc2f5d890b234
13:55:45:781 6048 File "C:\WINDOWS\system32\DRIVERS\pci.sys" infected by TDSS rootkit ... 13:55:46:125 6048 Backup copy found, using it..
13:55:46:156 6048 will be cured on next reboot
13:55:50:265 6048 Reboot required for cure complete..
13:55:50:281 6048 Cure on reboot scheduled successfully
13:55:50:281 6048
13:55:50:281 6048 Completed
13:55:50:281 6048
13:55:50:281 6048 Results:
13:55:50:281 6048 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
13:55:50:281 6048 File objects infected / cured / cured on reboot: 1 / 0 / 1
13:55:50:281 6048
13:55:50:281 6048 KLMD(ARK) unloaded successfully
Rebooted and ran TDSSKiller again; nothing was found:
14:01:56:453 2128 Completed
14:01:56:453 2128
14:01:56:453 2128 Results:
14:01:56:453 2128 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:01:56:453 2128 File objects infected / cured / cured on reboot: 0 / 0 / 0
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ == MBAM Log === \/\/\/\/\/\/\/\/\/\/\/\/
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4233
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702
6/24/2010 12:44:30 PM
mbam-log-2010-06-24 (12-44-30).txt
Scan type: Full scan (C:\|D:\|E:\|G:\|)
Objects scanned: 665160
Time elapsed: 2 hour(s), 31 minute(s), 1 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{10e42047-deb9-4535-a118-b3f6ec39b807} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\appintt_dlls (Spyware.Agent.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\radmin\admdll.dll (PUP.RemoteAdmin) -> Not selected for removal.
C:\Program Files\radmin\raddrv.dll (PUP.RemoteAdmin) -> Not selected for removal.
C:\System Volume Information\_restore{C61C1574-B964-4E80-A3AB-04657FD7B0AF}\RP2079\A0212591.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\admdll.dll (PUP.RemoteAdmin) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\raddrv.dll (PUP.RemoteAdmin) -> Quarantined and deleted successfully.
TidServ Blocked gone, but MBAM warns of blocked
When I reboot I do get an error:
---------------------------
ccApp.exe - Unable To Locate Component
---------------------------
This application has failed to start because ccL40.dll was not found. Re-installing the application may fix this problem.
---------------------------
OK
---------------------------