Please Help - Browser hijacks & Viruses


AllanG

Good evening,

I have been suffering since this past Tuesday with some serious laptop nastiness. All of a sudden, when using Firefox 3.5.3 on my WinXP SP2 machine, I get random Google redirects to other strange websites like ResistryDefender, gcion, and others that offer to fix spyware. Sometimes, when I'm on a known good website, a new tab will open in Firefox all by itself and bring up one of these unwanted websites. Firefox has crashed several times as well. This is all behavior I have never seen in the past, and I have always run Symantec AntiVirus and Symantec Client Firewall (both with the newest rules/signatures).

The last 2 days, my Symantec AV was able to find and remove several viruses: JS.SecurityToolFraud.B, Bloodhound.Exploit.193, and Trojan.Pidief.G. MBAM was able to identify and remove Trojan.Vundo and Rootkit.TDSS.

I am attaching all the relevant details in the sincere, desperate hope that you can help me. I have also disabled System Restore and run Defogger, DDS and GMER.

Thank you in advance....

First time I ran MBAM:

Malwarebytes' Anti-Malware 1.44

Database version: 3606

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

01/20/10 9:58:44 PM

mbam-log-2010-01-20 (21-58-44).txt

Scan type: Full Scan (C:\|)

Objects scanned: 284672

Time elapsed: 1 hour(s), 13 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\SQLLIB\bin\db2ccar.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2DSP4XY3\z002102801r0409R0143fdeeXdac2d19aY9196a06aZ03003f3530dP000601080[1] (Rootkit.TDSS) -> Quarantined and deleted successfully.

*****************************************************

MBAM results from today:

Malwarebytes' Anti-Malware 1.44

Database version: 3619

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

01/23/10 11:07:12 AM

mbam-log-2010-01-23 (11-07-12).txt

Scan type: Full Scan (C:\|)

Objects scanned: 282127

Time elapsed: 1 hour(s), 10 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

*********************************************

Defogger output:

defogger_disable by jpshortstuff (28.11.09.2)

Log created at 12:43 on 23/01/2010 (agunz)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

**********************************************

DDS.txt :

DDS (Ver_09-12-01.01) - NTFSx86

Run by agunz at 12:49:26.15 on 01/23/10

Internet Explorer: 6.0.2900.2180

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3062.2348 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Drivers\trcboot.exe

C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE

C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\C4ebreg\c4ebreg.exe

c:\sdwork\issimsvc.exe

C:\notes\ntmulti.exe

C:\Program Files\AT&T Network Client\NetCfgSv.EXE

c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\WINDOWS\System32\TPHDEXLG.exe

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\Drivers\ldlcserv.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

c:\program files\lenovo\system update\suservice.exe

C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\C4ebreg\isamtray.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\TpShocks.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Lexmark 8300 Series\lxcjmon.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

C:\Program Files\IBM\Personal Communications\tpam.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Belkin\F5D8011v1\Belkinwcui.exe

C:\Program Files\Lexmark 8300 Series\ezprint.exe

C:\Program Files\Quicken\bagent.exe

C:\Program Files\IBM\Infoprint Select\ipnotify.exe

C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe

C:\WINDOWS\system32\lxcjcoms.exe

C:\Documents and Settings\Administrator\Desktop\malware\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://w3.watson.ibm.com/

mDefault_Page_URL = hxxp://w3.ibm.com

uInternet Connection Wizard,ShellNext = hxxp://w3.ibm.com/

uInternet Settings,ProxyOverride = <local>;*.local

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\ibm\java50\jre\bin\ssv.dll

uRun: [AWMON] "c:\program files\lavasoft\ad-aware se plus\Ad-Watch.exe"

uRun: [QuickenScheduledUpdates] c:\program files\quicken\bagent.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [iSAMTray] "c:\program files\c4ebreg\isamtray.exe"

mRun: [stgclean] c:\sdwork\w32main2.exe /cleanup

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe

mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

mRun: [bLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog

mRun: [TpShocks] TpShocks.exe

mRun: [TP4EX] tp4ex.exe

mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [C4EBReg] "c:\program files\c4ebreg\c4ebreg.exe" /q

mRun: [soundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~2\symant~2\VPTray.exe

mRun: [<NO NAME>]

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe

mRun: [lxcjmon.exe] "c:\program files\lexmark 8300 series\lxcjmon.exe"

mRun: [iSAM SMT Service] "c:\program files\c4ebreg\isamsmt.exe"

mRun: [RescueRecoverySetPW] c:\sdwork\Rescue&RecoverySetPW.lnk

mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe

mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe

mRun: [Tpam.exe] "c:\program files\ibm\personal communications\tpam.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [F5D8011] c:\program files\belkin\f5d8011v1\Belkinwcui.exe

mRun: [MyHelpService] "c:\program files\ibm\my help\plugins\com.ibm.myhelp.installer\service\delayStart.exe"

mRun: [PSQLLauncher] "c:\program files\thinkvantage fingerprint software\launcher.exe" /startup

mRun: [pmonmh] c:\program files\ibm\my help\plugins\\com.ibm.myhelp.common_1.2.23/pmonmh.exe

mRun: [LXCJCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCJtime.dll,_RunDLLEntry@16

mRun: [EzPrint] "c:\program files\lexmark 8300 series\ezprint.exe"

mRun: [sansaDispatch] c:\program files\sandisk\sansa updater\SansaDispatch.exe

mRun: [iSSI Service] "c:\sdwork\issimsvc.exe"

StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\administrator\application data\dropbox\bin\Dropbox.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\infopr~1.lnk - c:\program files\ibm\infoprint select\ipnotify.exe

uPolicies-explorer: NoDevMgrUpdate = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\ibm\java50\jre\bin\ssv.dll

LSP: c:\windows\system32\hummingbird\connectivity\8.00\socks\\hclsock5.dll

Trusted Zone: turbotax.com

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {1ACECAFE-0015-0000-0000-ABCDEFFEDCBA} - hxxp://

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://

DPF: {8C28EFD7-767B-11D1-844B-0060972DC2AC} - hxxps://w3-03.ibm.com/Hyperion/zeroadmin/component/Brio.InsightNoHelp.en.cab

DPF: {9519B2A2-6592-4E41-8290-D0298459270C} - hxxp://w3.ibm.com/bluepages/scripts/lnwebassist.cab

DPF: {A4B28810-11A2-4956-82D1-B2DCBA4B2AFD} - hxxp://usbldprt05.boulder.ibm.com/tools/print/plugin/gpwsx.cab

DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sappc\sapgui\SAPHTMLP.DLL

Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sappc\sapgui\SAPHTMLP.DLL

Notify: ACNotify - ACNotify.dll

Notify: atmgrtok - atmgrtok.dll

Notify: igfxcui - igfxdev.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

Notify: pcsinst - pcsinst.dll

Notify: tpfnf2 - notifyf2.dll

Notify: tphotkey - tphklock.dll

LSA: Notification Packages = scecli ACGina

mASetup: {3D82B0C3-AAFA-400E-B2D1-46B7AD38AB8C} - "c:\program files\hummingbird\connectivity\12.00\accessories\HumSettings.exe" INSTALL=ALL NoFreeWhenWOW64=1

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\z8rf0hzz.default\

FF - prefs.js: browser.search.selectedEngine - IBM BluePages

FF - prefs.js: browser.startup.homepage - w3.ibm.com

FF - plugin: c:\program files\ibm\java50\jre\bin\NPJava11.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\NPJava12.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\NPJava13.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\NPJava14.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\NPJava32.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\NPJPI150.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\NPOJI610.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\npwebscl.dll

FF - plugin: c:\program files\mozilla firefox\extensions\ibm-cck@firefox-extensions.ibm.com\platform\winnt_x86-msvc\plugins\npaddtonab.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npaddtonab.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npcpsweb.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npstloader.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwebscl.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-9-28 19504]

R1 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2006-9-6 337592]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2006-9-6 54968]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]

R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2006-7-19 202400]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]

R2 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2006-9-27 116464]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec client security\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-4-1 24652]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-1-20 102448]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100122.007\naveng.sys [2010-1-22 84912]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100122.007\navex15.sys [2010-1-22 1323568]

S3 gwiopm;gwiopm;\??\c:\program files\wst\gwiopm.sys --> c:\program files\wst\gwiopm.sys [?]

S3 IsamFilter;IsamFilter;c:\windows\system32\drivers\isamfilter.sys [2009-10-9 6016]

S3 pf_usb;Kensington Digital Frame Service;c:\windows\system32\drivers\PF_USB.sys [2006-11-10 17036]

S3 XJCRNIFLTTK;XJCRNIFLTTK;c:\docume~1\admini~1\locals~1\temp\XJCRNIFLTTK.exe [2010-1-23 412544]

S3 XLoader;PLEXTOR EZ-USB FX2 FIRMWARE LOADER (XLoader.sys);c:\windows\system32\drivers\XLoader.sys [2004-11-26 13696]

=============== Created Last 30 ================

2010-01-23 17:43:04 0 ----a-w- c:\documents and settings\administrator\defogger_reenable

2010-01-22 23:24:46 0 d-----w- c:\program files\Trend Micro

2010-01-21 01:15:18 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

2010-01-21 01:15:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-21 01:15:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-21 01:15:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-21 01:15:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-01-21 00:56:54 0 d-----w- c:\temp\SpyDLLRemover

2010-01-19 22:09:15 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-01-19 22:09:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-01-15 17:27:56 0 d-----w- c:\program files\My Company Name

2010-01-15 17:21:46 43627 ----a-w- c:\documents and settings\administrator\install.xml

2010-01-15 17:21:28 0 d-----w- C:\notes7bkp

==================== Find3M ====================

2010-01-21 13:59:10 874240 ----a-w- c:\windows\system32\drivers\iaStor.sys

2009-12-21 19:45:56 2256 ----a-w- c:\windows\current_settings.bin

2009-12-10 16:42:21 6016 ----a-w- c:\windows\system32\drivers\isamfilter.sys

2009-11-17 18:57:03 64792 ----a-w- c:\windows\isamunin.exe

2009-11-16 17:35:44 61520 ----a-w- c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT

2009-10-29 05:48:04 662016 ----a-w- c:\windows\system32\wininet.dll

2008-05-14 18:49:48 139 ----a-w- c:\program files\wsmjunk.txt

============= FINISH: 12:50:09.50 ===============

****************************************************************

Attach.zip includes ARK.txt and Attach.TXT

Thank you again, Allan

  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

Thank you for getting back to me :-)

Here is the log from ComboFix:

ComboFix 10-01-24.05 - agunz 01/25/10 13:38:58.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3062.2465 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Client Firewall *disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Start Menu\Internet Explorer.lnk

c:\recycler\S-1-5-21-1202660629-2077806209-682003330-500

c:\recycler\S-1-5-21-3030458479-2410203345-1438871821-500

c:\windows\winhelp.ini

c:\windows\system32\Drivers\iaStor.sys . . . is infected!!

.

((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))

.

2010-01-22 23:50 . 2010-01-22 23:50 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

2010-01-22 23:24 . 2010-01-22 23:24 -------- d-----w- c:\program files\Trend Micro

2010-01-21 01:15 . 2010-01-21 01:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-01-21 01:15 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-21 01:15 . 2010-01-21 01:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-21 01:15 . 2010-01-21 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-01-21 01:15 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-21 00:56 . 2010-01-21 00:56 -------- d-----w- c:\temp\SpyDLLRemover

2010-01-19 22:09 . 2010-01-22 12:13 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-01-19 22:09 . 2010-01-21 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-01-15 17:27 . 2010-01-15 17:27 -------- d-----w- c:\program files\My Company Name

2010-01-15 17:21 . 2010-01-15 17:21 -------- d-----w- C:\notes7bkp

2010-01-05 15:06 . 2010-01-05 15:06 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\NAVENG.SYS

2010-01-05 15:06 . 2010-01-05 15:06 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\NAVENG32.DLL

2010-01-05 15:06 . 2010-01-05 15:06 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\NAVEX32A.DLL

2010-01-05 15:06 . 2010-01-05 15:06 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\NAVEX15.SYS

2010-01-05 15:06 . 2010-01-05 15:06 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\EECTRL.SYS

2010-01-05 15:06 . 2010-01-05 15:06 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\CCERASER.DLL

2010-01-05 15:06 . 2010-01-05 15:06 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\ECMSVR32.DLL

2010-01-05 15:06 . 2010-01-05 15:06 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\ERASER.SYS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-25 18:51 . 2006-03-27 21:50 -------- d-----w- c:\program files\WST

2010-01-25 18:50 . 2009-09-04 14:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Dropbox

2010-01-25 18:48 . 2005-04-05 17:21 -------- d-----w- c:\program files\C4ebreg

2010-01-25 18:28 . 2006-11-10 17:32 -------- d-----w- c:\program files\Lx_cats

2010-01-25 16:50 . 2007-04-27 14:58 40 ----a-w- c:\windows\system32\profile.dat

2010-01-25 16:47 . 2006-01-24 00:45 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-01-25 14:39 . 2006-08-26 02:10 -------- d-----w- c:\program files\AT&T Network Client

2010-01-24 16:10 . 2006-02-13 10:24 874240 ------w- c:\windows\system32\drivers\iaStor.sys

2010-01-23 03:56 . 2006-04-12 02:08 -------- d-----w- c:\program files\Common Files\Adobe

2009-12-21 19:45 . 2007-04-17 14:02 2256 ----a-w- c:\windows\current_settings.bin

2009-12-21 12:51 . 2007-06-06 21:46 -------- d-----w- c:\program files\SanDisk

2009-12-21 12:50 . 2009-12-21 12:51 79872 ----a-w- c:\documents and settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

2009-12-21 12:50 . 2009-12-21 12:50 574344 ----a-w- c:\documents and settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaUpdater.exe

2009-12-21 12:50 . 2009-12-21 12:50 354744 ----a-w- c:\documents and settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaUpdaterInstall.exe

2009-12-21 12:50 . 2009-12-21 12:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\SanDisk

2009-12-10 16:42 . 2009-10-09 15:28 6016 ----a-w- c:\windows\system32\drivers\isamfilter.sys

2009-11-17 18:57 . 2005-07-29 18:05 64792 ----a-w- c:\windows\isamunin.exe

2009-11-05 20:05 . 2005-04-04 18:17 61520 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-29 05:48 . 2004-08-04 05:00 662016 ----a-w- c:\windows\system32\wininet.dll

2008-05-14 18:49 . 2008-05-14 18:49 139 ----a-w- c:\program files\wsmjunk.txt

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2009-09-02 23:45 77824 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2009-09-02 23:45 77824 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2009-09-02 23:45 77824 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickenScheduledUpdates"="c:\program files\Quicken\bagent.exe" [2007-05-07 87592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"pmonmh"="c:\program files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.2.23" [X]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"ISAMTray"="c:\program files\C4ebreg\isamtray.exe" [2009-11-17 285976]

"stgclean"="c:\sdwork\w32main2.exe" [2009-11-24 297472]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-08-26 110592]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-26 512000]

"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]

"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-21 200704]

"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-21 208896]

"TpShocks"="TpShocks.exe" [2007-09-28 181544]

"TP4EX"="tp4ex.exe" [2005-10-17 65536]

"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 856064]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]

"C4EBReg"="c:\program files\C4ebreg\c4ebreg.exe" [2009-11-17 478488]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]

"vptray"="c:\progra~1\SYMANT~2\SYMANT~2\VPTray.exe" [2006-09-28 125168]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-15 141848]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-08-15 162328]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-08-15 137752]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]

"lxcjmon.exe"="c:\program files\Lexmark 8300 Series\lxcjmon.exe" [2005-09-30 200704]

"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-12-25 409600]

"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-12-25 110592]

"Tpam.exe"="c:\program files\IBM\Personal Communications\tpam.exe" [2005-09-06 28672]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"F5D8011"="c:\program files\Belkin\F5D8011v1\Belkinwcui.exe" [2006-06-06 1613824]

"LXCJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2005-09-08 73728]

"EzPrint"="c:\program files\Lexmark 8300 Series\ezprint.exe" [2005-08-01 94208]

"ISSI Service"="c:\sdwork\issimsvc.exe" [2009-12-10 241392]

"w32msgr"="c:\sdwork\w32maing.exe" [2010-01-25 266752]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe [2009-9-2 26785147]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Infoprint Select Notification.lnk - c:\program files\IBM\Infoprint Select\ipnotify.exe [2009-10-13 143360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDevMgrUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]

2005-09-06 18:43 49152 ----a-w- c:\windows\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2005-07-06 04:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2006-08-26 01:43 24576 ------w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pmonmh]

c:\program files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.2.23 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]

2005-08-01 12:05 94208 ----a-w- c:\program files\Lexmark 8300 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F5D8011]

2006-06-06 03:23 1613824 ----a-w- c:\program files\Belkin\F5D8011v1\Belkinwcui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCJCATS]

2005-09-08 18:45 73728 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\lxcjtime.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickenScheduledUpdates]

2007-05-07 18:17 87592 ----a-w- c:\program files\Quicken\bagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"IBMconfig"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Hummingbird\\Connectivity\\12.00\\Exceed\\exceed.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [09/28/07 4:28 PM 19504]

R2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [09/27/06 7:33 PM 116464]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [04/01/08 9:00 AM 24652]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [01/20/10 7:21 AM 102448]

S3 gwiopm;gwiopm;\??\c:\program files\wst\gwiopm.sys --> c:\program files\wst\gwiopm.sys [?]

S3 IsamFilter;IsamFilter;c:\windows\system32\drivers\isamfilter.sys [10/09/09 10:28 AM 6016]

S3 pf_usb;Kensington Digital Frame Service;c:\windows\system32\drivers\PF_USB.sys [11/10/06 12:13 PM 17036]

S3 XJCRNIFLTTK;XJCRNIFLTTK;c:\docume~1\ADMINI~1\LOCALS~1\Temp\XJCRNIFLTTK.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\XJCRNIFLTTK.exe [?]

S3 XLoader;PLEXTOR EZ-USB FX2 FIRMWARE LOADER (XLoader.sys);c:\windows\system32\drivers\XLoader.sys [11/26/04 12:13 PM 13696]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3D82B0C3-AAFA-400E-B2D1-46B7AD38AB8C}]

2006-06-29 12:00 99920 ----a-w- c:\program files\Hummingbird\Connectivity\12.00\Accessories\HumSettings.exe

.

Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-08-26 06:19]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://w3.watson.ibm.com/

uInternet Connection Wizard,ShellNext = hxxp://w3.ibm.com/

uInternet Settings,ProxyOverride = <local>;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

LSP: c:\windows\system32\Hummingbird\Connectivity\8.00\Socks\\hclsock5.dll

Trusted Zone: turbotax.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {1ACECAFE-0015-0000-0000-ABCDEFFEDCBA} - hxxp://

DPF: {8C28EFD7-767B-11D1-844B-0060972DC2AC} - hxxps://w3-03.ibm.com/Hyperion/zeroadmin/component/Brio.InsightNoHelp.en.cab

DPF: {9519B2A2-6592-4E41-8290-D0298459270C} - hxxp://w3.ibm.com/bluepages/scripts/lnwebassist.cab

DPF: {A4B28810-11A2-4956-82D1-B2DCBA4B2AFD} - hxxp://usbldprt05.boulder.ibm.com/tools/print/plugin/gpwsx.cab

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z8rf0hzz.default\

FF - prefs.js: browser.search.selectedEngine - IBM BluePages

FF - prefs.js: browser.startup.homepage - w3.ibm.com

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJava11.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJava12.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJava13.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJava14.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJava32.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJPI150.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPOJI610.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\npwebscl.dll

FF - plugin: c:\program files\Mozilla Firefox\extensions\IBM-cck@firefox-extensions.ibm.com\platform\WINNT_x86-msvc\plugins\npaddtonab.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npaddtonab.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npcpsweb.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npstloader.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npwebscl.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-AWMON - c:\program files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe

HKLM-Run-ISAM SMT Service - c:\program files\C4ebreg\isamsmt.exe

HKLM-Run-RescueRecoverySetPW - c:\sdwork\Rescue&RecoverySetPW.lnk

HKLM-Run-MyHelpService - c:\program files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\delayStart.exe

HKLM-Run-PSQLLauncher - c:\program files\Thinkvantage Fingerprint Software\launcher.exe

HKLM-Run-SansaDispatch - c:\program files\SanDisk\Sansa Updater\SansaDispatch.exe

Notify-ACNotify - ACNotify.dll

Notify-atmgrtok - atmgrtok.dll

MSConfigStartUp-MyHelpService - c:\program files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\delayStart.exe

MSConfigStartUp-PSQLLauncher - c:\program files\Thinkvantage Fingerprint Software\launcher.exe

AddRemove-InstallShield_{874E44F3-B9A7-4AA1-B4BA-83E5684ED9C6} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-25 13:49

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AA00856]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf763bfc3

\Driver\ACPI -> ACPI.sys @ 0xf75aecb8

\Driver\atapi -> atapi.sys @ 0xf74827b4

\Driver\iaStor -> iaStor.sys @ 0xf7b1bb58

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059c876

ParseProcedure -> ntoskrnl.exe @ 0x8057016c

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059c876

ParseProcedure -> ntoskrnl.exe @ 0x8057016c

NDIS: 11a/b/g Wireless LAN Mini PCI Express Adapter -> SendCompleteHandler -> NDIS.sys @ 0xba75cbc3

PacketIndicateHandler -> NDIS.sys @ 0xba74aa0b

SendHandler -> NDIS.sys @ 0xba75eb31

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1068)

c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll

c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll

c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll

c:\windows\system32\tphklock.dll

c:\program files\IBM\Personal Communications\atmgrtok.dll

c:\program files\IBM\Personal Communications\MILLUTIL.DLL

c:\windows\system32\pcsinst.dll

- - - - - - - > 'lsass.exe'(1124)

c:\windows\system32\Hummingbird\Connectivity\8.00\Socks\hclsock5.dll

- - - - - - - > 'explorer.exe'(4528)

c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.3.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ibmpmsvc.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\ccProxy.exe

c:\program files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe

c:\program files\Common Files\Symantec Shared\SNDSrvc.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\windows\system32\Drivers\trcboot.exe

c:\program files\IBM\Personal Communications\PCS_AGNT.EXE

c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

c:\windows\system32\acs.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe

c:\notes\ntmulti.exe

c:\program files\AT&T Network Client\NetCfgSv.EXE

c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe

c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

c:\windows\System32\TPHDEXLG.exe

c:\windows\system32\TpKmpSVC.exe

c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\Drivers\ldlcserv.exe

c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe

c:\program files\lenovo\system update\suservice.exe

c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\TpShocks.exe

c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe

c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe

c:\program files\ThinkPad\UltraNav Wizard\UNavTray.EXE

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\lxcjcoms.exe

.

**************************************************************************

.

Completion time: 2010-01-25 13:55:50 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-25 18:55

Pre-Run: 31,065,747,456 bytes free

Post-Run: 31,120,400,384 bytes free

- - End Of File - - FF28A4481E55A589A7CE126D36BAF6FF


  • Staff

Hi,

Your iastor.sys file is infected and it looks like we have to replace the infected iastor.sys manually then...

This is a really important system file and there are always risks involved when we have to replace it manually, so that's why it's always a good idea to back up any important data you don't want to lose, in case anything goes wrong. We will also use the Hiren boot CD afterwards to replace it. There are other methods, but I've seen too many cases already where it failed or something went wrong in between, so with the Hiren boot CD (instructions will follow afterwards) it's always a bit safer since, even if something goes wrong, you'll still be able to access your data.

Anyway,

Let's have a look first where we can find copies of that file on your system....

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *iastor.sys*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


Here are the results of SystemLook:

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 14:15 on 25/01/2010 by agunz (Administrator - Elevation successful)

========== filefind ==========

Searching for "*iastor.sys*"

C:\pnp\001\IASTOR.SYS --a--- 874240 bytes [23:59 29/11/1979] [00:53 26/08/2006] 309C4D86D989FB1FCF64BD30DC81C51B

C:\WINDOWS\system32\drivers\iaStor.sys ------ 874240 bytes [10:24 13/02/2006] [16:10 24/01/2010] 309C4D86D989FB1FCF64BD30DC81C51B

-=End Of File=-


  • Staff

Hi,

It looks like we can restore it with this copy:

C:\pnp\001\IASTOR.SYS

I suggest you create an extra copy first, just in case..

So, navigate to your C:\Windows folder and create a new folder in there called iabackup

Then, copy and paste the C:\pnp\001\IASTOR.SYS into the C:\Windows\iabackup folder (the folder you just created)

Please make sure you copy the IASTOR.SYS from the C:\pnp\001 folder into there and not the iastor.sys present in your C:\Windows\system32\drivers folder.

Then, to verify that you did it right, run SystemLook again with exactly the same command you used before and paste the new log in your next reply.


Here is the newest SystemLook log:

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 14:30 on 25/01/2010 by agunz (Administrator - Elevation successful)

========== filefind ==========

Searching for "*iastor.sys*"

C:\pnp\001\IASTOR.SYS --a--- 874240 bytes [23:59 29/11/1979] [00:53 26/08/2006] 309C4D86D989FB1FCF64BD30DC81C51B

C:\WINDOWS\iabackup\IASTOR.SYS --a--- 874240 bytes [19:29 25/01/2010] [00:53 26/08/2006] 309C4D86D989FB1FCF64BD30DC81C51B

C:\WINDOWS\system32\drivers\iaStor.sys ------ 874240 bytes [10:24 13/02/2006] [16:10 24/01/2010] 309C4D86D989FB1FCF64BD30DC81C51B

-=End Of File=-


  • Staff

Ok, now the big/risky work..

Let's see how this goes.....

Please visit the website to download the bootcd > http://www.hirensbootcd.net/details/10.0.html

Just extract everything into a folder and double-click "BurnToCD.cmd" in order to burn it to CD.

Then boot the computer using the Hiren CD you just burned. When you get to this screen, select "Start Mini Windows XP":

HirenBootCD_menu.png

It will then look like this:

hirenboocd_desktop.png

In the Hiren Boot "Mini Windows Xp"

1) Locate this file - C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS

2) Rename it to IASTOR.SYS.BAD

3) Then copy the iastor.sys from the C:\pnp\001 folder to the C:\WINDOWS\SYSTEM32\DRIVERS folder

or you can also use the one from C:\WINDOWS\iabackup\IASTOR.SYS to copy to your C:\WINDOWS\SYSTEM32\DRIVERS folder.

When finished, restart the machine and boot back into your normal OS.

Let me know how that went.


I was able to boot off the Hiren CD and I swapped the iastor.sys file. Here is an updated SystemLook log:

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 15:09 on 25/01/2010 by agunz (Administrator - Elevation successful)

========== filefind ==========

Searching for "*iastor.sys*"

C:\pnp\001\IASTOR.SYS --a--- 874240 bytes [23:59 29/11/1979] [00:53 26/08/2006] 309C4D86D989FB1FCF64BD30DC81C51B

C:\WINDOWS\iabackup\IASTOR.SYS --a--- 874240 bytes [19:29 25/01/2010] [00:53 26/08/2006] 309C4D86D989FB1FCF64BD30DC81C51B

C:\WINDOWS\system32\drivers\IASTOR.SYS --a--- 874240 bytes [15:04 25/01/2010] [00:53 26/08/2006] 309C4D86D989FB1FCF64BD30DC81C51B

C:\WINDOWS\system32\drivers\iaStor.sys.BAD --a--- 874240 bytes [10:24 13/02/2006] [16:10 24/01/2010] D8357FD6E769FB1263E27647EC0F3A2E

-=End Of File=-


  • Staff

Well, it looks like that went well... :D

Now you can remove the C:\WINDOWS\system32\drivers\iaStor.sys.BAD (that's the bad one).

As you can see in the log, it now displays a different MD5 from the other, legit ones. You couldn't see that while it was still active :)

Let me know in your next reply how things are now, if redirects have stopped.

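The two checks the staff walked through above, the SystemLook filefind listing and the rename-and-copy from the boot CD that finally exposes the driver's real MD5, can be scripted. What follows is an added example written for this page, not a tool from the thread, from Malwarebytes or from SystemLook's author. It parses the SystemLook lines quoted in this thread, measures every copy against the known-good copy in C:\pnp\001, flags a copy whose hash differs (same size, different hash is the patched-in-place pattern), treats a matching hash with a changed modification time as "re-check from a clean boot" (the situation in the first log, where the rootkit was still filtering disk reads), and rehearses the offline swap on constructed files in a temporary directory. The function and file names are the example's own.

```python
"""Triage copies of a driver listed by SystemLook's ':filefind' scan and
rehearse the offline swap. Added example; assumes nothing beyond the log
format shown in the thread."""
import hashlib
import re
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Result lines quoted from the SystemLook logs posted in this thread.
# First scan: taken while the rootkit was still loaded.
SYSTEMLOOK_BEFORE_SWAP = r"""
C:\pnp\001\IASTOR.SYS --a--- 874240 bytes [23:59 29/11/1979] [00:53 26/08/2006] 309C4D86D989FB1FCF64BD30DC81C51B
C:\WINDOWS\system32\drivers\iaStor.sys ------ 874240 bytes [10:24 13/02/2006] [16:10 24/01/2010] 309C4D86D989FB1FCF64BD30DC81C51B
"""
# Third scan: after the driver was swapped from the Hiren boot CD.
SYSTEMLOOK_AFTER_SWAP = r"""
C:\pnp\001\IASTOR.SYS --a--- 874240 bytes [23:59 29/11/1979] [00:53 26/08/2006] 309C4D86D989FB1FCF64BD30DC81C51B
C:\WINDOWS\iabackup\IASTOR.SYS --a--- 874240 bytes [19:29 25/01/2010] [00:53 26/08/2006] 309C4D86D989FB1FCF64BD30DC81C51B
C:\WINDOWS\system32\drivers\IASTOR.SYS --a--- 874240 bytes [15:04 25/01/2010] [00:53 26/08/2006] 309C4D86D989FB1FCF64BD30DC81C51B
C:\WINDOWS\system32\drivers\iaStor.sys.BAD --a--- 874240 bytes [10:24 13/02/2006] [16:10 24/01/2010] D8357FD6E769FB1263E27647EC0F3A2E
"""

# Layout of one result line: path attrs size bytes [created] [modified] md5
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-A-Za-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class Entry:
    path: str
    size: int
    created: str
    modified: str
    md5: str


def parse_filefind(text):
    """One Entry per result line; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["path"], int(m["size"]), m["created"],
                                 m["modified"], m["md5"].upper()))
    return entries


def triage(entries, reference_path):
    """Verdict for every copy, measured against the known-good reference copy."""
    ref = next(e for e in entries if e.path.lower() == reference_path.lower())
    verdicts = {}
    for e in entries:
        if e is ref:
            continue
        if e.md5 != ref.md5:
            verdict = "HASH MISMATCH"
            if e.size == ref.size:
                verdict += " (same size: patched in place, not replaced)"
        elif e.modified != ref.modified:
            # A live hash can be spoofed by a kernel-mode filter; the changed
            # mtime is the only honest signal until the box is booted clean.
            verdict = "hash matches but mtime differs: re-check from a clean boot"
        else:
            verdict = "ok"
        verdicts[e.path] = verdict
    return verdicts


def md5_of_file(path, chunk=1 << 20):
    """Hash a file on disk. Run this from the rescue environment, where the
    rootkit is not loaded and cannot filter what the disk returns."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def swap_driver(live, good, bad_suffix=".BAD"):
    """The offline replacement done from the boot CD: keep the bad file under
    a new name for later analysis, copy the clean one in, verify the copy."""
    live, good = Path(live), Path(good)
    bad = live.with_name(live.name + bad_suffix)
    live.rename(bad)
    shutil.copy2(good, live)          # copy2 keeps the original mtime, as in the log
    if md5_of_file(live) != md5_of_file(good):
        raise RuntimeError("copy verification failed")
    return bad


def demo_swap():
    """Rehearse swap_driver on constructed files; returns the hashes seen
    before and after so the effect can be checked without a real driver."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d, "pnp", "IASTOR.SYS")
        live = Path(d, "drivers", "iaStor.sys")
        good.parent.mkdir()
        live.parent.mkdir()
        good.write_bytes(b"clean driver image (constructed)")
        live.write_bytes(b"patched driver image (constructed)")
        before = md5_of_file(live)
        bad = swap_driver(live, good)
        return before, md5_of_file(live), md5_of_file(good), md5_of_file(bad)


if __name__ == "__main__":
    for label, log in (("while infected", SYSTEMLOOK_BEFORE_SWAP),
                       ("after offline swap", SYSTEMLOOK_AFTER_SWAP)):
        print(f"== {label}")
        for path, verdict in triage(parse_filefind(log), r"C:\pnp\001\IASTOR.SYS").items():
            print(f"{verdict:62} {path}")
```

Run against the first log it reports only the mtime discrepancy, which is exactly the situation the scanners were fooled by; against the third log it flags iaStor.sys.BAD as a same-size hash mismatch. The swap helper deliberately renames rather than deletes, so the patched driver survives for analysis, and it refuses to finish unless the copied file hashes identically to the source.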

Well, there were multiple viruses/malware as shown in the logs posted earlier. And I suspect that Symantec AV and MBAM may have been compromised, as well as my firewall. What should I run now to fully check my system? I am concerned that there may still be Trojans or even keyloggers hiding. My firewall logs showed suspicious inbound and outbound activity. What should my next step be?

Thank you, Allan.


  • Staff

Hi,

You should be OK now though. It was the infected iastor.sys causing the main problems.

There are still some small steps to perform to get rid of some orphaned entries and an unwanted application..

I see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change, from what we know as of 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Then, to deal with the orphaned entries, go to Start > Run, copy and paste the next command in the field and hit Enter:

sc delete XJCRNIFLTTK

Then do the same with:

sc delete gwiopm

Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /Uninstall

Make sure there's a space between ComboFix and the /.

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Don't worry about your MBAM and Symantec being compromised. This variant doesn't compromise them. I guess you think this because they didn't detect this infected system file? In a way that's normal, because most scanners have problems detecting this one, since it uses advanced techniques to bypass detection. For example, when it's active, scanners see the legitimate iastor.sys since it has the legitimate MD5, but once unloaded, as you've seen in your latest SystemLook log, the iastor.sys.bad has another MD5 :D

Malwarebytes does prevent this infection though since the realtime scanner blocks its installer and the malicious pages where it was downloaded, so it won't be able to install in the first place.

You can have a latest check with Eset online scanner to see if there are any inactive leftovers present (from other infections you were dealing with):

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log in your next reply and also let me know how things are now.

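The `sc delete` step above clears service entries whose binary is gone (ComboFix prints `[?]` after a service line when it cannot find or stat the file). As an added example, not code from the thread or from ComboFix's author, this script parses the service lines from the ComboFix log posted earlier, flags entries whose binary is missing or sits in a Temp directory, and emits the matching `sc delete` commands. The flagging rules and all names in it are the example's own.

```python
"""Flag service entries in a ComboFix log whose binary is missing or lives in
a Temp directory, and emit the 'sc delete' commands used to remove them.
Added example; the only assumption is the line layout shown in the log."""
import re

# Service lines quoted from the ComboFix log posted in this thread.
COMBOFIX_SERVICES = r"""
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [09/28/07 4:28 PM 19504]
R2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [09/27/06 7:33 PM 116464]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [04/01/08 9:00 AM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [01/20/10 7:21 AM 102448]
S3 gwiopm;gwiopm;\??\c:\program files\wst\gwiopm.sys --> c:\program files\wst\gwiopm.sys [?]
S3 IsamFilter;IsamFilter;c:\windows\system32\drivers\isamfilter.sys [10/09/09 10:28 AM 6016]
S3 pf_usb;Kensington Digital Frame Service;c:\windows\system32\drivers\PF_USB.sys [11/10/06 12:13 PM 17036]
S3 XJCRNIFLTTK;XJCRNIFLTTK;c:\docume~1\ADMINI~1\LOCALS~1\Temp\XJCRNIFLTTK.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\XJCRNIFLTTK.exe [?]
S3 XLoader;PLEXTOR EZ-USB FX2 FIRMWARE LOADER (XLoader.sys);c:\windows\system32\drivers\XLoader.sys [11/26/04 12:13 PM 13696]
"""

# Layout: <state> <name>;<display name>;<image path>[ --> <resolved path>] [<stat or ?>]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)"
    r"(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<stat>[^\]]*)\]$"
)

# Lower-cased path fragments that mark a Temp directory (short and long names).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def parse_services(text):
    """One dict per service line; anything that is not a service line is skipped."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        svc = m.groupdict()
        svc["missing"] = svc["stat"] == "?"   # ComboFix could not find the binary
        services.append(svc)
    return services


def triage_services(services):
    """Map service name -> list of reasons it deserves a look."""
    findings = {}
    for svc in services:
        path = (svc["resolved"] or svc["image"]).lower()
        reasons = []
        if svc["missing"]:
            reasons.append("binary missing on disk")
        if any(marker in path for marker in TEMP_MARKERS):
            reasons.append("binary in a Temp directory")
        if reasons:
            findings[svc["name"]] = reasons
    return findings


def remediation_commands(findings):
    """The 'sc delete' lines for the flagged services; names with spaces are quoted."""
    commands = []
    for name in sorted(findings):
        quoted = f'"{name}"' if " " in name else name
        commands.append(f"sc delete {quoted}")
    return commands


if __name__ == "__main__":
    flagged = triage_services(parse_services(COMBOFIX_SERVICES))
    for name, reasons in flagged.items():
        print(f"{name}: {'; '.join(reasons)}")
    print("\n".join(remediation_commands(flagged)))
```

On the log above it flags exactly the two services the staff asked to be deleted: gwiopm (binary gone) and XJCRNIFLTTK (binary gone, and it pointed into the Administrator's Temp folder). Two cautions before typing the commands: `sc delete` only removes the registry entry, so a driver that is already loaded stays resident until reboot, and if a flagged binary still exists on disk, copy it off for analysis before removing the service.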

Well, looks like there are still problems. ESET found the following:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=0c6d77a2179a1c4da2f2470feab1fecb

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-01-25 10:20:44

# local_time=2010-01-25 05:20:44 (-0500, Eastern Standard Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 168473 168473 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=143833

# found=1

# cleaned=1

# scan_time=4084

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LUQYBXMP\i[2].js HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C

I will now update and run MBAM, reboot and run MBAM again, then run Symantec AV, and post what I get.


Hi, I ran a number of different scans.

First I ran MBAM, then rebooted, then ran MBAM again:

First time:

Malwarebytes' Anti-Malware 1.44

Database version: 3638

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

01/25/10 5:29:50 PM

mbam-log-2010-01-25 (17-29-50).txt

Scan type: Quick Scan

Objects scanned: 129321

Time elapsed: 3 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

**************************************************************

Second time:

Malwarebytes' Anti-Malware 1.44

Database version: 3638

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

01/25/10 5:39:30 PM

mbam-log-2010-01-25 (17-39-30).txt

Scan type: Quick Scan

Objects scanned: 129384

Time elapsed: 5 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

***************************************************************

Next I ran Symantec AV, which was clean.

Then I ran GMER. Here is the ark.txt:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-01-25 20:40:34

Windows 5.1.2600 Service Pack 2

Running: df8ledyk.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pgddrpog.sys

---- System - GMER 1.0.15 ----

SSDT 8A075500 ZwConnectPort

SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0x9DFC8350]

SSDT 8AB34008 ZwQueryValueKey

SSDT 8A0998C0 ZwResumeThread

SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0x9DFC8580]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

***************************************************************

Next I ran ComboFix, here is the log:

ComboFix 10-01-25.02 - agunz 01/25/10 21:12:35.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3062.2211 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Client Firewall *disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

.

((((((((((((((((((((((((( Files Created from 2009-12-26 to 2010-01-26 )))))))))))))))))))))))))))))))

.

2010-01-25 15:04 . 2006-08-26 00:53 874240 ----a-w- c:\windows\system32\drivers\IASTOR.SYS

2010-01-22 23:50 . 2010-01-22 23:50 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

2010-01-22 23:24 . 2010-01-22 23:24 -------- d-----w- c:\program files\Trend Micro

2010-01-21 01:15 . 2010-01-21 01:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-01-21 01:15 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-21 01:15 . 2010-01-21 01:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-21 01:15 . 2010-01-21 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-01-21 01:15 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-21 00:56 . 2010-01-21 00:56 -------- d-----w- c:\temp\SpyDLLRemover

2010-01-19 22:09 . 2010-01-22 12:13 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-01-19 22:09 . 2010-01-21 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-01-15 17:27 . 2010-01-15 17:27 -------- d-----w- c:\program files\My Company Name

2010-01-15 17:21 . 2010-01-15 17:21 -------- d-----w- C:\notes7bkp

2010-01-05 15:06 . 2010-01-05 15:06 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\NAVENG.SYS

2010-01-05 15:06 . 2010-01-05 15:06 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\NAVENG32.DLL

2010-01-05 15:06 . 2010-01-05 15:06 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\NAVEX32A.DLL

2010-01-05 15:06 . 2010-01-05 15:06 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\NAVEX15.SYS

2010-01-05 15:06 . 2010-01-05 15:06 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\EECTRL.SYS

2010-01-05 15:06 . 2010-01-05 15:06 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\CCERASER.DLL

2010-01-05 15:06 . 2010-01-05 15:06 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\ECMSVR32.DLL

2010-01-05 15:06 . 2010-01-05 15:06 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\ERASER.SYS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-25 22:33 . 2009-09-04 14:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Dropbox

2010-01-25 22:31 . 2005-04-05 17:21 -------- d-----w- c:\program files\C4ebreg

2010-01-25 22:30 . 2007-04-27 14:58 40 ----a-w- c:\windows\system32\profile.dat

2010-01-25 21:09 . 2010-01-25 21:09 -------- d-----w- c:\program files\ESET

2010-01-25 21:01 . 2008-04-01 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2010-01-25 18:51 . 2006-03-27 21:50 -------- d-----w- c:\program files\WST

2010-01-25 18:28 . 2006-11-10 17:32 -------- d-----w- c:\program files\Lx_cats

2010-01-25 16:47 . 2006-01-24 00:45 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-01-25 14:39 . 2006-08-26 02:10 -------- d-----w- c:\program files\AT&T Network Client

2010-01-23 03:56 . 2006-04-12 02:08 -------- d-----w- c:\program files\Common Files\Adobe

2009-12-21 19:45 . 2007-04-17 14:02 2256 ----a-w- c:\windows\current_settings.bin

2009-12-21 12:51 . 2007-06-06 21:46 -------- d-----w- c:\program files\SanDisk

2009-12-21 12:50 . 2009-12-21 12:51 79872 ----a-w- c:\documents and settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

2009-12-21 12:50 . 2009-12-21 12:50 574344 ----a-w- c:\documents and settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaUpdater.exe

2009-12-21 12:50 . 2009-12-21 12:50 354744 ----a-w- c:\documents and settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaUpdaterInstall.exe

2009-12-21 12:50 . 2009-12-21 12:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\SanDisk

2009-12-10 16:42 . 2009-10-09 15:28 6016 ----a-w- c:\windows\system32\drivers\isamfilter.sys

2009-11-17 18:57 . 2005-07-29 18:05 64792 ----a-w- c:\windows\isamunin.exe

2009-11-05 20:05 . 2005-04-04 18:17 61520 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-29 05:48 . 2004-08-04 05:00 662016 ------w- c:\windows\system32\wininet.dll

2008-05-14 18:49 . 2008-05-14 18:49 139 ----a-w- c:\program files\wsmjunk.txt

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2009-09-02 23:45 77824 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2009-09-02 23:45 77824 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2009-09-02 23:45 77824 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickenScheduledUpdates"="c:\program files\Quicken\bagent.exe" [2007-05-07 87592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"pmonmh"="c:\program files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.2.23" [X]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"ISAMTray"="c:\program files\C4ebreg\isamtray.exe" [2009-11-17 285976]

"stgclean"="c:\sdwork\w32main2.exe" [2009-11-24 297472]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-08-26 110592]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-26 512000]

"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]

"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-21 200704]

"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-21 208896]

"TpShocks"="TpShocks.exe" [2007-09-28 181544]

"TP4EX"="tp4ex.exe" [2005-10-17 65536]

"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 856064]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]

"C4EBReg"="c:\program files\C4ebreg\c4ebreg.exe" [2009-11-17 478488]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]

"vptray"="c:\progra~1\SYMANT~2\SYMANT~2\VPTray.exe" [2006-09-28 125168]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-15 141848]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-08-15 162328]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-08-15 137752]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]

"lxcjmon.exe"="c:\program files\Lexmark 8300 Series\lxcjmon.exe" [2005-09-30 200704]

"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-12-25 409600]

"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-12-25 110592]

"Tpam.exe"="c:\program files\IBM\Personal Communications\tpam.exe" [2005-09-06 28672]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"F5D8011"="c:\program files\Belkin\F5D8011v1\Belkinwcui.exe" [2006-06-06 1613824]

"LXCJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2005-09-08 73728]

"EzPrint"="c:\program files\Lexmark 8300 Series\ezprint.exe" [2005-08-01 94208]

"ISSI Service"="c:\sdwork\issimsvc.exe" [2009-12-10 241392]

"w32msgr"="c:\sdwork\w32maing.exe" [2010-01-25 266752]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe [2009-9-2 26785147]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Infoprint Select Notification.lnk - c:\program files\IBM\Infoprint Select\ipnotify.exe [2009-10-13 143360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDevMgrUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]

2005-09-06 18:43 49152 ----a-w- c:\windows\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2005-07-06 04:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2006-08-26 01:43 24576 ------w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pmonmh]

c:\program files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.2.23 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]

2005-08-01 12:05 94208 ----a-w- c:\program files\Lexmark 8300 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F5D8011]

2006-06-06 03:23 1613824 ----a-w- c:\program files\Belkin\F5D8011v1\Belkinwcui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCJCATS]

2005-09-08 18:45 73728 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\lxcjtime.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickenScheduledUpdates]

2007-05-07 18:17 87592 ----a-w- c:\program files\Quicken\bagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"IBMconfig"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Hummingbird\\Connectivity\\12.00\\Exceed\\exceed.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [09/28/07 4:28 PM 19504]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [01/20/10 7:21 AM 102448]

S3 IsamFilter;IsamFilter;c:\windows\system32\drivers\isamfilter.sys [10/09/09 10:28 AM 6016]

S3 pf_usb;Kensington Digital Frame Service;c:\windows\system32\drivers\PF_USB.sys [11/10/06 12:13 PM 17036]

S3 XLoader;PLEXTOR EZ-USB FX2 FIRMWARE LOADER (XLoader.sys);c:\windows\system32\drivers\XLoader.sys [11/26/04 12:13 PM 13696]

--- Other Services/Drivers In Memory ---

*Deregistered* - pgddrpog

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3D82B0C3-AAFA-400E-B2D1-46B7AD38AB8C}]

2006-06-29 12:00 99920 ----a-w- c:\program files\Hummingbird\Connectivity\12.00\Accessories\HumSettings.exe

.

Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-08-26 06:19]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://w3.watson.ibm.com/

uInternet Connection Wizard,ShellNext = hxxp://w3.ibm.com/

uInternet Settings,ProxyOverride = <local>;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

LSP: c:\windows\system32\Hummingbird\Connectivity\8.00\Socks\\hclsock5.dll

Trusted Zone: turbotax.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {1ACECAFE-0015-0000-0000-ABCDEFFEDCBA} - hxxp://

DPF: {8C28EFD7-767B-11D1-844B-0060972DC2AC} - hxxps://w3-03.ibm.com/Hyperion/zeroadmin/component/Brio.InsightNoHelp.en.cab

DPF: {9519B2A2-6592-4E41-8290-D0298459270C} - hxxp://w3.ibm.com/bluepages/scripts/lnwebassist.cab

DPF: {A4B28810-11A2-4956-82D1-B2DCBA4B2AFD} - hxxp://usbldprt05.boulder.ibm.com/tools/print/plugin/gpwsx.cab

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z8rf0hzz.default\

FF - prefs.js: browser.search.selectedEngine - IBM BluePages

FF - prefs.js: browser.startup.homepage - w3.ibm.com

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJava11.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJava12.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJava13.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJava14.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJava32.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJPI150.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPOJI610.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\npwebscl.dll

FF - plugin: c:\program files\Mozilla Firefox\extensions\IBM-cck@firefox-extensions.ibm.com\platform\WINNT_x86-msvc\plugins\npaddtonab.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npaddtonab.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npcpsweb.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npstloader.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npwebscl.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-25 21:16

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1060)

c:\windows\system32\tphklock.dll

c:\windows\system32\pcsinst.dll

c:\windows\system32\igfxdev.dll

c:\windows\system32\notifyf2.dll

- - - - - - - > 'lsass.exe'(1116)

c:\windows\system32\Hummingbird\Connectivity\8.00\Socks\hclsock5.dll

- - - - - - - > 'explorer.exe'(2724)

c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.3.dll

.

Completion time: 2010-01-25 21:17:55

ComboFix-quarantined-files.txt 2010-01-26 02:17

ComboFix2.txt 2010-01-25 18:55

Pre-Run: 30,655,586,304 bytes free

Post-Run: 30,621,433,856 bytes free

- - End Of File - - 5C71555FD0825F930B1051145EB3CA3B

********************************************************************

I then rebooted and ran ESET again. Here is that log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=0c6d77a2179a1c4da2f2470feab1fecb

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-01-25 10:20:44

# local_time=2010-01-25 05:20:44 (-0500, Eastern Standard Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 168473 168473 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=143833

# found=1

# cleaned=1

# scan_time=4084

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LUQYBXMP\i[2].js HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C

esets_scanner_update returned -1 esets_gle=53251

# version=7

# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=0c6d77a2179a1c4da2f2470feab1fecb

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-01-26 03:41:13

# local_time=2010-01-25 10:41:13 (-0500, Eastern Standard Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 187472 187472 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=143954

# found=0

# cleaned=0

# scan_time=4314

***************************************************************

Do you see anything else that needs to be cleaned or tweaked? Should I run defogger now to re-enable the CD Emulation Drivers?

Thank you so much again.

Allan.......


I am running Symantec AntiVirus and during the scan I notice, as the text flies by, some disturbing names, like fauxvirus\carny-ride and a number of others. It does not get flagged as a virus, but it still seems to see it during the scan. Is there another scan I can run to verify?

Thanks in advance.....


  • Staff

Hi,

What your scanners find are mainly leftovers in your Temporary Internet Files. The txt files are most probably cookies from the pages that were presented (redirected) while you were infected.

CCleaner is a good tool to use once in a while to clean your cache / temp folders.

You can delete that file manually if you want (if still there), because some scanners have problems with deleting js files:

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LUQYBXMP\i[2].js

Also,

Download CCleaner

1. During the install uncheck to install the Yahoo Toolbar

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:


I will run CCleaner next.

I just ran Rootkit Revealer and there are some new entries here. Should I be concerned?

HKU\S-1-5-21-3174464135-1247663815-95215442-500\Console 1/25/2010 10:55 PM 0 bytes Security mismatch.

HKU\S-1-5-21-3174464135-1247663815-95215442-500\Console\Command Prompt 1/25/2010 10:55 PM 0 bytes Security mismatch.

HKLM\SECURITY\Policy\Secrets\SAC* 4/4/2005 12:57 PM 0 bytes Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI* 4/4/2005 12:57 PM 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\IGS\C4EBReg\Utilization\off\CpuTotalMinutes 1/26/2010 1:16 AM 4 bytes Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\IGS\C4EBReg\Utilization\off\MemoryTotalMinutes 1/26/2010 1:16 AM 4 bytes Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\IGS\C4EBReg\Utilization\off\SwapTotalMinutes 1/26/2010 1:16 AM 4 bytes Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\IGS\C4EBReg\Utilization\off\NetworkTotalMinutes 1/26/2010 1:16 AM 4 bytes Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\IGS\C4EBReg\Utilization\off\CpuHigh1Minutes 1/26/2010 1:16 AM 4 bytes Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\IGS\C4EBReg\Utilization\off\CpuHigh2Minutes 1/26/2010 1:16 AM 4 bytes Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\IGS\C4EBReg\Utilization\off\CpuHigh3Minutes 1/26/2010 1:16 AM 4 bytes Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\IGS\ISAMsmt\1\Minutes 1/26/2010 1:16 AM 4 bytes Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\IGS\ISAMsmt\27\Minutes 1/26/2010 1:16 AM 4 bytes Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\IGS\ISAMsmt\3\Minutes 1/26/2010 1:16 AM 4 bytes Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\IGS\ISAMsmt\5\Minutes 1/26/2010 1:16 AM 4 bytes Data mismatch between Windows API and raw hive data.

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z8rf0hzz.default\parent.lock 1/26/2010 1:21 AM 0 bytes Hidden from Windows API.

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z8rf0hzz.default\sessionstore.js 1/26/2010 1:39 AM 60.20 KB Hidden from Windows API.

C:\Documents and Settings\Administrator\Desktop\spybotsd162.exe 1/26/2010 1:39 AM 15.65 MB Hidden from Windows API.

C:\Documents and Settings\Administrator\Desktop\spybotsd162.exe:Zone.Identifier 1/26/2010 1:39 AM 46 bytes Hidden from Windows API.

C:\Program Files\Symantec Client Security\Symantec AntiVirus\SAVRT\0464NAV~.TMP 1/26/2010 1:22 AM 0 bytes Hidden from Windows API.

C:\System Volume Information\_restore{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP4\A0000957.ini 1/25/2010 9:40 PM 15.52 KB Hidden from Windows API.

C:\System Volume Information\_restore{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP4\A0000958.ini 1/25/2010 9:31 PM 336 bytes Hidden from Windows API.

Staff

Hi,

There's nothing to worry about in what RootkitRevealer sees here. Everything looks totally normal, including the references listed in your Firefox cache, because the fact that you used CCleaner explains them. RootkitRevealer compares the results of a system scan at the highest level with those at the lowest level. If you browse in between or (in your case) use CCleaner, it sees these changes and lists them. That's why, if you run any rootkit scanner, always make sure all browsers are closed and you don't do anything else while it's scanning. Ideally, run RootkitRevealer right after a Windows reboot, before you've done anything else.
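The staff reply above describes how RootkitRevealer works: one pass through the Windows API (the high-level view), one pass over the raw NTFS structures (the low-level view), and every difference between the two reported as a discrepancy. A file written between the two passes (browser cache, CCleaner activity, an AV temp file) therefore shows up as "Hidden from Windows API" with nothing actually hiding it. The script below is an added example, not part of the original thread and not RootkitRevealer's own code: it parses report lines in the format posted earlier in the thread and sorts each "Hidden from Windows API" entry by whether its timestamp falls inside the scan window. The scan window (1:20 to 1:40 AM), the rule for ACL-restricted directories such as System Volume Information, and the sample report (a few lines modelled on the ones above plus one constructed driver entry, example.sys, which does not exist on the poster's machine) are assumptions for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# One RootkitRevealer report line: <path> <m/d/yyyy h:mm AM|PM> <size> <description>.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<num>[\d.]+) (?P<unit>bytes|KB|MB)\s+"
    r"(?P<desc>.+?)\.?$"
)
UNIT = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2}

# Directories the Windows API cannot enumerate because of their ACLs, while the
# raw NTFS pass still reads them (assumed list; System Volume Information is the
# usual case on XP, which is why restore-point files appear as "hidden").
RESTRICTED_PATHS = ("\\system volume information\\",)

# Assumed scan window: the time between the API pass and the raw pass. Files
# whose timestamp falls inside it were written while the scan ran (Firefox
# cache, CCleaner, AV temp files) and are timing artefacts, not hidden files.
SCAN_START = datetime(2010, 1, 26, 1, 20)
SCAN_END = datetime(2010, 1, 26, 1, 40)

# Constructed sample report: four lines modelled on the thread's output plus one
# constructed entry (example.sys) that shows what a real discrepancy looks like.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\z8rf0hzz.default\Cache\C58A4793d01 1/26/2010 1:28 AM 35.78 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\z8rf0hzz.default\Cache\E2178F4Bd01 1/26/2010 1:37 AM 30.07 KB Hidden from Windows API.
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SAVRT\0464NAV~.TMP 1/26/2010 1:22 AM 0 bytes Hidden from Windows API.
C:\System Volume Information\_restore{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP4\A0000958.ini 1/25/2010 9:31 PM 336 bytes Hidden from Windows API.
C:\WINDOWS\system32\drivers\example.sys 11/3/2009 4:12 PM 41.50 KB Hidden from Windows API.
"""


@dataclass
class Entry:
    path: str
    mtime: datetime
    size_bytes: int
    desc: str


def parse_report(text: str) -> list[Entry]:
    """Parse RootkitRevealer-style lines; anything that is not a finding is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            path=m["path"],
            mtime=datetime.strptime(m["ts"], "%m/%d/%Y %I:%M %p"),
            size_bytes=round(float(m["num"]) * UNIT[m["unit"]]),
            desc=m["desc"],
        ))
    return entries


def classify(e: Entry, scan_start: datetime, scan_end: datetime) -> str:
    """Sort a discrepancy into: changed_during_scan, acl_restricted, review, other."""
    if e.desc != "Hidden from Windows API":
        return "other"  # registry/ADS discrepancies are not handled here
    if scan_start <= e.mtime <= scan_end:
        return "changed_during_scan"  # written between the API pass and the raw pass
    if any(r in e.path.lower() for r in RESTRICTED_PATHS):
        return "acl_restricted"  # API denied by ACL, raw read succeeds: expected noise
    return "review"  # an older file the API cannot see, outside the known-noisy places


def summarize(text: str, scan_start: datetime, scan_end: datetime) -> dict[str, list[str]]:
    """Group report paths by classification."""
    buckets: dict[str, list[str]] = {}
    for e in parse_report(text):
        buckets.setdefault(classify(e, scan_start, scan_end), []).append(e.path)
    return buckets


if __name__ == "__main__":
    for category, paths in summarize(SAMPLE_REPORT, SCAN_START, SCAN_END).items():
        print(f"{category} ({len(paths)}):")
        for p in paths:
            print("   ", p)
```

Only the "review" bucket deserves attention; on a rerun taken right after a reboot with browsers closed, as the staff reply recommends, the "changed_during_scan" bucket should be empty, and anything still listed outside the ACL-restricted directories is what to investigate.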


Hello, that is good to know, thanks. Any idea what I am seeing when I run Symantec AntiVirus? During the scan I notice, as the text flies by, some disturbing names like fauxvirus\carny-ride and a number of others. It does not get flagged as a virus, but it still seems to see it during the scan. Is there another scan I can run to verify?

Staff

Hi,

You may want to read this thread: http://community.norton.com/t5/Other-Norto...-Ride/td-p/1811

Every Norton user appears to see the same. The admin explains this:

You can see the system scanning for "C:\FAUXVIRUS\carny ride.exe" - this is the full name of the malware. It has not FOUND this malware, nor does this path or malware exist on your system; the scanner is just telling you what it is looking for. If your system is infected at all, you will be alerted. There will be no ambiguity about Security Risks that are detected.