
Last week I was infected by the Zentom Virus. After running ATF_cleaner, tdsskiller, gooredfix, malwarebytes and finally combofix, I was pretty sure I had "fixed" it myself. Sorry to report I was wrong. Now I can't connect to the server or any other computers in my office. I'm attaching the log from ComboFix.

Post-fix, I re-installed IE and then installed Norton 360 5.0. I also uninstalled ComboFix after I thought I was clean.

_______________________________________________________________________________

ComboFix 11-10-20.05 - Dan Levison 10/20/2011 17:01:54.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1425 [GMT -4:00]

Running from: c:\documents and settings\Dan Levison\Desktop\ComboFix.exe

AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Dan Levison\Application Data\283ED61EC718C978AEC6D2C8D9027CD0

c:\documents and settings\Dan Levison\Application Data\283ED61EC718C978AEC6D2C8D9027CD0\enemies-names.txt

c:\documents and settings\Dan Levison\Application Data\283ED61EC718C978AEC6D2C8D9027CD0\hookdll.dll

c:\documents and settings\Dan Levison\Application Data\283ED61EC718C978AEC6D2C8D9027CD0\local.ini

c:\documents and settings\Dan Levison\Application Data\283ED61EC718C978AEC6D2C8D9027CD0\lsrslt.ini

c:\documents and settings\Dan Levison\Application Data\283ED61EC718C978AEC6D2C8D9027CD0\senrmodk70.exe

c:\documents and settings\Dan Levison\Application Data\Adobe\plugs

c:\documents and settings\Dan Levison\Application Data\Adobe\shed

c:\documents and settings\Dan Levison\Application Data\OONtxA0uc2b3n5Q

c:\documents and settings\Dan Levison\Application Data\OONtxA0uc2b3n5Q\AV Protection Online.ico

c:\documents and settings\Dan Levison\Application Data\PYCwkUVlNx0c2b3

c:\documents and settings\Dan Levison\Application Data\PYCwkUVlNx0c2b3\AV Protection Online.ico

c:\documents and settings\Dan Levison\Local Settings\8000.PDF

c:\documents and settings\Dan Levison\Local Settings\Application Data\wsr20zt32.dll

c:\documents and settings\Dan Levison\Start Menu\Zentom System Guard.lnk

c:\documents and settings\Dan Levison\WINDOWS

C:\LOG12E4.tmp

c:\windows\$NtUninstallKB54889$

c:\windows\$NtUninstallKB54889$\2805584698

c:\windows\$NtUninstallKB54889$\3914153764\@

c:\windows\$NtUninstallKB54889$\3914153764\bckfg.tmp

c:\windows\$NtUninstallKB54889$\3914153764\cfg.ini

c:\windows\$NtUninstallKB54889$\3914153764\Desktop.ini

c:\windows\$NtUninstallKB54889$\3914153764\keywords

c:\windows\$NtUninstallKB54889$\3914153764\kwrd.dll

c:\windows\$NtUninstallKB54889$\3914153764\L\odetmngk

c:\windows\$NtUninstallKB54889$\3914153764\lsflt7.ver

c:\windows\$NtUninstallKB54889$\3914153764\U\00000001.@

c:\windows\$NtUninstallKB54889$\3914153764\U\00000002.@

c:\windows\$NtUninstallKB54889$\3914153764\U\80000000.@

c:\windows\$NtUninstallKB54889$\3914153764\U\80000032.@

c:\windows\iun6002.exe

c:\windows\system32\0.6399361527601348.exe

c:\windows\system32\ctfmon .exe

c:\windows\system32\d3d9caps.dat

.

Infected copy of c:\windows\explorer.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.

Infected copy of c:\windows\system32\clipsrv.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\clipsrv.exe

.

Infected copy of c:\windows\system32\accwiz.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\accwiz.exe

.

Infected copy of c:\windows\system32\alg.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\alg.exe

.

Infected copy of c:\windows\system32\calc.exe was found and disinfected

Restored copy from - c:\i386\calc.exe

.

Infected copy of c:\windows\system32\charmap.exe was found and disinfected

Restored copy from - c:\i386\charmap.exe

.

Infected copy of c:\windows\system32\cisvc.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\cisvc.exe

.

Infected copy of c:\windows\system32\cleanmgr.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\cleanmgr.exe

.

Infected copy of c:\windows\system32\cmd.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\cmd.exe

.

Infected copy of c:\windows\system32\dllhost.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\dllhost.exe

.

Infected copy of c:\windows\system32\dmadmin.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\dmadmin.exe

.

Infected copy of c:\windows\system32\freecell.exe was found and disinfected

Restored copy from - c:\i386\freecell.exe

.

Infected copy of c:\windows\system32\fxsclnt.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\fxsclnt.exe

.

Infected copy of c:\windows\system32\fxscover.exe was found and disinfected

Restored copy from - c:\windows\system32\dllcache\fxscover.exe

.

Infected copy of c:\windows\system32\fxssend.exe was found and disinfected

Restored copy from - c:\i386\fxssend.exe

.

Infected copy of c:\windows\system32\imapi.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\imapi.exe

.

Infected copy of c:\windows\system32\locator.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\locator.exe

.

Infected copy of c:\windows\system32\magnify.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\magnify.exe

.

Infected copy of c:\windows\system32\mnmsrvc.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\mnmsrvc.exe

.

Infected copy of c:\windows\system32\mobsync.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\mobsync.exe

.

Infected copy of c:\windows\system32\msdtc.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\msdtc.exe

.

Infected copy of c:\windows\system32\mshearts.exe was found and disinfected

Restored copy from - c:\i386\mshearts.exe

.

Infected copy of c:\windows\system32\msiexec.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\msiexec.exe

.

Infected copy of c:\windows\system32\mspaint.exe was found and disinfected

Restored copy from - c:\windows\system32\dllcache\mspaint.exe

.

Infected copy of c:\windows\system32\mstsc.exe was found and disinfected

Restored copy from - c:\windows\$NtUninstallKB2481109$\mstsc.exe

.

Infected copy of c:\windows\system32\narrator.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\narrator.exe

.

Infected copy of c:\windows\system32\netdde.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\netdde.exe

.

Infected copy of c:\windows\system32\notepad.exe was found and disinfected

Restored copy from - c:\windows\notepad.exe

.

Infected copy of c:\windows\system32\odbcad32.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\odbcad32.exe

.

Infected copy of c:\windows\system32\osk.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\osk.exe

.

Infected copy of c:\windows\system32\rcimlby.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\rcimlby.exe

.

Infected copy of c:\windows\system32\rsvp.exe was found and disinfected

Restored copy from - c:\i386\rsvp.exe

.

Infected copy of c:\windows\system32\scardsvr.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\scardsvr.exe

.

Infected copy of c:\windows\system32\sessmgr.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\sessmgr.exe

.

Infected copy of c:\windows\system32\smlogsvc.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\smlogsvc.exe

.

Infected copy of c:\windows\system32\sndrec32.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\sndrec32.exe

.

Infected copy of c:\windows\system32\sndvol32.exe was found and disinfected

Restored copy from - c:\i386\sndvol32.exe

.

Infected copy of c:\windows\system32\spider.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\spider.exe

.

Infected copy of c:\windows\system32\tcpsvcs.exe was found and disinfected

Restored copy from - c:\i386\tcpsvcs.exe

.

Infected copy of c:\windows\system32\tourstart.exe was found and disinfected

Restored copy from - c:\windows\$NtServicePackUninstall$\tourstart.exe

.

Infected copy of c:\windows\system32\vssvc.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\vssvc.exe

.

Infected copy of c:\windows\system32\wiaacmgr.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\wiaacmgr.exe

.

Infected copy of c:\windows\system32\wupdmgr.exe was found and disinfected

Restored copy from - c:\i386\wupdmgr.exe

.

Infected copy of c:\windows\system32\Restore\rstrui.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\rstrui.exe

.

Infected copy of c:\windows\system32\usmt\migwiz.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\migwiz.exe

.

Infected copy of c:\windows\system32\wbem\wmiapsrv.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\wmiapsrv.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-09-20 to 2011-10-20 )))))))))))))))))))))))))))))))

.

.

2011-10-20 20:03 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-20 19:54 . 2011-10-20 19:54 -------- d-----w- c:\documents and settings\Dan Levison\Application Data\hgTZqjYCe

2011-10-20 19:51 . 2011-10-20 19:51 -------- d-----w- c:\documents and settings\Dan Levison\Application Data\IvD2obF4pHsJdLR

2011-10-20 19:50 . 2011-10-20 19:50 -------- d-----w- c:\documents and settings\Dan Levison\Application Data\mmH6sWJ7fLgZjCk

2011-10-20 19:50 . 2011-10-20 19:50 -------- d-----w- c:\documents and settings\Dan Levison\Application Data\ucS1ivD3oGaHsKf

2011-10-20 19:47 . 2011-10-20 19:47 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Enfocus Prefs Folder

2011-10-20 19:47 . 2011-10-20 19:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-10-20 19:33 . 2011-10-20 19:33 209920 ----a-w- c:\documents and settings\LocalService\Application Data\amdobjstream.exe

2011-10-20 19:33 . 2011-10-20 19:33 209920 ----a-w- c:\windows\system32\queuemsgdiag.exe

2011-10-18 14:59 . 2011-10-18 14:59 1409 ----a-w- c:\windows\QTFont.for

2011-10-12 14:44 . 2008-10-15 01:33 95600 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

2011-09-29 13:48 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2011-09-29 13:48 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2011-09-29 13:48 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys

2011-09-29 13:48 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll

2011-09-28 15:40 . 2011-09-28 15:40 -------- d-----w- c:\documents and settings\Dan Levison\Application Data\Garmin

2011-09-26 15:41 . 2011-09-26 15:41 220160 ------w- c:\windows\system32\dllcache\oleacc.dll

2011-09-26 15:41 . 2011-09-26 15:41 20480 ------w- c:\windows\system32\dllcache\oleaccrc.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-20 21:20 . 2004-08-10 17:50 180736 ----a-w- c:\windows\system32\clipsrv.exe

2011-10-20 21:20 . 2004-08-10 17:50 153088 ----a-w- c:\windows\system32\cisvc.exe

2011-10-20 21:19 . 2004-08-10 17:50 192000 ----a-w- c:\windows\system32\alg.exe

2011-10-20 20:09 . 2006-04-11 15:23 233472 ----a-w- c:\windows\unvise32qt.exe

2011-10-20 20:09 . 2007-01-09 23:55 237568 ----a-w- c:\windows\unvise32.exe

2011-10-20 20:07 . 2006-05-10 00:43 446976 ----a-w- c:\windows\uninst.exe

2011-10-20 20:07 . 2004-08-10 18:12 1228800 ----a-w- c:\windows\help\SBSI\Training\orun32.exe

2011-10-20 20:00 . 2006-04-11 15:02 186368 ----a-w- c:\windows\system32\wdfmgr.exe

2011-10-20 19:49 . 2006-05-10 00:44 162816 ----a-w- c:\windows\system32\ATMsrvc.exe

2011-10-20 19:49 . 2006-11-29 23:43 667648 ----a-w- c:\windows\system32\ati2sgag.exe

2011-09-28 13:45 . 2011-05-23 13:41 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41 . 2004-08-10 17:51 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41 . 2004-08-10 17:51 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-09 09:12 . 2004-08-10 17:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 13:20 . 2004-08-10 17:51 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-22 23:48 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:48 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-08-22 23:48 . 2004-08-10 17:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:56 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec

2011-08-17 13:49 . 2004-08-10 17:50 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-10-12 16:20 . 2011-05-09 15:21 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray .exe
c:\windows\pchealth\helpctr\binaries\msconfig .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\DLA\dlactrlw .exe

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2010-03-08 20:02 . 84B647F9DF97B26A4412FE01CCEFE108 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys

.

[7] 2009-03-08 . B60DDDD2D63CE41CB8C487FCFBB6419E . 638816 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe

[7] 2009-02-28 . BCD8E48709BE4A79606F0B6E8E9A6162 . 636088 . . [7.00.6000.21020] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\iexplore.exe

[7] 2009-02-28 . A251068640DDB69FD7805B57D89D7FF7 . 636072 . . [7.00.6000.16827] . . c:\windows\ie8\iexplore.exe

[7] 2008-12-19 . 15E8A89499741D5CF59A9CF6463A4339 . 634024 . . [7.00.6000.20978] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\iexplore.exe

[7] 2008-12-19 . 030D78FE84A086ED376EFCBD2D72C522 . 634024 . . [7.00.6000.16791] . . c:\windows\ie7updates\KB963027-IE7\iexplore.exe

[7] 2008-10-15 . 9D3DB9ADFABD2F0BC778EC03250A3ABB . 633632 . . [7.00.6000.16762] . . c:\windows\ie7updates\KB961260-IE7\iexplore.exe

[7] 2008-10-15 . 056C927CF7207857E8B34F7A8FFD9B9E . 633632 . . [7.00.6000.20935] . . c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\iexplore.exe

[7] 2008-08-23 . E8305C30D35E85D6657ED3E9934CB302 . 635848 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe

[7] 2008-08-23 . 1F03216084447F990AE797317D0A6E70 . 635848 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB958215-IE7\iexplore.exe

[7] 2008-06-23 . 64E376A47763DAEABCDA14BD5B6EA286 . 625664 . . [7.00.6000.16705] . . c:\windows\ie7updates\KB956390-IE7\iexplore.exe

[7] 2008-06-23 . C52A9EF571E91535EB78DB4B8B95EA07 . 625664 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\iexplore.exe

[7] 2008-04-22 . 197B7E4030CFBD8D2979D375E1787AA2 . 625664 . . [7.00.6000.20815] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\iexplore.exe

[7] 2008-04-22 . 232B22817B90AE0AFF2D189E3E3735AC . 625664 . . [7.00.6000.16674] . . c:\windows\ie7updates\KB953838-IE7\iexplore.exe

[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe

[7] 2008-02-29 . 2D0E5592AB5A46C27DAF7CCAFF4F5B59 . 625664 . . [7.00.6000.16640] . . c:\windows\ie7updates\KB950759-IE7\iexplore.exe

[7] 2008-02-22 . 6E0888626E0CAC79F57149814E22DB4D . 625664 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\iexplore.exe

[7] 2007-12-06 . 2703D940A62B731AA220529DD7331A78 . 625664 . . [7.00.6000.16608] . . c:\windows\ie7updates\KB947864-IE7\iexplore.exe

[7] 2007-12-06 . 809D17D8FA0FDAEE07778CD821CAFFDE . 625664 . . [7.00.6000.20733] . . c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\iexplore.exe

[7] 2007-10-10 . E854D02E4231F704D9BE782A424E6D8B . 625152 . . [7.00.6000.16574] . . c:\windows\ie7updates\KB944533-IE7\iexplore.exe

[7] 2007-10-10 . 632BDE0179847234433CA50945442ACB . 625664 . . [7.00.6000.20696] . . c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\iexplore.exe

[7] 2007-08-17 . 3AC2BC667DA0AF2C968E96E1630F5AB5 . 625152 . . [7.00.6000.16544] . . c:\windows\ie7updates\KB942615-IE7\iexplore.exe

[7] 2007-08-17 . 5577D0E3AC2F9F035ACD81B44AF5F511 . 625152 . . [7.00.6000.20661] . . c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\iexplore.exe

[7] 2007-06-27 . BD8502DFD53FC24FB8D6929DC46B8C2C . 625152 . . [7.00.6000.20627] . . c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\iexplore.exe

[7] 2007-06-27 . 275CEE268B9E5D82474C43D5D249D111 . 625152 . . [7.00.6000.16512] . . c:\windows\ie7updates\KB939653-IE7\iexplore.exe

[7] 2007-04-24 . 10BDB55982586A432A3951EB19A26009 . 625152 . . [7.00.6000.16473] . . c:\windows\ie7updates\KB937143-IE7\iexplore.exe

[7] 2007-04-24 . 9B3516C1F30DA17ADD3818573047D63C . 625152 . . [7.00.6000.20583] . . c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\iexplore.exe

[7] 2007-02-28 . D321092F8529CDAE843D6E24E3CAC6CB . 625152 . . [7.00.6000.20544] . . c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\iexplore.exe

[7] 2007-02-21 . 683DDE71BCF03B501B912D20CB93B549 . 623616 . . [7.00.6000.16441] . . c:\windows\ie7updates\KB933566-IE7\iexplore.exe

[7] 2007-01-08 . 93A6A4F5293AE19E3B37021AABCF0902 . 623616 . . [7.00.6000.16414] . . c:\windows\ie7updates\KB931768-IE7\iexplore.exe

[7] 2006-10-17 . 5334D4461AA92A7B008755FE6D13C5F2 . 622080 . . [7.00.5730.11] . . c:\windows\ie7updates\KB928090-IE7\iexplore.exe

[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\ie7\iexplore.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DexStarter_PP650V_1"="c:\documents and settings\Dan Levison\Application Data\Color_Server_Client_Tools\PrinterDriver\PP650V_1\DexRunner.bat" [2007-10-16 445]

"senrmodk70.exe"="c:\documents and settings\Dan Levison\Application Data\283ED61EC718C978AEC6D2C8D9027CD0\senrmodk70.exe" [N/A]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]

"dulizesot"="c:\windows\system32\gawojuso.dll" [N/A]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]

"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [N/A]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 261120]

APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2010-9-14 413696]

Command WorkStation 4.lnk - c:\program files\Fiery\Command WorkStation 4\cws 4.exe [2008-2-17 4476928]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-11 24576]

Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]

Spyder3Utility.lnk - c:\program files\Datacolor\Spyder3Elite\Utility\Spyder3Utility.exe [2008-3-19 6333954]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-5-10 270336]

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoActiveDesktopChanges"= 1 (0x1)

"NoSetActiveDesktop"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Taskman"=""

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AntiVirus Plus.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AntiVirus Plus.lnk

backup=c:\windows\pss\AntiVirus Plus.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Dan Levison^Start Menu^Programs^Startup^AntiVirus Plus.lnk]

path=c:\documents and settings\Dan Levison\Start Menu\Programs\Startup\AntiVirus Plus.lnk

backup=c:\windows\pss\AntiVirus Plus.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

"c:\\Program Files\\Canon\\DIAS\\CnxDIAS.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Documents and Settings\\Dan Levison\\Application Data\\Color_Server_Client_Tools\\JRE\\JRE1.4.2\\bin\\DEX_PP650V_1.EXE"=

"c:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\wkcalrem.exe"=

"c:\\Program Files\\Datacolor\\Spyder3Elite\\Utility\\Spyder3Utility.exe"=

"c:\\Program Files\\WinZip\\WZQKPICK.EXE"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"24654:UDP"= 24654:UDP:Enfocus Port

"20486:UDP"= 20486:UDP:Enfocus Port

"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server

"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server

"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

"1947:TCP"= 1947:TCP:HASP SRM

"1947:UDP"= 1947:UDP:HASP SRM

.

R2 APC Data Service;APC Data Service;c:\program files\APC\APC PowerChute Personal Edition\dataserv.exe [9/14/2010 4:54 PM 21880]

R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]

S1 hurhutiw;hurhutiw;\??\c:\windows\system32\drivers\hurhutiw.sys --> c:\windows\system32\drivers\hurhutiw.sys [?]

S1 nullsdtw;nullsdtw;\??\c:\windows\system32\drivers\nullsdtw.sys --> c:\windows\system32\drivers\nullsdtw.sys [?]

S1 odttlpvh;odttlpvh;\??\c:\windows\system32\drivers\odttlpvh.sys --> c:\windows\system32\drivers\odttlpvh.sys [?]

S1 qaxzfjnx;qaxzfjnx;\??\c:\windows\system32\drivers\qaxzfjnx.sys --> c:\windows\system32\drivers\qaxzfjnx.sys [?]

S1 rklpgyyu;rklpgyyu;\??\c:\windows\system32\drivers\rklpgyyu.sys --> c:\windows\system32\drivers\rklpgyyu.sys [?]

S1 tcxsanos;tcxsanos;\??\c:\windows\system32\drivers\tcxsanos.sys --> c:\windows\system32\drivers\tcxsanos.sys [?]

S3 Spyder3;Datacolor Spyder3;c:\windows\system32\drivers\spyder3.sys [11/6/2007 1:08 PM 12288]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.0.1

FF - ProfilePath - c:\documents and settings\Dan Levison\Application Data\Mozilla\Firefox\Profiles\40pl3xn6.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxps://webmail.datarealm.com/src/login.php

FF - user.js: yahoo.homepage.dontask - true

.

- - - - ORPHANS REMOVED - - - -

.

SharedTaskScheduler-{4c4f9caa-d8c9-4a0f-bd6a-0996b3df72bc} - c:\windows\system32\lilofati.dll

SSODL-tokiguyaf-{4c4f9caa-d8c9-4a0f-bd6a-0996b3df72bc} - c:\windows\system32\lilofati.dll

Notify-NavLogon - (no file)

SafeBoot-28420350.sys

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-20 17:27

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3068)

c:\windows\system32\WININET.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

c:\program files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe

c:\program files\Common Files\Adobe\Adobe Version Cue CS3\Server\data\database\bin\x86\mysqld-nt.exe

c:\windows\System32\ATMsrvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Canon\DIAS\CnxDIAS.exe

c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

c:\documents and settings\Dan Levison\Application Data\Color_Server_Client_Tools\JRE\JRE1.4.2\bin\DEX_PP650V_1.EXE

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

c:\windows\system32\hasplms.exe

c:\windows\system32\imapi.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\tcpsvcs.exe

c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe

c:\windows\system32\msiexec.exe

c:\program files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

c:\windows\system32\sessmgr.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wbem\wmiapsrv.exe

.

**************************************************************************

.

Completion time: 2011-10-20 17:29:27 - machine was rebooted

ComboFix-quarantined-files.txt 2011-10-20 21:29

.

Pre-Run: 47,271,735,296 bytes free

Post-Run: 54,036,295,680 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 9C145ECC52BBF1EBCF2F870483E963F3

Thanks for any help.

I thought it might be more helpful to send a current DDS report.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11

Run by XXXXXXXXXX at 19:46:39 on 2011-10-25

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1349 [GMT -4:00]

.

AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Canon\DIAS\CnxDIAS.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\WINDOWS\system32\hasplms.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\Program Files\Norton 360 Premier Edition\Engine\5.1.0.29\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\Norton 360 Premier Edition\Engine\5.1.0.29\ccSvcHst.exe

C:\WINDOWS\System32\dmadmin.exe

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Datacolor\Spyder3Elite\Utility\Spyder3Utility.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\Program Files\WinZip\WZQKPICK.EXE

.

============== Pseudo HJT Report ===============

.

uWindow Title = Internet Explorer, optimized for Bing and MSN

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360 premier edition\engine\5.1.0.29\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360 premier edition\engine\5.1.0.29\ips\IPSBHO.DLL

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360 premier edition\engine\5.1.0.29\coIEPlg.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto

mRun: [Adobe Version Cue CS2] c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe

mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe

mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spyder~1.lnk - c:\program files\datacolor\spyder3elite\utility\Spyder3Utility.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE

dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147205189328

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Notify: igfxcui - igfxdev.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\dan levison\application data\mozilla\firefox\profiles\40pl3xn6.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxps://webmail.datarealm.com/src/login.php

FF - plugin: c:\documents and settings\dan levison\application data\mozilla\firefox\profiles\40pl3xn6.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll

FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

.

============= SERVICES / DRIVERS ===============

.

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\SymDS.sys [2011-10-21 340088]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\SymEFA.sys [2011-10-21 744568]

R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [2011-10-25 911680]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\bashdefs\20111014.001\BHDrvx86.sys [2011-10-14 818808]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\Ironx86.sys [2011-10-21 136312]

R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2011-10-25 2480048]

R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]

R2 N360;Norton 360;c:\program files\norton 360 premier edition\engine\5.1.0.29\ccSvcHst.exe [2011-10-21 130008]

R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2011-10-25 160288]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-10-21 105592]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\ipsdefs\20111022.030\IDSXpx86.sys [2011-10-25 356280]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20111025.002\NAVENG.SYS [2011-10-25 86136]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20111025.002\NAVEX15.SYS [2011-10-25 1576312]

S1 hurhutiw;hurhutiw;\??\c:\windows\system32\drivers\hurhutiw.sys --> c:\windows\system32\drivers\hurhutiw.sys [?]

S1 nullsdtw;nullsdtw;\??\c:\windows\system32\drivers\nullsdtw.sys --> c:\windows\system32\drivers\nullsdtw.sys [?]

S1 odttlpvh;odttlpvh;\??\c:\windows\system32\drivers\odttlpvh.sys --> c:\windows\system32\drivers\odttlpvh.sys [?]

S1 qaxzfjnx;qaxzfjnx;\??\c:\windows\system32\drivers\qaxzfjnx.sys --> c:\windows\system32\drivers\qaxzfjnx.sys [?]

S1 rklpgyyu;rklpgyyu;\??\c:\windows\system32\drivers\rklpgyyu.sys --> c:\windows\system32\drivers\rklpgyyu.sys [?]

S1 tcxsanos;tcxsanos;\??\c:\windows\system32\drivers\tcxsanos.sys --> c:\windows\system32\drivers\tcxsanos.sys [?]

S2 APC Data Service;APC Data Service;c:\program files\apc\apc powerchute personal edition\dataserv.exe [2010-9-14 21880]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 Spyder3;Datacolor Spyder3;c:\windows\system32\drivers\spyder3.sys [2007-11-6 12288]

.

=============== Created Last 30 ================

.

2011-10-25 22:41:40 160288 ----a-w- c:\windows\system32\drivers\afcdp.sys

2011-10-25 22:41:34 911680 ----a-w- c:\windows\system32\drivers\tdrpm258.sys

2011-10-25 22:41:28 581984 ----a-w- c:\windows\system32\drivers\timntr.sys

2011-10-25 22:41:22 158272 ----a-w- c:\windows\system32\drivers\snapman.sys

2011-10-25 13:03:44 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-25 13:00:33 -------- d-----w- c:\program files\CONEXANT

2011-10-24 18:11:01 44024 ----a-r- c:\windows\system32\drivers\SymIM.sys

2011-10-21 22:19:43 1202 ----a-w- c:\documents and settings\dan levison\local settings\application data\dfl20z32.dll

2011-10-21 22:11:45 -------- d--h--w- c:\windows\msdownld.tmp

2011-10-21 22:05:34 -------- dc-h--w- c:\windows\ie8

2011-10-21 19:33:41 -------- d-----w- c:\windows\system32\drivers\nbrtwizard\0401000.00F

2011-10-21 19:33:41 -------- d-----w- c:\windows\system32\drivers\NBRTWizard

2011-10-21 19:33:35 -------- d-----w- c:\program files\Norton Bootable Recovery Tool Wizard

2011-10-21 18:13:19 -------- d-----w- c:\documents and settings\dan levison\application data\Tific

2011-10-21 17:50:35 369784 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\symtdi.sys

2011-10-21 17:50:35 331384 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\symtdiv.sys

2011-10-21 17:50:35 296568 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\symnets.sys

2011-10-21 17:50:34 744568 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\SymEFA.sys

2011-10-21 17:50:34 516216 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\srtsp.sys

2011-10-21 17:50:34 50168 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\srtspx.sys

2011-10-21 17:50:34 340088 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\SymDS.sys

2011-10-21 17:50:34 136312 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\Ironx86.sys

2011-10-21 17:50:11 -------- d-----w- c:\windows\system32\drivers\n360\0501000.01D

2011-10-21 17:36:44 27888 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2011-10-21 17:36:44 106928 ----a-w- c:\windows\system32\GEARAspi.dll

2011-10-21 17:36:34 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL

2011-10-21 17:36:34 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-10-21 17:35:06 -------- d-----w- c:\windows\system32\drivers\N360

2011-10-21 17:35:02 -------- d-----w- c:\program files\Norton 360 Premier Edition

2011-10-21 17:33:27 -------- d-----w- c:\documents and settings\all users\application data\Norton

2011-10-21 17:31:03 -------- d-----w- c:\program files\NortonInstaller

2011-10-21 17:31:03 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller

2011-10-20 21:29:46 398 ----a-w- c:\documents and settings\dan levison\local settings\application data\wsr20zt32.dll

2011-10-20 20:44:44 -------- d-sha-r- C:\cmdcons

2011-10-20 19:54:13 -------- d-----w- c:\documents and settings\dan levison\application data\hgTZqjYCe

2011-10-20 19:51:05 -------- d-----w- c:\documents and settings\dan levison\application data\IvD2obF4pHsJdLR

2011-10-20 19:50:40 -------- d-----w- c:\documents and settings\dan levison\application data\mmH6sWJ7fLgZjCk

2011-10-20 19:50:29 -------- d-----w- c:\documents and settings\dan levison\application data\ucS1ivD3oGaHsKf

2011-10-12 14:44:11 95600 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll

2011-09-29 13:48:45 5632 ----a-w- c:\windows\system32\ptpusb.dll

2011-09-29 13:48:44 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2011-09-29 13:48:44 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys

2011-09-29 13:48:37 159232 ----a-w- c:\windows\system32\ptpusd.dll

2011-09-28 15:40:05 -------- d-----w- c:\documents and settings\dan levison\application data\Garmin

2011-09-26 15:41:20 220160 ------w- c:\windows\system32\dllcache\oleacc.dll

2011-09-26 15:41:14 20480 ------w- c:\windows\system32\dllcache\oleaccrc.dll

.

==================== Find3M ====================

.

2011-10-25 22:27:09 307200 ----a-w- c:\windows\system32\igfxsrvc.exe

2011-10-25 18:16:28 193024 ----a-w- c:\windows\system32\mshta.exe

2011-10-21 16:05:59 192000 ----a-w- c:\windows\system32\tscupgrd.exe

2011-10-21 16:04:54 181248 ----a-w- c:\windows\system32\regini.exe

2011-10-21 16:03:59 244224 ----a-w- c:\windows\system32\logagent.exe

2011-10-21 16:00:11 164864 ----a-w- c:\windows\system32\compact.exe

2011-10-21 16:00:09 210944 ----a-w- c:\windows\system32\cmstp.exe

2011-10-21 16:00:09 187392 ----a-w- c:\windows\system32\cmmon32.exe

2011-10-21 16:00:08 173056 ----a-w- c:\windows\system32\cmdl32.exe

2011-10-21 16:00:07 250368 ----a-w- c:\windows\system32\clipbrd.exe

2011-10-21 16:00:07 167936 ----a-w- c:\windows\system32\cliconfg.exe

2011-10-21 16:00:06 155648 ----a-w- c:\windows\system32\cidaemon.exe

2011-10-21 16:00:06 155136 ----a-w- c:\windows\system32\ckcnv.exe

2011-10-21 16:00:02 167424 ----a-w- c:\windows\system32\cacls.exe

2011-10-21 16:00:01 219136 ----a-w- c:\windows\system32\blastcln.exe

2011-10-21 15:59:58 173568 ----a-w- c:\windows\system32\Ati2mdxx.exe

2011-10-21 15:59:57 166912 ----a-w- c:\windows\system32\arp.exe

2011-10-21 15:59:55 245760 ----a-w- c:\windows\system32\ahui.exe

2011-10-21 15:59:49 487424 ----a-w- c:\windows\stsystra.exe

2011-10-21 15:59:22 184320 ----a-w- c:\windows\slrundll.exe

2011-10-21 15:59:21 196608 ----a-w- c:\windows\setpwrcg.exe

2011-10-21 15:57:26 293888 ----a-w- c:\windows\regedit.exe

2011-10-21 15:57:22 297984 ----a-w- c:\windows\pchealth\uploadlb\binaries\uploadm.exe

2011-10-21 15:56:59 317440 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe

2011-10-21 15:56:59 317440 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig .exe

2011-10-21 15:56:59 182784 ----a-w- c:\windows\pchealth\helpctr\binaries\notiflag.exe

2011-10-21 15:56:58 891904 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2011-10-21 15:56:58 247296 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpHost.exe

2011-10-21 15:56:58 165888 ----a-w- c:\windows\pchealth\helpctr\binaries\hscupd.exe

2011-10-21 15:56:57 916480 ----a-w- c:\windows\pchealth\helpctr\binaries\helpctr.exe

2011-10-21 15:55:58 454144 ----a-w- c:\windows\IsUninst.exe

2011-10-21 15:53:47 158208 ----a-w- c:\windows\hh.exe

2011-10-21 15:53:39 380928 ----a-w- c:\windows\help\sbsi\training\ounins32_s.exe

2011-10-21 15:53:39 196608 ----a-w- c:\windows\help\sbsi\training\usersid.exe

2011-10-21 15:53:28 245760 ----a-w- c:\windows\DLA.EXE

2011-10-21 15:01:52 216576 ----a-w- c:\windows\notepad.exe

2011-10-21 13:34:01 825344 ----a-w- c:\windows\system32\mstsc.exe

2011-10-20 21:59:02 273920 ----a-w- c:\windows\system32\wbem\wmiapsrv.exe

2011-10-20 21:58:43 166912 ----a-w- c:\windows\system32\tcpsvcs.exe

2011-10-20 21:58:24 372224 ----a-w- c:\windows\system32\dmadmin.exe

2011-10-20 21:54:08 216576 ----a-w- c:\windows\system32\notepad.exe

2011-10-20 21:46:09 297984 ----a-w- c:\windows\system32\imapi.exe

2011-10-20 21:46:09 288768 ----a-w- c:\windows\system32\sessmgr.exe

2011-10-20 21:43:08 262144 ----a-w- c:\windows\system32\calc.exe

2011-10-20 21:33:18 179712 ----a-w- c:\windows\system32\wupdmgr.exe

2011-10-20 21:33:12 226304 ----a-w- c:\windows\system32\msiexec.exe

2011-10-20 21:33:05 686080 ----a-w- c:\windows\system32\spider.exe

2011-10-20 21:33:04 274432 ----a-w- c:\windows\system32\mshearts.exe

2011-10-20 21:33:04 202752 ----a-w- c:\windows\system32\freecell.exe

2011-10-20 21:32:54 180224 ----a-w- c:\windows\system32\odbcad32.exe

2011-10-20 21:32:53 581120 ----a-w- c:\windows\system32\wiaacmgr.exe

2011-10-20 21:32:53 490496 ----a-w- c:\windows\system32\mspaint.exe

2011-10-20 21:32:53 227840 ----a-w- c:\windows\system32\charmap.exe

2011-10-20 21:32:53 211456 ----a-w- c:\windows\system32\cleanmgr.exe

2011-10-20 21:32:52 286208 ----a-w- c:\windows\system32\sndvol32.exe

2011-10-20 21:32:52 279040 ----a-w- c:\windows\system32\sndrec32.exe

2011-10-20 21:32:51 377344 ----a-w- c:\windows\system32\fxscover.exe

2011-10-20 21:32:51 331776 ----a-w- c:\windows\system32\accwiz.exe

2011-10-20 21:32:51 290304 ----a-w- c:\windows\system32\fxsclnt.exe

2011-10-20 21:32:51 158720 ----a-w- c:\windows\system32\fxssend.exe

2011-10-20 21:29:44 183296 ----a-w- c:\windows\system32\rcimlby.exe

2011-10-20 21:29:33 494592 ----a-w- c:\windows\system32\tourstart.exe

2011-10-20 21:29:33 290816 ----a-w- c:\windows\system32\mobsync.exe

2011-10-20 21:29:32 536576 ----a-w- c:\windows\system32\cmd.exe

2011-10-20 21:29:32 363008 ----a-w- c:\windows\system32\osk.exe

2011-10-20 21:29:32 220160 ----a-w- c:\windows\system32\magnify.exe

2011-10-20 21:29:32 201216 ----a-w- c:\windows\system32\narrator.exe

2011-10-20 21:29:02 437248 ----a-w- c:\windows\system32\vssvc.exe

2011-10-20 21:29:02 280064 ----a-w- c:\windows\system32\rsvp.exe

2011-10-20 21:29:02 243200 ----a-w- c:\windows\system32\scardsvr.exe

2011-10-20 21:29:02 237056 ----a-w- c:\windows\system32\smlogsvc.exe

2011-10-20 21:29:02 222720 ----a-w- c:\windows\system32\locator.exe

2011-10-20 21:28:57 258560 ----a-w- c:\windows\system32\netdde.exe

2011-10-20 21:28:56 180224 ----a-w- c:\windows\system32\mnmsrvc.exe

2011-10-20 21:28:56 153600 ----a-w- c:\windows\system32\msdtc.exe

2011-10-20 21:20:05 180736 ----a-w- c:\windows\system32\clipsrv.exe

2011-10-20 21:19:40 192000 ----a-w- c:\windows\system32\alg.exe

2011-10-20 20:09:46 233472 ----a-w- c:\windows\unvise32qt.exe

2011-10-20 20:09:06 237568 ----a-w- c:\windows\unvise32.exe

2011-10-20 20:07:40 446976 ----a-w- c:\windows\uninst.exe

2011-10-20 20:07:36 1228800 ----a-w- c:\windows\help\sbsi\training\orun32.exe

2011-10-20 20:00:11 186368 ----a-w- c:\windows\system32\wdfmgr.exe

2011-10-20 19:49:19 667648 ----a-w- c:\windows\system32\ati2sgag.exe

2011-10-14 19:24:12 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys

2011-10-14 19:24:11 104 --sh--r- c:\windows\system32\A8F96146B6.sys

2011-09-28 13:45:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:48:54 43520 ------w- c:\windows\system32\licmgr10.dll

2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:56:39 385024 ------w- c:\windows\system32\html.iec

2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys

.

============= FINISH: 19:48:24.92 ===============


  • Staff

Hi and welcome to Malwarebytes.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs its runtime log to the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is named like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix (delete your copy and grab a fresh one).

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


  • 2 weeks later...
  • Staff

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
