
can't get rid of str.sys!



Malwarebytes Anti-Malware (MB) says str.sys (Rootkit.Agent) is found. I then instruct MB to fix/delete and reboot my laptop as instructed. After I reboot, I run MB again but str.sys is still there. I've repeated the above several times with the same result. I've posted the MB log and HijackThis logs below.

Thanks

============================

Malwarebytes' Anti-Malware 1.39

Database version: 2547

Windows 5.1.2600 Service Pack 2

8/9/2009 6:25:00 PM

mbam-log-2009-08-09 (18-24-27).txt

Scan type: Quick Scan

Objects scanned: 80299

Time elapsed: 5 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\1.tmp (Trojan.Agent) -> No action taken.

c:\WINDOWS\system32\2.tmp (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> No action taken.

==============================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:12:54 PM, on 8/9/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\PROGRA~1\SYMANT~1\DefWatch.exe

C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe

C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

C:\PROGRA~1\SYMANT~1\Rtvscan.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Support.com\bin\tgcmd.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.sfbay.sun.com:8080

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110410772755

O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll

O20 - AppInit_DLLs: C:\DOCUME~1\VIRGIN~1\LOCALS~1\Temp\01911kou.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe

O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--

End of file - 5035 bytes
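Added example (not part of any post in this thread, and not Malwarebytes' or HijackThis' own code): a small Python triage script for logs in the layout of the MBAM log above. It parses the summary counts and the itemised sections, checks that the header count matches what is actually listed, and separates entries the scanner only detected ("No action taken") from entries it scheduled for removal at the next restart. The sample log is constructed for the example (the third file's action string is varied from the post on purpose); the regexes and the severity labels are this example's own assumptions about the format, not a documented MBAM schema.

```python
import re

# Constructed sample in the layout of the MBAM log posted above: header, summary
# counts, then one itemised section per category. The third file's action is
# varied from the post to show the detected-only / scheduled-for-removal split.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.39
Database version: 2547
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 80299
Time elapsed: 5 minute(s), 53 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\1.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\2.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Delete on reboot.
"""

# Assumed line shapes (derived from the posted log, not an official schema).
SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary, items): summary maps category -> header count,
    items maps category -> list of {path, family, action} dicts."""
    summary, items, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("cat")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("cat")
            items.setdefault(current, [])
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            items[current].append(
                {"path": m.group("path"), "family": m.group("family"),
                 "action": m.group("action")})
    return summary, items


def triage(summary, items):
    """Return (severity, message) findings a responder would want to see first."""
    findings = []
    # A header count that disagrees with the listed items means the log was
    # truncated or edited; treat it as a warning rather than trusting either.
    for cat, count in summary.items():
        listed = len(items.get(cat, []))
        if count != listed:
            findings.append(("warn", f"{cat}: header says {count}, {listed} listed"))
    for entries in items.values():
        for e in entries:
            p, act, fam = e["path"].lower(), e["action"].lower(), e["family"].lower()
            if act.startswith("no action"):
                findings.append(("high", f"{e['path']} ({e['family']}) still present: no action taken"))
            elif "reboot" in act:
                findings.append(("info", f"{e['path']} ({e['family']}) scheduled for removal at reboot; rescan after restart"))
            if fam.startswith("rootkit") and p.endswith(".sys"):
                findings.append(("high", f"{e['path']} is a kernel driver flagged as rootkit; expect it to resist deletion while loaded"))
            if p.endswith(".tmp") and "\\system32\\" in p:
                findings.append(("medium", f"{e['path']}: .tmp file in system32 is a common dropper artefact"))
    return findings


if __name__ == "__main__":
    s, i = parse_mbam_log(SAMPLE_MBAM_LOG)
    for sev, msg in triage(s, i):
        print(f"[{sev}] {msg}")
```

The "No action taken" status is the thing to look at first when a detection keeps coming back: it records that the scanner saw the file but did not remove it, so a rescan after reboot showing the same path is expected, not evidence that the removal failed.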


Welcome to Malwarebytes !!!! :(

We need to see some additional information about what is happening in your machine.

Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
  • Instead of attaching, please copy/paste both logs into your next reply.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.

After downloading the tool, disconnect from the internet and disable all antivirus protection.

Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

===========================================================

Download GMER Antirootkit Here, click on Download EXE and save to your Desktop

  • Disconnect from the internet and disable all active protection so your security program drivers will not conflict with gmer's driver
  • Double-click Gmer.exe to run the program.
  • When the program opens, click the "Rootkit" Tab
  • On the right-side, check all the items to be scanned, but leave "Show All" unchecked
  • Select all drives that are connected to your system to be scanned
  • Click the Scan button
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Save the gmer scan log and post it in your next reply.
  • Close Gmer
  • Open a command prompt (Start | Run | type cmd and hit Enter)
    • Type or paste the following to unload the gmer driver:
      net stop gmer
    • Hit Enter
    • Exit the command prompt.
  • Re-enable all active protection.


Hi, thx for the quick response!

Here are the requested additional logs.

I pasted the file attach.txt AND included it as a zip attachment; the documentation was conflicting.

===================================

DDS (Ver_09-07-30.01) - NTFSx86

Run by Virginia Arana at 19:44:54.02 on Sun 08/09/2009

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.189 [GMT -7:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\PROGRA~1\SYMANT~1\DefWatch.exe

C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe

C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

C:\PROGRA~1\SYMANT~1\Rtvscan.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Apoint\Apntex.exe

C:\Documents and Settings\Virginia Arana\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com

uSearch Page = hxxp://www.google.com

uWindow Title = Microsoft Internet Explorer presented by Comcast

uSearch Bar = hxxp://www.google.com/ie

mWindow Title = Microsoft Internet Explorer presented by Comcast

uInternet Settings,ProxyServer = webcache.sfbay.sun.com:8080

uInternet Settings,ProxyOverride = <local>;*.local

mSearchAssistant = hxxp://www.google.com

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.0.0.135\IPSBHO.DLL

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [ATIModeChange] Ati2mdxx.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [tgcmd] c:\program files\support.com\bin\tgcmd.exe /server /startmonitor /deaf

IE: &Search

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110410772755

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.0.0.135\CoIEPlg.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

AppInit_DLLs: c:\docume~1\virgin~1\locals~1\temp\01911kou.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0300000.087\SymEFA.sys [2009-8-5 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0300000.087\BHDrvx86.sys [2009-8-5 258608]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0300000.087\cchpx86.sys [2009-8-5 482352]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090206.001\IDSxpx86.sys [2009-8-5 276344]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-3-9 272832]

R2 agnwifi;AT&T Wi-Fi Support Driver;c:\windows\system32\drivers\agnwifi.sys [2005-2-15 19328]

R2 N360;Norton 360;c:\program files\norton 360\engine\3.0.0.135\ccSvcHst.exe [2009-8-5 115560]

R2 NAVAPEL;NAVAPEL;c:\program files\symantec_antivirus_client_v8_1_0_825\Navapel.sys [2003-5-2 30208]

R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\Rtvscan.exe [2003-5-21 610304]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-5 101936]

R3 NAVAP;NAVAP;c:\progra~1\symant~1\NAVAP.sys [2003-5-2 224256]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090801.003\NAVENG.sys [2009-8-1 87888]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090801.003\NAVEX15.sys [2009-8-1 875728]

R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2005-3-9 37040]

S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-8-9 34760]

S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]

S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]

S2 mfzfhnedg;mfzfhnedg;\??\c:\windows\system32\drivers\vslzc.sys --> c:\windows\system32\drivers\vslzc.sys [?]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]

S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]

S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

=============== Created Last 30 ================

2009-08-09 19:07 34,760 a------- c:\windows\system32\drivers\Partizan.sys

2009-08-09 19:07 32,480 a------- c:\windows\system32\Partizan.exe

2009-08-09 19:01 12,752 a------- c:\windows\system32\drivers\UnHackMeDrv.sys

2009-08-09 18:12 <DIR> --d----- c:\program files\Trend Micro

2009-08-06 22:21 153,104 a------- c:\windows\system32\drivers\tmcomm.sys

2009-08-06 22:21 <DIR> --d----- c:\documents and settings\virginia arana\log

2009-08-06 21:32 57,556 a------- c:\windows\guard.bmp

2009-08-06 21:32 <DIR> --d----- c:\program files\Greatis

2009-08-06 00:02 123 a------- c:\windows\rootkitno.ini

2009-08-05 23:57 <DIR> --d----- C:\RootkitNO

2009-08-05 22:39 2 a--shrot c:\windows\winstart.bat

2009-08-05 22:39 <DIR> --d----- c:\program files\UnHackMe

2009-08-05 21:37 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys

2009-08-05 21:37 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT

2009-08-05 21:37 805 a------- c:\windows\system32\drivers\SYMEVENT.INF

2009-08-05 21:36 <DIR> --d----- c:\windows\system32\drivers\N360

2009-08-05 21:36 <DIR> --d----- c:\program files\Norton 360

2009-08-05 21:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton

2009-08-05 21:26 <DIR> --d----- c:\program files\NortonInstaller

2009-08-05 21:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller

2009-08-05 21:17 <DIR> --d----- c:\docume~1\virgin~1\applic~1\GetRightToGo

2009-08-02 21:51 <DIR> --d----- c:\program files\Sophos

2009-08-02 21:27 66 a------- c:\windows\wininit.ini

2009-08-02 21:25 <DIR> --d----- c:\docume~1\virgin~1\applic~1\TrojanHunter

2009-08-02 21:14 <DIR> --d----- c:\program files\TrojanHunter 5.1

2009-08-02 15:45 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-02 15:45 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-08-02 15:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-08-02 15:18 <DIR> --dsh--- c:\documents and settings\virginia arana\IECompatCache

2009-08-02 15:16 <DIR> --dsh--- c:\documents and settings\virginia arana\IETldCache

2009-08-02 14:20 <DIR> -cd-h--- c:\windows\ie8

2009-08-02 14:11 <DIR> --d----- C:\a8ad2203dd5d8c71bc

2009-08-01 19:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools

2009-08-01 17:53 <DIR> --d----- c:\program files\CCleaner

2009-08-01 13:10 <DIR> --d----- c:\docume~1\virgin~1\applic~1\Malwarebytes

2009-08-01 13:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-07-31 20:16 <DIR> --d----- c:\windows\pss

2009-07-19 00:51 91 a------- c:\windows\system32\geyekrabivhoor.dat

2009-07-19 00:41 17,920 a------- c:\windows\system32\geyekrltqlhylb.dll

2009-07-19 00:40 50,590 a------- c:\windows\system32\geyekrjxblxewi.dat

2009-07-19 00:40 40,448 a------- c:\windows\system32\geyekrfxvakciq.dll

2009-07-19 00:40 65,536 a------- c:\windows\system32\drivers\GEYEKRRUMUPIWI.SYS.del

2009-07-19 00:20 18,262 a------- c:\docume~1\virgin~1\applic~1\edal.sys

2009-07-19 00:20 17,170 a------- c:\windows\dopih.reg

2009-07-19 00:20 14,148 a------- c:\windows\system32\acofaxikuc.db

2009-07-19 00:20 13,897 a------- c:\docume~1\alluse~1\applic~1\imesir.dll

2009-07-19 00:20 19,434 a------- c:\windows\ynygydas.vbs

2009-07-19 00:20 12,894 a------- c:\windows\aqafegirug.bat

2009-07-19 00:20 11,344 a------- c:\windows\system32\ogihilid.com

2009-07-19 00:20 18,601 a------- c:\windows\olapabo.sys

2009-07-19 00:20 18,094 a------- c:\windows\system32\oderotiq._sy

2009-07-19 00:20 15,133 a------- c:\windows\system32\anet.pif

2009-07-19 00:20 14,160 a------- c:\windows\doqyfapuv.dll

2009-07-19 00:20 11,421 a------- c:\docume~1\alluse~1\applic~1\ypyhynaqoq.bat

==================== Find3M ====================

2009-08-05 21:37 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS

2009-08-05 21:37 60,808 a------- c:\windows\system32\S32EVNT1.DLL

2009-07-19 00:20 16,814 a------- c:\program files\common files\ofajyseti.inf

2009-06-16 07:55 119,808 a------- c:\windows\system32\t2embed.dll

2009-06-16 07:55 82,432 a------- c:\windows\system32\fontsub.dll

2009-06-03 12:27 1,290,752 a------- c:\windows\system32\quartz.dll

============= FINISH: 19:45:53.16 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 3/9/2005 1:49:27 PM

System Uptime: 8/9/2009 7:08:51 PM (0 hours ago)

Processor: Intel® Pentium® M processor 1600MHz | N/A | 793/100mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 45 GiB total, 32.945 GiB free.

D: is FIXED (NTFS) - 6 GiB total, 2.868 GiB free.

E: is Removable

F: is CDROM ()

G: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: Universal Serial Bus (USB) Controller

Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_8140104D&REV_03\3&61AAA01&0&EF

Manufacturer:

Name: Universal Serial Bus (USB) Controller

PNP Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_8140104D&REV_03\3&61AAA01&0&EF

Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Cisco Systems VPN Adapter

Device ID: ROOT\NET\0000

Manufacturer: Cisco Systems

Name: Cisco Systems VPN Adapter

PNP Device ID: ROOT\NET\0000

Service: CVirtA

==== System Restore Points ===================

RP318: 7/19/2009 12:40:28 AM - System Checkpoint

RP319: 7/19/2009 12:40:29 AM - System Checkpoint

RP320: 7/19/2009 12:40:30 AM - System Checkpoint

RP321: 7/19/2009 12:40:31 AM - System Checkpoint

RP322: 7/19/2009 12:40:33 AM - System Checkpoint

RP323: 7/19/2009 12:40:34 AM - System Checkpoint

RP324: 7/19/2009 12:40:35 AM - System Checkpoint

RP325: 7/19/2009 12:40:35 AM - System Checkpoint

RP326: 7/19/2009 12:40:35 AM - System Checkpoint

RP327: 7/19/2009 12:40:36 AM - System Checkpoint

RP328: 7/19/2009 12:40:36 AM - System Checkpoint

RP329: 7/19/2009 12:40:36 AM - System Checkpoint

RP330: 7/19/2009 12:40:37 AM - System Checkpoint

RP331: 7/19/2009 12:40:37 AM - System Checkpoint

RP332: 7/19/2009 12:40:37 AM - Software Distribution Service 3.0

RP333: 7/19/2009 12:40:37 AM - System Checkpoint

RP334: 7/19/2009 12:40:38 AM - System Checkpoint

RP335: 7/19/2009 12:40:38 AM - System Checkpoint

RP336: 7/19/2009 12:40:38 AM - System Checkpoint

RP337: 7/19/2009 12:40:40 AM - System Checkpoint

RP338: 7/19/2009 12:40:41 AM - System Checkpoint

RP339: 7/19/2009 12:40:42 AM - System Checkpoint

RP340: 7/19/2009 12:40:43 AM - System Checkpoint

RP341: 7/19/2009 12:40:43 AM - System Checkpoint

RP342: 7/19/2009 12:40:44 AM - System Checkpoint

RP343: 7/19/2009 12:40:45 AM - System Checkpoint

RP344: 7/19/2009 12:40:46 AM - System Checkpoint

RP345: 7/19/2009 12:40:46 AM - System Checkpoint

RP346: 7/19/2009 12:40:47 AM - System Checkpoint

RP347: 7/19/2009 12:40:48 AM - System Checkpoint

RP348: 7/19/2009 12:40:49 AM - System Checkpoint

RP349: 7/19/2009 12:40:49 AM - System Checkpoint

RP350: 7/19/2009 12:40:49 AM - System Checkpoint

RP351: 7/19/2009 12:40:50 AM - System Checkpoint

RP352: 7/19/2009 12:40:50 AM - System Checkpoint

RP353: 7/19/2009 12:40:50 AM - Software Distribution Service 3.0

RP354: 7/19/2009 12:40:51 AM - System Checkpoint

RP355: 7/19/2009 12:40:51 AM - System Checkpoint

RP356: 7/19/2009 12:40:52 AM - System Checkpoint

RP357: 7/19/2009 12:40:53 AM - System Checkpoint

RP358: 7/19/2009 12:40:53 AM - System Checkpoint

RP359: 7/19/2009 12:40:55 AM - System Checkpoint

RP360: 7/19/2009 12:40:56 AM - System Checkpoint

RP361: 7/19/2009 12:40:57 AM - System Checkpoint

RP362: 7/19/2009 12:40:58 AM - System Checkpoint

RP363: 7/19/2009 12:40:58 AM - System Checkpoint

RP364: 7/19/2009 12:40:59 AM - System Checkpoint

RP365: 7/19/2009 12:41:01 AM - System Checkpoint

RP366: 7/19/2009 12:41:02 AM - System Checkpoint

RP367: 7/19/2009 12:41:02 AM - System Checkpoint

RP368: 7/19/2009 12:41:02 AM - System Checkpoint

RP369: 7/19/2009 12:41:02 AM - System Checkpoint

RP370: 7/19/2009 12:41:03 AM - System Checkpoint

RP371: 7/19/2009 12:41:03 AM - System Checkpoint

RP372: 7/19/2009 12:41:03 AM - System Checkpoint

RP373: 7/19/2009 12:41:03 AM - System Checkpoint

RP374: 7/19/2009 12:41:04 AM - System Checkpoint

RP375: 7/19/2009 12:41:04 AM - System Checkpoint

RP376: 7/19/2009 12:41:05 AM - System Checkpoint

RP377: 7/19/2009 12:41:06 AM - System Checkpoint

RP378: 7/19/2009 12:41:06 AM - Software Distribution Service 3.0

RP379: 7/19/2009 12:41:06 AM - System Checkpoint

RP380: 7/19/2009 12:41:06 AM - System Checkpoint

RP381: 8/5/2009 11:36:40 PM - RegRun Virus Scan

RP382: 8/5/2009 11:42:33 PM - RegRun Virus Scan

RP383: 8/5/2009 11:43:53 PM - RegRun Virus Scan

RP384: 8/5/2009 11:54:50 PM - RegRun Virus Scan

RP385: 8/6/2009 12:02:09 AM - RegRun Virus Scan

RP386: 8/9/2009 7:03:01 PM - RegRun Virus Scan

RP387: 8/9/2009 7:03:43 PM - RegRun Virus Scan

RP388: 8/9/2009 7:12:15 PM - RegRun Virus Scan

==== Installed Programs ======================

Adabas D 13.01.00

Adobe Download Manager 2.0 (Remove Only)

Adobe Flash Player 10 ActiveX

Adobe Reader 7.0.8

Apple Mobile Device Support

Apple Software Update

AT&T Global Network Client

ATI Control Panel

ATI Display Driver

ATI

Attach.zip

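Added example (not part of any post in this thread, and not DDS's own code): a Python parser for the "SERVICES / DRIVERS" section of a DDS log like the one above, plus a few triage rules a responder applies when reading it. It assumes the DDS convention that the leading letter is R (running) or S (stopped) and the digit is the Windows start type (0 boot, 1 system, 2 auto, 3 demand, 4 disabled), and that a trailing "[?]" after "-->" marks an image file that no longer exists on disk. The sample is a constructed subset of the posted entries; the rules (missing image on a boot/system/auto-start entry, a .tmp file registered as an image, a random-looking name identical to its display name) are heuristics that produce false positives: leftover drivers from security tools the user installed and removed also show up as missing images, so the script reports, it does not judge.

```python
import re

# Constructed sample in the layout of the DDS "SERVICES / DRIVERS" section
# (a subset of the entries posted in the thread, spacing preserved).
SAMPLE_DDS_SERVICES = r"""
============= SERVICES / DRIVERS ===============
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0300000.087\SymEFA.sys [2009-8-5 310320]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.0.0.135\ccSvcHst.exe [2009-8-5 115560]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2005-3-9 37040]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S2 mfzfhnedg;mfzfhnedg;\??\c:\windows\system32\drivers\vslzc.sys --> c:\windows\system32\drivers\vslzc.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
=============== Created Last 30 ================
"""

# Assumed line shapes, derived from the posted log rather than a documented schema.
ENTRY_RE = re.compile(r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
PRESENT_RE = re.compile(r"^(?P<path>.+) \[(?P<date>[\d-]+) (?P<size>\d+)\]$")
MISSING_RE = re.compile(r"^(?P<registered>.+?) --> (?P<path>.+) \[\?\]$")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}


def parse_dds_services(text):
    """Return a list of dicts for every entry inside the SERVICES / DRIVERS section."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("="):                     # section banner
            in_section = "SERVICES / DRIVERS" in line
            continue
        if not in_section or not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        e = {"name": m.group("name"), "display": m.group("display"),
             "running": m.group("state") == "R", "start": START_TYPES[m.group("start")]}
        rest = m.group("rest")
        mm = MISSING_RE.match(rest)
        mp = PRESENT_RE.match(rest)
        if mm:
            e.update(path=mm.group("path"), present=False, size=None)
        elif mp:
            e.update(path=mp.group("path"), present=True, size=int(mp.group("size")))
        else:                                         # unknown tail: keep it, decide nothing
            e.update(path=rest, present=None, size=None)
        entries.append(e)
    return entries


def looks_random(name):
    """Crude check for machine-generated names: single-case letters only,
    7+ characters, fewer than a quarter vowels. Mixed-case names are skipped
    because they usually come from a human (TfFsMon, SymEFA)."""
    if not (name.islower() or name.isupper()):
        return False
    n = name.lower()
    if not n.isalpha() or len(n) < 7:
        return False
    return sum(c in "aeiou" for c in n) / len(n) < 0.25


def triage_services(entries):
    """Return (severity, message) findings; every rule here is a heuristic."""
    findings = []
    for e in entries:
        label = f"{e['name']} ({e['start']} start, {'running' if e['running'] else 'stopped'})"
        if e["present"] is False and e["start"] in ("boot", "system", "auto"):
            findings.append(("medium", f"{label}: image {e['path']} missing; stale registration or a driver a cleaner already removed"))
        if e["path"].lower().endswith(".tmp"):
            findings.append(("high", f"{label}: a .tmp file is registered as the driver/service image"))
        if e["name"] == e["display"] and looks_random(e["name"]):
            findings.append(("high", f"{label}: random-looking name with identical display name"))
    return findings


if __name__ == "__main__":
    for sev, msg in triage_services(parse_dds_services(SAMPLE_DDS_SERVICES)):
        print(f"[{sev}] {msg}")
```

On the constructed sample the script flags the stopped auto-start entry with the random name and missing image, the boot-start entry whose image is gone, and the demand-start entry whose image is a .tmp file in system32; which of those are malware residue and which are leftovers of the anti-rootkit tools the user tried is the part a human still has to decide, using the "Created Last 30" list and the file dates.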


Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



Here are the new logs

ComboFix 09-08-10.03 - Virginia Arana 08/10/2009 22:32.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.211 [GMT -7:00]

Running from: c:\documents and settings\Virginia Arana\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\MPROTECT

c:\windows\Install.txt

c:\windows\system32\drivers\GEYEKRRUMUPIWI.SYS.del

c:\windows\system32\geyekrabivhoor.dat

c:\windows\system32\geyekrfxvakciq.dll

c:\windows\system32\geyekrjxblxewi.dat

c:\windows\system32\geyekrltqlhylb.dll

c:\windows\system32\Install.txt

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_USBEWT

((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))))))))))))))))))))))

.

2009-08-10 01:12 . 2009-08-10 01:12 -------- d-----w- c:\program files\Trend Micro

2009-08-07 05:21 . 2009-08-07 05:21 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2009-08-07 05:21 . 2009-08-07 05:21 -------- d-----w- c:\documents and settings\Virginia Arana\log

2009-08-07 04:32 . 2009-08-07 04:32 -------- d-----w- c:\program files\Greatis

2009-08-06 06:57 . 2009-08-06 07:02 -------- d-----w- C:\RootkitNO

2009-08-06 06:46 . 2009-08-06 06:46 -------- d-----w- c:\documents and settings\Virginia Arana\Local Settings\Application Data\Help

2009-08-06 05:39 . 2009-08-10 02:01 2 --shatr- c:\windows\winstart.bat

2009-08-06 05:39 . 2009-08-11 05:22 -------- d-----w- c:\program files\UnHackMe

2009-08-06 04:55 . 2009-08-06 04:36 554352 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll

2009-08-06 04:36 . 2009-08-06 04:36 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\scxpx86.dll

2009-08-06 04:26 . 2009-08-06 04:26 -------- d-----w- c:\program files\NortonInstaller

2009-08-06 04:26 . 2009-08-06 04:26 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-08-06 04:17 . 2009-08-06 04:25 -------- d-----w- c:\documents and settings\Virginia Arana\Application Data\GetRightToGo

2009-08-03 04:51 . 2009-08-08 18:20 -------- d-----w- c:\program files\Sophos

2009-08-03 04:25 . 2009-08-03 04:25 -------- d-----w- c:\documents and settings\Virginia Arana\Application Data\TrojanHunter

2009-08-03 04:14 . 2009-08-06 04:13 -------- d-----w- c:\program files\TrojanHunter 5.1

2009-08-02 22:45 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-02 22:45 . 2009-08-02 22:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-02 22:45 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-02 22:25 . 2009-08-02 22:25 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-08-02 22:18 . 2009-08-02 22:18 -------- d-sh--w- c:\documents and settings\Virginia Arana\IECompatCache

2009-08-02 22:16 . 2009-08-02 22:16 -------- d-sh--w- c:\documents and settings\Virginia Arana\IETldCache

2009-08-02 21:20 . 2009-08-02 21:21 -------- dc-h--w- c:\windows\ie8

2009-08-02 21:11 . 2009-08-02 21:11 -------- d-----w- C:\a8ad2203dd5d8c71bc

2009-08-02 02:53 . 2009-08-06 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-08-02 00:53 . 2009-08-02 00:53 -------- d-----w- c:\program files\CCleaner

2009-08-01 20:10 . 2009-08-01 20:10 -------- d-----w- c:\documents and settings\Virginia Arana\Application Data\Malwarebytes

2009-08-01 20:10 . 2009-08-01 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-01 02:56 . 2009-08-06 04:12 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-07-19 07:20 . 2009-07-19 07:20 18262 ----a-w- c:\documents and settings\Virginia Arana\Application Data\edal.sys

2009-07-19 07:20 . 2009-07-19 07:20 17170 ----a-w- c:\windows\dopih.reg

2009-07-19 07:20 . 2009-07-19 07:20 13897 ----a-w- c:\documents and settings\All Users\Application Data\imesir.dll

2009-07-19 07:20 . 2009-07-19 07:20 11419 ----a-w- c:\documents and settings\Virginia Arana\Local Settings\Application Data\exylesim.bin

2009-07-19 07:20 . 2009-07-19 07:20 19434 ----a-w- c:\windows\ynygydas.vbs

2009-07-19 07:20 . 2009-07-19 07:20 12894 ----a-w- c:\windows\aqafegirug.bat

2009-07-19 07:20 . 2009-07-19 07:20 11344 ----a-w- c:\windows\system32\ogihilid.com

2009-07-19 07:20 . 2009-07-19 07:20 18601 ----a-w- c:\windows\olapabo.sys

2009-07-19 07:20 . 2009-07-19 07:20 18527 ----a-w- c:\documents and settings\Virginia Arana\Local Settings\Application Data\eqalah.dll

2009-07-19 07:20 . 2009-07-19 07:20 15133 ----a-w- c:\windows\system32\anet.pif

2009-07-19 07:20 . 2009-07-19 07:20 14160 ----a-w- c:\windows\doqyfapuv.dll

2009-07-19 07:20 . 2009-07-19 07:20 11421 ----a-w- c:\documents and settings\All Users\Application Data\ypyhynaqoq.bat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-06 04:55 . 2009-08-06 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-08-06 04:36 . 2009-08-06 04:36 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090206.001\Scxpx86.dll

2009-08-06 04:36 . 2009-08-06 04:36 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll

2009-08-06 04:36 . 2009-08-06 04:36 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090226.034\NAVENG32.DLL

2009-08-06 04:36 . 2009-08-06 04:36 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090226.034\NAVEX32A.DLL

2009-08-06 04:36 . 2009-08-06 04:36 447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\idsxpx86.dll

2009-08-06 04:36 . 2009-08-06 04:36 447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090206.001\IDSxpx86.dll

2009-08-06 04:36 . 2009-08-06 04:36 259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090226.034\ECMSVR32.DLL

2009-08-06 04:36 . 2009-08-06 04:36 796016 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll

2009-08-06 04:36 . 2009-08-06 04:36 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090226.034\CCERASER.DLL

2009-08-06 04:36 . 2009-08-06 04:36 -------- d-----w- c:\program files\Norton 360

2009-08-06 04:36 . 2009-08-06 04:36 -------- d-----w- c:\program files\Windows Sidebar

2009-08-06 04:36 . 2005-03-09 23:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-07-19 07:20 . 2009-07-19 07:20 16814 ----a-w- c:\program files\Common Files\ofajyseti.inf

2009-07-16 21:42 . 2006-10-28 20:42 -------- d-----w- c:\documents and settings\Virginia Arana\Application Data\StarOffice8

2009-07-08 04:27 . 2009-07-08 04:26 -------- d-----w- c:\program files\iTunes

2009-07-08 04:26 . 2009-07-08 04:26 -------- d-----w- c:\program files\iPod

2009-07-08 04:26 . 2008-04-28 18:49 -------- d-----w- c:\program files\Common Files\Apple

2009-07-08 04:21 . 2009-07-08 04:20 -------- d-----w- c:\program files\QuickTime

2009-07-08 04:12 . 2009-07-08 04:12 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

2009-06-16 14:55 . 2001-08-23 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:55 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-03 19:27 . 2001-08-23 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-06-13 114688]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-02-18 294912]

"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]

"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-05 28672]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5900:TCP"= 5900:TCP:VNC

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys [8/5/2009 9:37 PM 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.087\BHDrvx86.sys [8/5/2009 9:37 PM 258608]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.087\cchpx86.sys [8/5/2009 9:37 PM 482352]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090206.001\IDSxpx86.sys [8/5/2009 9:37 PM 276344]

R2 agnwifi;AT&T Wi-Fi Support Driver;c:\windows\system32\drivers\agnwifi.sys [2/15/2005 9:15 AM 19328]

R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [8/5/2009 9:37 PM 115560]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/5/2009 9:37 PM 101936]

R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [3/9/2005 6:32 AM 37040]

S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]

S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]

S2 mfzfhnedg;mfzfhnedg;\??\c:\windows\system32\drivers\vslzc.sys --> c:\windows\system32\drivers\vslzc.sys [?]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]

S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]

S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mWindow Title = Microsoft Internet Explorer presented by Comcast

uInternet Settings,ProxyServer = webcache.sfbay.sun.com:8080

uInternet Settings,ProxyOverride = <local>;*.local

IE: &Search

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-10 22:41

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.135\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\3.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]

@Denied: (2) (Administrators)

"Policy"=hex:00,00,00,00

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2408)

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\msls31.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\progra~1\SYMANT~1\DefWatch.exe

c:\progra~1\AT&TGL~1\NetCfgSv.EXE

c:\progra~1\SYMANT~1\Rtvscan.exe

c:\program files\RealVNC\VNC4\WinVNC4.exe

c:\program files\Apoint\ApntEx.exe

.

**************************************************************************

.

Completion time: 2009-08-11 22:45 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-11 05:45

Pre-Run: 35,331,944,448 bytes free

Post-Run: 35,264,712,704 bytes free

191 --- E O F --- 2009-08-02 02:44

+++++++++++++++++++++++++++

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:53:21 PM, on 8/10/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\PROGRA~1\SYMANT~1\DefWatch.exe

C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe

C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

C:\PROGRA~1\SYMANT~1\Rtvscan.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Support.com\bin\tgcmd.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.sfbay.sun.com:8080

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110410772755

O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe

O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--

End of file - 4788 bytes


How is everything running??

Runs fine now after your help! Afterwards I ran AVG antivirus and it found a couple of viruses and got rid of them successfully. A Malwarebytes scan also showed everything was clean. My friend should be happy that her laptop is working again. Thanks so much for your help.
