
I've recently got a virus on my computer that caused constant popups and such, but Malwarebytes was able to get rid of most of the most troubling problems; but something's still in my system that won't go away.

Whenever I scan my computer, Rootkit.Trace and Trojan.Agent keep showing up, and when I restart my computer after the scan, they continue to reside in my computer.

And I believe this is related, since it's been happening since the day I got the virus: every few hours or so, and every time I start my computer up, Norton alerts me that it's unable to remove Trojan.Metajuan.

On top of that, I'm getting error popups from Google Installer.

So basically, my symptoms are:

  • Constant Norton alerts of a failure to remove Trojan.Metajuan
  • Google Installer errors
  • Google links leading to popups
  • Trojan.Agent + Rootkit.Trace showing up on Malwarebytes after every scan
  • Computer freezing a few times a day
  • Computer's been a lot slower than it used to be

And also, I changed Malwarebytes' name to winlogon.exe so it'll be runnable, if it helps.

Here's my Malwarebytes Log:

Malwarebytes' Anti-Malware 1.39

Database version: 2573

Windows 5.1.2600 Service Pack 3

8/7/2009 1:29:39 AM

mbam-log-2009-08-07 (01-29-39).txt

Scan type: Quick Scan

Objects scanned: 91918

Time elapsed: 4 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

And HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 01:25:33, on 8/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.21073)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\DOCUMENTS AND SETTINGS\DAN\DESKTOP\NEW FOLDER\a2service.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Linksys\WUSB300N\WLService.exe

C:\Program Files\Linksys\WUSB300N\WUSB300N.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Common Files\AOL\1236714453\ee\AOLSoftware.exe

C:\Program Files\Roxio Creator 2009\5.0\CPMonitor.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\LimeWire\LimeWire.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Malwarebytes' Anti-Malware\winlogon.exe.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1236714453\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe"

O4 - HKLM\..\Run: [CPMonitor] "C:\Program Files\Roxio Creator 2009\5.0\CPMonitor.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Dan\Application Data\mjusbsp\cdloader2.exe" MAGICJACK

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKUS\S-1-5-19\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')

O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4D0A481A-7155-498C-84D8-9CB84DEA237E} (DVROcxEx Control) - http://69.136.66.28:227/DVROcxEx.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\DOCUMENTS AND SETTINGS\DAN\DESKTOP\NEW FOLDER\a2service.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Update Service (gupdate1ca15fcb186a094) (gupdate1ca15fcb186a094) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe

O23 - Service: Roxio UPnP Renderer 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe

O23 - Service: Roxio Upnp Server 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009\Digital Home 11\RoxioUpnpService11.exe

O23 - Service: LiveShare P2P Server 11 (RoxLiveShare11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe

O23 - Service: RoxMediaDB11 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe

O23 - Service: Roxio Hard Drive Watcher 11 (RoxWatch11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe

O23 - Service: WUSB300NSvc - Unknown owner - C:\Program Files\Linksys\WUSB300N\WLService.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--

End of file - 9388 bytes

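The two logs above are read by hand in this thread, but the things a responder looks for in them are mechanical enough to script. The following is an added example (not part of the original post, and not a Malwarebytes or HijackThis tool): a small triage pass over log lines in the HijackThis and ComboFix formats that flags the indicators visible in this thread: system32 files named `UAC` plus ten random letters (and the `uacinit.dll` loader), a ComboFix service entry whose driver file is missing (`--> ... [?]`), an ActiveX (O16 DPF) download from a raw IP and port, a service running from a user-profile path, a service with `Unknown owner`, and a process that carries a core Windows name (or a doubled `.exe.exe`) outside `\WINDOWS\system32`, which is what the renamed Malwarebytes binary looks like. The sample lines, rule names and severity labels are constructed for the example and modelled on the logs posted here.

```python
"""Triage HijackThis / ComboFix log lines for the indicators seen in this thread.

Added example, not from the original post. The rules are heuristics a responder
applies by eye; the severities are the author's own labels, not a vendor scale.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample: a handful of lines modelled on the logs posted in the thread.
SAMPLE_LINES = """\
C:\\WINDOWS\\system32\\winlogon.exe
C:\\Program Files\\Malwarebytes' Anti-Malware\\winlogon.exe.exe
O16 - DPF: {4D0A481A-7155-498C-84D8-9CB84DEA237E} (DVROcxEx Control) - http://69.136.66.28:227/DVROcxEx.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\\DOCUMENTS AND SETTINGS\\DAN\\DESKTOP\\NEW FOLDER\\a2service.exe
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
c:\\windows\\system32\\drivers\\UACmsqtqskwpb.sys
c:\\windows\\system32\\uacinit.dll
S2 wjysofqm;wjysofqm;c:\\windows\\system32\\drivers\\zdtjfvx.sys --> c:\\windows\\system32\\drivers\\zdtjfvx.sys [?]
R2 WUSB300NSvc;WUSB300NSvc;c:\\program files\\Linksys\\WUSB300N\\WLService.exe [6/27/2009 5:51 PM 53307]
"""

# Core Windows binaries whose names malware borrows (and which, in this thread,
# the poster borrowed for Malwarebytes) -- only expected under \WINDOWS\system32.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe", "smss.exe", "csrss.exe"}

# "UAC" + 10 random lowercase letters, or the uacinit.dll loader, in system32:
# the naming pattern of the files ComboFix removed later in this thread.
UAC_FILE = re.compile(r"\\system32\\(?:drivers\\)?(uac[a-z]{10}\.(?:sys|dll|dat|db)|uacinit\.dll)$", re.I)
# ComboFix service line "<start> <name>;<display>;<path> --> <path> [?]": the service
# is still registered but its driver file is gone (or hidden from the scanner).
CF_SERVICE = re.compile(r"^[RS][0-3]\s+([^;]+);[^;]*;(\S+)\s+-->\s+\S+\s+\[\?\]$")
O16_DPF = re.compile(r"^O16 - DPF: .* - (\S+://\S+)$")
O23_SVC = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
USER_PROFILE = re.compile(r"\\documents and settings\\", re.I)


def _is_raw_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line):
    """Return (severity, reason) for one log line, or None if nothing stands out."""
    line = line.rstrip()
    if not line:
        return None
    if UAC_FILE.search(line):
        return ("high", "UAC rootkit file-name pattern in system32: " + line.rsplit("\\", 1)[-1])
    m = CF_SERVICE.match(line)
    if m:
        return ("high", "service %s registered for a missing driver %s" % (m.group(1), m.group(2)))
    m = O16_DPF.match(line)
    if m:
        u = urlsplit(m.group(1))
        if _is_raw_ip(u.hostname or ""):
            return ("medium", "ActiveX (DPF) download from raw IP %s:%s" % (u.hostname, u.port))
    m = O23_SVC.match(line)
    if m:
        if USER_PROFILE.search(m.group(3)):
            return ("medium", "service %r runs from a user-profile path" % m.group(1))
        if m.group(2) == "Unknown owner":
            return ("low", "service %r has no company in its file version info" % m.group(1))
    base = line.rsplit("\\", 1)[-1].lower()
    # A process named like a core Windows binary but living outside \WINDOWS\system32,
    # or a doubled .exe.exe (an executable renamed with its old extension kept).
    in_system32 = re.search(r"\\windows\\system32\\" + re.escape(base) + "$", line, re.I)
    if "\\" in line and (base.endswith(".exe.exe") or (base in SYSTEM_NAMES and not in_system32)):
        return ("low", "system-process name outside system32 or doubled extension: " + base)
    return None


def triage(text):
    """Run triage_line over a whole log; return (severity, reason, source line) per hit."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings


if __name__ == "__main__":
    for sev, why, src in triage(SAMPLE_LINES):
        print("[%s] %s\n    %s" % (sev.upper(), why, src))
```

Run on a real log, the `high` findings are the ones that matter for the symptoms described in the post: the `UAC*` names are the rootkit's own files, and a service that points at a driver file the scanner cannot see is a sign that something is still loading at boot and surviving the Malwarebytes quarantine. The `low` findings are there to be checked by hand, not acted on: a service with no company string is often just an old vendor driver.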

  • Staff

Hi,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:
    (screenshots: CF_download_FF.gif, CF_download_rename.gif)
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."


Thanks for the reply, miekiemoes.

Here's my combofix log:

ComboFix 09-08-06.01 - Dan 08/07/2009 12:34.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1629 [GMT -4:00]

Running from: c:\documents and settings\Dan\Desktop\Combo-Fix.exe

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\Dan\APPLIC~1\inst.exe

c:\program files\Antispyware

c:\program files\Antispyware\Antispyware.url

c:\program files\Antispyware\DataBase.ref

c:\program files\Antispyware\vistaCPtasks.xml

C:\test.txt

c:\windows\Installer\caf39a7.msp

c:\windows\Installer\caf39a9.msp

c:\windows\system32\404Fix.exe

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\drivers\UACmsqtqskwpb.sys

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\o4Patch.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\UACaistsmlwbl.db

c:\windows\system32\uacinit.dll

c:\windows\system32\UACjoeerdbfch.dat

c:\windows\system32\UACledplfxoyi.dll

c:\windows\system32\UACpktarrvxew.dll

c:\windows\system32\UACqibeklnbgr.dll

c:\windows\system32\UACtoligappot.dll

c:\windows\system32\UACvvrdomujhi.dll

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\WS2Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

-------\Legacy_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-07-07 to 2009-08-07 )))))))))))))))))))))))))))))))

.

2009-08-07 06:26 . 2009-08-07 06:26 -------- d-----w- C:\381af0e9803ba69753

2009-08-07 06:25 . 2009-08-07 15:55 -------- d-----w- c:\windows\SxsCaPendDel

2009-08-07 04:55 . 2009-08-07 04:55 -------- d-----w- c:\program files\Trend Micro

2009-08-05 23:10 . 2009-08-05 23:10 -------- d-----w- c:\program files\Haali

2009-08-05 22:21 . 2009-08-06 18:27 -------- d-----w- C:\ConverterOutput

2009-08-05 22:21 . 2009-02-26 20:34 94650 ----a-w- c:\windows\system32\HKCU_GNU.reg

2009-08-05 22:21 . 2009-02-26 20:34 2004 ----a-w- c:\windows\system32\HKLM_GNU.reg

2009-08-05 22:21 . 2008-12-18 05:22 57344 ----a-w- c:\windows\system32\ff_vfw.dll

2009-08-05 22:21 . 2008-06-15 14:01 60273 ----a-w- c:\windows\system32\pthreadGC2.dll

2009-08-05 22:21 . 2008-02-04 01:26 364544 ----a-w- c:\windows\system32\cdg.dll

2009-08-05 22:21 . 2006-09-27 21:46 348160 ----a-w- c:\windows\system32\cdga.dll

2009-08-05 22:21 . 2006-07-18 01:42 14909 ----a-w- c:\windows\system32\A_reg.reg

2009-08-05 22:21 . 2009-08-05 22:21 -------- d-----w- c:\program files\Cucusoft

2009-08-05 22:00 . 2009-08-05 22:00 -------- d-----w- c:\program files\WinSCP

2009-08-05 21:42 . 2009-08-05 21:42 -------- d-----w- c:\program files\4Media

2009-08-05 21:36 . 2009-08-06 18:46 -------- d-----w- c:\docume~1\Dan\APPLIC~1\vlc

2009-08-05 21:35 . 2009-08-05 21:35 -------- d-----w- c:\program files\VideoLAN

2009-08-05 19:03 . 2009-08-05 19:03 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Temp

2009-08-05 19:03 . 2009-08-05 19:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2009-08-05 18:47 . 2009-08-05 18:47 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Real

2009-08-05 18:46 . 2009-08-05 18:46 -------- d-----w- c:\program files\Common Files\xing shared

2009-08-05 18:46 . 2009-08-05 18:46 -------- d-----w- c:\program files\Real

2009-08-05 18:44 . 2009-08-05 18:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2009-08-02 06:32 . 2009-08-02 06:33 -------- d-----w- c:\docume~1\Dan\APPLIC~1\Antispyware

2009-08-02 02:35 . 2009-08-02 02:35 -------- d-----w- c:\docume~1\Dan\APPLIC~1\Malwarebytes

2009-08-02 02:29 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-02 02:24 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-02 02:24 . 2009-08-02 02:24 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes

2009-08-01 23:38 . 2009-08-01 23:38 -------- d-----w- c:\documents and settings\Dan\DoctorWeb

2009-08-01 21:31 . 2009-08-07 04:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-01 20:44 . 2009-08-01 20:44 -------- d-----r- c:\program files\Norton Support

2009-08-01 20:44 . 2009-08-01 20:44 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Symantec

2009-08-01 20:31 . 2009-08-02 06:52 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\13377654

2009-07-29 15:11 . 2009-06-29 16:23 17408 -c----w- c:\windows\system32\dllcache\corpol.dll

2009-07-22 05:51 . 2009-07-22 05:51 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Yahoo

2009-07-22 05:50 . 2009-07-22 17:52 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Yahoo! Companion

2009-07-22 05:49 . 2009-07-22 05:51 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Yahoo!

2009-07-15 18:32 . 2009-06-16 14:36 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll

2009-07-15 18:32 . 2009-06-16 14:36 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

2009-07-11 07:03 . 2009-07-15 01:23 -------- d-----w- c:\program files\AutoHotkey

2009-07-10 20:40 . 2009-07-10 22:50 -------- d-----w- c:\docume~1\Dan\APPLIC~1\Audacity

2009-07-08 19:14 . 2009-07-08 19:14 -------- d-----w- c:\program files\DivX

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-07 16:33 . 2009-03-10 20:31 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Sonic

2009-08-07 16:30 . 2009-06-13 03:27 -------- d-----w- c:\docume~1\Dan\APPLIC~1\LimeWire

2009-08-05 18:47 . 2009-04-03 21:29 -------- d-----w- c:\program files\Common Files\Real

2009-08-05 18:44 . 2009-03-10 19:16 -------- d-----w- c:\program files\Google

2009-08-01 21:03 . 2009-08-01 21:07 170818 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat

2009-07-22 05:51 . 2009-04-03 21:29 -------- d-----w- c:\program files\Yahoo!

2009-07-18 04:28 . 2009-05-01 02:54 -------- d-----w- c:\docume~1\Dan\APPLIC~1\Azureus

2009-07-17 01:59 . 2009-03-10 19:21 41264 ----a-w- c:\documents and settings\Dan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-14 04:31 . 2009-07-17 01:16 28932 ----a-w- c:\windows\Fonts\Rmnce_fatal_Srif.ttf

2009-07-11 03:49 . 2009-03-10 20:01 -------- d-----w- c:\docume~1\Dan\APPLIC~1\Vso

2009-06-29 16:23 . 2007-06-24 07:40 828928 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:23 . 2007-06-24 07:41 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:23 . 2007-06-24 07:41 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-27 21:51 . 2009-06-27 21:51 -------- d-----w- c:\program files\Linksys

2009-06-25 15:17 . 2009-03-10 19:30 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-06-25 04:56 . 2009-06-25 04:56 -------- d-----w- c:\program files\MixMeister BPM Analyzer

2009-06-24 18:37 . 2009-06-24 18:38 20044 ----a-w- c:\windows\Fonts\YolksEmoticons.otf

2009-06-24 00:40 . 2009-06-24 00:40 -------- d-----w- c:\docume~1\Dan\APPLIC~1\WindSolutions

2009-06-23 03:46 . 2009-06-23 03:45 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PMB Files

2009-06-23 03:45 . 2009-06-23 03:45 -------- d-----w- c:\program files\Pando Networks

2009-06-19 18:59 . 2009-06-19 18:59 -------- d-----w- c:\program files\iTunes

2009-06-19 18:59 . 2009-06-19 18:59 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-06-19 18:59 . 2009-06-19 18:59 -------- d-----w- c:\program files\iPod

2009-06-19 18:59 . 2009-03-10 20:43 -------- d-----w- c:\program files\Common Files\Apple

2009-06-19 18:58 . 2009-03-10 20:14 -------- d-----w- c:\program files\Bonjour

2009-06-19 18:57 . 2009-06-19 18:57 -------- d-----w- c:\program files\QuickTime

2009-06-19 18:55 . 2009-03-10 20:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple

2009-06-16 14:36 . 2007-06-24 07:40 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2007-06-24 07:38 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-13 20:02 . 2009-03-10 20:45 -------- d-----w- c:\docume~1\Dan\APPLIC~1\Apple Computer

2009-06-13 03:26 . 2009-06-13 03:25 -------- d-----w- c:\program files\LimeWire

2009-06-13 03:25 . 2009-06-13 03:26 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-06-13 03:25 . 2009-06-13 03:25 -------- d-----w- c:\program files\Java

2009-06-12 17:01 . 2009-07-17 01:16 34156 ----a-w- c:\windows\Fonts\CaviarDreams_Bold.ttf

2009-06-12 17:01 . 2009-07-17 01:16 35124 ----a-w- c:\windows\Fonts\CaviarDreams.ttf

2009-06-12 07:01 . 2009-03-10 19:55 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help

2009-06-12 02:06 . 2009-03-12 03:42 -------- d-----w- c:\docume~1\Dan\APPLIC~1\Roxio

2009-06-05 15:42 . 2009-06-19 18:55 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-06-05 15:42 . 2009-03-10 20:43 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-06-03 19:09 . 2007-06-24 07:39 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-05-23 03:13 . 2009-05-23 03:13 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-05-23 03:13 . 2009-05-23 03:13 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-05-23 03:13 . 2009-05-23 03:14 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-10 39408]

"cdloader"="c:\documents and settings\Dan\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

"HostManager"="c:\program files\Common Files\AOL\1236714453\ee\AOLSoftware.exe" [2008-11-06 41264]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe" [2008-08-14 240112]

"CPMonitor"="c:\program files\Roxio Creator 2009\5.0\CPMonitor.exe" [2008-08-10 80368]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-13 136600]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-05 198160]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-27 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"ShowDeskFix"="shell32" [X]

c:\documents and settings\Dan\Start Menu\Programs\Startup\

LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-5-22 139776]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"="0x00000000"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\aol\\1236714453\\ee\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.5\\waol.exe"=

"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

"c:\\Documents and Settings\\Dan\\Application Data\\mjusbsp\\magicJack.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Documents and Settings\\Dan\\My Documents\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Documents and Settings\\Dan\\My Documents\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58683:TCP"= 58683:TCP:Pando Media Booster

"58683:UDP"= 58683:UDP:Pando Media Booster

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [5/22/2009 11:13 PM 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [5/22/2009 11:13 PM 258608]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [5/22/2009 11:13 PM 482352]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSXpx86.sys [7/30/2009 7:48 PM 276344]

R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [5/22/2009 11:13 PM 115560]

R2 WUSB300NSvc;WUSB300NSvc;c:\program files\Linksys\WUSB300N\WLService.exe [6/27/2009 5:51 PM 53307]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/22/2009 11:13 PM 101936]

S2 gupdate1ca15fcb186a094;Google Update Service (gupdate1ca15fcb186a094);c:\program files\Google\Update\GoogleUpdate.exe [8/5/2009 2:43 PM 133104]

S2 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUpnpService11.exe [8/14/2008 12:25 AM 367088]

S2 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe [8/14/2008 12:24 AM 309744]

S2 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe [8/14/2008 12:24 AM 170480]

S2 wjysofqm;wjysofqm;c:\windows\system32\drivers\zdtjfvx.sys --> c:\windows\system32\drivers\zdtjfvx.sys [?]

S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [8/14/2008 12:25 AM 313840]

S3 RoxMediaDB11;RoxMediaDB11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [8/14/2008 12:23 AM 1124848]

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

DPF: {4D0A481A-7155-498C-84D8-9CB84DEA237E} - hxxp://69.136.66.28:227/DVROcxEx.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-07 12:40

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"

.

Completion time: 2009-08-07 12:42

ComboFix-quarantined-files.txt 2009-08-07 16:42

Pre-Run: 90,116,673,536 bytes free

Post-Run: 90,705,436,672 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

232 --- E O F --- 2009-08-07 06:30

And the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:44:15, on 8/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.21073)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\DOCUMENTS AND SETTINGS\DAN\DESKTOP\NEW FOLDER\a2service.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Linksys\WUSB300N\WLService.exe

C:\Program Files\Linksys\WUSB300N\WUSB300N.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1236714453\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe"

O4 - HKLM\..\Run: [CPMonitor] "C:\Program Files\Roxio Creator 2009\5.0\CPMonitor.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Dan\Application Data\mjusbsp\cdloader2.exe" MAGICJACK

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')

O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4D0A481A-7155-498C-84D8-9CB84DEA237E} (DVROcxEx Control) - http://69.136.66.28:227/DVROcxEx.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\DOCUMENTS AND SETTINGS\DAN\DESKTOP\NEW FOLDER\a2service.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Update Service (gupdate1ca15fcb186a094) (gupdate1ca15fcb186a094) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe

O23 - Service: Roxio UPnP Renderer 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe

O23 - Service: Roxio Upnp Server 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009\Digital Home 11\RoxioUpnpService11.exe

O23 - Service: LiveShare P2P Server 11 (RoxLiveShare11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe

O23 - Service: RoxMediaDB11 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe

O23 - Service: Roxio Hard Drive Watcher 11 (RoxWatch11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe

O23 - Service: WUSB300NSvc - Unknown owner - C:\Program Files\Linksys\WUSB300N\WLService.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--

End of file - 8830 bytes


  • Staff

Hi,

You were dealing with a rootkit that was locking mbam detection for it. The next version of mbam will be able to deal with it :)

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


It's been working very well since I followed your instructions; for almost 6 hours. But when I closed two of my Internet Explorer windows and opened a new one, Norton's alert for the Metajuan trojan popped up, and at the same time, when I was opening LimeWire, my taskbar froze for a bit with my start menu up. This may be because I had too many things going on with my computer though (had a game up, a new Internet Explorer window opening up, and LimeWire opening up).

Well, for the most part everything seems to be fine; my latest Malwarebytes quick scan didn't find anything, and the only thing that seems to be out of place is the Norton alerts. Anyway, thanks a lot for the help, miekiemoes, you've helped me a lot. =P I'll let you know how everything goes as the day goes on.


  • Staff

Hi,

Can you tell me what file Norton alerts on? What file, and in what folder is it present?

Do you let Norton delete it?

When do you get that alert? Because from what I understand here, you get it when you open LimeWire?

Most probably you got infected via LimeWire as well, because after all, you never know what you download. It could be a file in your "completed" or "incompleted" folder (shared folder) which is infected.

Also, I do not recommend having LimeWire start up with Windows anyway, so I suggest you disable its startup via msconfig.


Sorry for the late reply, been too busy to stay on long enough to type this out. =]

Here's a picture of the alert.

nortong.jpg

And no; over the past few days, from what I observed, it pops up whenever I start my computer up. And it pops up at random after that, about every few hours or so. For the most part, things have been okay with my computer thanks to your help. The only symptom I've seen so far is my computer freezing (then unfreezing after a minute or two, but sometimes only the taskbar freezes).

And I think when I don't have an internet connection, it kind of seems to cease to exist (something I observed during my fight with the trojan), if that helps.

I haven't run a Malwarebytes scan in a while; I'm gonna do one now. =P


  • Staff

Hi,

Can't you generate a logfile showing where Norton is detecting this file? Because I can't do anything with the above info if I don't know where it is detected. All it says is that it detected this infection.

Also, please redownload and rerun Combofix again; this is to make sure nothing jumped in again while you were using LimeWire. After all, p2p programs are always a risk and a main cause of an infected computer.


Here's the new Combofix log; and when my Norton finishes scanning, I'll post a pic of the info/location/etc. of the trojan. =]

ComboFix 09-08-10.06 - Dan 08/13/2009 0:27.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1309 [GMT -4:00]

Running from: c:\documents and settings\Dan\Desktop\abc.exe

AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\test.txt

.

((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))

.

2009-08-13 01:13 . 2004-08-03 23:56 221184 ----a-w- c:\windows\system32\wmpns.dll

2009-08-13 00:20 . 2009-08-13 04:17 -------- d-----w- c:\documents and settings\Dan\Tracing

2009-08-13 00:16 . 2009-08-13 00:16 -------- d-----w- c:\program files\Microsoft

2009-08-13 00:16 . 2009-08-13 00:16 -------- d-----w- c:\program files\Windows Live SkyDrive

2009-08-13 00:15 . 2009-08-13 00:16 -------- d-----w- c:\program files\Windows Live

2009-08-13 00:13 . 2009-08-13 00:13 -------- d-----w- c:\program files\Common Files\Windows Live

2009-08-12 23:37 . 2009-07-13 08:00 87888 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090812.008\NAVENG.SYS

2009-08-12 23:37 . 2009-07-13 08:00 875728 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090812.008\NAVEX15.SYS

2009-08-12 23:37 . 2009-05-23 03:13 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090812.008\EECTRL.SYS

2009-08-12 23:37 . 2009-05-23 03:13 101936 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090812.008\ERASER.SYS

2009-08-12 23:37 . 2009-05-23 03:13 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090812.008\NAVENG32.DLL

2009-08-12 23:37 . 2009-05-23 03:13 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090812.008\NAVEX32A.DLL

2009-08-12 23:37 . 2009-05-23 03:13 259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090812.008\ECMSVR32.DLL

2009-08-12 23:37 . 2009-05-23 03:13 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090812.008\CCERASER.DLL

2009-08-12 18:19 . 2009-06-12 12:31 80896 -c----w- c:\windows\system32\dllcache\tlntsess.exe

2009-08-12 18:19 . 2009-06-12 12:31 76288 -c----w- c:\windows\system32\dllcache\telnet.exe

2009-08-12 18:19 . 2009-06-10 06:14 132096 -c----w- c:\windows\system32\dllcache\wkssvc.dll

2009-08-12 18:19 . 2009-06-10 14:13 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll

2009-08-12 18:19 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll

2009-08-12 18:19 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

2009-08-12 18:18 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2009-08-12 05:39 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSXpx86.sys

2009-08-12 05:39 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSvix86.sys

2009-08-12 05:39 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\Scxpx86.dll

2009-08-12 05:39 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSxpx86.dll

2009-08-12 05:39 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSviA64.sys

2009-08-11 04:21 . 2009-08-11 04:21 528088 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-08-11 03:50 . 2009-08-11 04:14 64597 ----a-w- c:\windows\War3Unin.dat

2009-08-11 03:50 . 2009-08-11 03:55 2829 ----a-w- c:\windows\War3Unin.pif

2009-08-11 03:50 . 2009-08-11 03:55 139264 ----a-w- c:\windows\War3Unin.exe

2009-08-11 03:42 . 2009-08-12 22:19 -------- d-----w- c:\program files\Warcraft III

2009-08-11 03:31 . 2007-08-30 12:00 244608 ----a-w- c:\windows\system32\drivers\c2scsi.sys

2009-08-11 03:21 . 2009-08-11 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

2009-08-11 03:21 . 2009-08-11 15:37 -------- d-----w- c:\program files\DAEMON Tools Toolbar

2009-08-11 02:46 . 2009-08-11 02:46 721904 ----a-w- c:\windows\system32\drivers\sptd.sys

2009-08-11 02:46 . 2009-08-11 03:26 -------- d-----w- c:\documents and settings\Dan\Application Data\DAEMON Tools Lite

2009-08-08 16:21 . 2009-08-08 16:21 -------- d-sh--w- C:\found.000

2009-08-07 18:04 . 2009-08-07 18:04 -------- d-s---w- C:\Combo-Fix

2009-08-07 06:26 . 2009-08-07 06:26 -------- d-----w- C:\381af0e9803ba69753

2009-08-07 06:25 . 2009-08-07 15:55 -------- d-----w- c:\windows\SxsCaPendDel

2009-08-07 04:55 . 2009-08-07 04:55 -------- d-----w- c:\program files\Trend Micro

2009-08-07 04:54 . 2009-08-07 04:54 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-08-05 23:10 . 2009-08-05 23:10 -------- d-----w- c:\program files\Haali

2009-08-05 22:21 . 2009-08-12 23:23 -------- d-----w- C:\ConverterOutput

2009-08-05 22:21 . 2009-02-26 20:34 94650 ----a-w- c:\windows\system32\HKCU_GNU.reg

2009-08-05 22:21 . 2009-02-26 20:34 2004 ----a-w- c:\windows\system32\HKLM_GNU.reg

2009-08-05 22:21 . 2008-12-18 05:22 57344 ----a-w- c:\windows\system32\ff_vfw.dll

2009-08-05 22:21 . 2008-06-15 14:01 60273 ----a-w- c:\windows\system32\pthreadGC2.dll

2009-08-05 22:21 . 2008-02-04 01:26 364544 ----a-w- c:\windows\system32\cdg.dll

2009-08-05 22:21 . 2006-09-27 21:46 348160 ----a-w- c:\windows\system32\cdga.dll

2009-08-05 22:21 . 2006-07-18 01:42 14909 ----a-w- c:\windows\system32\A_reg.reg

2009-08-05 22:21 . 2009-08-05 22:21 -------- d-----w- c:\program files\Cucusoft

2009-08-05 21:36 . 2009-08-11 03:22 -------- d-----w- c:\documents and settings\Dan\Application Data\vlc

2009-08-05 21:35 . 2009-08-05 21:35 -------- d-----w- c:\program files\VideoLAN

2009-08-05 19:03 . 2009-08-05 19:03 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Temp

2009-08-05 19:03 . 2009-08-05 19:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2009-08-05 18:47 . 2009-08-05 18:47 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Real

2009-08-05 18:46 . 2009-08-05 18:46 -------- d-----w- c:\program files\Common Files\xing shared

2009-08-05 18:46 . 2009-08-05 18:46 -------- d-----w- c:\program files\Real

2009-08-05 18:44 . 2009-08-05 18:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2009-08-02 06:32 . 2009-08-02 06:33 -------- d-----w- c:\documents and settings\Dan\Application Data\Antispyware

2009-08-02 02:35 . 2009-08-02 02:35 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes

2009-08-02 02:29 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-02 02:24 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-02 02:24 . 2009-08-02 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-01 23:38 . 2009-08-01 23:38 -------- d-----w- c:\documents and settings\Dan\DoctorWeb

2009-08-01 21:31 . 2009-08-07 04:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-01 20:44 . 2009-08-01 20:44 -------- d-----r- c:\program files\Norton Support

2009-08-01 20:44 . 2009-08-01 20:44 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Symantec

2009-08-01 20:31 . 2009-08-02 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\13377654

2009-07-30 23:48 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSXpx86.sys

2009-07-30 23:48 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSvix86.sys

2009-07-30 23:48 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\Scxpx86.dll

2009-07-30 23:48 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSxpx86.dll

2009-07-30 23:48 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSviA64.sys

2009-07-29 15:11 . 2009-06-29 16:23 17408 -c----w- c:\windows\system32\dllcache\corpol.dll

2009-07-22 05:51 . 2009-07-22 05:51 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Yahoo

2009-07-22 05:49 . 2009-08-09 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!

2009-07-15 18:32 . 2009-06-16 14:36 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll

2009-07-15 18:32 . 2009-06-16 14:36 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-13 04:20 . 2009-06-13 03:27 -------- d-----w- c:\documents and settings\Dan\Application Data\LimeWire

2009-08-13 04:16 . 2009-03-10 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic

2009-08-09 14:27 . 2009-04-03 21:29 -------- d-----w- c:\program files\Yahoo!

2009-08-08 21:17 . 2009-03-10 19:21 41264 ----a-w- c:\documents and settings\Dan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-05 18:47 . 2009-04-03 21:29 -------- d-----w- c:\program files\Common Files\Real

2009-08-05 18:44 . 2009-03-10 19:16 -------- d-----w- c:\program files\Google

2009-08-05 09:01 . 2004-08-03 23:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-01 21:03 . 2009-08-01 21:07 170818 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat

2009-07-18 04:28 . 2009-05-01 02:54 -------- d-----w- c:\documents and settings\Dan\Application Data\Azureus

2009-07-17 19:01 . 2004-08-03 23:56 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 04:31 . 2009-07-17 01:16 28932 ----a-w- c:\windows\Fonts\Rmnce_fatal_Srif.ttf

2009-07-14 03:43 . 2007-06-24 07:41 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-11 19:34 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys

2009-07-11 19:34 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys

2009-07-11 19:34 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll

2009-07-11 19:34 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll

2009-07-11 19:34 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys

2009-07-11 03:49 . 2009-03-10 20:01 -------- d-----w- c:\documents and settings\Dan\Application Data\Vso

2009-07-10 22:50 . 2009-07-10 20:40 -------- d-----w- c:\documents and settings\Dan\Application Data\Audacity

2009-07-08 19:14 . 2009-07-08 19:14 -------- d-----w- c:\program files\DivX

2009-06-29 16:23 . 2007-06-24 07:40 828928 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:23 . 2007-06-24 07:41 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:23 . 2007-06-24 07:41 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-27 21:51 . 2009-06-27 21:51 -------- d-----w- c:\program files\Linksys

2009-06-25 15:17 . 2009-03-10 19:30 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-06-24 18:37 . 2009-06-24 18:38 20044 ----a-w- c:\windows\Fonts\YolksEmoticons.otf

2009-06-24 00:40 . 2009-06-24 00:40 -------- d-----w- c:\documents and settings\Dan\Application Data\WindSolutions

2009-06-23 03:46 . 2009-06-23 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files

2009-06-23 03:45 . 2009-06-23 03:45 -------- d-----w- c:\program files\Pando Networks

2009-06-19 18:59 . 2009-06-19 18:59 -------- d-----w- c:\program files\iTunes

2009-06-19 18:59 . 2009-06-19 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-06-19 18:59 . 2009-06-19 18:59 -------- d-----w- c:\program files\iPod

2009-06-19 18:59 . 2009-03-10 20:43 -------- d-----w- c:\program files\Common Files\Apple

2009-06-19 18:58 . 2009-03-10 20:14 -------- d-----w- c:\program files\Bonjour

2009-06-19 18:57 . 2009-06-19 18:57 -------- d-----w- c:\program files\QuickTime

2009-06-19 18:55 . 2009-03-10 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-06-19 18:52 . 2009-06-19 18:52 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

2009-06-16 14:36 . 2007-06-24 07:40 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2007-06-24 07:38 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-13 03:25 . 2009-06-13 03:26 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-06-13 03:25 . 2009-06-13 03:25 152576 ----a-w- c:\documents and settings\Dan\Application Data\Sun\Java\jre1.6.0_11\lzma.dll

2009-06-12 17:01 . 2009-07-17 01:16 34156 ----a-w- c:\windows\Fonts\CaviarDreams_Bold.ttf

2009-06-12 17:01 . 2009-07-17 01:16 35124 ----a-w- c:\windows\Fonts\CaviarDreams.ttf

2009-06-12 12:31 . 2004-08-03 23:56 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2005-05-10 23:51 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:13 . 2004-08-03 23:56 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 13:19 . 2009-03-10 19:53 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 06:14 . 2007-06-24 07:40 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-05 15:42 . 2009-06-19 18:55 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-06-05 15:42 . 2009-03-10 20:43 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-06-03 19:09 . 2007-06-24 07:39 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-05-23 03:13 . 2009-05-23 03:13 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-05-23 03:13 . 2009-05-23 03:13 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-05-23 03:13 . 2009-05-23 03:14 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys

2009-05-23 03:13 . 2009-05-23 03:13 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll

2009-05-23 03:13 . 2009-05-23 03:13 1290592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll

2009-05-23 03:13 . 2009-05-23 03:13 796016 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-10 39408]

"cdloader"="c:\documents and settings\Dan\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

"HostManager"="c:\program files\Common Files\AOL\1236714453\ee\AOLSoftware.exe" [2008-11-06 41264]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe" [2008-08-14 240112]

"CPMonitor"="c:\program files\Roxio Creator 2009\5.0\CPMonitor.exe" [2008-08-10 80368]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-13 136600]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-05 198160]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-27 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"ShowDeskFix"="shell32" [X]

c:\documents and settings\Dan\Start Menu\Programs\Startup\

LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-5-22 139776]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\aol\\1236714453\\ee\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.5\\waol.exe"=

"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

"c:\\Documents and Settings\\Dan\\Application Data\\mjusbsp\\magicJack.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Documents and Settings\\Dan\\My Documents\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Documents and Settings\\Dan\\My Documents\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58683:TCP"= 58683:TCP:Pando Media Booster

"58683:UDP"= 58683:UDP:Pando Media Booster

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [5/22/2009 11:13 PM 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [5/22/2009 11:13 PM 258608]

R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [8/10/2009 11:31 PM 244608]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [5/22/2009 11:13 PM 482352]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSXpx86.sys [8/12/2009 1:39 AM 276344]

R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [5/22/2009 11:13 PM 115560]

R2 WUSB300NSvc;WUSB300NSvc;c:\program files\Linksys\WUSB300N\WLService.exe [6/27/2009 5:51 PM 53307]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/8/2009 12:33 PM 101936]

S2 gupdate1ca15fcb186a094;Google Update Service (gupdate1ca15fcb186a094);c:\program files\Google\Update\GoogleUpdate.exe [8/5/2009 2:43 PM 133104]

S2 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUpnpService11.exe [8/14/2008 12:25 AM 367088]

S2 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe [8/14/2008 12:24 AM 309744]

S2 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe [8/14/2008 12:24 AM 170480]

S2 wjysofqm;wjysofqm;c:\windows\system32\drivers\zdtjfvx.sys --> c:\windows\system32\drivers\zdtjfvx.sys [?]

S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [8/14/2008 12:25 AM 313840]

S3 RoxMediaDB11;RoxMediaDB11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [8/14/2008 12:23 AM 1124848]

.

Contents of the 'Scheduled Tasks' folder

2009-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-05 18:43]

2009-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-05 18:43]

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

DPF: {4D0A481A-7155-498C-84D8-9CB84DEA237E} - hxxp://69.136.66.28:227/DVROcxEx.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-13 00:31

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"

.

Completion time: 2009-08-13 0:33

ComboFix-quarantined-files.txt 2009-08-13 04:33

ComboFix2.txt 2009-08-07 16:42

Pre-Run: 89,994,510,336 bytes free

Post-Run: 90,079,682,560 bytes free

254 --- E O F --- 2009-08-13 01:14


  • Staff

Hmm,

This is strange. Combofix actually already deleted that file as you will see under the "deleted" part in your Combofix log, so not sure why Norton comes up with it again. Combofix doesn't list the presence of this infection anymore.

If this one was still present, you certainly would have noticed it.

Anyway, let's have a look and delete it with a script, because I see there's an orphaned driver to delete as well there.

* Open notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

Rootkit::

c:\windows\system32\UACaistsmlwbl.db

c:\windows\system32\uacinit.dll

c:\windows\system32\UACjoeerdbfch.dat

c:\windows\system32\UACledplfxoyi.dll

c:\windows\system32\UACpktarrvxew.dll

c:\windows\system32\UACqibeklnbgr.dll

c:\windows\system32\UACtoligappot.dll

c:\windows\system32\UACvvrdomujhi.dll

c:\windows\system32\drivers\UACmsqtqskwpb.sys

Driver::

UACd.sys

wjysofqm

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

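The staff reply above spots the orphaned driver from one line of the ComboFix service listing (the `S2 wjysofqm;wjysofqm;...zdtjfvx.sys --> ... [?]` entry, where `[?]` marks an image file that is no longer on disk) and lists the UAC-prefixed files for the script. The following Python triage helper is an added example, not code from this forum, from ComboFix or from its author: it parses lines in ComboFix's `Drivers/Services` format, flags entries whose file is missing or whose service name looks machine-generated, and matches the `UAC` + ten-letter file naming seen in the CFScript. The sample log lines are constructed in that format, modelled on the log above, and the random-name and UAC-name patterns are heuristics of this example, not ComboFix logic, so hits still need an analyst's review.

```python
"""Triage helper for ComboFix 'Drivers/Services' lines (added example, not ComboFix code)."""
import re

# One ComboFix service line: start type (R0..S4), service name, display name,
# then the image path followed by "[date size]" or, for a missing file, "[?]".
SERVICE_LINE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
# Heuristic for machine-generated names such as wjysofqm or zdtjfvx: all
# lowercase letters, at least seven of them, and few vowels. Needs analyst review.
LOWER_WORD = re.compile(r"^[a-z]{7,}$")
# UACd-family dropper files: "UAC" + ten random letters + a data/code extension.
UAC_FILE = re.compile(r"\\UAC[a-z]{10}\.(?:dll|dat|db|sys)$", re.IGNORECASE)

# Constructed sample in ComboFix's format, modelled on the log above (not a real run).
SAMPLE_LOG = r"""
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [5/22/2009 11:13 PM 310320]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [8/10/2009 11:31 PM 244608]
S2 wjysofqm;wjysofqm;c:\windows\system32\drivers\zdtjfvx.sys --> c:\windows\system32\drivers\zdtjfvx.sys [?]
S3 RoxMediaDB11;RoxMediaDB11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [8/14/2008 12:23 AM 1124848]
"""


def looks_random(name):
    """True for long, all-lowercase names with fewer than 25% vowels (heuristic)."""
    if not LOWER_WORD.match(name):
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels / len(name) < 0.25


def parse_service_line(line):
    """Return a dict for a ComboFix service line, or None for any other line."""
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # The image path ends before " --> " (orphan form) or before " [" (date/size form).
    path = rest.split(" --> ")[0].split(" [")[0]
    return {
        "start": m.group("start"),
        "name": m.group("name"),
        "display": m.group("display"),
        "path": path,
        "orphan": rest.endswith("[?]"),
    }


def suspicious_services(log_text):
    """Parse every service line and return those carrying at least one red flag."""
    flagged = []
    for line in log_text.splitlines():
        svc = parse_service_line(line)
        if svc is None:
            continue
        reasons = []
        if svc["orphan"]:
            reasons.append("file missing on disk ([?])")
        if looks_random(svc["name"]):
            reasons.append("random-looking service name")
        if reasons:
            svc["reasons"] = reasons
            flagged.append(svc)
    return flagged


def is_uac_rootkit_file(path):
    """Match the UAC + ten-letter naming pattern of the files listed in the CFScript."""
    return UAC_FILE.search(path) is not None


if __name__ == "__main__":
    for svc in suspicious_services(SAMPLE_LOG):
        print(svc["start"], svc["name"], svc["path"], "->", "; ".join(svc["reasons"]))
```

Run against the sample, only the `wjysofqm` entry is reported, with both the missing-file and random-name reasons; the vendor drivers pass because their names contain uppercase letters or digits. `is_uac_rootkit_file` deliberately does not match `uacinit.dll`, which the page lists separately and which does not follow the ten-letter pattern.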

Here you go.

ComboFix 09-08-10.06 - Dan 08/13/2009 10:38.3.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1327 [GMT -4:00]

Running from: c:\documents and settings\Dan\Desktop\abc.exe

Command switches used :: c:\documents and settings\Dan\Desktop\CFScript.txt

AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\test.txt

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_wjysofqm

((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))

.

2009-08-13 01:13 . 2004-08-03 23:56 221184 ----a-w- c:\windows\system32\wmpns.dll

2009-08-13 00:20 . 2009-08-13 14:10 -------- d-----w- c:\documents and settings\Dan\Tracing

2009-08-13 00:16 . 2009-08-13 00:16 -------- d-----w- c:\program files\Microsoft

2009-08-13 00:16 . 2009-08-13 00:16 -------- d-----w- c:\program files\Windows Live SkyDrive

2009-08-13 00:15 . 2009-08-13 00:16 -------- d-----w- c:\program files\Windows Live

2009-08-13 00:13 . 2009-08-13 00:13 -------- d-----w- c:\program files\Common Files\Windows Live

2009-08-12 23:37 . 2009-07-13 08:00 87888 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090812.008\NAVENG.SYS

2009-08-12 23:37 . 2009-07-13 08:00 875728 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090812.008\NAVEX15.SYS

2009-08-12 23:37 . 2009-05-23 03:13 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090812.008\EECTRL.SYS

2009-08-12 23:37 . 2009-05-23 03:13 101936 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090812.008\ERASER.SYS

2009-08-12 23:37 . 2009-05-23 03:13 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090812.008\NAVENG32.DLL

2009-08-12 23:37 . 2009-05-23 03:13 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090812.008\NAVEX32A.DLL

2009-08-12 23:37 . 2009-05-23 03:13 259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090812.008\ECMSVR32.DLL

2009-08-12 23:37 . 2009-05-23 03:13 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090812.008\CCERASER.DLL

2009-08-12 18:19 . 2009-06-12 12:31 80896 -c----w- c:\windows\system32\dllcache\tlntsess.exe

2009-08-12 18:19 . 2009-06-12 12:31 76288 -c----w- c:\windows\system32\dllcache\telnet.exe

2009-08-12 18:19 . 2009-06-10 06:14 132096 -c----w- c:\windows\system32\dllcache\wkssvc.dll

2009-08-12 18:19 . 2009-06-10 14:13 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll

2009-08-12 18:19 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll

2009-08-12 18:19 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

2009-08-12 18:18 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2009-08-12 05:39 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSXpx86.sys

2009-08-12 05:39 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSvix86.sys

2009-08-12 05:39 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\Scxpx86.dll

2009-08-12 05:39 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSxpx86.dll

2009-08-12 05:39 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSviA64.sys

2009-08-11 04:21 . 2009-08-11 04:21 528088 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-08-11 03:50 . 2009-08-11 04:14 64597 ----a-w- c:\windows\War3Unin.dat

2009-08-11 03:50 . 2009-08-11 03:55 2829 ----a-w- c:\windows\War3Unin.pif

2009-08-11 03:50 . 2009-08-11 03:55 139264 ----a-w- c:\windows\War3Unin.exe

2009-08-11 03:42 . 2009-08-13 05:48 -------- d-----w- c:\program files\Warcraft III

2009-08-11 03:31 . 2007-08-30 12:00 244608 ----a-w- c:\windows\system32\drivers\c2scsi.sys

2009-08-11 03:21 . 2009-08-11 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

2009-08-11 03:21 . 2009-08-11 15:37 -------- d-----w- c:\program files\DAEMON Tools Toolbar

2009-08-11 02:46 . 2009-08-11 02:46 721904 ----a-w- c:\windows\system32\drivers\sptd.sys

2009-08-11 02:46 . 2009-08-11 03:26 -------- d-----w- c:\documents and settings\Dan\Application Data\DAEMON Tools Lite

2009-08-08 16:21 . 2009-08-08 16:21 -------- d-sh--w- C:\found.000

2009-08-07 18:04 . 2009-08-07 18:04 -------- d-s---w- C:\Combo-Fix

2009-08-07 06:26 . 2009-08-07 06:26 -------- d-----w- C:\381af0e9803ba69753

2009-08-07 06:25 . 2009-08-07 15:55 -------- d-----w- c:\windows\SxsCaPendDel

2009-08-07 04:55 . 2009-08-07 04:55 -------- d-----w- c:\program files\Trend Micro

2009-08-07 04:54 . 2009-08-07 04:54 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-08-05 23:10 . 2009-08-05 23:10 -------- d-----w- c:\program files\Haali

2009-08-05 22:21 . 2009-08-12 23:23 -------- d-----w- C:\ConverterOutput

2009-08-05 22:21 . 2009-02-26 20:34 94650 ----a-w- c:\windows\system32\HKCU_GNU.reg

2009-08-05 22:21 . 2009-02-26 20:34 2004 ----a-w- c:\windows\system32\HKLM_GNU.reg

2009-08-05 22:21 . 2008-12-18 05:22 57344 ----a-w- c:\windows\system32\ff_vfw.dll

2009-08-05 22:21 . 2008-06-15 14:01 60273 ----a-w- c:\windows\system32\pthreadGC2.dll

2009-08-05 22:21 . 2008-02-04 01:26 364544 ----a-w- c:\windows\system32\cdg.dll

2009-08-05 22:21 . 2006-09-27 21:46 348160 ----a-w- c:\windows\system32\cdga.dll

2009-08-05 22:21 . 2006-07-18 01:42 14909 ----a-w- c:\windows\system32\A_reg.reg

2009-08-05 22:21 . 2009-08-05 22:21 -------- d-----w- c:\program files\Cucusoft

2009-08-05 21:36 . 2009-08-13 14:43 -------- d-----w- c:\documents and settings\Dan\Application Data\vlc

2009-08-05 21:35 . 2009-08-05 21:35 -------- d-----w- c:\program files\VideoLAN

2009-08-05 19:03 . 2009-08-05 19:03 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Temp

2009-08-05 19:03 . 2009-08-05 19:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2009-08-05 18:47 . 2009-08-05 18:47 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Real

2009-08-05 18:46 . 2009-08-05 18:46 -------- d-----w- c:\program files\Common Files\xing shared

2009-08-05 18:46 . 2009-08-05 18:46 -------- d-----w- c:\program files\Real

2009-08-05 18:44 . 2009-08-05 18:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2009-08-02 06:32 . 2009-08-02 06:33 -------- d-----w- c:\documents and settings\Dan\Application Data\Antispyware

2009-08-02 02:35 . 2009-08-02 02:35 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes

2009-08-02 02:29 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-02 02:24 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-02 02:24 . 2009-08-02 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-01 23:38 . 2009-08-01 23:38 -------- d-----w- c:\documents and settings\Dan\DoctorWeb

2009-08-01 21:31 . 2009-08-07 04:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-01 20:44 . 2009-08-01 20:44 -------- d-----r- c:\program files\Norton Support

2009-08-01 20:44 . 2009-08-01 20:44 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Symantec

2009-08-01 20:31 . 2009-08-02 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\13377654

2009-07-30 23:48 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSXpx86.sys

2009-07-30 23:48 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSvix86.sys

2009-07-30 23:48 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\Scxpx86.dll

2009-07-30 23:48 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSxpx86.dll

2009-07-30 23:48 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSviA64.sys

2009-07-29 15:11 . 2009-06-29 16:23 17408 -c----w- c:\windows\system32\dllcache\corpol.dll

2009-07-22 05:51 . 2009-07-22 05:51 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Yahoo

2009-07-22 05:49 . 2009-08-09 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!

2009-07-15 18:32 . 2009-06-16 14:36 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll

2009-07-15 18:32 . 2009-06-16 14:36 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-13 14:45 . 2009-06-13 03:27 -------- d-----w- c:\documents and settings\Dan\Application Data\LimeWire

2009-08-13 14:45 . 2009-03-10 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic

2009-08-09 14:27 . 2009-04-03 21:29 -------- d-----w- c:\program files\Yahoo!

2009-08-08 21:17 . 2009-03-10 19:21 41264 ----a-w- c:\documents and settings\Dan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-05 18:47 . 2009-04-03 21:29 -------- d-----w- c:\program files\Common Files\Real

2009-08-05 18:44 . 2009-03-10 19:16 -------- d-----w- c:\program files\Google

2009-08-05 09:01 . 2004-08-03 23:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-01 21:03 . 2009-08-01 21:07 170818 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat

2009-07-18 04:28 . 2009-05-01 02:54 -------- d-----w- c:\documents and settings\Dan\Application Data\Azureus

2009-07-17 19:01 . 2004-08-03 23:56 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 04:31 . 2009-07-17 01:16 28932 ----a-w- c:\windows\Fonts\Rmnce_fatal_Srif.ttf

2009-07-14 03:43 . 2007-06-24 07:41 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-11 19:34 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys

2009-07-11 19:34 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys

2009-07-11 19:34 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll

2009-07-11 19:34 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll

2009-07-11 19:34 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys

2009-07-11 03:49 . 2009-03-10 20:01 -------- d-----w- c:\documents and settings\Dan\Application Data\Vso

2009-07-10 22:50 . 2009-07-10 20:40 -------- d-----w- c:\documents and settings\Dan\Application Data\Audacity

2009-07-08 19:14 . 2009-07-08 19:14 -------- d-----w- c:\program files\DivX

2009-06-29 16:23 . 2007-06-24 07:40 828928 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:23 . 2007-06-24 07:41 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:23 . 2007-06-24 07:41 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-27 21:51 . 2009-06-27 21:51 -------- d-----w- c:\program files\Linksys

2009-06-25 15:17 . 2009-03-10 19:30 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-06-24 18:37 . 2009-06-24 18:38 20044 ----a-w- c:\windows\Fonts\YolksEmoticons.otf

2009-06-24 00:40 . 2009-06-24 00:40 -------- d-----w- c:\documents and settings\Dan\Application Data\WindSolutions

2009-06-23 03:46 . 2009-06-23 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files

2009-06-23 03:45 . 2009-06-23 03:45 -------- d-----w- c:\program files\Pando Networks

2009-06-19 18:59 . 2009-06-19 18:59 -------- d-----w- c:\program files\iTunes

2009-06-19 18:59 . 2009-06-19 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-06-19 18:59 . 2009-06-19 18:59 -------- d-----w- c:\program files\iPod

2009-06-19 18:59 . 2009-03-10 20:43 -------- d-----w- c:\program files\Common Files\Apple

2009-06-19 18:58 . 2009-03-10 20:14 -------- d-----w- c:\program files\Bonjour

2009-06-19 18:57 . 2009-06-19 18:57 -------- d-----w- c:\program files\QuickTime

2009-06-19 18:55 . 2009-03-10 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-06-19 18:52 . 2009-06-19 18:52 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

2009-06-16 14:36 . 2007-06-24 07:40 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2007-06-24 07:38 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-13 03:25 . 2009-06-13 03:26 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-06-13 03:25 . 2009-06-13 03:25 152576 ----a-w- c:\documents and settings\Dan\Application Data\Sun\Java\jre1.6.0_11\lzma.dll

2009-06-12 17:01 . 2009-07-17 01:16 34156 ----a-w- c:\windows\Fonts\CaviarDreams_Bold.ttf

2009-06-12 17:01 . 2009-07-17 01:16 35124 ----a-w- c:\windows\Fonts\CaviarDreams.ttf

2009-06-12 12:31 . 2004-08-03 23:56 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2005-05-10 23:51 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:13 . 2004-08-03 23:56 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 13:19 . 2009-03-10 19:53 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 06:14 . 2007-06-24 07:40 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-05 15:42 . 2009-06-19 18:55 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-06-05 15:42 . 2009-03-10 20:43 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-06-03 19:09 . 2007-06-24 07:39 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-05-23 03:13 . 2009-05-23 03:13 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-05-23 03:13 . 2009-05-23 03:13 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-05-23 03:13 . 2009-05-23 03:14 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys

2009-05-23 03:13 . 2009-05-23 03:13 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll

2009-05-23 03:13 . 2009-05-23 03:13 1290592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll

2009-05-23 03:13 . 2009-05-23 03:13 796016 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-08-13_04.31.41 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-13 14:45 . 2009-08-13 14:45 16384 c:\windows\Temp\Perflib_Perfdata_890.dat

+ 2009-08-13 14:45 . 2009-08-13 14:45 16384 c:\windows\Temp\Perflib_Perfdata_2cc.dat

+ 2009-08-13 14:44 . 2009-08-13 14:44 16384 c:\windows\Temp\Perflib_Perfdata_240.dat

+ 2009-08-13 14:42 . 2009-08-13 14:42 8192 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat

+ 2009-08-13 14:42 . 2009-08-13 14:42 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat

+ 2009-08-13 14:42 . 2009-08-13 14:42 237568 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT

+ 2009-08-13 14:42 . 2009-08-13 14:42 233472 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat

+ 2009-08-13 14:42 . 2009-08-13 14:42 237568 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT

+ 2009-08-13 14:42 . 2009-08-13 14:42 6942720 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-10 39408]

"cdloader"="c:\documents and settings\Dan\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

"HostManager"="c:\program files\Common Files\AOL\1236714453\ee\AOLSoftware.exe" [2008-11-06 41264]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe" [2008-08-14 240112]

"CPMonitor"="c:\program files\Roxio Creator 2009\5.0\CPMonitor.exe" [2008-08-10 80368]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-13 136600]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-05 198160]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-27 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"ShowDeskFix"="shell32" [X]

c:\documents and settings\Dan\Start Menu\Programs\Startup\

LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-5-22 139776]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\aol\\1236714453\\ee\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.5\\waol.exe"=

"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

"c:\\Documents and Settings\\Dan\\Application Data\\mjusbsp\\magicJack.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Documents and Settings\\Dan\\My Documents\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Documents and Settings\\Dan\\My Documents\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58683:TCP"= 58683:TCP:Pando Media Booster

"58683:UDP"= 58683:UDP:Pando Media Booster

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [5/22/2009 11:13 PM 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [5/22/2009 11:13 PM 258608]

R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [8/10/2009 11:31 PM 244608]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [5/22/2009 11:13 PM 482352]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSXpx86.sys [8/12/2009 1:39 AM 276344]

R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [5/22/2009 11:13 PM 115560]

R2 WUSB300NSvc;WUSB300NSvc;c:\program files\Linksys\WUSB300N\WLService.exe [6/27/2009 5:51 PM 53307]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/8/2009 12:33 PM 101936]

S2 gupdate1ca15fcb186a094;Google Update Service (gupdate1ca15fcb186a094);c:\program files\Google\Update\GoogleUpdate.exe [8/5/2009 2:43 PM 133104]

S2 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUpnpService11.exe [8/14/2008 12:25 AM 367088]

S2 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe [8/14/2008 12:24 AM 309744]

S2 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe [8/14/2008 12:24 AM 170480]

S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [8/14/2008 12:25 AM 313840]

S3 RoxMediaDB11;RoxMediaDB11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [8/14/2008 12:23 AM 1124848]

.

Contents of the 'Scheduled Tasks' folder

2009-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-05 18:43]

2009-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-05 18:43]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

DPF: {4D0A481A-7155-498C-84D8-9CB84DEA237E} - hxxp://69.136.66.28:227/DVROcxEx.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-13 10:45

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2328)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\documents and settings\Dan\Desktop\New Folder\a2service.exe

c:\program files\Common Files\aol\acs\AOLacsd.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Linksys\WUSB300N\WUSB300N.exe

c:\windows\system32\WgaTray.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-08-13 10:51 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-13 14:51

ComboFix2.txt 2009-08-13 04:33

ComboFix3.txt 2009-08-07 16:42

Pre-Run: 73,029,353,472 bytes free

Post-Run: 72,913,727,488 bytes free

292 --- E O F --- 2009-08-13 01:14


  • Staff

Hi,

According to the log, the infection is not present anymore either. Combofix didn't delete the big set of files we've added in the CFScript since they are not even present there. Combofix should actually show and delete them already though (as you've noticed in the first post).

So not sure why Norton is still flagging them, but that could be a glitch as well.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Then perform a full scan with Norton afterwards.


Done. A full Norton scan came up with just a tracking cookie; not the metajuan. I'm still getting the popups even after that. So I guess it is a glitch. =] I just remembered I read something a weekish ago about someone having the same Norton pop-ups and I think they said it was just a glitch too. I guess that's it then, thanks A LOT for saving my computer, miekiemoes!


  • Staff

Glad I could help. ;)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
