
Infected with fsharproj.BHO



All,

Much to my dismay, I am infected and Google searches are redirecting.

I followed the instructions under "I'm infected - What do I do now?". Pasted or attached are my logs from Mbam, Defogger, DDS and GMER.

I have seen a conversation that says to not "attach" files, but the "I'm infected - What do I do now?" instructions say to attach the attach.txt and ark.txt files as attach.zip. If someone would like them pasted instead, let me know.

Thanks in advance for your assistance.

-Jim

==========================================================

==========================================================

==========================================================

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7341

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

8/1/2011 12:56:50 AM

mbam-log-2011-08-01 (00-56-50).txt

Scan type: Quick scan

Objects scanned: 192744

Time elapsed: 6 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

==========================================================

==========================================================

==========================================================

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 22:21 on 31/07/2011 (Jim Damato)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

==========================================================

==========================================================

==========================================================

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 7.0.5730.13

Run by Jim Damato at 22:25:05 on 2011-07-31

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1911.1017 [GMT -4:00]

.

AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

c:\drivers\audio\r256076\wdm\stacsv.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\MXOALDR.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe

C:\Apache2\bin\httpd.exe

C:\Program Files\Citrix\ICA Client\concentr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Citrix\ICA Client\wfcrun32.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Evernote\Evernote\EvernoteClipper.exe

C:\WINDOWS\System32\GEARSec.exe

C:\WINDOWS\system32\svchost.exe -k HPService

C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

C:\WINDOWS\system32\taskmgr.exe

C:\Apache2\bin\httpd.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\WINDOWS\system32\lxdocoms.exe

C:\mysql\bin\mysqld.exe

C:\Program Files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\AcroTray.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\AcroTray.exe

C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.bing.com

uSearch Bar = hxxp://www.bing.com/sphome.aspx

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://www.bing.com/sphome.aspx

BHO: {03b1b461-e0ae-4066-89ff-fdfef462f881} - c:\windows\system32\atrace32.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\18.6.0.29\ips\IPSBHO.DLL

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [MXO Auto Loader] c:\windows\MXOALDR.EXE

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [Norton Ghost 9.0] c:\program files\norton systemworks\norton ghost\agent\GhostTray.exe

mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

StartupFolder: c:\docume~1\jimdam~1\startm~1\programs\startup\everno~1.lnk - c:\program files\evernote\evernote\EvernoteClipper.exe

StartupFolder: c:\docume~1\jimdam~1\startm~1\programs\startup\norton~2.lnk - c:\program files\norton systemworks\norton utilities\SYSDOC32.EXE

StartupFolder: c:\docume~1\jimdam~1\startm~1\programs\startup\taskma~1.lnk - c:\windows\system32\taskmgr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: Add to Evernote 4.0 - c:\program files\evernote\evernote\EvernoteIE.dll/204

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000

IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\evernote\evernote\EvernoteIE.dll/204

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

Trusted Zone: microsoft.com\*.update

Trusted Zone: windowsupdate.com\download

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272399186421

DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://secvpn.sec.gov/CACHE/sdesktop/install/binaries/instweb.cab

DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} - hxxps://secret1.sec.gov/net6helper.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1 71.252.0.12

TCP: Interfaces\{250F3D67-8AB9-45D6-8D6B-9B42DC77A9B6} : DhcpNameServer = 192.168.1.1 71.252.0.12

Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Notify: igfxcui - igfxdev.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\jim damato\application data\mozilla\firefox\profiles\ctk4i731.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - plugin: c:\documents and settings\jim damato\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

.

============= SERVICES / DRIVERS ===============

.

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-7-29 138780]

R0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\drivers\stdflt.sys [2010-4-22 16176]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1206000.01d\SymDS.sys [2011-7-31 340088]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1206000.01d\SymEFA.sys [2011-7-31 744568]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.6.0.29\definitions\bashdefs\20110723.001\BHDrvx86.sys [2011-7-23 815736]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-4-16 65584]

R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-7-29 46779]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1206000.01d\Ironx86.sys [2011-7-31 136312]

R2 Apache2.2;Apache2.2;c:\apache2\bin\httpd.exe [2011-6-5 18432]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-8-27 197992]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2004-8-27 181608]

R2 lxdo_device;lxdo_device;c:\windows\system32\lxdocoms.exe -service --> c:\windows\system32\lxdocoms.exe -service [?]

R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\18.6.0.29\ccSvcHst.exe [2011-7-31 130008]

R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2010-5-7 819352]

R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Acceler.sys [2010-4-22 41648]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-4-22 112512]

R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2010-4-22 134144]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2010-4-22 143968]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-31 105592]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.6.0.29\definitions\ipsdefs\20110729.030\IDSXpx86.sys [2011-7-29 355256]

R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-4-22 215040]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.6.0.29\definitions\virusdefs\20110731.003\naveng.sys [2011-7-31 86008]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.6.0.29\definitions\virusdefs\20110731.003\navex15.sys [2011-7-31 1542392]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 InstallFilterService;FF Install Filter Service;c:\program files\stmicroelectronics\accelerometer\InstallFilterService.exe [2010-4-22 60928]

S2 lxdoCATSCustConnectService;lxdoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdoserv.exe [2010-7-8 94208]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-8-27 79208]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-4-22 171520]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-08-01 01:22:55 744568 ----a-r- c:\windows\system32\drivers\nav\1206000.01d\SymEFA.sys

2011-08-01 01:22:55 516216 ----a-r- c:\windows\system32\drivers\nav\1206000.01d\srtsp.sys

2011-08-01 01:22:55 50168 ----a-r- c:\windows\system32\drivers\nav\1206000.01d\srtspx.sys

2011-08-01 01:22:55 369784 ----a-r- c:\windows\system32\drivers\nav\1206000.01d\symtdi.sys

2011-08-01 01:22:55 340088 ----a-r- c:\windows\system32\drivers\nav\1206000.01d\SymDS.sys

2011-08-01 01:22:55 331384 ----a-r- c:\windows\system32\drivers\nav\1206000.01d\symtdiv.sys

2011-08-01 01:22:55 296568 ----a-r- c:\windows\system32\drivers\nav\1206000.01d\symnets.sys

2011-08-01 01:22:55 136312 ----a-r- c:\windows\system32\drivers\nav\1206000.01d\Ironx86.sys

2011-08-01 01:22:45 -------- d-----w- c:\windows\system32\drivers\nav\1206000.01D

2011-08-01 01:22:45 -------- d-----w- c:\windows\system32\drivers\NAV

2011-08-01 01:22:44 -------- d-----w- c:\program files\Norton AntiVirus

2011-08-01 01:14:52 -------- d-----w- c:\documents and settings\all users\application data\PCSettings

2011-08-01 01:14:42 -------- d-----w- c:\program files\NortonInstaller

2011-08-01 01:14:42 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller

2011-08-01 01:10:55 -------- d-----w- c:\documents and settings\all users\application data\Norton

2011-07-31 23:08:25 -------- d-----w- c:\program files\CCleaner

2011-07-31 22:53:49 -------- d-----w- c:\documents and settings\jim damato\application data\Malwarebytes

2011-07-31 22:53:40 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-31 22:53:39 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-07-31 22:53:35 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-31 22:53:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-27 02:29:09 -------- d-----w- c:\program files\iTunes

2011-07-27 02:18:09 -------- d-----w- c:\program files\Bonjour

2011-07-26 01:02:08 0 ---ha-w- c:\documents and settings\jim damato\cnqqlobbuq.tmp

2011-07-25 08:55:22 358400 ----a-w- c:\windows\system32\atrace32.dll

2011-07-12 15:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-07-12 15:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll

.

==================== Find3M ====================

.

2011-08-01 01:23:01 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL

2011-08-01 01:23:01 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-06-02 14:07:35 1867904 ----a-w- c:\windows\system32\win32k.sys

2011-05-10 12:06:08 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll

2011-05-10 12:06:08 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys

.

============= FINISH: 22:25:19.26 ===============

==========================================================

==========================================================

==========================================================

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2011-08-01 00:54:57

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST925041 rev.D005

Running: jg6qbrts.exe; Driver: C:\DOCUME~1\JIMDAM~1\LOCALS~1\Temp\ugroipob.sys

---- System - GMER 1.0.15 ----

SSDT 8805E008 ZwAlertResumeThread

SSDT 8803D128 ZwAlertThread

SSDT 87FBCB88 ZwAllocateVirtualMemory

SSDT 87FB62E8 ZwAssignProcessToJobObject

SSDT 882DE8D0 ZwConnectPort

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0x96CEA710]

SSDT 8835D9D0 ZwCreateMutant

SSDT 88011150 ZwCreateSymbolicLinkObject

SSDT 87FCA248 ZwCreateThread

SSDT 87FBB268 ZwDebugActiveProcess

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0x96CEA990]

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0x96CEAEF0]

SSDT 8808E558 ZwDuplicateObject

SSDT 87FE90C8 ZwFreeVirtualMemory

SSDT 882770E8 ZwImpersonateAnonymousToken

SSDT 8805E0A0 ZwImpersonateThread

SSDT 88353840 ZwLoadDriver

SSDT 883C9100 ZwMapViewOfSection

SSDT 8835D8F0 ZwOpenEvent

SSDT 87FE33A0 ZwOpenProcess

SSDT 87FC7360 ZwOpenProcessToken

SSDT 88356EA8 ZwOpenSection

SSDT 87FE32D0 ZwOpenThread

SSDT 88011220 ZwProtectVirtualMemory

SSDT 882BD8C0 ZwResumeThread

SSDT 882E48E8 ZwSetContextThread

SSDT 880243A8 ZwSetInformationProcess

SSDT 87FBB348 ZwSetSystemInformation

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0x96CEB140]

SSDT 88356F48 ZwSuspendProcess

SSDT 877BF5A0 ZwSuspendThread

SSDT 87FCA348 ZwTerminateProcess

SSDT 877BF660 ZwTerminateThread

SSDT 88024498 ZwUnmapViewOfSection

SSDT 87FBCAB8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C30 805044CC 4 Bytes [E8, 62, FB, 87]

.text ntkrnlpa.exe!ZwCallbackReturn + 2C61 805044FD 3 Bytes CALL CF34CD2F

.text ntkrnlpa.exe!ZwCallbackReturn + 2D48 805045E4 4 Bytes CALL FAD86D59

.text ntkrnlpa.exe!ZwCallbackReturn + 2F38 805047D4 4 Bytes [E8, 48, 2E, 88]

? SYMDS.SYS The system cannot find the file specified. !

? SYMEFA.SYS The system cannot find the file specified. !

init C:\WINDOWS\system32\Drivers\CtAudDrv.sys entry point in "init" section [0xA5F82D50]

? C:\DOCUME~1\JIMDAM~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1956] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device ftdisk.sys (FT Disk Driver/Microsoft Corporation)

AttachedDevice PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)

Device 93B26D20

---- EOF - GMER 1.0.15 ----

attach.zip

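Added example (not part of Jim's post, and not code from DDS, Malwarebytes or ComboFix): a small triage script for the "Pseudo HJT Report" section of a DDS log like the one above. It parses the BHO lines and the "Created Last 30" file list and flags the BHO entries a helper would look at first: ones registered with no display name, ones whose DLL DDS could not find ("No File"), and ones whose DLL also shows up in the recently-created list. The excerpt embedded in the script is copied from the log above (only the lines the parser needs); the function names, the regexes and the flagging rules are my own. A flag means "review this entry", not "this is malware".

```python
"""Triage helper for the BHO section of a DDS log (added example)."""
import re
from datetime import date

# Lines copied from the DDS log in the post above; the format is DDS's own.
DDS_EXCERPT = r"""
BHO: {03b1b461-e0ae-4066-89ff-fdfef462f881} - c:\windows\system32\atrace32.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\18.6.0.29\ips\IPSBHO.DLL
=============== Created Last 30 ================
2011-08-01 01:22:45 -------- d-----w- c:\windows\system32\drivers\NAV
2011-07-26 01:02:08 0 ---ha-w- c:\documents and settings\jim damato\cnqqlobbuq.tmp
2011-07-25 08:55:22 358400 ----a-w- c:\windows\system32\atrace32.dll
2011-07-12 15:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
"""

# "BHO: <optional display name>: {CLSID} - <path or 'No File'>"
BHO_RE = re.compile(
    r"^BHO: (?:(?P<name>.*?): )?(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
# "YYYY-MM-DD HH:MM:SS <size or dashes> <attribute flags> <path>"
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} \S+ \S+ (?P<path>.+)$"
)


def parse_dds(text):
    """Return (list of BHO dicts, {lowercased path: creation date})."""
    bhos, created = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append({
                "name": m.group("name"),           # None when DDS printed no name
                "clsid": m.group("clsid").lower(),
                "path": m.group("path"),
            })
            continue
        m = CREATED_RE.match(line)
        if m:
            created[m.group("path").lower()] = date.fromisoformat(m.group("date"))
    return bhos, created


def triage_bhos(text):
    """Return [(clsid, path, [reasons])] for BHO entries worth a closer look."""
    bhos, created = parse_dds(text)
    findings = []
    for bho in bhos:
        reasons = []
        if bho["name"] is None:
            reasons.append("no display name")
        if bho["path"] == "No File":
            reasons.append("CLSID registered but DLL missing")
        elif bho["path"].lower() in created:
            reasons.append("DLL created %s (listed under 'Created Last 30')"
                           % created[bho["path"].lower()].isoformat())
        if reasons:
            findings.append((bho["clsid"], bho["path"], reasons))
    return findings


if __name__ == "__main__":
    for clsid, path, reasons in triage_bhos(DDS_EXCERPT):
        print(clsid, path)
        for reason in reasons:
            print("   -", reason)
```

Run against the excerpt it prints two entries: the unnamed BHO backed by c:\windows\system32\atrace32.dll, which the "Created Last 30" list dates to 2011-07-25, and the orphaned CLSID whose DLL is gone. The named Adobe and Symantec helpers are left alone. To use it on a full DDS.txt, replace DDS_EXCERPT with the file contents; the parser ignores every line it does not recognise.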

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Logs as requested..... MBAM, ComboFix and DDS all run on a fresh start-up with Norton turned off.

=====================================================================

MBAM ================================================================

=====================================================================

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7367

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

8/4/2011 9:27:21 AM

mbam-log-2011-08-04 (09-27-07).txt

Scan type: Quick scan

Objects scanned: 193421

Time elapsed: 9 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

=====================================================================

ComboFix ============================================================

=====================================================================

ComboFix 11-08-04.01 - Jim Damato 08/04/2011 9:29.2.4 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1911.1080 [GMT -4:00]

Running from: c:\documents and settings\Jim Damato\Desktop\ComboFix.exe

AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{2e5ecefb-dc82-4bac-833e-7ffb1b956bf0}

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{2e5ecefb-dc82-4bac-833e-7ffb1b956bf0}\chrome.manifest

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{2e5ecefb-dc82-4bac-833e-7ffb1b956bf0}\chrome\xulcache.jar

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{2e5ecefb-dc82-4bac-833e-7ffb1b956bf0}\defaults\preferences\xulcache.js

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{2e5ecefb-dc82-4bac-833e-7ffb1b956bf0}\install.rdf

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{30aeb37b-0bc9-45d3-a632-e95e339e2d7e}

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{30aeb37b-0bc9-45d3-a632-e95e339e2d7e}\chrome.manifest

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{30aeb37b-0bc9-45d3-a632-e95e339e2d7e}\chrome\xulcache.jar

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{30aeb37b-0bc9-45d3-a632-e95e339e2d7e}\defaults\preferences\xulcache.js

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{30aeb37b-0bc9-45d3-a632-e95e339e2d7e}\install.rdf

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{58b8679b-2f96-410a-abb1-a12d0adb9008}

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{58b8679b-2f96-410a-abb1-a12d0adb9008}\chrome.manifest

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{58b8679b-2f96-410a-abb1-a12d0adb9008}\chrome\xulcache.jar

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{58b8679b-2f96-410a-abb1-a12d0adb9008}\defaults\preferences\xulcache.js

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{58b8679b-2f96-410a-abb1-a12d0adb9008}\install.rdf

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{61da3880-26c5-480b-8504-7eb435bf8749}

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{61da3880-26c5-480b-8504-7eb435bf8749}\chrome.manifest

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{61da3880-26c5-480b-8504-7eb435bf8749}\chrome\xulcache.jar

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{61da3880-26c5-480b-8504-7eb435bf8749}\defaults\preferences\xulcache.js

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{61da3880-26c5-480b-8504-7eb435bf8749}\install.rdf

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{66ab0158-4140-47a1-843e-5715d40bc82e}

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{66ab0158-4140-47a1-843e-5715d40bc82e}\chrome.manifest

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{66ab0158-4140-47a1-843e-5715d40bc82e}\chrome\xulcache.jar

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{66ab0158-4140-47a1-843e-5715d40bc82e}\defaults\preferences\xulcache.js

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{66ab0158-4140-47a1-843e-5715d40bc82e}\install.rdf

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{a222c640-702e-45e9-80bb-01f577f6d435}

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{a222c640-702e-45e9-80bb-01f577f6d435}\chrome.manifest

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{a222c640-702e-45e9-80bb-01f577f6d435}\chrome\xulcache.jar

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{a222c640-702e-45e9-80bb-01f577f6d435}\defaults\preferences\xulcache.js

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{a222c640-702e-45e9-80bb-01f577f6d435}\install.rdf

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{a625bc76-7205-4bcb-b7c9-1ca5f579cfba}

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{a625bc76-7205-4bcb-b7c9-1ca5f579cfba}\chrome.manifest

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{a625bc76-7205-4bcb-b7c9-1ca5f579cfba}\chrome\xulcache.jar

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{a625bc76-7205-4bcb-b7c9-1ca5f579cfba}\defaults\preferences\xulcache.js

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{a625bc76-7205-4bcb-b7c9-1ca5f579cfba}\install.rdf

c:\documents and settings\Jim Damato\cnqqlobbuq.tmp

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{2e5ecefb-dc82-4bac-833e-7ffb1b956bf0}

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{2e5ecefb-dc82-4bac-833e-7ffb1b956bf0}\chrome.manifest

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{2e5ecefb-dc82-4bac-833e-7ffb1b956bf0}\chrome\xulcache.jar

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{2e5ecefb-dc82-4bac-833e-7ffb1b956bf0}\defaults\preferences\xulcache.js

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{2e5ecefb-dc82-4bac-833e-7ffb1b956bf0}\install.rdf

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{30aeb37b-0bc9-45d3-a632-e95e339e2d7e}

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{30aeb37b-0bc9-45d3-a632-e95e339e2d7e}\chrome.manifest

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{30aeb37b-0bc9-45d3-a632-e95e339e2d7e}\chrome\xulcache.jar

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{30aeb37b-0bc9-45d3-a632-e95e339e2d7e}\defaults\preferences\xulcache.js

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{30aeb37b-0bc9-45d3-a632-e95e339e2d7e}\install.rdf

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{58b8679b-2f96-410a-abb1-a12d0adb9008}

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{58b8679b-2f96-410a-abb1-a12d0adb9008}\chrome.manifest

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{58b8679b-2f96-410a-abb1-a12d0adb9008}\chrome\xulcache.jar

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{58b8679b-2f96-410a-abb1-a12d0adb9008}\defaults\preferences\xulcache.js

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{58b8679b-2f96-410a-abb1-a12d0adb9008}\install.rdf

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{61da3880-26c5-480b-8504-7eb435bf8749}

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{61da3880-26c5-480b-8504-7eb435bf8749}\chrome.manifest

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{61da3880-26c5-480b-8504-7eb435bf8749}\chrome\xulcache.jar

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{61da3880-26c5-480b-8504-7eb435bf8749}\defaults\preferences\xulcache.js

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{61da3880-26c5-480b-8504-7eb435bf8749}\install.rdf

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{66ab0158-4140-47a1-843e-5715d40bc82e}

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{66ab0158-4140-47a1-843e-5715d40bc82e}\chrome.manifest

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{66ab0158-4140-47a1-843e-5715d40bc82e}\chrome\xulcache.jar

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{66ab0158-4140-47a1-843e-5715d40bc82e}\defaults\preferences\xulcache.js

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{66ab0158-4140-47a1-843e-5715d40bc82e}\install.rdf

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{a222c640-702e-45e9-80bb-01f577f6d435}

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{a222c640-702e-45e9-80bb-01f577f6d435}\chrome.manifest

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{a222c640-702e-45e9-80bb-01f577f6d435}\chrome\xulcache.jar

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{a222c640-702e-45e9-80bb-01f577f6d435}\defaults\preferences\xulcache.js

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{a222c640-702e-45e9-80bb-01f577f6d435}\install.rdf

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{a625bc76-7205-4bcb-b7c9-1ca5f579cfba}

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{a625bc76-7205-4bcb-b7c9-1ca5f579cfba}\chrome.manifest

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{a625bc76-7205-4bcb-b7c9-1ca5f579cfba}\chrome\xulcache.jar

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{a625bc76-7205-4bcb-b7c9-1ca5f579cfba}\defaults\preferences\xulcache.js

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{a625bc76-7205-4bcb-b7c9-1ca5f579cfba}\install.rdf

c:\windows\system32\AutoRun.inf

c:\windows\system32\Cache

.

.

((((((((((((((((((((((((( Files Created from 2011-07-04 to 2011-08-04 )))))))))))))))))))))))))))))))

.

.

2011-08-01 01:22 . 2011-08-01 01:22 -------- d-----w- c:\windows\system32\drivers\NAV

2011-08-01 01:22 . 2011-08-01 01:22 -------- d-----w- c:\program files\Norton AntiVirus

2011-08-01 01:22 . 2011-08-01 01:22 -------- d-----w- c:\program files\Windows Sidebar

2011-08-01 01:14 . 2011-08-01 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings

2011-08-01 01:14 . 2011-08-01 01:14 -------- d-----w- c:\program files\NortonInstaller

2011-08-01 01:10 . 2011-08-01 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2011-07-31 23:08 . 2011-07-31 23:08 -------- d-----w- c:\program files\CCleaner

2011-07-31 22:53 . 2011-07-31 22:53 -------- d-----w- c:\documents and settings\Jim Damato\Application Data\Malwarebytes

2011-07-31 22:53 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-31 22:53 . 2011-07-31 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-07-31 22:53 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-31 22:53 . 2011-07-31 22:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-27 02:29 . 2011-07-27 02:30 -------- d-----w- c:\program files\iTunes

2011-07-27 02:18 . 2011-07-27 02:18 -------- d-----w- c:\program files\Bonjour

2011-07-25 08:55 . 2011-07-25 08:55 358400 ----a-w- c:\windows\system32\atrace32.dll

2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll

2011-07-05 21:07 . 2011-07-05 21:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-01 01:23 . 2010-05-07 16:27 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL

2011-08-01 01:23 . 2010-05-07 16:27 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-06-02 14:07 . 2008-04-25 16:16 1867904 ----a-w- c:\windows\system32\win32k.sys

2011-05-10 12:06 . 2010-08-14 17:07 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll

2011-05-10 12:06 . 2010-08-14 17:07 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2010-05-12 20:42 . 2010-05-12 20:42 124344 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll

2010-05-12 21:22 . 2010-05-12 21:22 13240 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2010-05-12 20:43 . 2010-05-12 20:43 70592 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2010-05-12 20:42 . 2010-05-12 20:42 91576 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2010-05-12 20:42 . 2010-05-12 20:42 22464 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2010-05-12 20:41 . 2010-05-12 20:41 255416 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2010-05-12 20:42 . 2010-05-12 20:42 31160 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2010-05-12 20:42 . 2010-05-12 20:42 40384 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2010-04-14 17:55 . 2010-04-14 17:55 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2010-05-12 20:43 . 2010-05-12 20:43 24000 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

2011-07-08 07:16 . 2011-05-18 01:46 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03B1B461-E0AE-4066-89FF-FDFEF462F881}]

2011-07-25 08:55 358400 ----a-w- c:\windows\system32\atrace32.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-01-07 1602856]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-11 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-11 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-11 144920]

"MXO Auto Loader"="c:\windows\MXOALDR.EXE" [2003-04-07 118784]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]

"Norton Ghost 9.0"="c:\program files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe" [2004-07-29 1122304]

"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-05-12 300472]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]

.

c:\documents and settings\Jim Damato\Start Menu\Programs\Startup\

EvernoteClipper.lnk - c:\program files\Evernote\Evernote\EvernoteClipper.exe [2011-6-28 974848]

Norton System Doctor.lnk - c:\program files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE [2004-8-30 83040]

Task Manager.lnk - c:\windows\system32\taskmgr.exe [2008-4-25 135680]

.

c:\documents and settings\JimAdmin\Start Menu\Programs\Startup\

Task Manager.lnk - c:\windows\system32\taskmgr.exe [2008-4-25 135680]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Jim Damato^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\Jim Damato\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AESTFltr]

2008-12-17 05:41 729088 ----a-w- c:\windows\system32\AESTFltr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeFallProtection]

2009-07-22 12:52 2384896 ----a-w- c:\program files\STMicroelectronics\Accelerometer\FF_Protection.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

2008-10-24 14:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-07-19 22:29 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 9500 Series Fax Server]

2010-02-10 09:21 311976 ----a-w- c:\program files\Lexmark 9500 Series\fm3032.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdoamon]

2010-02-10 09:22 25256 ----a-w- c:\program files\Lexmark 9500 Series\lxdoamon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdomon.exe]

2010-02-10 09:22 455336 ----a-w- c:\program files\Lexmark 9500 Series\lxdomon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]

2009-07-08 17:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]

2009-12-14 13:28 495711 ----a-w- c:\program files\IDT\WDM\sttray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"JavaQuickStarterService"=2 (0x2)

"Bonjour Service"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\WINDOWS\\system32\\lxdocoms.exe"=

"c:\\Program Files\\Lexmark 9500 Series\\lxdomon.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdopswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdojswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdotime.exe"=

"c:\\Program Files\\Eclipse\\eclipse.exe"=

"c:\\Apache2\\bin\\httpd.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [7/29/2004 3:33 AM 138780]

R0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\drivers\stdflt.sys [4/22/2010 6:39 AM 16176]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1206000.01D\SymDS.sys [7/31/2011 9:22 PM 340088]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1206000.01D\SymEFA.sys [7/31/2011 9:22 PM 744568]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.6.0.29\Definitions\BASHDefs\20110723.001\BHDrvx86.sys [7/23/2011 12:32 AM 815736]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [4/16/2010 4:22 PM 65584]

R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [7/29/2004 4:13 AM 46779]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1206000.01D\Ironx86.sys [7/31/2011 9:22 PM 136312]

R2 Apache2.2;Apache2.2;c:\apache2\bin\httpd.exe [6/5/2011 1:00 AM 18432]

R2 lxdo_device;lxdo_device;c:\windows\system32\lxdocoms.exe -service --> c:\windows\system32\lxdocoms.exe -service [?]

R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe [7/31/2011 9:22 PM 130008]

R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Acceler.sys [4/22/2010 6:39 AM 41648]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [4/22/2010 9:21 AM 112512]

R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [4/22/2010 6:47 AM 134144]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [4/22/2010 6:47 AM 143968]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/31/2011 9:23 PM 105592]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.6.0.29\Definitions\IPSDefs\20110803.030\IDSXpx86.sys [8/3/2011 7:18 PM 355256]

R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [4/22/2010 9:22 AM 215040]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 InstallFilterService;FF Install Filter Service;c:\program files\STMicroelectronics\Accelerometer\InstallFilterService.exe [4/22/2010 6:39 AM 60928]

S2 lxdoCATSCustConnectService;lxdoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdoserv.exe [7/8/2010 9:00 AM 94208]

S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [4/22/2010 9:22 AM 171520]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 12:16 PM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]

.

2011-07-25 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job

- c:\program files\Norton SystemWorks\OBC.exe [2004-11-04 05:19]

.

2011-08-03 c:\windows\Tasks\Symantec Drmc.job

- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2004-10-27 18:48]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\Evernote\Evernote\EvernoteIE.dll/204

Trusted Zone: microsoft.com\*.update

Trusted Zone: windowsupdate.com\download

TCP: DhcpNameServer = 192.168.1.1 71.252.0.12

FF - ProfilePath - c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-04 09:36

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]

"ImagePath"="c:\mysql\bin\mysqld MySQL"

.

Completion time: 2011-08-04 09:38:16

ComboFix-quarantined-files.txt 2011-08-04 13:38

.

Pre-Run: 178,201,616,384 bytes free

Post-Run: 179,845,148,672 bytes free

.

- - End Of File - - 124E3E7833B30662628FBFA773C126CA

=====================================================================

DDS =================================================================

=====================================================================

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 7.0.5730.13

Run by Jim Damato at 10:10:23 on 2011-08-04

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1911.1300 [GMT -4:00]

.

AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

c:\drivers\audio\r256076\wdm\stacsv.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\MXOALDR.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe

C:\Program Files\Citrix\ICA Client\concentr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Citrix\ICA Client\wfcrun32.exe

C:\Program Files\Evernote\Evernote\EvernoteClipper.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

C:\WINDOWS\system32\taskmgr.exe

C:\Apache2\bin\httpd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\GEARSec.exe

C:\WINDOWS\system32\svchost.exe -k HPService

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Apache2\bin\httpd.exe

C:\WINDOWS\system32\lxdocoms.exe

C:\mysql\bin\mysqld.exe

C:\Program Files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

BHO: {03b1b461-e0ae-4066-89ff-fdfef462f881} - c:\windows\system32\atrace32.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\18.6.0.29\ips\IPSBHO.DLL

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [MXO Auto Loader] c:\windows\MXOALDR.EXE

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [Norton Ghost 9.0] c:\program files\norton systemworks\norton ghost\agent\GhostTray.exe

mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

StartupFolder: c:\docume~1\jimdam~1\startm~1\programs\startup\everno~1.lnk - c:\program files\evernote\evernote\EvernoteClipper.exe

StartupFolder: c:\docume~1\jimdam~1\startm~1\programs\startup\norton~2.lnk - c:\program files\norton systemworks\norton utilities\SYSDOC32.EXE

StartupFolder: c:\docume~1\jimdam~1\startm~1\programs\startup\taskma~1.lnk - c:\windows\system32\taskmgr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: Add to Evernote 4.0 - c:\program files\evernote\evernote\EvernoteIE.dll/204

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000

IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\evernote\evernote\EvernoteIE.dll/204

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

Trusted Zone: microsoft.com\*.update

Trusted Zone: windowsupdate.com\download

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272399186421

DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://secvpn.sec.gov/CACHE/sdesktop/install/binaries/instweb.cab

DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} - hxxps://secret1.sec.gov/net6helper.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1 71.252.0.12

TCP: Interfaces\{250F3D67-8AB9-45D6-8D6B-9B42DC77A9B6} : DhcpNameServer = 192.168.1.1 71.252.0.12

Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Notify: igfxcui - igfxdev.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\jim damato\application data\mozilla\firefox\profiles\ctk4i731.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - plugin: c:\documents and settings\jim damato\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

.

============= SERVICES / DRIVERS ===============

.

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-7-29 138780]

R0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\drivers\stdflt.sys [2010-4-22 16176]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1206000.01d\SymDS.sys [2011-7-31 340088]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1206000.01d\SymEFA.sys [2011-7-31 744568]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.6.0.29\definitions\bashdefs\20110723.001\BHDrvx86.sys [2011-7-23 815736]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-4-16 65584]

R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-7-29 46779]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1206000.01d\Ironx86.sys [2011-7-31 136312]

R2 Apache2.2;Apache2.2;c:\apache2\bin\httpd.exe [2011-6-5 18432]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-8-27 197992]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2004-8-27 181608]

R2 lxdo_device;lxdo_device;c:\windows\system32\lxdocoms.exe -service --> c:\windows\system32\lxdocoms.exe -service [?]

R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\18.6.0.29\ccSvcHst.exe [2011-7-31 130008]

R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2010-5-7 819352]

R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Acceler.sys [2010-4-22 41648]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-4-22 112512]

R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2010-4-22 134144]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2010-4-22 143968]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-31 105592]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.6.0.29\definitions\ipsdefs\20110803.030\IDSXpx86.sys [2011-8-3 355256]

R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-4-22 215040]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 InstallFilterService;FF Install Filter Service;c:\program files\stmicroelectronics\accelerometer\InstallFilterService.exe [2010-4-22 60928]

S2 lxdoCATSCustConnectService;lxdoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdoserv.exe [2010-7-8 94208]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-8-27 79208]

S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.6.0.29\definitions\virusdefs\20110803.036\NAVENG.SYS [2011-8-4 86136]

S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.6.0.29\definitions\virusdefs\20110803.036\NAVEX15.SYS [2011-8-4 1576312]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-4-22 171520]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-08-04 13:41:06 0 ---ha-w- c:\documents and settings\jim damato\cnqqlobbuq.tmp

2011-08-04 03:53:54 -------- d-sha-r- C:\cmdcons

2011-08-04 03:51:49 98816 ----a-w- c:\windows\sed.exe

2011-08-04 03:51:49 518144 ----a-w- c:\windows\SWREG.exe

2011-08-04 03:51:49 256000 ----a-w- c:\windows\PEV.exe

2011-08-04 03:51:49 208896 ----a-w- c:\windows\MBR.exe

2011-08-01 01:22:55 744568 ----a-r- c:\windows\system32\drivers\nav\1206000.01d\SymEFA.sys

2011-08-01 01:22:55 516216 ----a-r- c:\windows\system32\drivers\nav\1206000.01d\srtsp.sys

2011-08-01 01:22:55 50168 ----a-r- c:\windows\system32\drivers\nav\1206000.01d\srtspx.sys

2011-08-01 01:22:55 369784 ----a-r- c:\windows\system32\drivers\nav\1206000.01d\symtdi.sys

2011-08-01 01:22:55 340088 ----a-r- c:\windows\system32\drivers\nav\1206000.01d\SymDS.sys

2011-08-01 01:22:55 331384 ----a-r- c:\windows\system32\drivers\nav\1206000.01d\symtdiv.sys

2011-08-01 01:22:55 296568 ----a-r- c:\windows\system32\drivers\nav\1206000.01d\symnets.sys

2011-08-01 01:22:55 136312 ----a-r- c:\windows\system32\drivers\nav\1206000.01d\Ironx86.sys

2011-08-01 01:22:45 -------- d-----w- c:\windows\system32\drivers\nav\1206000.01D

2011-08-01 01:22:45 -------- d-----w- c:\windows\system32\drivers\NAV

2011-08-01 01:22:44 -------- d-----w- c:\program files\Norton AntiVirus

2011-08-01 01:14:52 -------- d-----w- c:\documents and settings\all users\application data\PCSettings

2011-08-01 01:14:42 -------- d-----w- c:\program files\NortonInstaller

2011-08-01 01:14:42 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller

2011-08-01 01:10:55 -------- d-----w- c:\documents and settings\all users\application data\Norton

2011-07-31 23:08:25 -------- d-----w- c:\program files\CCleaner

2011-07-31 22:53:49 -------- d-----w- c:\documents and settings\jim damato\application data\Malwarebytes

2011-07-31 22:53:40 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-31 22:53:39 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-07-31 22:53:35 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-31 22:53:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-27 02:29:09 -------- d-----w- c:\program files\iTunes

2011-07-27 02:18:09 -------- d-----w- c:\program files\Bonjour

2011-07-25 08:55:22 358400 ----a-w- c:\windows\system32\atrace32.dll

2011-07-12 15:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-07-12 15:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll

.

==================== Find3M ====================

.

2011-08-01 01:23:01 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL

2011-08-01 01:23:01 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-06-02 14:07:35 1867904 ----a-w- c:\windows\system32\win32k.sys

2011-05-10 12:06:08 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll

2011-05-10 12:06:08 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys

.

============= FINISH: 10:10:35.09 ===============

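The "Created Last 30" listing above is where the infection first shows itself if you read it as a timeline rather than a file list. The following is an added example (mine, not part of the thread and not a DDS feature): it parses the lines exactly as DDS printed them, groups them into bursts by creation time (a 30-minute gap is my assumption), and reports binaries written into c:\windows or system32 with no new Program Files folder in the same burst, plus hidden files outside c:\windows. The attribute layout (index 3 of the 8-character string is the hidden flag) is inferred from the log's own lines `d-sha-r-` and `---ha-w-`, not from any documented format. The sample input is a constructed subset of the lines in the log above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the "Created Last 30" lines from the DDS log above,
# one entry per line in the form DDS prints them.
SAMPLE_LOG = r"""
2011-08-04 13:41:06 0 ---ha-w- c:\documents and settings\jim damato\cnqqlobbuq.tmp
2011-08-04 03:53:54 -------- d-sha-r- C:\cmdcons
2011-08-04 03:51:49 98816 ----a-w- c:\windows\sed.exe
2011-08-04 03:51:49 208896 ----a-w- c:\windows\MBR.exe
2011-08-01 01:22:55 744568 ----a-r- c:\windows\system32\drivers\nav\1206000.01d\SymEFA.sys
2011-08-01 01:22:44 -------- d-----w- c:\program files\Norton AntiVirus
2011-07-31 22:53:40 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-31 22:53:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-27 02:29:09 -------- d-----w- c:\program files\iTunes
2011-07-25 08:55:22 358400 ----a-w- c:\windows\system32\atrace32.dll
2011-07-12 15:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
"""

# <date> <time> <size, or 8 dashes for a directory> <8-char attributes> <path>
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+|-{8}) ([-a-z]{8}) (.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".ocx", ".scr")
# Directories where a freshly written binary deserves a second look.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\", "c:\\windows\\system32\\drivers\\")
PROGRAM_FILES = "c:\\program files\\"


def parse_created_lines(text):
    """Turn DDS 'Created Last 30' lines into dicts, oldest first."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        when, size, attrs, path = m.groups()
        entries.append({
            "when": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "size": None if size.startswith("-") else int(size),
            "is_dir": attrs[0] == "d",
            # Attribute layout inferred from the log's own lines ("d-sha-r-" for a
            # system+hidden directory, "---ha-w-" for a hidden file): index 3 is the
            # hidden flag. This is an assumption about DDS output, not a documented format.
            "hidden": attrs[3] == "h",
            "path": path.lower(),
        })
    return sorted(entries, key=lambda e: e["when"])


def cluster_by_time(entries, gap=timedelta(minutes=30)):
    """Group entries whose creation times lie within `gap` of their neighbour.
    A product install writes dozens of files in one burst; a dropper writes one file."""
    clusters, current = [], []
    for e in entries:
        if current and e["when"] - current[-1]["when"] > gap:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    return clusters


def is_system_executable(e):
    """True for a file with an executable extension sitting directly in a system directory."""
    if e["is_dir"] or not e["path"].endswith(EXEC_EXT):
        return False
    parent = e["path"].rsplit("\\", 1)[0] + "\\"
    return parent in SYSTEM_DIRS


def triage(text, gap=timedelta(minutes=30)):
    """Return (path, reason) pairs for entries that do not look like a normal install."""
    findings = []
    for cluster in cluster_by_time(parse_created_lines(text), gap):
        # A new folder under Program Files in the same burst is the usual footprint of a
        # legitimate installer; a binary landing in a system directory without one is
        # what a dropper leaves behind.
        has_install_dir = any(e["is_dir"] and e["path"].startswith(PROGRAM_FILES) for e in cluster)
        for e in cluster:
            if is_system_executable(e) and not has_install_dir:
                findings.append((e["path"], "binary written to a system directory, no install folder in the same burst"))
            elif e["hidden"] and not e["is_dir"] and not e["path"].startswith("c:\\windows\\"):
                findings.append((e["path"], "hidden file outside c:\\windows"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{path}\n    {reason}")
```

Run as-is it prints the findings for the sample; hand `triage()` the full listing for a real log. It surfaces candidates, not verdicts: besides atrace32.dll and the hidden cnqqlobbuq.tmp (the two items the thread goes on to remove), it also lists the dns-sd.exe/dnssd.dll pair from 2011-07-12 (Apple Bonjour components) and the sed.exe/MBR.exe that a ComboFix run itself places in c:\windows. Those are cleared by checking signatures and by knowing what you ran yourself, which is exactly the step the thread takes next with VirusTotal; the Norton and Malwarebytes driver installs pass because each arrives alongside its own Program Files folder.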

Hello,

Here is the log from VirusTotal and the file attached.

File name:

atrace32.dll

Submission date:

2011-08-04 20:59:17 (UTC)

Current status:

finished

Result:

26/ 43 (60.5%)

VT Community

not reviewed

Safety score: -

Compact

Print results

Antivirus Version Last Update Result

AhnLab-V3 2011.08.04.01 2011.08.04 Trojan/Win32.BHO

AntiVir 7.11.12.216 2011.08.04 TR/Kazy.32028.3

Antiy-AVL 2.0.3.7 2011.08.04 -

Avast 4.8.1351.0 2011.08.04 Win32:Malware-gen

Avast5 5.0.677.0 2011.08.04 Win32:Malware-gen

AVG 10.0.0.1190 2011.08.04 Downloader.Generic11.BKNM

BitDefender 7.2 2011.08.04 Gen:Variant.Kazy.32028

CAT-QuickHeal 11.00 2011.08.04 -

ClamAV 0.97.0.0 2011.08.04 -

Commtouch 5.3.2.6 2011.08.04 -

Comodo 9630 2011.08.04 -

DrWeb 5.0.2.03300 2011.08.04 -

Emsisoft 5.1.0.8 2011.08.04 Trojan-Downloader.Win32.Tracur!IK

eSafe 7.0.17.0 2011.08.04 -

eTrust-Vet 36.1.8484 2011.08.04 -

F-Prot 4.6.2.117 2011.08.04 -

F-Secure 9.0.16440.0 2011.08.04 Gen:Variant.Kazy.32028

Fortinet 4.2.257.0 2011.08.04 W32/Tracur.C!tr

GData 22 2011.08.04 Gen:Variant.Kazy.32028

Ikarus T3.1.1.104.0 2011.08.04 Trojan-Downloader.Win32.Tracur

Jiangmin 13.0.900 2011.08.04 Trojan/BHO.pep

K7AntiVirus 9.109.4973 2011.08.02 Riskware

Kaspersky 9.0.0.837 2011.08.04 Trojan.Win32.BHO.bpda

McAfee 5.400.0.1158 2011.08.04 Generic.bfr!cj

McAfee-GW-Edition 2010.1D 2011.08.04 Generic.bfr!cj

Microsoft 1.7104 2011.08.04 TrojanDownloader:Win32/Tracur.Q

NOD32 6351 2011.08.04 -

Norman 6.07.10 2011.08.04 -

nProtect 2011-08-04.01 2011.08.04 Gen:Variant.Kazy.32028

Panda 10.0.3.5 2011.08.04 Generic Trojan

PCTools 8.0.0.5 2011.08.04 -

Prevx 3.0 2011.08.04 Medium Risk Malware

Rising 23.69.03.03 2011.08.04 -

Sophos 4.67.0 2011.08.04 Mal/Tracur-C

SUPERAntiSpyware 4.40.0.1006 2011.08.04 -

Symantec 20111.2.0.82 2011.08.04 WS.Reputation.1

TheHacker 6.7.0.1.270 2011.08.04 Trojan/BHO.bpda

TrendMicro 9.200.0.1012 2011.08.04 TROJ_GEN.R47C2GS

TrendMicro-HouseCall 9.200.0.1012 2011.08.04 TROJ_GEN.R47C2GS

VBA32 3.12.16.4 2011.08.04 -

VIPRE 10066 2011.08.04 Trojan.Win32.Generic!BT

ViRobot 2011.8.4.4605 2011.08.04 -

VirusBuster 14.0.152.1 2011.08.04 -

Additional information

MD5 : 9f1f68c03b0b8fd8c6571de6db735fc1

SHA1 : f511e62521f1ff8e1e5150ffbf76a1865017cdcc

SHA256: ebe813030eabbe40e363916ad6b6e6d6cb03bfb66d01657ffb38a661ca790fcc

ssdeep: 6144:vg+VGkrY5h5tcbpDuQf4k1sZ8CeEmFeKWkd4RAJlwG:4Cx8htwh74k1sheEmFeHAJlw

File size : 358400 bytes

First seen: 2011-07-25 02:31:42

Last seen : 2011-08-04 20:59:17

TrID:

Win32 Executable Generic (42.3%)

Win32 Dynamic Link Library (generic) (37.6%)

Generic Win/DOS Executable (9.9%)

DOS Executable Generic (9.9%)

VXD Driver (0.1%)

sigcheck:

publisher....:

copyright....: Copyright © 2006 CrypKey (Canada) Inc.

product......: Network License Configuration

description..: Network License Configuration DLL

original name: CKConfig.DLL

internal name: CKConfig

file version.: 1, 0, 0, 4

comments.....:

signers......: -

signing date.: -

verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x7E7B

timedatestamp....: 0x49FC537E (Sat May 02 14:06:54 2009)

machinetype......: 0x14c (I386)

[[ 8 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

.text, 0x1000, 0x9000, 0x8A00, 6.54, a206684115911956bb6570e3fcc69491

.data, 0xA000, 0x23000, 0x22C00, 7.46, 61db00566c6aaa25b8da3c70932e7e4a

.rdata, 0x2D000, 0x28000, 0x27200, 7.51, e7428497ff1929fcc5db690dd77bf813

.bss, 0x55000, 0x33000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e

.edata, 0x88000, 0x1000, 0x200, 3.32, cdff190b2b29f4c321ebf2edb52541b2

.idata, 0x89000, 0x1000, 0x600, 5.20, f7f68eb528d523e4180aadb3efc368ac

.rsrc, 0x8A000, 0x4000, 0x4000, 3.83, 96609a117e987a0aa8637c63befb11a0

.reloc, 0x8E000, 0x2F7, 0x400, 5.05, 2dc491d0b1e0b5985ea94eca115df3e6

[[ 7 import(s) ]]

ADVAPI32.dll: CryptGetKeyParam, CryptReleaseContext, EnumServicesStatusW, AbortSystemShutdownA

KERNEL32.dll: GetModuleHandleA, GetFileTime, InterlockedExchange, LoadLibraryA, VirtualAlloc, VirtualFree, GetCurrentProcessId, ExitProcess, GetProcAddress

USER32.dll: WaitForInputIdle, WINNLSGetIMEHotkey, SendMessageCallbackW, IsCharUpperA, GetKeyboardLayoutNameW, ChangeDisplaySettingsExW, CharToOemA, CharUpperBuffA, CloseClipboard, RegisterClassExW, EnumDesktopsA, GetKeyboardLayout, GetClipboardOwner, GetClipboardFormatNameA

MSVCRT.dll: exit, fprintf, strpbrk, __p__commode

ole32.dll: IsEqualGUID, CreateAntiMoniker, CoTaskMemAlloc, CoFileTimeNow, IsValidPtrIn

COMCTL32.dll: ImageList_Remove, ImageList_DrawEx

SETUPAPI.dll: SetupRemoveSectionFromDiskSpaceListW, SetupQueueRenameSectionA, SetupFindFirstLineW, SetupGetSourceFileSizeA, SetupScanFileQueueW

[[ 8 export(s) ]]

AXlXLaCTfmcpgOheAno, NXSytiqlppxbr, XcypqoqlnYzoUYtholcax, bavyeLgbecDRpsn, dZjwlwjmVyjbDQe, eIKrrisjwIFlHWwHdW, rWtjzPhziqoztuQ, sisPnngyyZbsyWkiyko

Prevx Info:

http://info.prevx.com/aboutprogramtext.asp?PX5=96B62C7C00104C53788E05FCF0381B00BFEB6338

ExifTool:

file metadata

CharacterSet: Unicode

CodeSize: 36864

Comments:

CompanyName:

EntryPoint: 0x7e7b

FileDescription: Network License Configuration DLL

FileFlagsMask: 0x003f

FileOS: Win32

FileSize: 350 kB

FileSubtype: 0

FileType: Win32 DLL

FileVersion: 1, 0, 0, 4

FileVersionNumber: 1.0.0.4

ImageVersion: 1.0

InitializedDataSize: 369664

InternalName: CKConfig

LanguageCode: English (U.S.)

LegalCopyright: Copyright © 2006 CrypKey (Canada) Inc.

LegalTrademarks:

LinkerVersion: 2.38

MIMEType: application/octet-stream

MachineType: Intel 386 or later, and compatibles

OSVersion: 4.0

ObjectFileType: Dynamic link library

OriginalFilename: CKConfig.DLL

PEType: PE32

PrivateBuild:

ProductName: Network License Configuration

ProductVersion: 1, 0, 0, 4

ProductVersionNumber: 1.0.0.4

SpecialBuild:

Subsystem: Windows GUI

SubsystemVersion: 4.0

TimeStamp: 2009:05:02 16:06:54+02:00

UninitializedDataSize: 208896

atrace32.zip

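What the VirusTotal report above says about atrace32.dll can be read off mechanically, and the detection names (BHO, Tracur, "Kazy" generic) are the least interesting part of it. The following is an added example (mine, not the thread's and not a VirusTotal feature): it takes the sigcheck block, the section table and the export list as printed above and turns them into three indicators: a version resource that names a different file (CKConfig.DLL, CrypKey copyright) than the one on disk, with no Authenticode signature; large sections with entropy above about 7.2 (.data and .rdata here), which is what packed or encrypted content looks like; and an export table of random-looking names with none of the entry points a COM in-process server, which is what a browser helper object is, would normally expose. The entropy and consonant-run thresholds are my choices, and the parsers assume the field layout exactly as VT printed it in this report.

```python
# Constructed input: the fields copied from the VirusTotal report above. The parsers
# follow the layout VT printed there (an observation from this one report, not a spec).
ON_DISK_NAME = "atrace32.dll"

SIGCHECK = """\
publisher....:
copyright....: Copyright © 2006 CrypKey (Canada) Inc.
product......: Network License Configuration
description..: Network License Configuration DLL
original name: CKConfig.DLL
internal name: CKConfig
file version.: 1, 0, 0, 4
signers......: -
verified.....: Unsigned
"""

SECTIONS = """\
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x9000, 0x8A00, 6.54, a206684115911956bb6570e3fcc69491
.data, 0xA000, 0x23000, 0x22C00, 7.46, 61db00566c6aaa25b8da3c70932e7e4a
.rdata, 0x2D000, 0x28000, 0x27200, 7.51, e7428497ff1929fcc5db690dd77bf813
.bss, 0x55000, 0x33000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
.edata, 0x88000, 0x1000, 0x200, 3.32, cdff190b2b29f4c321ebf2edb52541b2
.idata, 0x89000, 0x1000, 0x600, 5.20, f7f68eb528d523e4180aadb3efc368ac
.rsrc, 0x8A000, 0x4000, 0x4000, 3.83, 96609a117e987a0aa8637c63befb11a0
.reloc, 0x8E000, 0x2F7, 0x400, 5.05, 2dc491d0b1e0b5985ea94eca115df3e6
"""

EXPORTS = ("AXlXLaCTfmcpgOheAno, NXSytiqlppxbr, XcypqoqlnYzoUYtholcax, bavyeLgbecDRpsn, "
           "dZjwlwjmVyjbDQe, eIKrrisjwIFlHWwHdW, rWtjzPhziqoztuQ, sisPnngyyZbsyWkiyko")

# Standard entry points of a COM in-process server (a BHO is one); DllGetClassObject
# is mandatory for COM to instantiate anything from the DLL at all.
COM_ENTRY_POINTS = {"DllGetClassObject", "DllCanUnloadNow", "DllRegisterServer", "DllUnregisterServer"}
VOWELS = set("aeiou")


def parse_sigcheck(text):
    """'original name: CKConfig.DLL' -> {'original name': 'CKConfig.DLL'}; dot padding stripped."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.rstrip(".").strip()] = value.strip()
    return info


def parse_sections(text):
    """Rows of the VT section table with hex sizes converted to integers."""
    rows = []
    for line in text.strip().splitlines()[1:]:          # skip the header row
        name, _viradd, virsiz, rawdsiz, entropy, md5 = [f.strip() for f in line.split(",")]
        rows.append({"name": name, "virt_size": int(virsiz, 16),
                     "raw_size": int(rawdsiz, 16), "entropy": float(entropy), "md5": md5})
    return rows


def high_entropy_sections(rows, min_raw=64 * 1024, threshold=7.2):
    """Shannon entropy is capped at 8 bits per byte. Compiled x86 code lands around
    6 to 6.6 and ordinary data lower still, so a large section above ~7.2 holds
    compressed or encrypted bytes: a packed payload unpacked at run time."""
    return [r["name"] for r in rows if r["raw_size"] >= min_raw and r["entropy"] >= threshold]


def looks_random(name, max_consonant_run=5):
    """Heuristic: API names are built from English words and abbreviations and rarely
    string five or more consonants together (y counted as a consonant)."""
    run = longest = 0
    for ch in name:
        if ch.isalpha() and ch.lower() not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return longest >= max_consonant_run


def assess_exports(export_line):
    names = [n.strip() for n in export_line.split(",") if n.strip()]
    return {"total": len(names),
            "random": sum(looks_random(n) for n in names),
            "com_entry_points": sorted(COM_ENTRY_POINTS & set(names))}


def version_info_findings(info, on_disk_name):
    findings = []
    original = info.get("original name", "")
    if original and original.lower() != on_disk_name.lower():
        findings.append(f"version resource says {original}, file on disk is {on_disk_name}")
    if info.get("verified", "").lower() != "signed":
        findings.append(f"no valid Authenticode signature (verified: {info.get('verified', '?')})")
    return findings


def triage(sigcheck_text, sections_text, export_line, on_disk_name):
    """Collect the three indicators and count how many fired."""
    report = {
        "version_info": version_info_findings(parse_sigcheck(sigcheck_text), on_disk_name),
        "packed_sections": high_entropy_sections(parse_sections(sections_text)),
        "exports": assess_exports(export_line),
    }
    ex = report["exports"]
    majority_random = ex["total"] > 0 and ex["random"] * 2 >= ex["total"]
    report["indicators"] = int(bool(report["version_info"])) + int(bool(report["packed_sections"])) + int(majority_random)
    return report


if __name__ == "__main__":
    for key, value in triage(SIGCHECK, SECTIONS, EXPORTS, ON_DISK_NAME).items():
        print(f"{key}: {value}")
```

No single indicator is conclusive on its own: acronym-heavy API names such as WINNLSGetIMEHotkey (one of the imports listed above) trip the consonant-run test, and legitimately packed installers have high-entropy sections too. All three together on an unsigned DLL in system32 whose metadata belongs to some other product is the picture the staff reply that follows acts on with its `Collect::` and `Registry::` lines.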

  • Staff

You did. My mistake. :)

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://forums.malwarebytes.org/index.php?showtopic=91288
Collect::
c:\windows\system32\atrace32.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03B1B461-E0AE-4066-89FF-FDFEF462F881}]

Save this as CFScript.txt

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.


Latest ComboFix log....

ComboFix 11-08-04.02 - Jim Damato 08/04/2011 17:41:49.3.4 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1911.991 [GMT -4:00]

Running from: c:\documents and settings\Jim Damato\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Jim Damato\Desktop\CFScript.txt

AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

.

file zipped: c:\windows\system32\atrace32.dll

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{3aa32472-b5b5-43b8-bd01-643bd4c6a21f}

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{3aa32472-b5b5-43b8-bd01-643bd4c6a21f}\chrome.manifest

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{3aa32472-b5b5-43b8-bd01-643bd4c6a21f}\chrome\xulcache.jar

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{3aa32472-b5b5-43b8-bd01-643bd4c6a21f}\defaults\preferences\xulcache.js

c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{3aa32472-b5b5-43b8-bd01-643bd4c6a21f}\install.rdf

c:\documents and settings\Jim Damato\cnqqlobbuq.tmp

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{3aa32472-b5b5-43b8-bd01-643bd4c6a21f}

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{3aa32472-b5b5-43b8-bd01-643bd4c6a21f}\chrome.manifest

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{3aa32472-b5b5-43b8-bd01-643bd4c6a21f}\chrome\xulcache.jar

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{3aa32472-b5b5-43b8-bd01-643bd4c6a21f}\defaults\preferences\xulcache.js

c:\documents and settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{3aa32472-b5b5-43b8-bd01-643bd4c6a21f}\install.rdf

c:\windows\system32\atrace32.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-07-04 to 2011-08-04 )))))))))))))))))))))))))))))))

.

.

2011-08-01 01:22 . 2011-08-01 01:22 -------- d-----w- c:\windows\system32\drivers\NAV

2011-08-01 01:22 . 2011-08-01 01:22 -------- d-----w- c:\program files\Norton AntiVirus

2011-08-01 01:22 . 2011-08-01 01:22 -------- d-----w- c:\program files\Windows Sidebar

2011-08-01 01:14 . 2011-08-01 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings

2011-08-01 01:14 . 2011-08-01 01:14 -------- d-----w- c:\program files\NortonInstaller

2011-08-01 01:10 . 2011-08-01 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2011-07-31 23:08 . 2011-07-31 23:08 -------- d-----w- c:\program files\CCleaner

2011-07-31 22:53 . 2011-07-31 22:53 -------- d-----w- c:\documents and settings\Jim Damato\Application Data\Malwarebytes

2011-07-31 22:53 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-31 22:53 . 2011-07-31 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-07-31 22:53 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-31 22:53 . 2011-07-31 22:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-27 02:29 . 2011-07-27 02:30 -------- d-----w- c:\program files\iTunes

2011-07-27 02:18 . 2011-07-27 02:18 -------- d-----w- c:\program files\Bonjour

2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-04 21:17 . 2011-08-04 21:17 314105 ----a-w- c:\windows\system32\atrace32.zip

2011-08-01 01:23 . 2010-05-07 16:27 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL

2011-08-01 01:23 . 2010-05-07 16:27 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-06-02 14:07 . 2008-04-25 16:16 1867904 ----a-w- c:\windows\system32\win32k.sys

2011-05-10 12:06 . 2010-08-14 17:07 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll

2011-05-10 12:06 . 2010-08-14 17:07 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2010-05-12 20:42 . 2010-05-12 20:42 124344 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll

2010-05-12 21:22 . 2010-05-12 21:22 13240 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2010-05-12 20:43 . 2010-05-12 20:43 70592 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2010-05-12 20:42 . 2010-05-12 20:42 91576 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2010-05-12 20:42 . 2010-05-12 20:42 22464 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2010-05-12 20:41 . 2010-05-12 20:41 255416 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2010-05-12 20:42 . 2010-05-12 20:42 31160 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2010-05-12 20:42 . 2010-05-12 20:42 40384 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2010-04-14 17:55 . 2010-04-14 17:55 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2010-05-12 20:43 . 2010-05-12 20:43 24000 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

2011-07-08 07:16 . 2011-05-18 01:46 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-08-04_13.36.54 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-04-25 16:16 . 2011-08-04 13:18 577964 c:\windows\system32\perfh009.dat

+ 2008-04-25 16:16 . 2011-08-04 13:53 577964 c:\windows\system32\perfh009.dat

+ 2008-04-25 16:16 . 2011-08-04 13:53 114712 c:\windows\system32\perfc009.dat

- 2008-04-25 16:16 . 2011-08-04 13:18 114712 c:\windows\system32\perfc009.dat

+ 2011-04-26 00:23 . 2011-08-04 21:50 226109 c:\windows\system32\inetsrv\MetaBase.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-01-07 1602856]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-11 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-11 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-11 144920]

"MXO Auto Loader"="c:\windows\MXOALDR.EXE" [2003-04-07 118784]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]

"Norton Ghost 9.0"="c:\program files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe" [2004-07-29 1122304]

"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-05-12 300472]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]

.

c:\documents and settings\Jim Damato\Start Menu\Programs\Startup\

EvernoteClipper.lnk - c:\program files\Evernote\Evernote\EvernoteClipper.exe [2011-6-28 974848]

Norton System Doctor.lnk - c:\program files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE [2004-8-30 83040]

Task Manager.lnk - c:\windows\system32\taskmgr.exe [2008-4-25 135680]

.

c:\documents and settings\JimAdmin\Start Menu\Programs\Startup\

Task Manager.lnk - c:\windows\system32\taskmgr.exe [2008-4-25 135680]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Jim Damato^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\Jim Damato\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AESTFltr]

2008-12-17 05:41 729088 ----a-w- c:\windows\system32\AESTFltr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeFallProtection]

2009-07-22 12:52 2384896 ----a-w- c:\program files\STMicroelectronics\Accelerometer\FF_Protection.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

2008-10-24 14:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-07-19 22:29 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 9500 Series Fax Server]

2010-02-10 09:21 311976 ----a-w- c:\program files\Lexmark 9500 Series\fm3032.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdoamon]

2010-02-10 09:22 25256 ----a-w- c:\program files\Lexmark 9500 Series\lxdoamon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdomon.exe]

2010-02-10 09:22 455336 ----a-w- c:\program files\Lexmark 9500 Series\lxdomon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]

2009-07-08 17:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]

2009-12-14 13:28 495711 ----a-w- c:\program files\IDT\WDM\sttray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"JavaQuickStarterService"=2 (0x2)

"Bonjour Service"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\WINDOWS\\system32\\lxdocoms.exe"=

"c:\\Program Files\\Lexmark 9500 Series\\lxdomon.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdopswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdojswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdotime.exe"=

"c:\\Program Files\\Eclipse\\eclipse.exe"=

"c:\\Apache2\\bin\\httpd.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [7/29/2004 3:33 AM 138780]

R0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\drivers\stdflt.sys [4/22/2010 6:39 AM 16176]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1206000.01D\SymDS.sys [7/31/2011 9:22 PM 340088]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1206000.01D\SymEFA.sys [7/31/2011 9:22 PM 744568]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.6.0.29\Definitions\BASHDefs\20110723.001\BHDrvx86.sys [7/23/2011 12:32 AM 815736]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [4/16/2010 4:22 PM 65584]

R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [7/29/2004 4:13 AM 46779]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1206000.01D\Ironx86.sys [7/31/2011 9:22 PM 136312]

R2 Apache2.2;Apache2.2;c:\apache2\bin\httpd.exe [6/5/2011 1:00 AM 18432]

R2 lxdo_device;lxdo_device;c:\windows\system32\lxdocoms.exe -service --> c:\windows\system32\lxdocoms.exe -service [?]

R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe [7/31/2011 9:22 PM 130008]

R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Acceler.sys [4/22/2010 6:39 AM 41648]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [4/22/2010 9:21 AM 112512]

R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [4/22/2010 6:47 AM 134144]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [4/22/2010 6:47 AM 143968]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/31/2011 9:23 PM 105592]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.6.0.29\Definitions\IPSDefs\20110803.030\IDSXpx86.sys [8/3/2011 7:18 PM 355256]

R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [4/22/2010 9:22 AM 215040]

S?2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 InstallFilterService;FF Install Filter Service;c:\program files\STMicroelectronics\Accelerometer\InstallFilterService.exe [4/22/2010 6:39 AM 60928]

S2 lxdoCATSCustConnectService;lxdoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdoserv.exe [7/8/2010 9:00 AM 94208]

S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

S3 CFcatchme;CFcatchme;\??\c:\docume~1\JIMDAM~1\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\JIMDAM~1\LOCALS~1\Temp\CFcatchme.sys [?]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [4/22/2010 9:22 AM 171520]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 12:16 PM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]

.

2011-07-25 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job

- c:\program files\Norton SystemWorks\OBC.exe [2004-11-04 05:19]

.

2011-08-03 c:\windows\Tasks\Symantec Drmc.job

- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2004-10-27 18:48]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\Evernote\Evernote\EvernoteIE.dll/204

Trusted Zone: microsoft.com\*.update

Trusted Zone: windowsupdate.com\download

TCP: DhcpNameServer = 192.168.1.1 71.252.0.12

FF - ProfilePath - c:\documents and settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-04 17:52

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]

"ImagePath"="c:\mysql\bin\mysqld MySQL"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(4820)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\drivers\audio\r256076\wdm\stacsv.exe

c:\program files\Citrix\ICA Client\wfcrun32.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\System32\GEARSec.exe

c:\windows\system32\inetsrv\inetinfo.exe

c:\windows\system32\lxdocoms.exe

c:\mysql\bin\mysqld.exe

c:\program files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\progra~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\SearchProtocolHost.exe

c:\windows\system32\SearchFilterHost.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\imapi.exe

.

**************************************************************************

.

Completion time: 2011-08-04 17:53:12 - machine was rebooted

ComboFix-quarantined-files.txt 2011-08-04 21:53

.

Pre-Run: 179,850,891,264 bytes free

Post-Run: 179,840,217,088 bytes free

.

- - End Of File - - 277D28599CDE03522EE3A886650DAABE

Upload was successful


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


screen317,

Thank you kindly for your help with my virus infection. I will be purchasing a copy of MBAM in appreciation.

My follow-up question is this, what virus/trojan/etc did I actually have? I'd like to research it and make sure that it wasn't key logging or anything like that. I want to ensure my passwords are all safe and no ports are left open on my system, etc.

Thanks again for all your help.

-Jim


Wow. Adobe. So a PDF I've previously opened is infected?

And am I correct in believing that there is no keylogger here? This trojan wasn't concerned with my passwords or other data? All it did was redirect my Google search results?

I purchased my copy of MBAM: Your cleverbridge reference number:

Edited by shadowwar
removed cleverbridge partial #

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.17098 (vista_gdr.110420-1745)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=383e2b1fc5cb0d46ab048b1ca933fc6c

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-08-05 01:05:48

# local_time=2011-08-04 09:05:48 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=3584 16777191 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=259468

# found=35

# cleaned=35

# scan_time=10518

C:\Qoobox\Quarantine\C\Documents and Settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{2e5ecefb-dc82-4bac-833e-7ffb1b956bf0}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{30aeb37b-0bc9-45d3-a632-e95e339e2d7e}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{3aa32472-b5b5-43b8-bd01-643bd4c6a21f}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{58b8679b-2f96-410a-abb1-a12d0adb9008}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{61da3880-26c5-480b-8504-7eb435bf8749}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{66ab0158-4140-47a1-843e-5715d40bc82e}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{a222c640-702e-45e9-80bb-01f577f6d435}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\Jim Damato\Application Data\Mozilla\Firefox\Profiles\ctk4i731.default\extensions\{a625bc76-7205-4bcb-b7c9-1ca5f579cfba}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{2e5ecefb-dc82-4bac-833e-7ffb1b956bf0}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{30aeb37b-0bc9-45d3-a632-e95e339e2d7e}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{3aa32472-b5b5-43b8-bd01-643bd4c6a21f}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{58b8679b-2f96-410a-abb1-a12d0adb9008}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{61da3880-26c5-480b-8504-7eb435bf8749}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{66ab0158-4140-47a1-843e-5715d40bc82e}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{a222c640-702e-45e9-80bb-01f577f6d435}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\JimAdmin\Application Data\Mozilla\Firefox\Profiles\bs8rwtge.default\extensions\{a625bc76-7205-4bcb-b7c9-1ca5f579cfba}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP326\A0060915.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP326\A0060916.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP328\A0061196.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP331\A0062959.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP333\A0076278.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP333\A0076279.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP333\A0076280.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP333\A0076281.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP333\A0076282.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP333\A0076283.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP333\A0076284.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP333\A0076285.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP333\A0076286.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP333\A0076287.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP333\A0076288.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP333\A0076289.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP333\A0076383.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP334\A0076427.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP334\A0076428.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

# version=7

# iexplore.exe=7.00.6000.17098 (vista_gdr.110420-1745)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=383e2b1fc5cb0d46ab048b1ca933fc6c

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-08-05 03:43:56

# local_time=2011-08-05 11:43:56 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=3584 16777175 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=140305

# found=0

# cleaned=0

# scan_time=5790

# version=7

# iexplore.exe=7.00.6000.17098 (vista_gdr.110420-1745)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=383e2b1fc5cb0d46ab048b1ca933fc6c

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-08-10 01:35:03

# local_time=2011-08-09 09:35:03 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=3584 16777175 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 352702 352702 0 0

# scanned=143728

# found=0

# cleaned=0

# scan_time=5498

==============================================================

==============================================================

==============================================================

Results of screen317's Security Check version 0.99.18

Windows XP Service Pack 3

Internet Explorer 7 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

Norton AntiVirus

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

MVPS Hosts File

Malwarebytes' Anti-Malware

CCleaner

Java 6 Update 26

Adobe Flash Player 10.3.181.34

Mozilla Firefox (x86 en-US..)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Norton ccSvcHst.exe

Malwarebytes' Anti-Malware mbamservice.exe

Malwarebytes' Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbam.exe

``````````End of Log````````````

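Every path in the first ESET log above sits either under C:\Qoobox\Quarantine (ComboFix's quarantine folder) or inside a System Restore point, that is, copies that had already been moved out of their live locations; none of the 35 detections is a file still sitting in a Firefox profile. The following parser is an added example, not ESET's or the forum's own tool: it reads the ESET Online Scanner log format posted in this thread, splits each detection line into path, threat name, action and hash, classifies where each file lives, and cross-checks the `# found=` / `# cleaned=` header counts against the lines. The sample log is constructed and modelled on the posted one; the user name, profile name and GUIDs in it are placeholders, while the threat name is the one from the thread.

```python
"""Parse an ESET Online Scanner log and classify where each detection lives.

Added example for the thread above; not ESET's or the forum's own code.
The SAMPLE_LOG is constructed (placeholder user, profile and GUIDs),
modelled on the log posted in the thread.
"""
import re
from collections import Counter

# Constructed sample: ESET header lines, then one detection line per file.
SAMPLE_LOG = r"""# version=7
# end=finished
# remove_checked=true
# scanned=1234
# found=4
# cleaned=4
C:\Qoobox\Quarantine\C\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\extensions\{11111111-2222-3333-4444-555555555555}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\extensions\{66666666-7777-8888-9999-000000000000}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\RP1\A0000001.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\extensions\{66666666-7777-8888-9999-000000000000}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# Detection line layout as seen in the posted log:
#   <path with spaces> <threat> <kind> (<action>) <32 hex hash> <flag>
# The path is matched lazily; the "(" of the action anchors the split.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<threat>\S+) (?P<kind>\S+) "
    r"\((?P<action>[^)]*)\) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$"
)

# Quarantine and restore-point paths hold copies already removed from
# their live locations; anything else deserves a closer look.
INACTIVE = ("combofix-quarantine", "restore-point")


def classify_location(path: str) -> str:
    """Bucket a detection path by where on the disk it lives."""
    p = path.lower()
    if p.startswith(r"c:\qoobox\quarantine"):
        return "combofix-quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore-point"
    if "\\mozilla\\firefox\\profiles\\" in p and "\\extensions\\" in p:
        return "firefox-extension"
    return "other"


def parse_eset_log(text: str):
    """Return (headers, detections). Header keys map to lists because
    ESET repeats some keys (e.g. compatibility_mode)."""
    headers, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            headers.setdefault(key, []).append(value)
            continue
        m = DETECTION_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        d = m.groupdict()
        d["location"] = classify_location(d["path"])
        detections.append(d)
    return headers, detections


def summarize(headers, detections):
    """Count detections by threat and location and compare with the header."""
    cleaned = sum(1 for d in detections if d["action"].startswith("cleaned"))
    return {
        "found_header": int(headers.get("found", ["0"])[0]),
        "found_lines": len(detections),
        "cleaned_header": int(headers.get("cleaned", ["0"])[0]),
        "cleaned_lines": cleaned,
        "by_threat": dict(Counter(d["threat"] for d in detections)),
        "by_location": dict(Counter(d["location"] for d in detections)),
        "active_paths": [d["path"] for d in detections
                         if d["location"] not in INACTIVE],
    }


def header_matches_lines(summary) -> bool:
    """True when the # found / # cleaned counts agree with the body lines."""
    return (summary["found_header"] == summary["found_lines"]
            and summary["cleaned_header"] == summary["cleaned_lines"])


if __name__ == "__main__":
    hdr, dets = parse_eset_log(SAMPLE_LOG)
    summ = summarize(hdr, dets)
    for k, v in summ.items():
        print(f"{k}: {v}")
    print("header consistent:", header_matches_lines(summ))
```

Run against the real log from the thread, the `active_paths` list comes back empty and `by_location` shows only the quarantine and restore-point buckets, which is the practical reading of that scan: the remaining detections were remnants, and the two later scans reporting `# found=0` confirm nothing live was left. The regex assumes the action text contains no `)`, which holds for ESET's wording.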

  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

ESET Online Scanner v3

Restart your computer.

Get the latest version of Java, Adobe Reader, and Adobe Flash Player.

Next, please visit Windows Update and download all critical updates, including Internet Explorer 8.

Let me know if the update was successful and what issues remain.

-screen317


  • Staff

Great news!

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


  • 2 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
