
TidServ Blocked gone, but MBAM warns of blocked



On return from vacation I noticed my machine was popping up webpages in IE, playing audio I didn't play. Web search showed it was TidServ. Attempts to fix have not worked.

I uninstalled old Symantec and installed newest Symantec Endpoint Protection (SEP), updated and scanned.

It did not find much; it says it quarantined Cooper.Mine, a Trojan.Gen.

Now I started getting messages about blocking "tidserv request ..."

I noticed 3MThKEWF.EXE running in "C:\Doc & Setting\All Users\Application Data".

It was dated about the midpoint of my vacation, 6/16 at 2am, I think.

Renaming that caused it to just reappear.

I installed MalwareBytes free, registered Pro, updated and ran a complete scan.

The log is below (at bottom). It found Trojan.Downloader File Adware.ISTBar Spyware.Agent.H Disabled.SecurityCenter

Now MalWB generates the warning popups about blocked access instead of SEP warnings. So I think I'm not fixed.

On a fresh reboot, opening the Symantec Endpoint Protection "View Network Activity" shows net activity by:

3MThKEWF.EXE running in ...\All Users\Application Data

IExplore.exe, but I did not run IExplore.exe and TaskMan shows the owner is SYSTEM.

ntoskrnl.exe shows activity

If I block all access by 3MThKEWF.EXE and IExplore.exe then I still get popups about blocked activity. Here some sound files play too.

I ran TDSSKiller.exe. It found Drivers\PCI.Sys, said it fixed it and told me to reboot. So I did. Ran again and it found no problems. Log below.

I'm not fixed.

3MThKEWF.EXE continues to exist and is running. Also IExplore for the SYSTEM user.

MalWBytes still gives blocked messages.

I hear some sound files play; they seem to get cut off.

If I open IE (and unblock it in SEP) then I think I see it show some pages.

Things have improved, I can get to WindowsUpdate.Microsoft.com in IE.

I have Easy CD & DVD Creator 6 asking me to insert the CD to install a feature, not sure why.

On reboot I ran GMER with IAT/EAT unchecked, log below.

I ran DDS, log below. I attached the Attach.txt zipped.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ == DDS === \/\/\/\/\/\/\/\/\/\/\/\/

DDS (Ver_10-03-17.01) - NTFSx86

Run by Carl at 18:34:38.42 on Thu 06/24/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1150 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

E:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\SYSTEM32\GEARSEC.EXE

E:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

E:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

E:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINDOWS\System32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\WINDOWS\system32\msiexec.exe

C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe

C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe

C:\Documents and Settings\All Users\Application Data\3MThKEWF.exe

E:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Carl\Desktop\dee-dee-sssABCD.scr

============== Pseudo HJT Report ===============

uStart Page = file:///C:/MyHomePage.htm

uSearch Page = hxxp://www.google.com

uSearch Bar = about:blank

mSearch Bar = hxxp://www.google.com/

uSearchAssistant = about:blank

uSearchURL,(Default) = hxxp://www.google.com/

mSearchAssistant = hxxp://www.google.com/

mCustomizeSearch = hxxp://www.google.com/

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

BHO: CAB Class: {c6a91056-83e0-4c6e-8dcc-43fc0dfe7a0a} - c:\windows\system32\84jnbN3k.dll

BHO: IE Developer Toolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll

TB: {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - No File

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

EB: IE Developer Toolbar: {a202b231-ef71-4a08-bdb9-4ce5ae8bde0a} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"

mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"

mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"

mRun: [POINTER] point32.exe

mRun: [Matrox PowerDesk 8] c:\windows\system32\powerdesk8\Matrox.PowerDesk.exe /silent

mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Enterprise

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [Malwarebytes' Anti-Malware] "e:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartd~1.lnk - c:\program files\rds\rmclient\PMClient.exe

uPolicies-explorer: NoInstrumentation = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: uscourts.gov

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Notify: GoToMyPC - c:\program files\expertcity\gotomypc\G2WinLogon.dll

SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - g:\eudora\EuShlExt.dll

Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2003-1-7 77056]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]

R2 MBAMService;MBAMService;e:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-6-24 304464]

R2 Symantec AntiVirus;Symantec Endpoint Protection;e:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-21 102448]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-6-24 20952]

R3 MTXPARH;MTXPARH;c:\windows\system32\drivers\MTXPARHM.sys [2004-6-10 465280]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100623.024\NAVENG.SYS [2010-6-23 85552]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100623.024\NAVEX15.SYS [2010-6-23 1347504]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-14 23888]

S3 FILEMON;FILEMON;\??\c:\windows\system32\drivers\filem.sys --> c:\windows\system32\drivers\FILEM.SYS [?]

============== File Associations ===============

.txt=UltraEdit.txt

=============== Created Last 30 ================

2010-06-24 20:15:46 45056 ----a-w- c:\windows\system32\84jnbN3k.dll

2010-06-24 14:59:56 0 d-----w- c:\docume~1\carl\applic~1\Malwarebytes

2010-06-24 14:59:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-24 14:59:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-06-24 14:59:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-24 12:39:29 70146 ----a-w- c:\docume~1\alluse~1\applic~1\3MThKEWF.exe

2010-06-21 20:44:00 161920 ----a-w- c:\windows\system32\drivers\wpshelper.sys

2010-06-21 20:42:56 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys

2010-06-21 20:42:41 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-06-21 20:42:41 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-06-21 20:42:41 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-06-21 20:42:41 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-06-21 15:29:42 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2010-06-21 15:29:40 0 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)

2010-06-16 21:05:17 58368 ----a-w- c:\windows\system32\mkfheogm_maybeVirus.dl_

2010-06-16 07:06:48 45056 ----a-w- c:\windows\system32\84jnbN3k_maybeVirus.dl_

2010-06-16 07:06:47 112 ----a-w- c:\docume~1\alluse~1\applic~1\q818282.dat

==================== Find3M ====================

2010-06-24 18:58:26 68224 ----a-w- c:\windows\system32\drivers\pci.sys

2010-06-15 15:45:08 577536 ----a-w- c:\windows\system32\user32.DLL

2010-04-06 14:14:22 51787 ----a-w- c:\windows\fonts\AdobeFnt07.lst

2004-08-03 23:29:08 848 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 18:35:03.39 ===============

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ == GMER === \/\/\/\/\/\/\/\/\/\/\/\/

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-24 18:26:37

Windows 5.1.2600 Service Pack 2

Running: g.mmm-e~r-random.exe; Driver: C:\DOCUME~1\Carl\LOCALS~1\Temp\pxddrpob.sys

---- System - GMER 1.0.15 ----

SSDT 89EFA738 ZwAlertResumeThread

SSDT 89EFA660 ZwAlertThread

SSDT 8A4123E0 ZwAllocateVirtualMemory

SSDT 89FB3680 ZwConnectPort

SSDT 89F79058 ZwCreateMutant

SSDT 8A097B68 ZwCreateThread

SSDT 89EEB8B0 ZwFreeVirtualMemory

SSDT 89EFA9B8 ZwImpersonateAnonymousToken

SSDT 89EFA810 ZwImpersonateThread

SSDT 8A090170 ZwMapViewOfSection

SSDT 89EFAB20 ZwOpenEvent

SSDT 89EFA188 ZwOpenProcessToken

SSDT 89D68280 ZwOpenThreadToken

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xB4ACE880]

SSDT 89EF9F50 ZwResumeThread

SSDT 89EFA3D8 ZwSetContextThread

SSDT 8A404DB8 ZwSetInformationProcess

SSDT 8A4228E8 ZwSetInformationThread

SSDT 89EFABF8 ZwSuspendProcess

SSDT 89EFA588 ZwSuspendThread

SSDT 89EFA0B0 ZwTerminateProcess

SSDT 89EFA4B0 ZwTerminateThread

SSDT 89EFA300 ZwUnmapViewOfSection

SSDT 89DA7700 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2558 80501448 4 Bytes CALL BE9AC8F9

init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xB9C29900]

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs A78BF400

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\SoftwareDistribution\Download\dacaa269b99f2225391948b21cc85d90\WindowsXP-KB979559-x86-express-ENU.cab 262580 bytes

File C:\WINDOWS\KB979559.log 4756 bytes

File C:\WINDOWS\KB980218.log 4210 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{BF5CE51F-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{1D33F377-7FE0-11DF-80C9-00112F0FD8E3}.dat 0 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{F9625F5B-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{A1AC1C57-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{DC00442D-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B81B9D41-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E35BC5E9-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{CDC07649-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{23893287-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{8B69E81B-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B0A11CF3-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{009C802B-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{3C518409-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{EA95E6B9-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{618B1B3B-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{165B9311-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B3360815-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5531AD0F-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C5EE3EB9-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{BFB7FE3B-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{D27C20A1-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{6DEE12CF-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{08018B4F-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{74291801-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{67B7D251-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{F1D4CC3D-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{D514D0F7-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{92AB2FF9-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{36226A99-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{7DE51123-7FE1-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{76888FE7-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{84594EC5-7FE1-11DF-80C9-00112F0FD8E3}.dat 0 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{2FFA7837-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E55F4199-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5154BCE9-7FE1-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{17FD4E57-7FE1-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C669B941-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B7AC8E3B-7FE1-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{4AFF7DD9-7FE1-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{F2003651-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{7CC39519-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{EBB21E4F-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{80B4978F-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0F61D1BF-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{37D273FB-7FE1-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{4287C487-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes

---- EOF - GMER 1.0.15 ----

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ == TDSSKiller === \/\/\/\/\/\/\/\/\/\/\/\/

13:55:38:937 6048 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48

13:55:38:937 6048 ================================================================================

13:55:38:937 6048 SystemInfo:

13:55:38:937 6048 OS Version: 5.1.2600 ServicePack: 2.0

13:55:38:937 6048 Product type: Workstation

13:55:38:937 6048 ComputerName: xxxx

13:55:38:937 6048 UserName: xxx

13:55:38:937 6048 Windows directory: C:\WINDOWS

13:55:38:937 6048 Processor architecture: Intel x86

13:55:38:937 6048 Number of processors: 1

13:55:38:937 6048 Page size: 0x1000

13:55:38:937 6048 Boot type: Normal boot

13:55:38:937 6048 ================================================================================

13:55:39:203 6048 Initialize success

13:55:39:203 6048

13:55:39:203 6048 Scanning Services ...

13:55:39:250 6048 Raw services enum returned 345 services

13:55:39:250 6048

13:55:39:250 6048 Scanning Drivers ...

13:55:39:875 6048 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

13:55:39:953 6048 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

13:55:40:062 6048 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys

13:55:40:140 6048 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys

13:55:40:328 6048 ALCXSENS (ba88534a3ceb6161e7432438b9ea4f54) C:\WINDOWS\system32\drivers\ALCXSENS.SYS

13:55:40:421 6048 ALCXWDM (9a6a99f0d75b457e3a2267776ebe9f47) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

13:55:40:562 6048 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

13:55:40:750 6048 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

13:55:40:812 6048 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys

13:55:40:906 6048 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

13:55:40:984 6048 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

13:55:41:031 6048 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

13:55:41:093 6048 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

13:55:41:203 6048 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

13:55:41:234 6048 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys

13:55:41:281 6048 Cdr4_xp (bb139f391a6bcc60c883ecc3709631b6) C:\WINDOWS\system32\drivers\Cdr4_xp.sys

13:55:41:328 6048 Cdralw2k (ccca51c4c556ef95312a4fa8012e8d49) C:\WINDOWS\system32\drivers\Cdralw2k.sys

13:55:41:359 6048 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys

13:55:41:406 6048 cdudf_xp (6596a79656368e84e386d5810e2deb9c) C:\WINDOWS\system32\drivers\cdudf_xp.sys

13:55:41:531 6048 COH_Mon (c586875ece5318c6309ed1ab79d0e55f) C:\WINDOWS\system32\Drivers\COH_Mon.sys

13:55:41:656 6048 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys

13:55:41:734 6048 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys

13:55:41:796 6048 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys

13:55:41:843 6048 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

13:55:41:890 6048 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys

13:55:42:000 6048 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys

13:55:42:046 6048 DVDVRRdr_xp (c90b9e655ae95d95a83855c9ee6ec561) C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys

13:55:42:109 6048 dvd_2K (9f883d432e64f6f46fef27ddbaaca2b9) C:\WINDOWS\system32\drivers\dvd_2K.sys

13:55:42:156 6048 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

13:55:42:218 6048 EL2000 (25fe70646afe37801ab540b5d3b12cf9) C:\WINDOWS\system32\DRIVERS\EL2K_XP.sys

13:55:42:265 6048 ENTECH (bdd170fecb0e496a914318009d85b819) C:\WINDOWS\System32\DRIVERS\ENTECH.SYS

13:55:42:312 6048 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

13:55:42:375 6048 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys

13:55:42:406 6048 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys

13:55:42:515 6048 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

13:55:42:578 6048 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

13:55:42:625 6048 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys

13:55:42:671 6048 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

13:55:42:703 6048 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

13:55:42:750 6048 gagp30kx (4216cd545e5c30807b560c5dcaa812e6) C:\WINDOWS\system32\DRIVERS\gagp30kx.sys

13:55:42:796 6048 GEARAspiWDM (46f23cfc888b0a4397aae705c8af92af) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

13:55:42:843 6048 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys

13:55:42:890 6048 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys

13:55:42:984 6048 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys

13:55:43:109 6048 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

13:55:43:140 6048 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys

13:55:43:250 6048 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys

13:55:43:281 6048 IPFilter (9ea02e03ed52d25551a6e46cf3b94b01) C:\WINDOWS\system32\DRIVERS\IPFilter.sys

13:55:43:343 6048 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

13:55:43:375 6048 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys

13:55:43:437 6048 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys

13:55:43:468 6048 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys

13:55:43:515 6048 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys

13:55:43:562 6048 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

13:55:43:609 6048 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

13:55:43:656 6048 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS\system32\drivers\klmd.sys

13:55:43:734 6048 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys

13:55:43:796 6048 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys

13:55:43:890 6048 MBAMProtector (67b48a903430c6d4fb58cbaca1866601) C:\WINDOWS\system32\drivers\mbam.sys

13:55:43:937 6048 mmc_2K (49e6197955269ae539b05e161adca0cf) C:\WINDOWS\system32\drivers\mmc_2K.sys

13:55:43:984 6048 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

13:55:44:046 6048 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys

13:55:44:125 6048 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys

13:55:44:171 6048 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

13:55:44:218 6048 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys

13:55:44:296 6048 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

13:55:44:359 6048 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

13:55:44:390 6048 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys

13:55:44:421 6048 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys

13:55:44:468 6048 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

13:55:44:500 6048 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys

13:55:44:546 6048 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

13:55:44:609 6048 MTXPARH (3b68ee6408a15ed198d4157341edb854) C:\WINDOWS\system32\DRIVERS\MTXPARHM.sys

13:55:44:640 6048 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys

13:55:44:718 6048 NAVENG (83518e6cc82bdc3c3db0c12d1c9a2275) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100623.024\NAVENG.SYS

13:55:44:750 6048 NAVEX15 (85cf37740fe06c7a2eaa7f6c81f0819c) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100623.024\NAVEX15.SYS

13:55:44:796 6048 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys

13:55:44:859 6048 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

13:55:44:890 6048 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

13:55:44:937 6048 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

13:55:44:984 6048 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

13:55:45:031 6048 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys

13:55:45:078 6048 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys

13:55:45:140 6048 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys

13:55:45:203 6048 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

13:55:45:281 6048 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys

13:55:45:328 6048 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

13:55:45:406 6048 nv (71dbdc08df86b80511e72953fa1ad6b0) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

13:55:45:484 6048 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

13:55:45:531 6048 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

13:55:45:578 6048 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

13:55:45:656 6048 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys

13:55:45:687 6048 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

13:55:45:750 6048 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

13:55:45:781 6048 PCI (18d9b9f58f233004377b9afc74f8742f) C:\WINDOWS\system32\DRIVERS\pci.sys

13:55:45:781 6048 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pci.sys. Real md5: 18d9b9f58f233004377b9afc74f8742f, Fake md5: 8086d9979234b603ad5bc2f5d890b234

13:55:45:781 6048 File "C:\WINDOWS\system32\DRIVERS\pci.sys" infected by TDSS rootkit ...

13:55:46:125 6048 Backup copy found, using it..

13:55:46:156 6048 will be cured on next reboot

13:55:46:296 6048 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys

13:55:46:609 6048 Point32 (08b11f5c60edca255b18cedef8efba2a) C:\WINDOWS\system32\DRIVERS\point32.sys

13:55:46:687 6048 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

13:55:46:734 6048 PQNTDrv (474543751522111dd7c0cf09e17f6d9f) C:\WINDOWS\system32\drivers\PQNTDrv.sys

13:55:46:781 6048 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys

13:55:46:828 6048 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

13:55:46:859 6048 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

13:55:46:890 6048 pwd_2k (eaf307b15592d2e423148422596e5c2e) C:\WINDOWS\system32\drivers\pwd_2k.sys

13:55:47:125 6048 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

13:55:47:171 6048 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

13:55:47:234 6048 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

13:55:47:265 6048 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

13:55:47:328 6048 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys

13:55:47:375 6048 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

13:55:47:437 6048 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

13:55:47:500 6048 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys

13:55:47:562 6048 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

13:55:47:640 6048 RT2500 (4cd0fc7949d175cf9138dae23ae440ad) C:\WINDOWS\system32\DRIVERS\RT2500.sys

13:55:47:734 6048 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

13:55:47:781 6048 Serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys

13:55:47:843 6048 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys

13:55:47:890 6048 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys

13:55:48:015 6048 SPBBCDrv (e621bb5839cf45fa477f48092edd2b40) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys

13:55:48:062 6048 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys

13:55:48:125 6048 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

13:55:48:171 6048 SRTSP (2abf82c8452ab0b9ffc74a2d5da91989) C:\WINDOWS\system32\Drivers\SRTSP.SYS

13:55:48:265 6048 SRTSPL (e2f9e5887bea5bd8784d337e06eda31b) C:\WINDOWS\system32\Drivers\SRTSPL.SYS

13:55:48:312 6048 SRTSPX (3b974c158fabd910186f98df8d3e23f3) C:\WINDOWS\system32\Drivers\SRTSPX.SYS

13:55:48:390 6048 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys

13:55:48:468 6048 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

13:55:48:515 6048 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

13:55:48:625 6048 SymEvent (a54ff04bd6e75dc4d8cb6f3e352635e0) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

13:55:48:671 6048 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS

13:55:48:750 6048 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS

13:55:48:890 6048 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

13:55:48:953 6048 SysPlant (1295b1da3e2a2c24c7d176f6e97afbd1) C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys

13:55:49:015 6048 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys

13:55:49:062 6048 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

13:55:49:093 6048 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

13:55:49:140 6048 Teefer2 (1de2e1357552a79f39bff003a11c533e) C:\WINDOWS\system32\DRIVERS\teefer2.sys

13:55:49:171 6048 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

13:55:49:265 6048 UdfReadr_xp (228606878da45208d8b1beeffe4b6d0b) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys

13:55:49:312 6048 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

13:55:49:390 6048 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys

13:55:49:453 6048 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

13:55:49:484 6048 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

13:55:49:531 6048 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

13:55:49:578 6048 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

13:55:49:609 6048 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys

13:55:49:656 6048 viaagp1 (4b039bbd037b01f5db5a144c837f283a) C:\WINDOWS\system32\DRIVERS\viaagp1.sys

13:55:49:703 6048 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys

13:55:49:734 6048 viasraid (45469fa05947d75874316649a22878d4) C:\WINDOWS\system32\drivers\viasraid.sys

13:55:49:796 6048 vmm (b06bf9cd4f91f4afe3f433ea1b7a358c) C:\WINDOWS\System32\drivers\vmm.sys

13:55:49:859 6048 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys

13:55:49:906 6048 VPCNetS2 (11f77458f5d3abd76747a628e0da2f6b) C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys

13:55:49:968 6048 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys

13:55:50:062 6048 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys

13:55:50:109 6048 WPS (c1620ebb375d3b02e31fd311c44fedeb) C:\WINDOWS\system32\drivers\wpsdrvnt.sys

13:55:50:187 6048 WpsHelper (a930c1d2a7d0cb01810c9912d101b83c) C:\WINDOWS\system32\drivers\WpsHelper.sys

13:55:50:250 6048 yukonwxp (a81a1f8c2a50f72fda9c686aa85bf151) C:\WINDOWS\system32\DRIVERS\yukonwxp.sys

13:55:50:265 6048 Reboot required for cure complete..

13:55:50:281 6048 Cure on reboot scheduled successfully

13:55:50:281 6048

13:55:50:281 6048 Completed

13:55:50:281 6048

13:55:50:281 6048 Results:

13:55:50:281 6048 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

13:55:50:281 6048 File objects infected / cured / cured on reboot: 1 / 0 / 1

13:55:50:281 6048

13:55:50:281 6048 KLMD(ARK) unloaded successfully

Rebooted and ran TDSSKiller again; nothing was found:

14:01:56:453 2128 Completed

14:01:56:453 2128

14:01:56:453 2128 Results:

14:01:56:453 2128 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

14:01:56:453 2128 File objects infected / cured / cured on reboot: 0 / 0 / 0

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ == MBAM Log === \/\/\/\/\/\/\/\/\/\/\/\/

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4233

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

6/24/2010 12:44:30 PM

mbam-log-2010-06-24 (12-44-30).txt

Scan type: Full scan (C:\|D:\|E:\|G:\|)

Objects scanned: 665160

Time elapsed: 2 hour(s), 31 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{10e42047-deb9-4535-a118-b3f6ec39b807} (Adware.ISTBar) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\appintt_dlls (Spyware.Agent.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\radmin\admdll.dll (PUP.RemoteAdmin) -> Not selected for removal.

C:\Program Files\radmin\raddrv.dll (PUP.RemoteAdmin) -> Not selected for removal.

C:\System Volume Information\_restore{C61C1574-B964-4E80-A3AB-04657FD7B0AF}\RP2079\A0212591.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\admdll.dll (PUP.RemoteAdmin) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\raddrv.dll (PUP.RemoteAdmin) -> Quarantined and deleted successfully.

Attach.txt.zip


Hello de_novo! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we are working on it.
  • Keep me informed about any changes.

Step 1

Please, uninstall the following applications:

  1. Adobe Acrobat 6.0 Standard

You can read how to do this here:

Step 2

I see you are running Teatimer.

I suggest you disable it because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can enable it again.

If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you disabled Teatimer, download ResetTeaTimer.exe to your desktop.

Then run ResetTeaTimer.exe.

This will only take a few seconds.

Step 3

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In your next reply, please include these log(s) in this sequence:

  1. MalwareBytes' Anti-Malware log
  2. a new fresh DDS log only


Hello de_novo! Welcome to Malwarebytes' Anti-Malware Forums!

Please, uninstall the following applications:

  1. Adobe Acrobat 6.0 Standard

I see you are running Teatimer.

I suggest you disable it because it can interfere with the changes you'll make on your system.

I'm working on it... might not have it done until 7/5 due to the holiday.

Will I be able to reinstall Acrobat 6?


In your next reply, please include these log(s) in this sequence:

  1. MalwareBytes' Anti-Malware log
  2. a new fresh DDS log only

I did as you requested. Zipped Attach.txt attached. Will I be able to reinstall Acrobat 6?

Last week after a Windows Update and Reboot the AppData EXE was no longer running and the TidServ warnings had stopped.

MBAM, which I just ran, found the old files and got rid of them. Before I did that today it seemed like IE 8 would frequently crash opening a new tab, and then recover and open it fine.

One other oddity is I no longer see MalwareBytes in my tool tray, just the SEP icon. MBAM ran just fine for doing your tests. Originally after I installed MBAM

Thanks for all the Help!

De Novo

\\\\\\\\\\\\\\\\\\\\\\\\ mbam-log-2010-07-01 (18-57-22).txt \\\\\\\\\\\\\\\\\\\\\\\

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4265

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

7/1/2010 6:57:22 PM

mbam-log-2010-07-01 (18-57-22).txt

Scan type: Quick scan

Objects scanned: 212210

Time elapsed: 10 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 8

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\ca.cab (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{833622f9-1720-4071-851a-8a5730c33565} (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{a1f2b3fc-1fc0-4562-9e6e-3a66e5c703e9} (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{c6a91056-83e0-4c6e-8dcc-43fc0dfe7a0a} (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{c6a91056-83e0-4c6e-8dcc-43fc0dfe7a0a} (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c6a91056-83e0-4c6e-8dcc-43fc0dfe7a0a} (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c6a91056-83e0-4c6e-8dcc-43fc0dfe7a0a} (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\ca.cab.1 (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\84jnbN3k.dll (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\3MThKEWF.exe__ (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\3MThKEWF.exe___ (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\3MThKEWF.ex_ (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\84jnbN3k_maybeVirus.dl_ (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.

\\ end \\\\\\\\\\\\\\\\\\\\\\ mbam-log-2010-07-01 (18-57-22).txt \\\\\\\\\\\\\\\\\\\\\\\

\\\\\\\\\\\\\\\\\\\\\\\\ DDS.txt \\\\\\\\\\\\\\\\\\\\\\\

DDS (Ver_10-03-17.01) - NTFSx86

Run by Carl at 19:03:55.29 on Thu 07/01/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1510 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

E:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\SYSTEM32\GEARSEC.EXE

C:\Program Files\Expertcity\GoToMyPC\g2svc.exe

C:\Program Files\Expertcity\GoToMyPC\g2comm.exe

E:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Expertcity\GoToMyPC\g2pre.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

C:\Program Files\Expertcity\GoToMyPC\g2tray.exe

E:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

E:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\RDS\RMClient\PMCTray.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe

C:\Documents and Settings\Carl\Desktop\dee-dee-sssABCD.scr

============== Pseudo HJT Report ===============

uStart Page = file:///C:/MyHomePage.htm

uSearch Page = hxxp://www.google.com

uSearch Bar = about:blank

mSearch Bar = hxxp://www.google.com/

uSearchAssistant = about:blank

uSearchURL,(Default) = hxxp://www.google.com/

mSearchAssistant = hxxp://www.google.com/

mCustomizeSearch = hxxp://www.google.com/

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: IE Developer Toolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll

TB: {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

EB: IE Developer Toolbar: {a202b231-ef71-4a08-bdb9-4ce5ae8bde0a} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [POINTER] point32.exe

mRun: [Matrox PowerDesk 8] c:\windows\system32\powerdesk8\Matrox.PowerDesk.exe /silent

mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Enterprise

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"

mRun: [<NO NAME>]

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\sharedcom8\RoxWatchTray.exe"

mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"

mRun: [Malwarebytes' Anti-Malware] "e:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartd~1.lnk - c:\program files\rds\rmclient\PMClient.exe

uPolicies-explorer: NoInstrumentation = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: uscourts.gov

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Notify: GoToMyPC - c:\program files\expertcity\gotomypc\G2WinLogon.dll

SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - g:\eudora\EuShlExt.dll

Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2003-1-7 77056]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]

R2 MBAMService;MBAMService;e:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-6-24 304464]

R2 Symantec AntiVirus;Symantec Endpoint Protection;e:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-21 102448]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-6-24 20952]

R3 MTXPARH;MTXPARH;c:\windows\system32\drivers\MTXPARHM.sys [2004-6-10 465280]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100630.032\NAVENG.SYS [2010-6-30 85552]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100630.032\NAVEX15.SYS [2010-6-30 1347504]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-14 23888]

S3 FILEMON;FILEMON;\??\c:\windows\system32\drivers\filem.sys --> c:\windows\system32\drivers\FILEM.SYS [?]

============== File Associations ===============

.txt=UltraEdit.txt

=============== Created Last 30 ================

2010-06-25 18:12:13 0 d-----w- c:\program files\Sonic

2010-06-25 18:12:06 0 d-----w- c:\program files\common files\Sonic Shared

2010-06-25 18:10:05 0 d-----w- c:\program files\DivX

2010-06-24 20:42:49 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-24 14:59:56 0 d-----w- c:\docume~1\carl\applic~1\Malwarebytes

2010-06-24 14:59:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-24 14:59:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-06-24 14:59:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-21 20:44:00 161920 ----a-w- c:\windows\system32\drivers\wpshelper.sys

2010-06-21 20:42:56 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys

2010-06-21 20:42:41 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-06-21 20:42:41 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-06-21 20:42:41 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-06-21 20:42:41 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-06-21 15:29:42 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2010-06-21 15:29:40 0 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)

2010-06-16 21:05:17 58368 ----a-w- c:\windows\system32\mkfheogm_maybeVirus.dl_

2010-06-16 07:06:47 112 ----a-w- c:\docume~1\alluse~1\applic~1\q818282.dat

==================== Find3M ====================

2010-06-24 18:58:26 68224 ----a-w- c:\windows\system32\drivers\pci.sys

2010-06-15 15:45:08 577536 ----a-w- c:\windows\system32\user32.DLL

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-06 14:14:22 51787 ----a-w- c:\windows\fonts\AdobeFnt07.lst

============= FINISH: 19:04:39.17 ===============

\\ end \\\\\\\\\\\\\\\\\\\\\\ DDS.txt \\\\\\\\\\\\\\\\\\\\\\\

Attach.Txt.zip


**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do not do any fixing on your own or run scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  • During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall**


Per your instructions, the ComboFix log, also attached:

ComboFix 10-07-06.01 - Earl 07/06/2010 12:42:03.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1435 [GMT -5:00]

Running from: c:\documents and settings\Earl\Desktop\Combo-Fix.exe

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\setup.exe

c:\windows\patch.exe

c:\windows\system32\gotomon.log

c:\windows\xpsp1hfm.log

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FILEMON

-------\Service_FILEMON

((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))

.

2010-06-25 20:14 . 2010-06-25 20:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio

2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield

2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\program files\Sonic

2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\program files\Common Files\Sonic Shared

2010-06-25 18:11 . 2010-06-25 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic

2010-06-25 18:10 . 2010-06-25 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio

2010-06-25 18:10 . 2010-06-25 18:10 -------- d-----w- c:\program files\DivX

2010-06-24 20:42 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-24 14:59 . 2010-06-24 14:59 -------- d-----w- c:\documents and settings\Earl\Application Data\Malwarebytes

2010-06-24 14:59 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-24 14:59 . 2010-06-24 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-24 14:59 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-21 20:44 . 2010-06-03 00:59 161920 ----a-w- c:\windows\system32\drivers\wpshelper.sys

2010-06-21 20:42 . 2009-09-17 23:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys

2010-06-21 20:42 . 2010-06-21 20:42 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-06-21 20:42 . 2010-06-21 20:42 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-06-21 15:29 . 2010-06-21 15:29 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2010-06-21 15:29 . 2010-06-21 15:29 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)

2010-06-16 07:13 . 2010-06-16 07:13 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-06 17:44 . 2002-08-29 12:00 577536 ----a-w- c:\windows\system32\user32.dll

2010-07-01 23:32 . 2004-08-12 21:22 48424 ----a-w- c:\documents and settings\Earl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-07-01 18:51 . 2004-08-03 20:28 -------- d-----w- c:\documents and settings\Earl\Application Data\AdobeUM

2010-06-25 22:47 . 2004-08-03 20:15 -------- d-----w- c:\documents and settings\Earl\Application Data\Roxio

2010-06-25 18:12 . 2004-07-28 12:05 -------- d-----w- c:\program files\Roxio

2010-06-25 18:12 . 2004-07-28 12:04 -------- d-----w- c:\program files\Common Files\Roxio Shared

2010-06-24 20:15 . 2010-06-16 07:06 112 ----a-w- c:\documents and settings\All Users\Application Data\q818282.dat

2010-06-24 18:58 . 2002-08-29 12:00 68224 ----a-w- c:\windows\system32\drivers\pci.sys

2010-06-21 20:44 . 2004-09-09 14:26 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-06-21 20:43 . 2004-08-17 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-06-21 20:42 . 2010-06-21 20:42 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-06-21 20:42 . 2010-06-21 20:42 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-06-21 20:42 . 2004-08-17 13:37 -------- d-----w- c:\program files\Symantec

2010-06-21 20:27 . 2008-01-03 21:57 -------- d-----w- c:\program files\Symantec AntiVirus

2010-06-21 16:50 . 2004-09-30 17:27 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-21 16:48 . 2004-09-07 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-06 10:41 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:56 . 2002-08-29 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:51 . 2002-08-29 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

.

Infected c:\windows\system32\user32.dll hex repaired

c:\program files\Common Files\Roxio Shared\System\EngUtil .exe

c:\program files\Common Files\Symantec Shared\ccApp .exe

c:\program files\RDS\RMClient\JobHisInit .exe

c:\program files\RDS\RMClient\MplSetUp .exe

c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe

c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe

c:\program files\Spybot - Search & Destroy\TeaTimer .exe

c:\program files\Symantec AntiVirus\VPTray .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2004-02-26 65024]

"POINTER"="point32.exe" [N/A]

"Matrox PowerDesk 8"="c:\windows\System32\PowerDesk8\Matrox.PowerDesk.exe" [2004-06-10 90112]

"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [N/A]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]

"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [N/A]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 163840]

"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [N/A]

"Malwarebytes' Anti-Malware"="e:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

SmartDeviceMonitor for Client.lnk - c:\program files\RDS\RMClient\PMClient.exe [2009-9-10 495616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]

2009-12-16 00:13 15216 ----a-w- c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"EPSON Stylus Photo R2400"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9SA.EXE /FU "c:\windows\TEMP\E_S116.tmp" /EF "HKCU"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"JobHisInit"=c:\program files\RDS\RMClient\JobHisInit.exe

"MplSetUp"=c:\program files\RDS\RMClient\MplSetUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup

"NvMediaCenter"=RUNDLL32.EXE c:\windows\System32\NvMcTray.dll,NvTaskbarInit

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"e:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"e:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"e:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [1/7/2003 4:01 AM 77056]

R2 MBAMService;MBAMService;e:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/24/2010 9:59 AM 304464]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/21/2010 3:47 PM 102448]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/24/2010 9:59 AM 20952]

R3 MTXPARH;MTXPARH;c:\windows\system32\drivers\MTXPARHM.sys [6/10/2004 3:46 PM 465280]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/14/2009 12:51 PM 23888]

.

Contents of the 'Scheduled Tasks' folder

2010-07-02 c:\windows\Tasks\diskspacecheck.job

- e:\Earl\DiskFreeSpace\DiskSpaceCheck\diskspacecheck.exe [2009-07-15 14:16]

2009-04-17 c:\windows\Tasks\getecf320 Train.job

- d:\dev5\GetECFLogin\Get320\getecf320.exe [2008-05-13 12:40]

2009-04-17 c:\windows\Tasks\getecf320.job

- d:\dev5\GetECFLogin\Get320\getecf320.exe [2008-05-13 12:40]

2010-07-06 c:\windows\Tasks\Internet Explorer.job

- c:\progra~1\INTERN~1\iexplore.exe [2004-05-03 20:09]

2004-09-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2004-05-12 20:31]

2010-07-06 c:\windows\Tasks\User_Feed_Synchronization-{72469434-CA1D-442C-A963-92B52CFDD63A}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]

.

.

------- Supplementary Scan -------

.

uStart Page = file:///C:/MyHomePage.htm

mSearch Bar = hxxp://www.google.com/

uSearchAssistant = about:blank

uSearchURL,(Default) = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

Trusted Zone: uscourts.gov

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

.

------- File Associations -------

.

.txt=UltraEdit.txt

.

- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - g:\eudora\EuShlExt.dll

Notify-NavLogon - (no file)

SafeBoot-klmdb.sys

SafeBoot-Symantec Antvirus

AddRemove-{E2FDE250-942F-11DC-6784-0AD028DD18BE} - e:\clarion.net\Uninst_Clarion.Net

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-06 13:09

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,5d,05,95,43,50,e2,45,96,e0,5e,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,5d,05,95,43,50,e2,45,96,e0,5e,\

[HKEY_USERS\S-1-5-21-1234729769-739792919-2267824289-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1234729769-739792919-2267824289-1005\Software\Policies\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (S-1-5-21-1234729769-739792919-2267824289-1005)

@Allowed: (Read) (S-1-5-21-1234729769-739792919-2267824289-1005)

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1164)

c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(1060)

c:\windows\system32\WININET.dll

c:\windows\System32\PowerDesk8\Matrox.PowerDesk.Hooks.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\program files\Microsoft Office\OFFICE11\msohev.dll

.

------------------------ Other Running Processes ------------------------

.

e:\program files\Symantec\Symantec Endpoint Protection\Smc.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\windows\SYSTEM32\GEARSEC.EXE

c:\program files\Expertcity\GoToMyPC\g2svc.exe

c:\program files\Expertcity\GoToMyPC\g2comm.exe

c:\program files\Expertcity\GoToMyPC\g2pre.exe

c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

e:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

c:\program files\Expertcity\GoToMyPC\g2tray.exe

c:\windows\system32\wdfmgr.exe

c:\windows\System32\MsPMSPSv.exe

e:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe

c:\windows\SOUNDMAN.EXE

c:\program files\Microsoft Hardware\Mouse\point32.exe

c:\windows\System32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe

c:\program files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe

c:\program files\RDS\RMClient\PMCTray.exe

.

**************************************************************************

.

Completion time: 2010-07-06 13:17:28 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-06 18:17

Pre-Run: 4,211,265,536 bytes free

Post-Run: 4,635,172,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - C365D19D8025EB401E743151D7ECE310

combo_fix_log.txt


Open Notepad and copy and paste the text in the code box below into it:

KillAll::

RenV::
c:\program files\Common Files\Roxio Shared\System\EngUtil .exe
c:\program files\Common Files\Symantec Shared\ccApp .exe
c:\program files\RDS\RMClient\JobHisInit .exe
c:\program files\RDS\RMClient\MplSetUp .exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
c:\program files\Symantec AntiVirus\VPTray .exe

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


Open Notepad and copy and paste the text in the code box below into it:

.....

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

Based on your prior instructions, my ComboFix is named Combo-Fix.exe.

When I dragged and dropped the CFscript.txt onto Combo-Fix.exe, a message said a new version was available and asked me if I wanted to update. To be safe I answered NO.

I am rebooting, then will download ComboFix from your BC site and drop the script on it.


Open Notepad and copy and paste the text in the code box below into it:

KillAll::

RenV::
c:\program files\Common Files\Roxio Shared\System\EngUtil .exe
c:\program files\Common Files\Symantec Shared\ccApp .exe
c:\program files\RDS\RMClient\JobHisInit .exe
c:\program files\RDS\RMClient\MplSetUp .exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
c:\program files\Symantec AntiVirus\VPTray .exe

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Downloaded the new ComboFix.exe, named it ComboFix.exe and put it on my Desktop.

Dragged and dropped the above CFScript.txt onto it.

CF ran, then rebooted without asking and opened the log. Here it is.....

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

ComboFix 10-07-06.02 - Earl 07/06/2010 16:33:51.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1516 [GMT -5:00]

Running from: c:\documents and settings\Earl\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Earl\Desktop\CFScript.txt

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))

.

2010-06-25 20:14 . 2010-06-25 20:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio

2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield

2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\program files\Sonic

2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\program files\Common Files\Sonic Shared

2010-06-25 18:11 . 2010-06-25 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic

2010-06-25 18:10 . 2010-06-25 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio

2010-06-25 18:10 . 2010-06-25 18:10 -------- d-----w- c:\program files\DivX

2010-06-24 20:42 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-24 14:59 . 2010-06-24 14:59 -------- d-----w- c:\documents and settings\Earl\Application Data\Malwarebytes

2010-06-24 14:59 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-24 14:59 . 2010-06-24 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-24 14:59 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-21 20:44 . 2010-06-03 00:59 161920 ----a-w- c:\windows\system32\drivers\wpshelper.sys

2010-06-21 20:42 . 2009-09-17 23:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys

2010-06-21 20:42 . 2010-06-21 20:42 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-06-21 20:42 . 2010-06-21 20:42 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-06-21 15:29 . 2010-06-21 15:29 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2010-06-21 15:29 . 2010-06-21 15:29 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)

2010-06-16 07:13 . 2010-06-16 07:13 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-06 21:33 . 2008-01-03 21:57 -------- d-----w- c:\program files\Symantec AntiVirus

2010-07-06 21:33 . 2004-09-09 14:26 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-07-06 17:44 . 2002-08-29 12:00 577536 ----a-w- c:\windows\system32\user32.dll

2010-07-01 23:32 . 2004-08-12 21:22 48424 ----a-w- c:\documents and settings\Earl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-07-01 18:51 . 2004-08-03 20:28 -------- d-----w- c:\documents and settings\Earl\Application Data\AdobeUM

2010-06-25 22:47 . 2004-08-03 20:15 -------- d-----w- c:\documents and settings\Earl\Application Data\Roxio

2010-06-25 18:12 . 2004-07-28 12:05 -------- d-----w- c:\program files\Roxio

2010-06-25 18:12 . 2004-07-28 12:04 -------- d-----w- c:\program files\Common Files\Roxio Shared

2010-06-24 20:15 . 2010-06-16 07:06 112 ----a-w- c:\documents and settings\All Users\Application Data\q818282.dat

2010-06-24 18:58 . 2002-08-29 12:00 68224 ----a-w- c:\windows\system32\drivers\pci.sys

2010-06-21 20:43 . 2004-08-17 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-06-21 20:42 . 2010-06-21 20:42 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-06-21 20:42 . 2010-06-21 20:42 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-06-21 20:42 . 2004-08-17 13:37 -------- d-----w- c:\program files\Symantec

2010-06-21 16:50 . 2004-09-30 17:27 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-21 16:48 . 2004-09-07 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-06 10:41 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:56 . 2002-08-29 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:51 . 2002-08-29 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

.

c:\program files\Spybot - Search & Destroy\TeaTimer .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2004-02-26 65024]

"POINTER"="point32.exe" [N/A]

"Matrox PowerDesk 8"="c:\windows\System32\PowerDesk8\Matrox.PowerDesk.exe" [2004-06-10 90112]

"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [N/A]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]

"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-12-09 868352]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 163840]

"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]

"Malwarebytes' Anti-Malware"="e:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

SmartDeviceMonitor for Client.lnk - c:\program files\RDS\RMClient\PMClient.exe [2009-9-10 495616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]

2009-12-16 00:13 15216 ----a-w- c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"EPSON Stylus Photo R2400"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9SA.EXE /FU "c:\windows\TEMP\E_S116.tmp" /EF "HKCU"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"JobHisInit"=c:\program files\RDS\RMClient\JobHisInit.exe

"MplSetUp"=c:\program files\RDS\RMClient\MplSetUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup

"NvMediaCenter"=RUNDLL32.EXE c:\windows\System32\NvMcTray.dll,NvTaskbarInit

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"e:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"e:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"e:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [1/7/2003 4:01 AM 77056]

R2 MBAMService;MBAMService;e:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/24/2010 9:59 AM 304464]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/21/2010 3:47 PM 102448]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/24/2010 9:59 AM 20952]

R3 MTXPARH;MTXPARH;c:\windows\system32\drivers\MTXPARHM.sys [6/10/2004 3:46 PM 465280]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/14/2009 12:51 PM 23888]

.

Contents of the 'Scheduled Tasks' folder

2010-07-02 c:\windows\Tasks\diskspacecheck.job

- e:\Earl\DiskFreeSpace\DiskSpaceCheck\diskspacecheck.exe [2009-07-15 14:16]

2009-04-17 c:\windows\Tasks\getecf320 Train.job

- d:\dev5\GetECFLogin\Get320\getecf320.exe [2008-05-13 12:40]

2009-04-17 c:\windows\Tasks\getecf320.job

- d:\dev5\GetECFLogin\Get320\getecf320.exe [2008-05-13 12:40]

2010-07-06 c:\windows\Tasks\Internet Explorer.job

- c:\progra~1\INTERN~1\iexplore.exe [2004-05-03 20:09]

2004-09-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2004-05-12 20:31]

2010-07-06 c:\windows\Tasks\User_Feed_Synchronization-{72469434-CA1D-442C-A963-92B52CFDD63A}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]

.

.

------- Supplementary Scan -------

.

uStart Page = file:///C:/MyHomePage.htm

mSearch Bar = hxxp://www.google.com/

uSearchAssistant = about:blank

uSearchURL,(Default) = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

Trusted Zone: uscourts.gov

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-06 16:42

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1234729769-739792919-2267824289-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1234729769-739792919-2267824289-1005\Software\Policies\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (S-1-5-21-1234729769-739792919-2267824289-1005)

@Allowed: (Read) (S-1-5-21-1234729769-739792919-2267824289-1005)

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1172)

c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(3928)

c:\windows\system32\WININET.dll

c:\windows\System32\PowerDesk8\Matrox.PowerDesk.Hooks.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\program files\Microsoft Office\OFFICE11\msohev.dll

.

------------------------ Other Running Processes ------------------------

.

e:\program files\Symantec\Symantec Endpoint Protection\Smc.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\windows\SYSTEM32\GEARSEC.EXE

c:\program files\Expertcity\GoToMyPC\g2svc.exe

c:\program files\Expertcity\GoToMyPC\g2comm.exe

c:\program files\Expertcity\GoToMyPC\g2pre.exe

c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

e:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

c:\windows\system32\wdfmgr.exe

c:\windows\System32\MsPMSPSv.exe

c:\program files\Expertcity\GoToMyPC\g2tray.exe

c:\windows\system32\wscntfy.exe

e:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe

c:\windows\SOUNDMAN.EXE

c:\program files\Microsoft Hardware\Mouse\point32.exe

c:\windows\System32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe

c:\program files\RDS\RMClient\PMCTray.exe

c:\program files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe

.

**************************************************************************

.

Completion time: 2010-07-06 16:47:48 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-06 21:47

ComboFix2.txt 2010-07-06 18:17

Pre-Run: 4,622,880,768 bytes free

Post-Run: 4,634,267,648 bytes free

- - End Of File - - 6CCCEDB750813412EC0C9144FEB86EC4


Open Notepad and copy and paste the text in the code box below into it:

KillAll::

RenV::
c:\program files\Spybot - Search & Destroy\TeaTimer .exe

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

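Both CFScript replies above were built by hand from the preceding ComboFix log: the RenV:: block lists the files the log shows with a space before the extension (EngUtil .exe, TeaTimer .exe and so on), and RegLock:: names the locked key the log reported. The Python script below is an added example, not ComboFix's own code and not the helper's script, that derives the same CFScript sections from a log text. It assumes two rules the thread never states outright: every drive-letter path with a space before its extension goes under RenV::, and a key from the LOCKED REGISTRY KEYS section goes under RegLock:: only when the log shows an @Denied: entry for it (the AddressBook keys, which only show @Allowed:, were not scripted). The sample log is a constructed excerpt of the first log in this thread.

```python
"""Derive ComboFix CFScript sections from the text of a ComboFix log.

Added example, not ComboFix's own code and not the helper's script.
Assumptions (not stated on the page): paths with a space before the
extension go under RenV::, and a locked registry key goes under
RegLock:: only when the log shows an @Denied: ACL entry for it.
"""
import re

# Constructed excerpt of the first ComboFix log posted in this thread.
SAMPLE_LOG = r"""
.

<pre>
c:\program files\Common Files\Roxio Shared\System\EngUtil .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
</pre>

Contents of the 'Scheduled Tasks' folder

2010-07-06 c:\windows\Tasks\Internet Explorer.job

- c:\progra~1\INTERN~1\iexplore.exe [2004-05-03 20:09]

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

[HKEY_USERS\S-1-5-21-1234729769-739792919-2267824289-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------
"""

# A drive-letter path whose last component has a space right before the
# extension, e.g. "...\TeaTimer .exe" (the " .exe" entries in the log).
SPACED_EXT = re.compile(r"^[A-Za-z]:\\.+ \.[A-Za-z0-9]{1,4}$")


def find_renamed_victims(log_text):
    """Return every path in the log that has a space before its extension."""
    return [ln.strip() for ln in log_text.splitlines()
            if SPACED_EXT.match(ln.strip())]


def find_denied_locked_keys(log_text):
    """Return keys from LOCKED REGISTRY KEYS that carry an @Denied: entry."""
    keys, in_section, current = [], False, None
    for ln in log_text.splitlines():
        s = ln.strip()
        if "LOCKED REGISTRY KEYS" in s:
            in_section = True
            continue
        if not in_section:
            continue
        if s.startswith("---------------------"):
            break  # the next dashed section header ends the listing
        if s.startswith("[") and s.endswith("]"):
            current = s
        elif s.startswith("@Denied:") and current and current not in keys:
            keys.append(current)
    return keys


def build_cfscript(log_text):
    """Assemble KillAll:: / RenV:: / RegLock:: sections as one CFScript string."""
    lines = ["KillAll::", ""]
    victims = find_renamed_victims(log_text)
    if victims:
        lines += ["RenV::"] + victims + [""]
    keys = find_denied_locked_keys(log_text)
    if keys:
        lines += ["RegLock::"] + keys
    return "\n".join(lines).rstrip() + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```

Running the script prints a CFScript with the same three sections the helper posted; on a log with no renamed files and no denied keys it emits only KillAll::, since those sections are skipped when there is nothing to list.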

KillAll::

RenV::
c:\program files\Spybot - Search & Destroy\TeaTimer .exe

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

I ran the script. It rebooted, then opened the log.

\\\\\\\\\\\\\\\\\\\ ComboFix Log \\\\\\\\\\\\\\\\\\\

ComboFix 10-07-06.02 - Earl 07/06/2010 17:46:44.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1520 [GMT -5:00]

Running from: c:\documents and settings\Earl\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Earl\Desktop\CFScript.txt

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))

.

2010-06-25 20:14 . 2010-06-25 20:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio

2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield

2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\program files\Sonic

2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\program files\Common Files\Sonic Shared

2010-06-25 18:11 . 2010-06-25 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic

2010-06-25 18:10 . 2010-06-25 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio

2010-06-25 18:10 . 2010-06-25 18:10 -------- d-----w- c:\program files\DivX

2010-06-24 20:42 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-24 14:59 . 2010-06-24 14:59 -------- d-----w- c:\documents and settings\Earl\Application Data\Malwarebytes

2010-06-24 14:59 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-24 14:59 . 2010-06-24 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-24 14:59 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-21 20:44 . 2010-06-03 00:59 161920 ----a-w- c:\windows\system32\drivers\wpshelper.sys

2010-06-21 20:42 . 2009-09-17 23:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys

2010-06-21 20:42 . 2010-06-21 20:42 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-06-21 20:42 . 2010-06-21 20:42 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-06-21 15:29 . 2010-06-21 15:29 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2010-06-21 15:29 . 2010-06-21 15:29 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)

2010-06-16 07:13 . 2010-06-16 07:13 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-06 21:33 . 2008-01-03 21:57 -------- d-----w- c:\program files\Symantec AntiVirus

2010-07-06 21:33 . 2004-09-09 14:26 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-07-06 17:44 . 2002-08-29 12:00 577536 ----a-w- c:\windows\system32\user32.dll

2010-07-01 23:32 . 2004-08-12 21:22 48424 ----a-w- c:\documents and settings\Earl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-07-01 18:51 . 2004-08-03 20:28 -------- d-----w- c:\documents and settings\Earl\Application Data\AdobeUM

2010-06-25 22:47 . 2004-08-03 20:15 -------- d-----w- c:\documents and settings\Earl\Application Data\Roxio

2010-06-25 18:12 . 2004-07-28 12:05 -------- d-----w- c:\program files\Roxio

2010-06-25 18:12 . 2004-07-28 12:04 -------- d-----w- c:\program files\Common Files\Roxio Shared

2010-06-24 20:15 . 2010-06-16 07:06 112 ----a-w- c:\documents and settings\All Users\Application Data\q818282.dat

2010-06-24 18:58 . 2002-08-29 12:00 68224 ----a-w- c:\windows\system32\drivers\pci.sys

2010-06-21 20:43 . 2004-08-17 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-06-21 20:42 . 2010-06-21 20:42 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-06-21 20:42 . 2010-06-21 20:42 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-06-21 20:42 . 2004-08-17 13:37 -------- d-----w- c:\program files\Symantec

2010-06-21 16:50 . 2004-09-30 17:27 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-21 16:48 . 2004-09-07 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-06 10:41 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:56 . 2002-08-29 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:51 . 2002-08-29 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

.

c:\program files\Spybot - Search & Destroy\TeaTimer .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2004-02-26 65024]

"POINTER"="point32.exe" [N/A]

"Matrox PowerDesk 8"="c:\windows\System32\PowerDesk8\Matrox.PowerDesk.exe" [2004-06-10 90112]

"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [N/A]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]

"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-12-09 868352]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 163840]

"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]

"Malwarebytes' Anti-Malware"="e:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

SmartDeviceMonitor for Client.lnk - c:\program files\RDS\RMClient\PMClient.exe [2009-9-10 495616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]

2009-12-16 00:13 15216 ----a-w- c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"EPSON Stylus Photo R2400"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9SA.EXE /FU "c:\windows\TEMP\E_S116.tmp" /EF "HKCU"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"JobHisInit"=c:\program files\RDS\RMClient\JobHisInit.exe

"MplSetUp"=c:\program files\RDS\RMClient\MplSetUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup

"NvMediaCenter"=RUNDLL32.EXE c:\windows\System32\NvMcTray.dll,NvTaskbarInit

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"e:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"e:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"e:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [1/7/2003 4:01 AM 77056]

R2 MBAMService;MBAMService;e:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/24/2010 9:59 AM 304464]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/21/2010 3:47 PM 102448]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/24/2010 9:59 AM 20952]

R3 MTXPARH;MTXPARH;c:\windows\system32\drivers\MTXPARHM.sys [6/10/2004 3:46 PM 465280]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/14/2009 12:51 PM 23888]

.

Contents of the 'Scheduled Tasks' folder

2010-07-02 c:\windows\Tasks\diskspacecheck.job

- e:\Earl\DiskFreeSpace\DiskSpaceCheck\diskspacecheck.exe [2009-07-15 14:16]

2009-04-17 c:\windows\Tasks\getecf320 Train.job

- d:\dev5\GetECFLogin\Get320\getecf320.exe [2008-05-13 12:40]

2009-04-17 c:\windows\Tasks\getecf320.job

- d:\dev5\GetECFLogin\Get320\getecf320.exe [2008-05-13 12:40]

2010-07-06 c:\windows\Tasks\Internet Explorer.job

- c:\progra~1\INTERN~1\iexplore.exe [2004-05-03 20:09]

2004-09-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2004-05-12 20:31]

2010-07-06 c:\windows\Tasks\User_Feed_Synchronization-{72469434-CA1D-442C-A963-92B52CFDD63A}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]

.

.

------- Supplementary Scan -------

.

uStart Page = file:///C:/MyHomePage.htm

mSearch Bar = hxxp://www.google.com/

uSearchAssistant = about:blank

uSearchURL,(Default) = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

Trusted Zone: uscourts.gov

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-06 17:57

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1234729769-739792919-2267824289-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1234729769-739792919-2267824289-1005\Software\Policies\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (S-1-5-21-1234729769-739792919-2267824289-1005)

@Allowed: (Read) (S-1-5-21-1234729769-739792919-2267824289-1005)

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1164)

c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(2808)

c:\windows\system32\WININET.dll

c:\windows\System32\PowerDesk8\Matrox.PowerDesk.Hooks.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\program files\Microsoft Office\OFFICE11\msohev.dll

.

------------------------ Other Running Processes ------------------------

.

e:\program files\Symantec\Symantec Endpoint Protection\Smc.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\windows\SYSTEM32\GEARSEC.EXE

c:\program files\Expertcity\GoToMyPC\g2svc.exe

c:\program files\Expertcity\GoToMyPC\g2comm.exe

c:\program files\Expertcity\GoToMyPC\g2pre.exe

c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

e:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

c:\program files\Expertcity\GoToMyPC\g2tray.exe

c:\windows\system32\wdfmgr.exe

c:\windows\System32\MsPMSPSv.exe

c:\windows\system32\wscntfy.exe

e:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe

c:\windows\SOUNDMAN.EXE

c:\program files\Microsoft Hardware\Mouse\point32.exe

c:\windows\System32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe

c:\program files\RDS\RMClient\PMCTray.exe

c:\program files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe

.

**************************************************************************

.

Completion time: 2010-07-06 18:02:15 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-06 23:02

ComboFix2.txt 2010-07-06 21:47

ComboFix3.txt 2010-07-06 18:17

Pre-Run: 4,649,140,224 bytes free

Post-Run: 4,627,718,144 bytes free

- - End Of File - - C29D2428B27F871AF084DCE73A817944


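The ComboFix log above is long, and the entries that matter to a responder are scattered across it: the Security Center monitoring switch, the Windows Firewall state, globally open ports such as 3389/TCP, and scheduled tasks whose target is a browser or script host (the `Internet Explorer.job` task that launches `iexplore.exe` is the kind of entry worth a second look). The script below is an added example written for this thread; it is not ComboFix's or Malwarebytes' code. It assumes the section headers and line shapes seen in the pasted log, and the watch list of task targets is the example author's choice. The sample log is constructed from entries above, not a copy of the full log.

```python
"""Triage a ComboFix-style log for weakened defences and odd scheduled tasks.

Added example for this thread, not code from ComboFix or Malwarebytes; the
section headers and line shapes it matches are assumptions based on the
log format pasted above.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "category detail")

# Programs that are normal on disk but unusual as the target of a scheduled
# task on a workstation (assumption: watch list chosen for this example).
TASK_WATCHLIST = {
    "iexplore.exe", "rundll32.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "regsvr32.exe", "powershell.exe",
}

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKLM\...]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')          # "Name"=value
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(\S.*\.job)$", re.IGNORECASE)
TASK_CMD_RE = re.compile(r"^-\s+(.*?)\s+\[")              # - path\prog.exe [date]


def triage(log_text):
    """Return Finding tuples for the security-relevant entries in log_text."""
    findings = []
    key = ""            # current registry key, original case
    in_tasks = False
    pending_task = None

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue

        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_tasks, pending_task = True, None
            continue
        if in_tasks:
            m = TASK_RE.match(line)
            if m:
                pending_task = m.group(1).rsplit("\\", 1)[-1]
                continue
            m = TASK_CMD_RE.match(line)
            if m:
                exe = m.group(1).rsplit("\\", 1)[-1].lower()
                if pending_task and exe in TASK_WATCHLIST:
                    findings.append(Finding(
                        "scheduled-task", f"{pending_task} launches {exe}"))
                pending_task = None
                continue
            in_tasks = False   # first unrelated line closes the section

        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        lkey, lname = key.lower(), name.lower()

        # Security Center told not to monitor an AV product: the user gets no
        # warning if that product is switched off or out of date.
        if "security center\\monitoring\\" in lkey and lname == "disablemonitoring":
            if value.lower().endswith("00000001"):
                product = key.rsplit("\\", 1)[-1]
                findings.append(Finding(
                    "security-center", f"monitoring disabled for {product}"))
        # Windows Firewall switched off for the standard (non-domain) profile.
        elif lkey.endswith("firewallpolicy\\standardprofile") and lname == "enablefirewall":
            if value.startswith("0"):
                findings.append(Finding(
                    "firewall", "Windows Firewall disabled in the standard profile"))
        # Ports opened to every network, e.g. 3389/TCP (Remote Desktop).
        elif lkey.endswith("globallyopenports\\list"):
            findings.append(Finding("open-port", f"{name} open to all networks"))

    return findings


# Constructed sample that mirrors entries from the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
Contents of the 'Scheduled Tasks' folder
2010-07-02 c:\windows\Tasks\diskspacecheck.job
- e:\Earl\DiskFreeSpace\DiskSpaceCheck\diskspacecheck.exe [2009-07-15 14:16]
2010-07-06 c:\windows\Tasks\Internet Explorer.job
- c:\progra~1\INTERN~1\iexplore.exe [2004-05-03 20:09]
.
------- Supplementary Scan -------
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.detail}")
```

The findings are prompts for the person doing the cleanup, not verdicts: a Security Center monitoring switch is sometimes set by the AV product itself, the firewall may be off because a third-party firewall replaced it, and an open 3389/TCP may be deliberate on a machine that is managed remotely. Each one should be confirmed with the owner of the machine before it is treated as a symptom.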
How are things running now?

Everything seems fine. Have no messages from SEP. I see no unusual things running.

What about Acrobat 6 Pro? Does it have too many security holes?

Was any software uninstalled or deleted by ComboFix?

Roxio seems to be working.

Not sure why I have the Ricoh RMClient stuff running. I don't recall having Ricoh printers. Have very large 100 PPM Canon and Toshibas that may have purchased Ricoh product.

An off topic question:

The machine from which I am posting this, and on the same network, is getting a SEP popup at times of "[SID 20495] FTP MS IIS Status DoS Detected". The logs show it's from 0.0.0.0, i.e. not traceable. I do have IIS and SQL running for doing VS dev, but haven't done any in a long time. The FTP and SMTP servers are not running. I am on a network with 20 other PCs so it is possible it's one of them. I am behind a NAT Router.

I don't have MBAM installed, but do have a license. Installing that would be my next step. Wondering if it is safe to run TDSSKiller and MBER to see if there are any TD or BootRec infections?


What about Acrobat 6 Pro? Does it have too many security holes?

Absolutely. I don't know where to start, so ...:

http://www.google.bg/search?hl=bg&q=Ad...q=&gs_rfai=

Was any software uninstalled or deleted by ComboFix?

Nope.

Wondering if it is safe to run TDSSKiller and MBER to see if there are any TD or BootRec infections?

Yeah, no problem.

Let me know how things are.


How are things running now?

When I reboot I do get an error:

---------------------------

ccApp.exe - Unable To Locate Component

---------------------------

This application has failed to start because ccL40.dll was not found. Re-installing the application may fix this problem.

---------------------------

OK

---------------------------


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
