
Rootkit on my system?



My system keeps accessing some of the following sites, per Wireshark. I then receive messages from Symantec that an attack from the site was blocked.

01n02n4cx00.cc

19js810300z.com

30xc1cjh91.com

7gafd33ja90a.com

j00k877x.cc

lj1i16b0.com

m01n83kjf7.com

n16fa53.com

n1mo661s6cx0.com

zz87jhfda88.com

www1.softhelper10.com

91.212.226.59

91.212.226.67

I have blocked these sites via the hosts file.

DDS (Ver_10-03-17.01) - NTFSx86

Run by swr at 7:27:32.18 on Thu 06/17/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1403 [GMT -6:00]

AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

C:\WINDOWS\system32\taskswitch.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

svchost.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\cisvc.exe

C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Raxco\PerfectDisk2008\PDAgent.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe

C:\Temp\Hijackthis\DDS\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

mURLSearchHooks: H - No File

mWinlogon: Userinit=c:\windows\system32\Userinit.exe

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\3.8.0.41\IPSBHO.DLL

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} -

EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray

mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot

mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe

mRun: [indexSearch] c:\program files\scansoft\paperport\IndexSearch.exe

mRun: [OneTouch Monitor] c:\program files\visioneer onetouch\OneTouchMon.exe

mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe

mRun: [start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: aurorabankfsb.com\home

Trusted Zone: aurorabankfsb.com\remote

Trusted Zone: aurorabankfsb.com\www

Trusted Zone: select2perform.com\www

Trusted Zone: usps.gov\webvpn

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab

DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237131535109

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258154378171

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab

DPF: {BAC16126-1812-41A1-AD18-66B3FC8DFEDA} - hxxps://fdicdrr.policytech.com/includes/objects/WordModule.cab

DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

DPF: {EBE67253-D4EA-11D3-845A-00500483D287} - file://e:\vwr_data\dcm_vwr.cab

DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,6015/mcfscan.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton security suite\engine\3.8.0.41\CoIEPlg.dll

Notify: khfFXpqn - khfFXpqn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

LSA: Authentication Packages = msv1_0 relog_ap

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\swr\applic~1\mozilla\firefox\profiles\5w6orxtl.default\

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 AACMgt;AACMgt;c:\windows\system32\drivers\aacmgt.sys [2006-9-3 93591]

R0 aarsi3x;aarsi3x;c:\windows\system32\drivers\aarsi3x.sys [2004-11-11 197120]

R0 hpt374;hpt374;c:\windows\system32\drivers\hpt374.sys [2008-2-2 133760]

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-3-17 28552]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-3-25 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-3-25 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-3-25 482432]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100604.004\IDSXpx86.sys [2010-6-8 331640]

R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\3.8.0.41\ccSvcHst.exe [2010-3-25 117640]

R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2008-1-26 14976]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-26 102448]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100616.039\NAVENG.SYS [2010-6-17 85552]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100616.039\NAVEX15.SYS [2010-6-17 1347504]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-2-25 19712]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-2-25 8320]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2010-2-9 42752]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2010-2-9 23936]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2008-10-26 91841]

=============== Created Last 30 ================

2010-06-17 12:51:18 0 ----a-w- c:\documents and settings\swr\defogger_reenable

2010-06-16 17:08:34 0 d-----w- c:\temp\Hijackthis

2010-06-11 17:56:14 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-06 23:43:14 11366400 ----a-w- c:\documents and settings\swr\s-1-5-21-448539723-861567501-839522115-1003.rrr

2010-05-24 04:26:53 0 d-----w- c:\docume~1\swr\applic~1\Windows Search

==================== Find3M ====================

2010-05-12 01:45:32 24152 ----a-w- c:\docume~1\swr\applic~1\GDIPFONTCACHEV1.DAT

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 21:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 21:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-21 17:17:51 249856 ------w- c:\windows\Setup1.exe

2010-04-21 17:17:49 73216 ----a-w- c:\windows\ST6UNST.EXE

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-03-25 20:27:06 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-03-25 20:27:00 107368 ----a-r- c:\windows\system32\GEARAspi.dll

2010-03-24 08:22:15 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2010-03-23 20:05:44 760 ----a-w- C:\error.reg

2009-09-14 02:59:07 1309413 ----a-w- c:\program files\NetMeeting.zip

2009-08-28 18:55:20 524667454 ----a-w- c:\program files\SkillSoft.zip

2006-06-23 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe

2003-07-28 13:16:52 36864 ----a-w- c:\windows\inf\i386\Vizmicro.dll

2003-07-28 13:16:26 172032 ----a-w- c:\windows\inf\i386\viceo.dll

2003-07-28 13:01:10 36207 ----a-w- c:\windows\inf\i386\9320FW.bin

2003-07-28 13:01:10 274432 ----a-w- c:\windows\inf\i386\9320LLD.dll

2003-07-28 13:01:10 155648 ----a-w- c:\windows\inf\i386\rtscan.dll

2001-08-04 01:29:18 13824 ----a-w- c:\windows\inf\i386\Usbscan.sys

2010-02-19 01:02:33 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 7:28:44.14 ===============

GMER log

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-18 03:08:44

Windows 5.1.2600 Service Pack 3

Running: ji91h61p.exe; Driver: C:\DOCUME~1\swr\LOCALS~1\Temp\kxtdqpow.sys

---- System - GMER 1.0.15 ----

SSDT 89C4AD80 ZwAlertResumeThread

SSDT 89C4C4A8 ZwAlertThread

SSDT 89D55B58 ZwAllocateVirtualMemory

SSDT 89C22628 ZwAssignProcessToJobObject

SSDT 89E053F8 ZwConnectPort

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA9EE9130]

SSDT 8A055EA8 ZwCreateMutant

SSDT 89AEADD8 ZwCreateSymbolicLinkObject

SSDT 89E8AFB0 ZwCreateThread

SSDT 89C42D80 ZwDebugActiveProcess

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA9EE93B0]

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA9EE9910]

SSDT 8A059D28 ZwDuplicateObject

SSDT 89DAE9D0 ZwFreeVirtualMemory

SSDT 89C2BA88 ZwImpersonateAnonymousToken

SSDT 89C59D80 ZwImpersonateThread

SSDT 89E51DC0 ZwLoadDriver

SSDT 89C1A770 ZwMapViewOfSection

SSDT 89CA9D58 ZwOpenEvent

SSDT 89C93E88 ZwOpenProcess

SSDT 89C12D80 ZwOpenProcessToken

SSDT 89C35368 ZwOpenSection

SSDT 89BF32D8 ZwOpenThread

SSDT 89AEAE68 ZwProtectVirtualMemory

SSDT 89BB4B08 ZwResumeThread

SSDT 89BD1628 ZwSetContextThread

SSDT 8A04F2F8 ZwSetInformationProcess

SSDT 89C276F8 ZwSetSystemInformation

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA9EE9B60]

SSDT 89C9C8C8 ZwSuspendProcess

SSDT 89BD32C0 ZwSuspendThread

SSDT 89BD97A8 ZwTerminateProcess

SSDT 89C163C0 ZwTerminateThread

SSDT 89C34D80 ZwUnmapViewOfSection

SSDT 89CC7658 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2D1C 805045B8 4 Bytes JMP 12CECF97

? SYMEFA.SYS The system cannot find the file specified. !

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8DCB380, 0x33F867, 0xE8000020]

init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xB008CA00]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1020] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A

.text C:\WINDOWS\Explorer.EXE[1020] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A

.text C:\WINDOWS\Explorer.EXE[1020] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

.text C:\WINDOWS\System32\svchost.exe[1800] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A

.text C:\WINDOWS\System32\svchost.exe[1800] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A

.text C:\WINDOWS\System32\svchost.exe[1800] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C

.text C:\WINDOWS\System32\svchost.exe[1800] ole32.dll!CoCreateInstance 7750057E 3 Bytes JMP 00DC000A

.text C:\WINDOWS\System32\svchost.exe[1800] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0Z386EX2\bullet[1] 0 bytes

---- EOF - GMER 1.0.15 ----

Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 1/11/2008 8:30:51 PM

System Uptime: 6/17/2010 7:25:40 AM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5E3 Deluxe

Processor: Intel® Core2 Duo CPU E6750 @ 2.66GHz | LGA775 | 2666/333mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 138 GiB total, 30.866 GiB free.

D: is FIXED (NTFS) - 279 GiB total, 38.589 GiB free.

E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}

Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard

Device ID: ACPI\PNP0303\4&B6AFFD&0

Manufacturer: (Standard keyboards)

Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard

PNP Device ID: ACPI\PNP0303\4&B6AFFD&0

Service: i8042prt

==== System Restore Points ===================

RP1: 5/1/2010 2:59:18 AM - System Checkpoint

RP2: 5/1/2010 6:42:16 PM - Installed Sony Recorder Driver

RP3: 5/2/2010 7:40:59 PM - System Checkpoint

RP4: 5/3/2010 7:50:57 PM - System Checkpoint

RP5: 5/4/2010 8:50:56 PM - System Checkpoint

RP6: 5/5/2010 11:31:42 PM - System Checkpoint

RP7: 5/7/2010 12:02:53 AM - System Checkpoint

RP8: 5/8/2010 12:30:05 PM - System Checkpoint

RP9: 5/9/2010 1:15:27 PM - System Checkpoint

RP10: 5/10/2010 3:03:12 PM - System Checkpoint

RP11: 5/11/2010 3:14:23 PM - System Checkpoint

RP12: 5/12/2010 9:27:22 AM - Software Distribution Service 3.0

RP13: 5/12/2010 10:48:17 AM - Installed Microsoft Office Enterprise 2007

RP14: 5/12/2010 10:55:45 AM - Printer Driver Send To Microsoft OneNote Driver Installed

RP15: 5/12/2010 11:21:47 AM - Installed Windows XP KB915800-v4.

RP16: 5/12/2010 11:21:59 AM - Installed Windows XP Windows Search 4.0.

RP17: 5/12/2010 11:26:31 AM - Removed Ad-Aware Email Scanner for Outlook

RP18: 5/12/2010 11:27:58 AM - Installed Palm Outlook Conduits Updater.

RP19: 5/12/2010 10:22:06 PM - Software Distribution Service 3.0

RP20: 5/13/2010 10:42:13 PM - System Checkpoint

RP21: 5/14/2010 9:58:53 AM - Software Distribution Service 3.0

RP22: 5/14/2010 10:06:48 AM - Printer Driver Send To Microsoft OneNote Driver Installed

RP23: 5/14/2010 11:05:29 AM - Software Distribution Service 3.0

RP24: 5/14/2010 11:09:29 AM - Software Distribution Service 3.0

RP25: 5/16/2010 10:20:24 AM - System Checkpoint

RP26: 5/17/2010 10:20:43 AM - System Checkpoint

RP27: 5/18/2010 10:48:25 AM - System Checkpoint

RP28: 5/19/2010 11:05:13 AM - System Checkpoint

RP29: 5/20/2010 12:40:15 PM - System Checkpoint

RP30: 5/21/2010 1:36:51 PM - System Checkpoint

RP31: 5/22/2010 1:58:02 PM - System Checkpoint

RP32: 5/23/2010 3:54:00 PM - System Checkpoint

RP33: 5/24/2010 11:33:28 PM - System Checkpoint

RP34: 5/26/2010 12:20:54 AM - System Checkpoint

RP35: 5/27/2010 12:36:31 AM - Software Distribution Service 3.0

RP36: 5/28/2010 12:49:06 PM - System Checkpoint

RP37: 5/29/2010 2:35:55 PM - System Checkpoint

RP38: 5/30/2010 5:55:34 PM - System Checkpoint

RP39: 5/31/2010 6:06:01 PM - System Checkpoint

RP40: 6/1/2010 6:39:45 PM - System Checkpoint

RP41: 6/2/2010 8:16:21 PM - System Checkpoint

RP42: 6/4/2010 10:23:05 AM - Software Distribution Service 3.0

RP43: 6/5/2010 11:13:21 AM - System Checkpoint

RP44: 6/6/2010 6:42:17 PM - System Checkpoint

RP45: 6/7/2010 6:58:27 PM - System Checkpoint

RP46: 6/9/2010 8:43:19 AM - System Checkpoint

RP47: 6/11/2010 12:36:17 PM - System Checkpoint

RP48: 6/11/2010 2:23:10 PM - Software Distribution Service 3.0

RP49: 6/12/2010 2:39:49 PM - System Checkpoint

RP50: 6/13/2010 7:13:01 PM - System Checkpoint

RP51: 6/15/2010 8:51:11 AM - System Checkpoint

RP52: 6/16/2010 8:57:04 AM - System Checkpoint

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 2 (SP2)

Acronis

Edited by Maurice Naggar: placed logs in-line.
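The destination list at the top of the post and the Pseudo HJT section of the DDS log carry several indicators that are worth pulling out mechanically rather than by eye: a browser proxy set to 127.0.0.1:5555 (every HTTP request is relayed through a local listener before it leaves the machine), orphaned BHO and toolbar entries, a Winlogon Notify package with a random-looking name, an LSA authentication package beyond the stock msv1_0, a hosts entry pointing a security site at loopback, and domain labels that look machine-generated. Two of the destinations are bare IP addresses, which a hosts-file entry cannot block at all. The script below is an added example written for this page; it is not a tool from the thread or from the DDS or GMER authors. The thresholds in looks_generated and the pattern list are the editor's assumptions, and the sample inputs are copied from the logs above.

```python
"""Triage the Wireshark destination list and DDS 'Pseudo HJT Report' lines
posted in this thread for common hijack indicators. Added example: the
thresholds and the pattern list are assumptions, not part of DDS."""
import ipaddress
import re

VOWELS = set("aeiou")

# Copied from the opening post: destinations seen in Wireshark.
WIRESHARK_DESTINATIONS = [
    "01n02n4cx00.cc", "19js810300z.com", "30xc1cjh91.com", "7gafd33ja90a.com",
    "j00k877x.cc", "lj1i16b0.com", "m01n83kjf7.com", "n16fa53.com",
    "n1mo661s6cx0.com", "zz87jhfda88.com", "www1.softhelper10.com",
    "91.212.226.59", "91.212.226.67",
]

# Copied from the DDS Pseudo HJT Report above (one legitimate BHO kept as a control).
HJT_LINES = [
    "uStart Page = hxxp://www.google.com/",
    "uInternet Settings,ProxyServer = http=127.0.0.1:5555",
    "uInternet Settings,ProxyOverride = <local>",
    "mURLSearchHooks: H - No File",
    "BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File",
    r"BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll",
    "TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File",
    "Notify: khfFXpqn - khfFXpqn.dll",
    "LSA: Authentication Packages = msv1_0 relog_ap",
    "Hosts: 127.0.0.1 www.spywareinfo.com",
]


def looks_generated(label: str) -> bool:
    """Heuristic for machine-generated names (DGA domain labels, random DLL names).

    Fires when digits make up at least 30% of the label and digit/letter runs
    alternate at least three times, or when a label of six or more characters
    contains no vowel at all. Thresholds are an assumption tuned to this thread."""
    s = label.lower()
    if len(s) < 6:
        return False
    digits = sum(c.isdigit() for c in s)
    classes = [c.isdigit() for c in s if c.isalnum()]
    transitions = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    if digits / len(s) >= 0.3 and transitions >= 3:
        return True
    return not (VOWELS & set(s))


def classify_destination(host: str) -> str:
    """Sort one destination into ip-literal, dga-like or ordinary.

    IP literals matter because a hosts-file entry can only redirect names:
    a connection made straight to 91.212.226.59 bypasses that block entirely."""
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    second_level = labels[-2] if len(labels) >= 2 else labels[0]
    return "dga-like" if looks_generated(second_level) else "ordinary"


# (finding kind, regex) pairs applied to each DDS report line.
HJT_PATTERNS = [
    ("proxy-loopback", re.compile(r"ProxyServer = .*?(?:127\.0\.0\.1|localhost):(\d+)")),
    ("orphan-entry", re.compile(r"^(?:BHO|TB|EB|mURLSearchHooks):.*- No File$")),
    ("winlogon-notify", re.compile(r"^Notify: (\S+) - (\S+)$")),
    ("lsa-auth-packages", re.compile(r"^LSA: Authentication Packages = (.+)$")),
    ("hosts-redirect", re.compile(r"^Hosts: (?:127\.0\.0\.1|0\.0\.0\.0)\s+\S+$")),
]


def triage_hjt(lines):
    """Return (kind, detail) findings for the Pseudo HJT lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        for kind, pat in HJT_PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            if kind == "proxy-loopback":
                # Every browser HTTP request goes through a local listener first.
                findings.append((kind, f"browser HTTP traffic relayed through local port {m.group(1)}"))
            elif kind == "winlogon-notify":
                dll = m.group(2)
                note = "random-looking name" if looks_generated(dll.rsplit(".", 1)[0]) else "compare with a clean baseline"
                findings.append((kind, f"{dll} loads into winlogon at logon: {note}"))
            elif kind == "lsa-auth-packages":
                # A stock Windows XP install lists only msv1_0 here.
                extra = [p for p in m.group(1).split() if p.lower() != "msv1_0"]
                if extra:
                    findings.append((kind, f"non-default package(s): {' '.join(extra)}"))
            else:
                findings.append((kind, line))
            break
    return findings


if __name__ == "__main__":
    for host in WIRESHARK_DESTINATIONS:
        print(f"{host:26} {classify_destination(host)}")
    for kind, detail in triage_hjt(HJT_LINES):
        print(f"[{kind}] {detail}")
```

Run against the lines above, the script flags all ten of the random-looking domains, leaves www1.softhelper10.com and the two IP literals for manual review, and produces one finding each for the loopback proxy, the Notify DLL, the extra LSA package and the hosts redirect, plus three orphaned browser entries. The heuristics are deliberately crude; the point is to make the log's own evidence explicit before any removal tool is run.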

Hello Rackman.

You will want to print out or copy these instructions to Notepad for offline reference!

If you are a casual viewer, do NOT try this on your system!

If you are not Rackman and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Step 1

You must disable Spybot's TeaTimer and keep it disabled while we look for malware and make changes.

Right-click the Spybot icon (blue icon with lock) in the system tray (notification area).

  • If you have the new version, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.

Step 2

Your logs showed a peer-to-peer file-sharing app: BitTorrent.

De-install it and confirm having done so in your next reply.

Filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.

File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

P2P file sharing: Know the risks

Step 3

Disable the options "Automatically detect settings" and "Use automatic configuration script."

To do this:

1. Open Internet Explorer.

2. Click "Tools," and then click "Internet Options."

3. Click "Connections," and then click "LAN Settings."

4. Make sure the check boxes for "Automatically detect settings" and "Use automatic configuration script" are not selected.

5. Apply changes & OK

Step 4

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 5

Set Windows to show all files and all folders.

On your Desktop, double-click My Computer; from the menu, select Tools, then Folder Options, then the View tab, and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under Hidden files and folders, select Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 6

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".

Step 7

Start MBAM (Malwarebytes' Anti-Malware).

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner sub-tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 8

Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall.

If you have a prior copy of ComboFix, delete it now!

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  • Double-click on Combo-Fix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with a copy of the MBAM scan log

and C:\combofix.txt

and tell me: how is your system now?


BitTorrent has been removed.

My problem is resolved. :P

Thank you

Here is the ComboFix log:

ComboFix 10-06-18.03 - swr 06/19/2010 0:49.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1644 [GMT -6:00]

Running from: c:\documents and settings\swr\Desktop\Combo-Fix.exe

AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\swr\Local Settings\Application Data\Windows Server

c:\documents and settings\swr\Local Settings\Application Data\Windows Server\flags.ini

c:\documents and settings\swr\Local Settings\Application Data\Windows Server\uses32.dat

C:\feed.txt

c:\windows\system32\GroupPolicy\User\Scripts\scripts.ini

c:\windows\system32\Ijl11.dll

c:\windows\wiaserviv.log

Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected

Restored copy from - Kitty had a snack :P

.

((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))

.

2010-06-18 22:17 . 2010-06-18 22:18 -------- d-----w- c:\program files\ERUNT

2010-06-11 17:56 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-05-24 04:26 . 2010-05-24 04:26 -------- d-----w- c:\documents and settings\swr\Application Data\Windows Search

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-17 12:04 . 2010-05-12 17:22 -------- d-----w- c:\program files\Windows Desktop Search

2010-06-16 13:21 . 2010-03-18 23:13 -------- d-----w- c:\documents and settings\swr\Application Data\Wireshark

2010-06-14 16:37 . 2009-09-23 21:44 -------- d-----w- c:\program files\Coupons

2010-06-11 20:31 . 2010-05-12 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-06-06 23:50 . 2008-11-23 01:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-05 01:09 . 2010-04-04 15:05 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-01 02:05 . 2008-01-26 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995

2010-05-19 00:51 . 2008-01-26 16:45 -------- d-----w- c:\documents and settings\swr\Application Data\Passlogix

2010-05-17 03:43 . 2010-05-17 03:43 -------- d-----w- c:\program files\American Systems

2010-05-14 18:41 . 2008-05-20 01:05 73504 ----a-w- c:\documents and settings\swr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-14 16:05 . 2010-05-12 16:54 -------- d-----w- c:\program files\Microsoft Works

2010-05-12 17:28 . 2010-05-12 17:28 10134 ----a-r- c:\documents and settings\swr\Application Data\Microsoft\Installer\{616A66CD-D36D-4E24-8B67-33AFDFF48061}\ARPPRODUCTICON.exe

2010-05-12 17:27 . 2010-05-12 17:27 -------- d-----w- c:\program files\Palm Inc

2010-05-12 17:27 . 2009-02-01 01:10 -------- d-----w- c:\program files\Palm

2010-05-12 17:26 . 2009-01-25 19:33 -------- d-----w- c:\program files\Lavasoft

2010-05-12 16:54 . 2010-02-10 02:07 -------- d-----w- c:\program files\MSBuild

2010-05-12 16:53 . 2010-05-12 16:53 -------- d-----w- c:\program files\Microsoft.NET

2010-05-12 16:51 . 2010-05-12 16:51 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2010-05-07 13:44 . 2008-11-16 19:17 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-05-07 13:44 . 2008-11-16 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-06 10:41 . 2004-08-04 02:07 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 17:55 . 2008-04-07 22:50 -------- d-----w- c:\documents and settings\swr\Application Data\TaxCut

2010-05-02 05:22 . 2004-08-04 02:07 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 00:42 . 2010-05-02 00:42 -------- d-----w- c:\program files\Sony

2010-05-02 00:42 . 2008-01-12 03:59 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-05-01 09:21 . 2010-03-24 04:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-29 21:39 . 2010-03-24 04:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 21:39 . 2010-03-24 04:49 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-21 17:35 . 2008-11-16 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-04-21 17:18 . 2010-04-21 17:17 -------- d-----w- c:\program files\WingDir

2010-04-21 17:17 . 2010-04-21 17:17 249856 ------w- c:\windows\Setup1.exe

2010-04-21 17:17 . 2010-04-21 17:17 73216 ----a-w- c:\windows\ST6UNST.EXE

2010-04-21 17:05 . 2008-01-26 16:42 -------- d-----w- c:\program files\MagicDVDRipper

2010-04-20 05:30 . 2004-08-04 02:07 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-03-25 20:27 . 2010-03-25 20:27 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-03-25 20:27 . 2010-03-25 20:27 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-03-25 20:27 . 2010-03-25 23:21 482432 ----a-w- c:\windows\system32\drivers\cchpx86.sys

2010-03-25 20:27 . 2010-03-25 23:21 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys

2010-03-25 20:27 . 2010-03-25 23:21 310320 ----a-w- c:\windows\system32\drivers\SymEFA.sys

2010-03-25 20:27 . 2010-03-25 23:21 217136 ----a-w- c:\windows\system32\drivers\symtdi.sys

2010-03-25 20:27 . 2010-03-25 23:21 259632 ----a-w- c:\windows\system32\drivers\BHDrvx86.sys

2010-03-25 20:27 . 2010-03-25 20:27 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys

2010-03-25 20:27 . 2008-10-30 01:41 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys

2010-03-25 20:27 . 2008-10-30 01:41 107368 ----a-r- c:\windows\system32\GEARAspi.dll

2010-03-25 01:04 . 2010-03-25 01:04 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US65016901xupd.exe

2010-03-24 08:22 . 2008-01-12 05:28 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2010-03-24 08:10 . 2008-11-17 00:57 8 ----a-w- c:\windows\system32\nvModes.dat

2010-03-23 20:05 . 2010-03-23 20:05 760 ----a-w- C:\error.reg

2009-09-14 02:59 . 2009-09-14 02:59 1309413 ----a-w- c:\program files\NetMeeting.zip

2009-08-28 18:55 . 2009-08-28 18:55 524667454 ----a-w- c:\program files\SkillSoft.zip

2008-08-16 23:42 . 2008-08-16 23:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-08-16 23:42 . 2008-08-16 23:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-08-16 23:42 . 2008-08-16 23:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-08-16 23:42 . 2008-08-16 23:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-08-16 23:43 . 2008-08-16 23:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-08-16 23:42 . 2008-08-16 23:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-08-16 23:42 . 2008-08-16 23:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2008-05-21 14:41 . 2008-05-21 14:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2008-05-21 14:41 . 2008-05-21 14:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2008-05-21 14:41 . 2008-05-21 14:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2008-06-05 19:58 . 2008-06-05 19:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-08-16 23:42 . 2008-08-16 23:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]

"PaperPort PTD"="c:\program files\Scansoft\PaperPort\pptd40nt.exe" [2002-09-23 45108]

"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-09-23 36864]

"OneTouch Monitor"="c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2003-07-30 98304]

"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]

"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2008-04-04 88584]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-09 8527872]

"nwiz"="nwiz.exe" [2007-10-09 1626112]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-09 81920]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

c:\documents and settings\swr\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 AACMgt;AACMgt;c:\windows\system32\drivers\aacmgt.sys [9/3/2006 2:18 AM 93591]

R0 aarsi3x;aarsi3x;c:\windows\system32\drivers\aarsi3x.sys [11/11/2004 7:09 PM 197120]

R0 hpt374;hpt374;c:\windows\system32\drivers\hpt374.sys [2/2/2008 11:27 AM 133760]

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [3/17/2010 12:41 PM 28552]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [3/25/2010 5:21 PM 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [3/25/2010 5:21 PM 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [3/25/2010 5:21 PM 482432]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100617.005\IDSXpx86.sys [6/19/2010 12:33 AM 331640]

R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe [3/25/2010 5:20 PM 117640]

R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [1/26/2008 10:49 AM 14976]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/26/2010 2:00 AM 102448]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2/25/2009 7:08 PM 19712]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2/25/2009 7:08 PM 8320]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2/9/2010 7:52 PM 42752]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2/9/2010 8:17 PM 23936]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 12:19 PM 50704]

S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [10/26/2008 2:54 PM 91841]

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: aurorabankfsb.com\home

Trusted Zone: aurorabankfsb.com\remote

Trusted Zone: aurorabankfsb.com\www

Trusted Zone: select2perform.com\www

Trusted Zone: usps.gov\webvpn

DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab

DPF: {BAC16126-1812-41A1-AD18-66B3FC8DFEDA} - hxxps://fdicdrr.policytech.com/includes/objects/WordModule.cab

DPF: {EBE67253-D4EA-11D3-845A-00500483D287} - file://e:\vwr_data\dcm_vwr.cab

FF - ProfilePath - c:\documents and settings\swr\Application Data\Mozilla\Firefox\Profiles\5w6orxtl.default\

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

Notify-khfFXpqn - khfFXpqn.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-19 00:54

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]

"ImagePath"="\"c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-861567501-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1368)

c:\windows\system32\relog_ap.dll

.

Completion time: 2010-06-19 00:55:51

ComboFix-quarantined-files.txt 2010-06-19 06:55

Pre-Run: 33,112,137,728 bytes free

Post-Run: 33,058,115,584 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 0742EF99C8669971F5A501BAB17CE73B


Kindly have patience, we need to do just a bit more checking.

Step 1

Please download >> DrWeb-CureIt << and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:

  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Step 2

Download and SAVE HijackThis

Save the HJT to your desktop or the folder of your choice, then navigate to that folder and double-click Hijackthis.exe to start it.

Do a "Scan and Save log".

Step 3

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Step 4

Please copy & paste the contents of:

  • the last MBAM scan log
  • the Dr.Web CureIt report
  • the HijackThis log
  • checkup.txt

Have patience and do these, so that we have no oversights, and also to reduce chances of your having to return into this sub-forum, or getting re-infected.


Here are the log files:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4208

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/17/2010 6:54:39 AM

mbam-log-2010-06-17 (06-54-39).txt

Scan type: Quick scan

Objects scanned: 144027

Time elapsed: 5 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

{DDE19280-9D20-40A9-9954-7095B86018F6}.qbd\data001;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\QBackup\{BA1E01D7-726;Trojan.Loader.553;;

{DDE19280-9D20-40A9-9954-7095B86018F6}.qbd;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\QBackup\{BA1E01D7-726;Container contains infected objects;Moved.;

{71A531FD-B483-4085-A686-9C5E91087CDD}.qbd\data001;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\QBackup\{E93D7502-BB3;Trojan.Fakealert.15118;;

{71A531FD-B483-4085-A686-9C5E91087CDD}.qbd;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\QBackup\{E93D7502-BB3;Container contains infected objects;Moved.;

RegUBP2b-swr.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;

tcpip.sys.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers;BackDoor.Tdss.2459;Cured.;

A0010351.ocx;C:\System Volume Information\_restore{0BB774D2-63FA-4136-8A31-36D5B66C7E00}\RP56;Adware.Coupons.34;Incurable.Moved.;

A0010371.reg;C:\System Volume Information\_restore{0BB774D2-63FA-4136-8A31-36D5B66C7E00}\RP56;Trojan.StartPage.1505;Deleted.;

A0010372.exe;C:\System Volume Information\_restore{0BB774D2-63FA-4136-8A31-36D5B66C7E00}\RP56;Trojan.Fakealert.11681;Incurable.Moved.;

A0010373.exe;C:\System Volume Information\_restore{0BB774D2-63FA-4136-8A31-36D5B66C7E00}\RP56;Trojan.Fakealert.11681;Incurable.Moved.;

CouponPrinter.ocx;C:\WINDOWS;Adware.Coupons.34;Incurable.Moved.;

A0010374.exe\data273;D:\System Volume Information\_restore{0BB774D2-63FA-4136-8A31-36D5B66C7E00}\RP56\A0010374.exe;Program.SrvAny;;

A0010374.exe\data278;D:\System Volume Information\_restore{0BB774D2-63FA-4136-8A31-36D5B66C7E00}\RP56\A0010374.exe;Tool.InstSrv;;

A0010374.exe\data295;D:\System Volume Information\_restore{0BB774D2-63FA-4136-8A31-36D5B66C7E00}\RP56\A0010374.exe;Program.SrvAny;;

A0010374.exe;D:\System Volume Information\_restore{0BB774D2-63FA-4136-8A31-36D5B66C7E00}\RP56;Container contains infected objects;Moved.;

A0010375.exe;D:\System Volume Information\_restore{0BB774D2-63FA-4136-8A31-36D5B66C7E00}\RP56;Trojan.Fakealert.11681;Incurable.Moved.;

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 5:52:48 AM, on 6/21/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

C:\WINDOWS\system32\taskswitch.exe

C:\Program Files\Logitech\Gaming Software\LWEMon.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Palm\Hotsync.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Raxco\PerfectDisk2008\PDAgent.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe

C:\Program Files\Raxco\PerfectDisk2008\PDEngine.exe

C:\Program Files\Raxco\PerfectDisk2008\PDAgentS1.exe

C:\Program Files\Raxco\PerfectDisk2008\PerfectDisk.exe

C:\Documents and Settings\swr\Desktop\HJT\HiJackThis.exe

C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\IPSBHO.DLL

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll

O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe

O4 - HKLM\..\Run: [start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O15 - Trusted Zone: http://home.aurorabankfsb.com

O15 - Trusted Zone: http://remote.aurorabankfsb.com

O15 - Trusted Zone: http://www.aurorabankfsb.com

O15 - Trusted Zone: www.select2perform.com

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1237131535109

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1258154378171

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab

O16 - DPF: {BAC16126-1812-41A1-AD18-66B3FC8DFEDA} (PPM WordModule) - https://fdicdrr.policytech.com/includes/obj.../WordModule.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab

O16 - DPF: {EBE67253-D4EA-11D3-845A-00500483D287} (ImageViewer Class) - file://E:\vwr_data\dcm_vwr.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...015/mcfscan.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll

O20 - Winlogon Notify: khfFXpqn - Invalid registry found

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PDAgent.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PDEngine.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--

End of file - 11486 bytes

Results of screen317's Security Check version 0.99.4

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java SE Runtime Environment 6

Adobe Flash Player

Mozilla Firefox (3.5.5) Firefox Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Norton ccSvcHst.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


Step 1

Right click the Spybot icon (blue icon with a lock) in the system tray (notification area).

  • If you have the new version, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.

Step 2

Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!

Step 3


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Windows 7/XP/Vista/2000/2003/2008 Offline and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, select Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-s.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon (looks like a coffee cup).
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked:
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

    • Click OK to leave the Temporary Files Window.

Small tweaks for Java runtime, since most all users do not need to load Java at each Windows startup:

Click Advanced Tab. Expand the Miscellaneous item.

UN-check the line Java quick starter

If you want to also un-check the "Check for updates automatically" you may:

Click the Update tab. un-check the line if it is checked.

Press Apply then OK. Close the applet when done.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: Java 6 Update 20 from Sun Microsystems Inc.

Step 4

Scan the system with the Kaspersky Online Scanner

http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Reenable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

Read the Information block presented on the screen, and then press the Accept button.

1) Accept the agreement

2) The necessary files will be downloaded and installed. Please have plenty of patience.

3) After Kaspersky AntiVirus Database is updated, look at the Scan box.

4) Click the My Computer line

5) Be infinitely patient, the scan is comprehensive and, unlike other online antivirus scanners, will detect all malware

6) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

( To see an animated tutorial-how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.

Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or ComboFix's Qoobox & quarantine.

Kaspersky is a report only and does not remove files.

Post back with copies of the Kaspersky.txt report.

How is your system now?

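The R1 entry fixed in Step 2 above is a ProxyServer value that sends the browser's HTTP traffic to a listener on the machine itself (127.0.0.1:5555), which is how a local interception proxy hides itself behind an ordinary Internet Settings value. As an added example (not part of this thread or of HijackThis), the Python below parses the WinINet ProxyServer syntax out of such an R1 line and flags the loopback case, so the same check can be applied to every R1 line of a log instead of by eye. The two sample lines are constructed: the first is the entry quoted in Step 2, the second a made-up corporate proxy (proxy.corp.example) used as a benign contrast; nothing is read from a live registry.

```python
"""Flag a HijackThis R1 ProxyServer entry that routes the browser through a
loopback listener, as in Step 2 above.

Added example; not part of this thread or of HijackThis. The first sample line
is the R1 entry quoted in Step 2, the second a constructed benign entry
(proxy.corp.example) for contrast. Nothing is read from a live registry.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed samples: the thread's R1 line, then a benign per-host proxy.
R1_LINES = [
    "R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,"
    "ProxyServer = http=127.0.0.1:5555",
    "R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,"
    "ProxyServer = proxy.corp.example:8080",
]

R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),ProxyServer = (?P<value>.+)$")


class ProxyEntry(NamedTuple):
    scheme: str            # http / https / ftp / socks, or "*" when one proxy serves all
    host: str
    port: Optional[int]


def parse_proxy_server(value: str) -> List[ProxyEntry]:
    """Parse the WinINet ProxyServer syntax.

    Two forms exist: "host:port" (one proxy for every protocol) and
    "http=host:port;https=host:port;..." (one proxy per protocol).
    """
    entries: List[ProxyEntry] = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, eq, hostport = part.partition("=")
        if not eq:                       # no "scheme=" prefix: applies to all protocols
            scheme, hostport = "*", part
        host, colon, port = hostport.rpartition(":")
        if not colon:                    # no port given
            host, port = hostport, ""
        entries.append(ProxyEntry(scheme.lower(), host, int(port) if port.isdigit() else None))
    return entries


def is_loopback(host: str) -> bool:
    """True for localhost or any 127.0.0.0/8 or ::1 address."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def triage_r1(line: str) -> dict:
    """Parse one R1 ProxyServer line; mark it suspicious if any proxy is loopback."""
    m = R1_RE.match(line)
    if not m:
        raise ValueError("not an R1 ProxyServer line: " + line)
    entries = parse_proxy_server(m["value"])
    loopback = [e for e in entries if is_loopback(e.host)]
    return {
        "key": m["key"],
        "entries": entries,
        "suspicious": bool(loopback),
        "reason": ("browser traffic routed through a local listener on port(s) "
                   + ", ".join(str(e.port) for e in loopback)) if loopback else "",
    }


if __name__ == "__main__":
    for line in R1_LINES:
        v = triage_r1(line)
        print("SUSPICIOUS" if v["suspicious"] else "ok", v["reason"],
              [(e.scheme, e.host, e.port) for e in v["entries"]])
```

A loopback proxy is not proof of infection on its own (debugging proxies and some privacy tools set one), but on a machine with no such tool installed it is the same kind of entry HijackThis is being told to fix here, and after the fix the value should read as empty when the log is regenerated.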

Java has been updated. Here is the log.

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Tuesday, June 22, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Monday, June 21, 2010 17:44:44

Records in database: 4306235

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

E:\

F:\

Scan statistics:

Objects scanned: 270715

Threats found: 4

Infected objects found: 9

Suspicious objects found: 0

Scan duration: 05:24:50

File name / Threat / Threats count

C:\Documents and Settings\swr\DoctorWeb\Quarantine\6d1d8a0e-4f6ce360 Infected: Trojan-Downloader.Java.Agent.ak 1

C:\Program Files\MagicDVDRipper\MagicDVDRipper.bad Infected: Trojan.Win32.Cosmu.mjj 1

C:\Program Files\MagicDVDRipper\MagicDVDRipper.exe Infected: Trojan.Win32.Cosmu.mjj 1

C:\Program Files\Scansoft\PaperPort\Visioneer.exe Infected: Backdoor.Win32.Rbot.akpt 1

C:\swr\4 gb thumb drive encr bu\8100.exe Infected: Backdoor.Win32.Rbot.akpt 1

C:\swr\MagicDVD Ripper\MagicDVDRipper432.exe Infected: Trojan.Win32.Cosmu.yhk 1

C:\swr\MagicDVD Ripper\MagicDVDRipper521.exe Infected: Trojan.Win32.Cosmu.mjj 1

C:\swr\Malware\MagicDVDRipper.exe Infected: Trojan.Win32.Cosmu.mjj 1

D:\Data traveler bu\8100.exe Infected: Backdoor.Win32.Rbot.akpt 1

Selected area has been scanned.

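The report above lists nine infected objects under four detection names, and several of them are the same file in different places (two copies of 8100.exe, several MagicDVDRipper builds). As an added example (not part of the thread or of Kaspersky's tooling), the Python below parses the "File name / Threat / Threats count" section, checks the list against the header totals (4 threats, 9 infected objects), and separates paths that are inert copies (another tool's quarantine folder, ComboFix's Qoobox, or the user's backup folders) from paths in live program locations, grouped by malware family. The sample text is copied from the posted report; the folder heuristics (Quarantine and Qoobox directories, and folder names ending in " bu", read here as "backup") are this example's own assumptions.

```python
"""Parse the findings section of a Kaspersky Online Scanner 7.0 report.

Added example for triage; not part of this thread or of Kaspersky's tooling.
The sample text is copied from the report posted above (constructed here as a
string); the "inert copy" folder heuristics are this example's own assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed from the posted report: header totals plus the nine finding lines.
SAMPLE_REPORT = """\
Threats found: 4

Infected objects found: 9

File name / Threat / Threats count

C:\\Documents and Settings\\swr\\DoctorWeb\\Quarantine\\6d1d8a0e-4f6ce360 Infected: Trojan-Downloader.Java.Agent.ak 1

C:\\Program Files\\MagicDVDRipper\\MagicDVDRipper.bad Infected: Trojan.Win32.Cosmu.mjj 1

C:\\Program Files\\MagicDVDRipper\\MagicDVDRipper.exe Infected: Trojan.Win32.Cosmu.mjj 1

C:\\Program Files\\Scansoft\\PaperPort\\Visioneer.exe Infected: Backdoor.Win32.Rbot.akpt 1

C:\\swr\\4 gb thumb drive encr bu\\8100.exe Infected: Backdoor.Win32.Rbot.akpt 1

C:\\swr\\MagicDVD Ripper\\MagicDVDRipper432.exe Infected: Trojan.Win32.Cosmu.yhk 1

C:\\swr\\MagicDVD Ripper\\MagicDVDRipper521.exe Infected: Trojan.Win32.Cosmu.mjj 1

C:\\swr\\Malware\\MagicDVDRipper.exe Infected: Trojan.Win32.Cosmu.mjj 1

D:\\Data traveler bu\\8100.exe Infected: Backdoor.Win32.Rbot.akpt 1

Selected area has been scanned.
"""

FINDING_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<what>Threats found|Infected objects found): (?P<n>\d+)$")


class Finding(NamedTuple):
    path: str
    threat: str   # full detection name, e.g. Trojan.Win32.Cosmu.mjj
    count: int


def parse_report(text: str) -> Tuple[Dict[str, int], List[Finding]]:
    """Return (header totals, findings) from the report text."""
    totals: Dict[str, int] = {}
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            totals[h["what"]] = int(h["n"])
            continue
        f = FINDING_RE.match(line)
        if f:
            findings.append(Finding(f["path"], f["threat"], int(f["count"])))
    return totals, findings


def totals_consistent(totals: Dict[str, int], findings: List[Finding]) -> bool:
    """Header says N distinct threats and M infected objects; check the list agrees."""
    distinct = len({f.threat for f in findings})
    objects = sum(f.count for f in findings)
    return (totals.get("Threats found") == distinct
            and totals.get("Infected objects found") == objects)


# Assumption: these folders hold inert copies (another tool's quarantine, ComboFix's
# Qoobox, or the user's backup folders, whose names end in " bu").
INERT_HINTS = ("\\quarantine\\", "\\qoobox\\", " bu\\")


def is_inert_copy(path: str) -> bool:
    return any(h in path.lower() for h in INERT_HINTS)


def family(threat: str) -> str:
    """Drop the variant suffix: 'Trojan.Win32.Cosmu.mjj' -> 'Trojan.Win32.Cosmu'."""
    return threat.rsplit(".", 1)[0]


def triage(findings: List[Finding]) -> Dict[str, Dict[str, List[str]]]:
    """Group paths by malware family, split into live locations and inert copies."""
    out: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: {"live": [], "inert": []})
    for f in findings:
        out[family(f.threat)]["inert" if is_inert_copy(f.path) else "live"].append(f.path)
    return dict(out)


if __name__ == "__main__":
    totals, findings = parse_report(SAMPLE_REPORT)
    print("header consistent with list:", totals_consistent(totals, findings))
    for fam, groups in triage(findings).items():
        print(fam)
        for kind in ("live", "inert"):
            for p in groups[kind]:
                print(f"  [{kind}] {p}")
```

Run on the posted report this leaves one live Rbot path (Visioneer.exe under Program Files) and two backup copies of 8100.exe, which is the ordering a responder wants: the file in a program directory is the one that can be loaded, the backups are the ones that will reinfect if restored.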

Do one MBAM scan, first doing an Update.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner sub-tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Reply with MBAM scan log.


Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4224

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/22/2010 8:19:14 AM

mbam-log-2010-06-22 (08-19-14).txt

Scan type: Quick scan

Objects scanned: 149772

Time elapsed: 5 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

MBAM did not detect any of the items found by Kaspersky.

I had detected a possible issue with MagicDVDripper in the past and contacted them. Here is their reply.

I'm so sorry for this inconvenience. We can guarantee our program is 100% clean. It may be that the ripper uses some resources when running that anti-spyware software focuses on. Now please use the following way to try again:

1) close our program Magic DVD Ripper

2) add the ripper to the white list of the anti-spyware software

3) launch the program again, let us know the result.

Best regards,

Sam - Customer service representative

Magic DVD Software (http://www.magicdvdripper.com)

The fresh download showed the same test results.


Please download Rooter.exe and save to your desktop.

alternate download link

  • Double-click on Rooter.exe to start the tool. If using Vista, right-click and Run as Administrator...
  • Click the Scan button to begin.
  • Once the scan is complete, Notepad will open with a report named Rooter_#.txt (where # is the number assigned to the report).
  • A folder will be created at the %systemdrive% (usually, C:\Rooter$) where the log will be saved.
  • Rooter will automatically close. If it doesn't, just press the Close button.
  • Copy and paste the contents of Rooter_#.txt in your next reply.

Important: Before performing a scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.

  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.


Rooter.exe (v1.0.2) by Eric_71

.

SeDebugPrivilege granted successfully ...

.

Windows XP . (5.1.2600) Service Pack 3

[32_bits] - x86 Family 6 Model 15 Stepping 11, GenuineIntel

.

[wscsvc] (Security Center) RUNNING (state:4)

[sharedAccess] RUNNING (state:4)

Windows Firewall -> Disabled !

.

Internet Explorer 8.0.6001.18702

Mozilla Firefox 3.5.5 (en-US)

.

A:\ [Removable]

C:\ [Fixed-NTFS] .. ( Total:138 Go - Free:33 Go )

D:\ [Fixed-NTFS] .. ( Total:279 Go - Free:38 Go )

E:\ [CD_Rom]

.

Scan : 21:07.42

Path : C:\Documents and Settings\swr\Desktop\HJT\Rooter.exe

User : swr ( Administrator -> YES )

.

----------------------\\ Processes

.

Locked [system Process] (0)

______ System (4)

______ \SystemRoot\System32\smss.exe (764)

______ \??\C:\WINDOWS\system32\csrss.exe (1260)

______ \??\C:\WINDOWS\system32\winlogon.exe (1284)

______ C:\WINDOWS\system32\services.exe (1328)

______ C:\WINDOWS\system32\lsass.exe (1340)

______ C:\WINDOWS\system32\svchost.exe (1508)

______ C:\WINDOWS\system32\svchost.exe (1588)

______ C:\WINDOWS\System32\svchost.exe (1784)

______ C:\WINDOWS\system32\svchost.exe (340)

______ C:\WINDOWS\system32\svchost.exe (432)

______ C:\WINDOWS\system32\spoolsv.exe (592)

______ C:\WINDOWS\Explorer.EXE (984)

______ C:\Program Files\Scansoft\PaperPort\pptd40nt.exe (1132)

______ C:\WINDOWS\system32\taskswitch.exe (1168)

______ C:\Program Files\Analog Devices\Core\smax4pnp.exe (1184)

______ C:\WINDOWS\system32\RUNDLL32.EXE (1224)

______ C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (1228)

______ C:\Program Files\Common Files\Java\Java Update\jusched.exe (1244)

______ C:\WINDOWS\system32\svchost.exe (1768)

______ C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (1840)

______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (1860)

______ C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE (1884)

______ C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe (1936)

______ C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (1960)

______ C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe (1996)

______ C:\WINDOWS\system32\nvsvc32.exe (272)

______ C:\Program Files\Raxco\PerfectDisk2008\PDAgent.exe (416)

______ C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe (2260)

______ C:\Program Files\CyberLink\Shared Files\RichVideo.exe (2552)

______ C:\WINDOWS\system32\svchost.exe (3020)

______ C:\WINDOWS\System32\alg.exe (368)

______ C:\Program Files\Raxco\PerfectDisk2008\PDAgentS1.exe (3104)

______ C:\Documents and Settings\swr\Desktop\HJT\Rooter.exe (2468)

.

----------------------\\ Device\Harddisk0\

.

\Device\Harddisk0 [sectors : 63 x 512 Bytes]

.

\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:148696579584)

.

----------------------\\ Scheduled Tasks

.

C:\WINDOWS\Tasks\desktop.ini

C:\WINDOWS\Tasks\SA.DAT

.

----------------------\\ Registry

.

.

----------------------\\ Files & Folders

.

----------------------\\ Scan completed at 21:07.46

.

C:\Rooter$\Rooter_1.txt - (23/06/2010 | 21:07.46)


Close all open browsers at this point, and close any apps that you started. Let the next scan run unimpeded and don't run anything else nor use the PC while it is in progress.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Using Internet Explorer browser only, go to BitDefender Quickscan website:

http://quickscan.bitdefender.com

and click "Start Scan".

Observe your browser in case it shows a notice/message bar to allow download and installation of a tool.

Press the Allow button and follow prompts.

Press the "Start Scan" once more.

You'll see the EULA in a pop-up window. Click the I accept & then the OK button

Note: The FAQ is here --> http://quickscan.bitdefender.com/faq/

and that QuickScan has no removal capability.

The site boasts a 60-second scan. Do have patience as it likely will take longer.

It may seem to stall at moments, but have patience; it will move on.

You'll see a progress bar at top right of window.

Hopefully you will see a No infections found in the bar window. Press the View Log button.

The log report will show in your text editor.

Do a Select ALL, Copy. Then paste contents into your next reply.

RE-Enable your AntiVirus and AntiSpyware applications.


  • 2 weeks later...

Hello Rackman,

We need to cleanup after the tools I had you use.

The following few steps will remove tools we used; followed by advice on staying safer.

Go to Control Panel and Add-or-Remove programs.

De-install Kaspersky Online if present.

De-install BitDefender Online if present.

Look for it and click the line for it. Select Change/Remove to de-install it.

OK & Exit out of Control Panel

Delete Rooter.exe

Delete DrWeb Cure-it

We have to remove Combofix and all its associated folders.

The "/uninstall" in the Run line below is to start Combofix for its cleanup & removal function.

Note the space before the slash mark.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Click Start, then click Run.
    In the command box that opens, type or copy/paste
    combo-fix /uninstall
    and then click OK.

In any event, proceed forward with the OTC step below, even if Combo-fix does not uninstall. OTC Cleanup will remove the remainders of it and the other tools used as well.

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

We are finished here. Best regards.


  • 2 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.