unable to run MWB update-firewall/internet connection error??

I am unable to run the Malwarebytes update. I receive an error that my firewall may be blocking it or that I might not be connected to the internet. I've checked both and neither should be a problem. This started after Malwarebytes detected and removed the Vundo trojan 2 weeks ago. My HijackThis and most recent Malwarebytes logs follow... thank you in advance for any assistance!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:51:49 PM, on 1/17/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Dell\QuickSet\Quickset.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe

C:\Program Files\InterVideo\WinDVR3\WinRemote.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"

O4 - HKLM\..\Run: [WinRemote] "C:\Program Files\InterVideo\WinDVR3\WinRemote.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: McLeodUSA InteliGate IPSec Client 3.6.6 Rel K9.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMediaControl5.cab

O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://sierracazorla.axiscam.net:8081/activex/AMC.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.digitalvisioncenter.com/activex...ol_2_20_0_4.cab

O16 - DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} (WLANinfo.WLANX) - https://www.jiwire.com/activeX/wlaninfo.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx

O20 - AppInit_DLLs: rnofma.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: WLANKEEPER - Intel


When you run the update, do you get a drop-down menu from which you can select the server to download the update from? If not, see if you can download the updates from here and just double-click on mbam-rules.exe to install. Post back your results. Thanks!


No, I don't get the drop-down menu; the pop-up box with the bogus error message comes up immediately. I was able to install mbam-rules.exe from your link, but I still receive that pop-up error box. I haven't rebooted yet, awaiting further info from you... thanks so much for your help.


Reboot and post the log. Thanks!

New MWB and HJT logs follow... I don't know if this tells you anything, but at the same time my MWB issue began, I was also no longer able to run Norton. I still have my desktop shortcut, but nothing happens when I try to open the program. I haven't even started to look into that.

Malwarebytes' Anti-Malware 1.33

Database version: 1654

Windows 5.1.2600 Service Pack 3

1/18/2009 9:40:48 AM

mbam-log-2009-01-18 (09-40-48).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 120939

Time elapsed: 47 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:46:08 AM, on 1/18/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Dell\QuickSet\Quickset.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe

C:\Program Files\InterVideo\WinDVR3\WinRemote.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"

O4 - HKLM\..\Run: [WinRemote] "C:\Program Files\InterVideo\WinDVR3\WinRemote.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: McLeodUSA InteliGate IPSec Client 3.6.6 Rel K9.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMediaControl5.cab

O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://sierracazorla.axiscam.net:8081/activex/AMC.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.digitalvisioncenter.com/activex...ol_2_20_0_4.cab

O16 - DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} (WLANinfo.WLANX) - https://www.jiwire.com/activeX/wlaninfo.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx

O20 - AppInit_DLLs: rnofma.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: WLANKEEPER - Intel


You have a trojan "Fake Alert" that is still active, and mbam should most assuredly find and remove it... however, although you just updated, I need to ask you to update again since the database version is still behind by about 12 updates. You're looking better than you did, but it's still out of date. See if you can run the update, run another quick scan and post back THAT log. I expect to see some malware found and removed in that log.
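As an added example (not code from this thread, from Malwarebytes or from Trend Micro), here is a small Python triage script for HijackThis logs like the ones posted above. It applies three review rules an analyst would otherwise apply by eye: a populated O20 AppInit_DLLs entry, an O4 autorun registered under the SYSTEM or Default-user hive whose command is a bare file name rather than a full path, and an O23 service whose publisher HijackThis could not identify. The sample log is constructed from a few lines of the log above plus the header lines the parser must skip; the rules and severities are assumptions of this example, and a flag means "review this file", not a verdict.

```python
"""Triage helper for HijackThis v2 log lines.

Added example for this thread; it is not a Malwarebytes, Trend Micro or
ComboFix tool. The rules are review heuristics an analyst would apply to a
posted log, not a malware verdict: a flagged line means "look at this file",
nothing more.
"""
import re
from dataclasses import dataclass

# An HJT entry line starts with its section code (R0, R1, O2, O4, O20, O23 ...).
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")

# Autorun hives belonging to the SYSTEM account and the default profile.
# Software installed by the logged-on user rarely registers itself here.
SYSTEM_HIVES = ("HKUS\\S-1-5-18\\", "HKUS\\.DEFAULT\\")

# O4 body looks like:  HKUS\<sid>\..\Run: [name] command (User 'X')
O4_CMD_RE = re.compile(r"\] (?P<cmd>.+?) \(User ")


@dataclass
class Finding:
    code: str
    severity: str   # "high" = act on it, "info" = confirm the publisher
    reason: str
    line: str


def parse_entries(log_text):
    """Return (code, body) for each entry line, skipping headers and the
    'Running processes' block, which carry no section code."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(log_text):
    """Apply the review rules (assumptions of this example) in log order."""
    findings = []
    for code, body in parse_entries(log_text):
        line = f"{code} - {body}"
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            # AppInit_DLLs is normally empty on XP; any DLL named here is
            # loaded by user32.dll into every GUI process at start-up.
            if value:
                findings.append(Finding(code, "high",
                    f"AppInit_DLLs injects '{value}' into every GUI process", line))
        elif code == "O4" and any(h in body for h in SYSTEM_HIVES):
            m = O4_CMD_RE.search(body)
            cmd = m.group("cmd").strip('"') if m else ""
            # A bare file name (no drive letter) resolves via the search path,
            # so the log does not even tell us which file will actually run.
            if cmd and not re.match(r"^[A-Za-z]:\\", cmd):
                findings.append(Finding(code, "high",
                    f"autorun in a system hive with a bare command '{cmd}'", line))
        elif code == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(code, "info",
                "service publisher not identified; confirm the file's signer", line))
    return findings


# Constructed sample: a handful of lines copied from the HJT log above,
# plus the header lines the parser must skip.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O20 - AppInit_DLLs: rnofma.dll
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.code}: {f.reason}\n    {f.line}")
```

Run against the sample, it flags the two SYSTEM/Default-user autoruns whose command is a bare `msiconf.exe`, the populated AppInit_DLLs entry, and (as info only) the service whose owner HijackThis could not resolve; the legitimate HKCU ctfmon entry and the Intel service pass. The "Unknown owner" rule deliberately fires on a Symantec file here, which is the point of the info severity: publisher checks are a prompt to verify the signer, not proof of anything.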


Still unable to run an update without receiving the "Update failed-make sure you are connected to the internet and your firewall is set to allow Malwarebyte's Anti Malware to access the internet" error. I am also still unable to launch Norton 360 or run my Windows Security Center service. I'm assuming this is all related... will stay tuned for your next instructions (thank you so much for trying to help me!)


Still unable to run an update without receiving the "Update failed-make sure you are connected to the internet and your firewall is set to allow Malwarebyte's Anti Malware to access the internet" error. I am also still unable to launch Norton 360 or run my Windows Security Center service. I'm assuming this is all related... also, a SpyBot S&D scan earlier today found something called "Microsoft.WindowsSecurityCenter_disabled". Not sure what this might mean.

Here are the results of my Quick Scan, again not able to run with the newest updates... will stay tuned for your next instructions (thank you so much for trying to help me!)

Malwarebytes' Anti-Malware 1.33

Database version: 1654

Windows 5.1.2600 Service Pack 3

1/18/2009 7:13:51 PM

mbam-log-2009-01-18 (19-13-51).txt

Scan type: Quick Scan

Objects scanned: 57838

Time elapsed: 6 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***

Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please post back the following on your next reply:

C:\ComboFix.txt

New HijackThis log.


PHEW... OK, I finally was able to run ComboFix (had a hard time disabling Norton; had to uninstall it) and it sure looks like we might be on the right track. I can now update my MWB and was able to reinstall Norton and run a scan. It detected Vundo and removed it. Then I rebooted and ran both MWB and HJT. The logs follow... first will be the ComboFix log, followed by the latest MWB and HJT logs. Dang! Standing by for further instructions!

ComboFix 09-01-19.03 - k r 2009-01-19 15:24:29.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.221 [GMT -8:00]

Running from: c:\documents and settings\k r\Desktop\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))

.

2009-01-19 04:03 . 2009-01-19 04:03 <DIR> d-------- C:\NSS

2009-01-19 04:02 . 2009-01-19 04:02 <DIR> d-------- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP

2009-01-19 04:02 . 2009-01-19 04:02 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2009-01-17 16:51 . 2009-01-17 16:51 <DIR> d-------- c:\program files\Trend Micro

2009-01-04 12:23 . 2009-01-19 04:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-04 12:23 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-04 12:23 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-19 23:15 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-01-19 23:11 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-01-19 23:10 --------- d-----w c:\program files\Symantec

2009-01-19 11:58 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-19 11:47 --------- d-----w c:\documents and settings\k r\Application Data\Symantec

2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys

2008-12-06 02:45 410,984 ----a-w c:\windows\system32\deploytk.dll

2008-12-06 02:45 --------- d-----w c:\program files\Java

2008-11-30 03:46 --------- d-----w c:\documents and settings\k r\Application Data\Ludia

2008-11-30 03:44 --------- d-----w c:\program files\DNA

2008-11-26 20:58 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)

2008-11-19 02:10 --------- d-----w c:\documents and settings\k r\Application Data\Unreal Streaming

2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys

2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll

2008-10-22 13:57 49,328 -c--a-w c:\documents and settings\k r\Application Data\GDIPFONTCACHEV1.DAT

2005-09-27 23:32 344,998,294 -c--a-w c:\program files\Photoshop_CS2_tryout.zip

2005-09-22 00:24 351,314 ----a-w c:\program files\LimeWireWin.exe

2005-07-18 01:57 150,192 ----a-w c:\program files\TweakUiPowertoySetup.exe

2005-07-18 01:55 638,544 ----a-w c:\program files\PowerCalcPowertoySetup.exe

2005-05-31 23:16 2,560,240 ----a-w c:\program files\spywareblastersetup34.exe

2008-08-06 18:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080620080807\index.dat

.

((((((((((((((((((((((((((((( snapshot@2009-01-19_14.42.45.76 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-01-18 23:38:21 22,016 ----a-w c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP\WiseCustomCall.dll

+ 2009-01-19 23:10:25 22,016 ----a-w c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP\WiseCustomCall.dll

+ 2009-01-19 23:15:48 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_504.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-06 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]

"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2005-02-07 606208]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]

"WinDVR SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2005-08-15 106496]

"WinRemote"="c:\program files\InterVideo\WinDVR3\WinRemote.exe" [2005-08-15 208896]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-02 282624]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-19 11776]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-01-15 37376]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-05 136600]

c:\documents and settings\k r\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-04-28 24576]

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-08-15 208896]

McLeodUSA InteliGate IPSec Client 3.6.6 Rel K9.lnk - c:\program files\Cisco Systems\VPN Client\ipsecdialer.exe [2005-11-29 1285992]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 13:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=rnofma.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2006-06-14 15:24 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R4 CVPNDRV;McLeodUSA IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [2005-11-29 267333]

S3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2006-08-07 974464]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-09-20 33752]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-11-12 18688]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-11-12 8320]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-11-12 23680]

S3 TridVid;USB TV Tuner Analog Video;c:\windows\system32\drivers\TridVid.sys [2006-08-15 77824]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig?hl=en

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

Trusted Zone: www.google.com

Trusted Zone: www.malwarebytes.com

Trusted Zone: online.musicmatch.com

DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} - hxxp://www.umediaserver.net/bin/UMediaControl5.cab

DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://sierracazorla.axiscam.net:8081/activex/AMC.cab

DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} - hxxps://www.jiwire.com/activeX/wlaninfo.cab

.

.

------- File Associations -------

.

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-19 15:26:16

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1440)

c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

Completion time: 2009-01-19 15:28:39

ComboFix-quarantined-files.txt 2009-01-19 23:27:54

ComboFix2.txt 2009-01-19 22:44:16

Pre-Run: 38,537,277,440 bytes free

Post-Run: 38,530,973,696 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

158 --- E O F --- 2009-01-18 23:54:19

Malwarebytes' Anti-Malware 1.33

Database version: 1668

Windows 5.1.2600 Service Pack 3

1/19/2009 5:10:02 PM

mbam-log-2009-01-19 (17-10-02).txt

Scan type: Quick Scan

Objects scanned: 54506

Time elapsed: 6 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:11:59 PM, on 1/19/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Dell\QuickSet\Quickset.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe

C:\Program Files\InterVideo\WinDVR3\WinRemote.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE

C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"

O4 - HKLM\..\Run: [WinRemote] "C:\Program Files\InterVideo\WinDVR3\WinRemote.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: McLeodUSA InteliGate IPSec Client 3.6.6 Rel K9.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMediaControl5.cab

O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://sierracazorla.axiscam.net:8081/activex/AMC.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.digitalvisioncenter.com/activex...ol_2_20_0_4.cab

O16 - DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} (WLANinfo.WLANX) - https://www.jiwire.com/activeX/wlaninfo.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx

O20 - AppInit_DLLs: rnofma.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: WLANKEEPER - Intel

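As an added example (not code from this thread, HijackThis, ComboFix or Malwarebytes), the script below parses the O-lines of a HijackThis log like the one posted above and flags what a log reviewer checks first: AppInit_DLLs entries (the O20 line), services with no identifiable publisher (O23), autostarts or IE buttons pointing at a missing file (O4/O9), and the origin of each downloaded ActiveX control (O16). The SAMPLE_LOG is constructed from lines in the shape of that log; the regexes, risk levels and function names are this example's own assumptions.

```python
"""Triage of the "O" lines in a HijackThis v2.0.2 log.

Added example for this thread; not code from HijackThis, ComboFix or
Malwarebytes. It reads the O-section of a HijackThis log and reports the
entries a reviewer usually checks first.
"""
import re
from dataclasses import dataclass

# Constructed sample input, shaped like the HijackThis log in the post above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [igfxTray] C:\\WINDOWS\\system32\\igfxtray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://sierracazorla.axiscam.net:8081/activex/AMC.cab
O20 - AppInit_DLLs: rnofma.dll
O23 - Service: Symantec Core LC - Unknown owner - C:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\\Program Files\\Intel\\Wireless\\Bin\\EvtEng.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")        # "O20 - AppInit_DLLs: ..."
DPF_HOST_RE = re.compile(r" - (https?://[^/\s]+)")  # origin of an O16 download


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    level: str     # "high", "medium", "low" or "info" (this example's scale)
    detail: str    # the value that triggered the finding
    reason: str    # why a reviewer should look at it
    line: str      # the original log line


def parse_entries(log_text):
    """Yield (section, body, line) for every O-line; other lines are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def triage(log_text):
    """Return the findings for one HijackThis log, in log order."""
    findings = []
    for section, body, line in parse_entries(log_text):
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # Every DLL named here is loaded into each process that loads
            # user32.dll, a long-standing persistence location; a bare file
            # name is resolved through the DLL search path, so rate it higher.
            for dll in filter(None, re.split(r"[,\s]+", body.split(":", 1)[1])):
                bare = "\\" not in dll
                reason = ("AppInit_DLLs entry with a bare file name" if bare
                          else "AppInit_DLLs entry with a full path")
                findings.append(Finding(section, "high" if bare else "medium",
                                        dll, reason, line))
        elif section == "O23" and " - Unknown owner - " in body:
            exe = body.rsplit(" - ", 1)[1]
            findings.append(Finding(section, "medium", exe,
                                    "service without an identifiable publisher", line))
        elif section in ("O4", "O9") and (body.endswith("= ?") or body.endswith("(no file)")):
            findings.append(Finding(section, "low", body,
                                    "autostart or IE button pointing at a missing file", line))
        elif section == "O16":
            m = DPF_HOST_RE.search(body)
            if m:
                findings.append(Finding(section, "info", m.group(1),
                                        "ActiveX control downloaded from this origin", line))
    return findings


def high_risk(findings):
    """Only the findings a reviewer should act on first."""
    return [f for f in findings if f.level == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.level:6}] {f.section}: {f.detail}  ({f.reason})")
```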

Hmmm...I've not known Norton a/v ever to be able to remove a vundo infection, but combofix removes it every time without a hitch. Your combofix log doesn't appear to be complete. Can you check your log again and make sure you just right-click anywhere within that notepad document, and select "Select All", then copy that and post it back here...also, can you provide us with your Norton scan log? Thanks!


Hi there, after dealing with Norton for about an hour, they informed me that Norton 360 doesn't give an option for viewing log files.

I'll repost the combofix log at the end of this.

When I first ran combofix, it wanted me to disable Norton. I couldn't do that. I couldn't do ANYTHING with Norton. Couldn't disable, uninstall, anything.

I ran the combofix anyway, nothing to lose, and it removed some files. I'm not sure just what. After that I was able to uninstall norton and rerun combofix. No problems running it this time. Unfortunately, the original log from combofix was overwritten and the files it said it removed were no longer there.

Then I reinstalled Norton 360 and that's when it popped up with the Vundo trojan and a couple of other things. Here is the log I have,



Unfortunately, the original log from ComboFix was overwritten and the files it said it removed were no longer there.

Then I reinstalled Norton 360 and that's when it popped up with the Vundo trojan and a couple of other things. Here is the log I have...

The combofix logs are not overwritten, they are collected and stored in the Qoobox folder. Please navigate to:

C:\Qoobox and open each notepad file named similarly to "ComboFix.txt", ComboFix2.txt etc. Please post back all of them...as I suspect what happened is that after combofix removed the vundo infection and you were able to reinstall norton, all that norton may have found was what was stored in the archives. I need to see that original combofix log though. Thanks!


This is the only txt file in that folder.

ComboFix 09-01-19.03 - k r 2009-01-19 14:31:40.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.180 [GMT -8:00]

Running from: c:\documents and settings\k r\Desktop\ComboFix.exe

AV: Norton 360 *On-access scanning enabled* (Updated)

FW: Norton 360 *enabled*

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Downloaded Program Files\setup.inf

c:\windows\system32\_000008_.tmp.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_seneka

((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))

.

2009-01-19 04:03 . 2009-01-19 04:03 <DIR> d-------- C:\NSS

2009-01-19 04:02 . 2009-01-19 04:02 <DIR> d-------- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP

2009-01-19 04:02 . 2009-01-19 04:02 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2009-01-17 16:51 . 2009-01-17 16:51 <DIR> d-------- c:\program files\Trend Micro

2009-01-04 12:23 . 2009-01-19 04:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-04 12:23 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-04 12:23 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-19 11:58 --------- d-----w c:\program files\Symantec

2009-01-19 11:58 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-19 11:47 --------- d-----w c:\documents and settings\k r\Application Data\Symantec

2009-01-19 00:14 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF

2009-01-19 00:14 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS

2009-01-19 00:14 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT

2009-01-15 15:07 --------- d-----w c:\program files\Common Files\Symantec Shared

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-06 02:45 --------- d-----w c:\program files\Java

2008-11-30 03:46 --------- d-----w c:\documents and settings\k r\Application Data\Ludia

2008-11-30 03:44 --------- d-----w c:\program files\DNA

2008-11-28 16:18 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2008-11-26 20:58 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)

2008-11-19 02:10 --------- d-----w c:\documents and settings\k r\Application Data\Unreal Streaming

2008-10-22 13:57 49,328 -c--a-w c:\documents and settings\k r\Application Data\GDIPFONTCACHEV1.DAT

2005-09-27 23:32 344,998,294 -c--a-w c:\program files\Photoshop_CS2_tryout.zip

2005-09-22 00:24 351,314 ----a-w c:\program files\LimeWireWin.exe

2005-07-18 01:57 150,192 ----a-w c:\program files\TweakUiPowertoySetup.exe

2005-07-18 01:55 638,544 ----a-w c:\program files\PowerCalcPowertoySetup.exe

2005-05-31 23:16 2,560,240 ----a-w c:\program files\spywareblastersetup34.exe

2008-08-06 18:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080620080807\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]

@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"

[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]

2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]

@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"

[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]

2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]

@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"

[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]

2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-06 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]

"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2005-02-07 606208]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]

"WinDVR SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2005-08-15 106496]

"WinRemote"="c:\program files\InterVideo\WinDVR3\WinRemote.exe" [2005-08-15 208896]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-02 282624]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-19 11776]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-01-15 37376]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-05 136600]

c:\documents and settings\k r\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-04-28 24576]

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-08-15 208896]

McLeodUSA InteliGate IPSec Client 3.6.6 Rel K9.lnk - c:\program files\Cisco Systems\VPN Client\ipsecdialer.exe [2005-11-29 1285992]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 13:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=rnofma.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2006-06-14 15:24 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program Files\\Norton 360\\MAINSTUB.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]

R4 CVPNDRV;McLeodUSA IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [2005-11-29 267333]

R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 149352]

S3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2006-08-07 974464]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-09-20 33752]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-11-12 18688]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-11-12 8320]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-11-12 23680]

S3 TridVid;USB TV Tuner Analog Video;c:\windows\system32\drivers\TridVid.sys [2006-08-15 77824]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MSKAgent.exe

HKU-Default-Run-msiexec.exe - msiconf.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig?hl=en

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

Trusted Zone: www.google.com

Trusted Zone: www.malwarebytes.com

Trusted Zone: online.musicmatch.com

DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} - hxxp://www.umediaserver.net/bin/UMediaControl5.cab

DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://sierracazorla.axiscam.net:8081/activex/AMC.cab

DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} - hxxps://www.jiwire.com/activeX/wlaninfo.cab

.

.

------- File Associations -------

.

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-19 14:40:03

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1896079472-661483372-1434834166-1006\Software\Microsoft\Driver Signing]

@Denied: (2) (Administrators)

@Allowed: (2) (Administrators)

"Policy"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]

@Denied: (2) (Administrators)

@Allowed: (2) (Administrators)

"Policy"=hex:00,00,00,00

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1964)

c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKEEPER.exe

c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

c:\progra~1\Intel\Wireless\Bin\1XConfig.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe

c:\program files\HP\hpcoretech\comp\hptskmgr.exe

c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe

.

**************************************************************************

.

Completion time: 2009-01-19 14:44:15 - machine was rebooted [k r]

ComboFix-quarantined-files.txt 2009-01-19 22:43:50

Pre-Run: 37,301,170,176 bytes free

Post-Run: 37,990,178,816 bytes free

205 --- E O F --- 2009-01-18 23:54:19


Uninstall the following software:

Bit DNA

LimeWire

Acrobat 7.0 Reader (out of date and exploited; download the latest version Here)

Click start-->Control Panel-->Add/Remove Programs...scroll down the list to locate the program names and click Remove. Reboot when finished uninstalling.

Copy the data in the code box below into notepad and save it as FixAppInit.reg

Set File type to "all files"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=-

"AppInit_DLLs"=""

Double-click that file and confirm you want to merge it with the registry.

Please open a blank Notepad by clicking start-->run

Then, in the run box type Notepad.exe and click "OK".

Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

File::

c:\program files\LimeWireWin.exe

Folder::

c:\program files\DNA

Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\Program Files\LimeWire\LimeWire.exe"=-

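The helper's reading of the ComboFix log above (an AppInit_DLLs value of rnofma.dll, Security Center monitoring switched off, LimeWire in the firewall exception list, 3389/TCP globally open) can be mechanised. The script below is an added example and is not part of this thread, of ComboFix or of Malwarebytes: it parses a constructed excerpt in the shape of the log's "Reg Loading Points" section and flags those indicators for a reviewer. The list of expected firewall exceptions is an assumption made for illustration, not something the thread specifies.

```python
"""Triage a ComboFix 'Reg Loading Points' excerpt for the indicators acted on in this thread."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the ComboFix log posted above; not a complete log.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=rnofma.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
'''

KEY_RE = re.compile(r'^\[(.+)\]$')            # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "Name"=data  (data may be empty)

# Assumed baseline of firewall exceptions a reviewer would accept on this box
# (lower-case, backslashes doubled exactly as ComboFix prints them).
EXPECTED_FIREWALL_APPS = {
    r"c:\\windows\\system32\\sessmgr.exe",
    r"%windir%\\system32\\sessmgr.exe",
    r"%windir%\\network diagnostic\\xpnetdiag.exe",
    r"c:\\program files\\malwarebytes' anti-malware\\mbam.exe",
}


def parse_loading_points(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each registry key in the excerpt to its (value name, data) pairs, keys lower-cased."""
    keys: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current].append((m.group(1), m.group(2).strip()))
    return keys


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for the loading points the helper acted on in this thread."""
    findings: List[Tuple[str, str]] = []
    for key, values in parse_loading_points(text).items():
        for name, data in values:
            lname = name.lower()
            # A non-empty AppInit_DLLs is loaded into every process that maps user32.dll.
            if key.endswith(r"\windows nt\currentversion\windows") and lname == "appinit_dlls" and data:
                findings.append(("appinit_dlls", data))
            # Security Center told not to warn about AV/firewall state.
            elif "security center\\monitoring" in key and lname == "disablemonitoring" and data.endswith("1"):
                findings.append(("security_center_monitoring_disabled", key))
            # Windows Firewall profile switched off.
            elif key.endswith(r"firewallpolicy\standardprofile") and lname == "enablefirewall" and data.startswith("0"):
                findings.append(("windows_firewall_disabled", key))
            # Any inbound exception not on the baseline deserves a look (LimeWire here).
            elif key.endswith(r"authorizedapplications\list") and lname not in EXPECTED_FIREWALL_APPS:
                findings.append(("unexpected_firewall_exception", name))
            # Globally open ports (3389/TCP is Remote Desktop) bypass per-application filtering.
            elif key.endswith(r"globallyopenports\list"):
                findings.append(("globally_open_port", name))
    return findings


if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_LOG):
        print(f"{finding:40s} {detail}")
```

The script reads the log text, so it works on a ComboFix.txt pulled from C:\Qoobox without touching the machine; on a live XP box the AppInit value itself can be confirmed with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs`, which should come back empty once the .reg file above has been merged.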

alright, here we go again

ComboFix 09-01-21.02 - k r 2009-01-21 15:38:47.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.187 [GMT -8:00]

Running from: c:\documents and settings\k r\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\k r\Desktop\CFScript.txt

AV: Norton 360 *On-access scanning disabled* (Updated)

FW: Norton 360 *disabled*

* Created a new restore point

FILE ::

c:\program files\LimeWireWin.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\LimeWireWin.exe

.

((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))

.

2009-01-19 15:48 . 2009-01-19 15:48 <DIR> d-------- c:\program files\Windows Sidebar

2009-01-19 15:48 . 2009-01-21 06:43 <DIR> d-------- c:\program files\Norton 360

2009-01-19 15:45 . 2009-01-19 15:51 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS

2009-01-19 15:45 . 2009-01-19 15:51 60,800 --a------ c:\windows\system32\S32EVNT1.DLL

2009-01-19 15:45 . 2009-01-19 15:51 10,563 --a------ c:\windows\system32\drivers\SYMEVENT.CAT

2009-01-19 15:45 . 2009-01-19 15:51 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF

2009-01-19 04:02 . 2009-01-19 04:02 <DIR> d-------- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP

2009-01-19 04:02 . 2009-01-19 04:02 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2009-01-17 16:51 . 2009-01-17 16:51 <DIR> d-------- c:\program files\Trend Micro

2009-01-04 12:23 . 2009-01-19 04:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-04 12:23 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-04 12:23 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-21 23:37 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-01-21 23:12 --------- d-----w c:\program files\LimeWire

2009-01-20 03:55 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-01-19 23:54 --------- d-----w c:\documents and settings\k r\Application Data\Symantec

2009-01-19 23:51 --------- d-----w c:\program files\Symantec

2009-01-19 11:58 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys

2008-12-06 02:45 410,984 ----a-w c:\windows\system32\deploytk.dll

2008-12-06 02:45 --------- d-----w c:\program files\Java

2008-11-30 03:46 --------- d-----w c:\documents and settings\k r\Application Data\Ludia

2008-11-26 20:58 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)

2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys

2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll

2008-10-22 13:57 49,328 -c--a-w c:\documents and settings\k r\Application Data\GDIPFONTCACHEV1.DAT

2005-09-27 23:32 344,998,294 -c--a-w c:\program files\Photoshop_CS2_tryout.zip

2005-07-18 01:57 150,192 ----a-w c:\program files\TweakUiPowertoySetup.exe

2005-07-18 01:55 638,544 ----a-w c:\program files\PowerCalcPowertoySetup.exe

2005-05-31 23:16 2,560,240 ----a-w c:\program files\spywareblastersetup34.exe

2008-08-06 18:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080620080807\index.dat

.

((((((((((((((((((((((((((((( snapshot@2009-01-19_14.42.45.76 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-01-18 23:38:21 22,016 ----a-w c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP\WiseCustomCall.dll

+ 2009-01-19 23:10:25 22,016 ----a-w c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP\WiseCustomCall.dll

- 2008-07-31 00:42:12 23,888 ----a-w c:\windows\system32\drivers\COH_Mon.sys

+ 2008-07-31 01:42:12 23,888 ----a-w c:\windows\system32\drivers\COH_Mon.sys

- 2008-06-13 21:13:38 13,616 ----a-w c:\windows\system32\drivers\symdns.sys

+ 2008-02-05 19:34:43 13,616 ----a-w c:\windows\system32\drivers\symdns.sys

- 2008-06-13 21:13:38 96,432 ----a-w c:\windows\system32\drivers\symfw.sys

+ 2008-02-05 19:34:43 96,432 ----a-w c:\windows\system32\drivers\symfw.sys

- 2008-06-13 21:13:38 38,576 ----a-w c:\windows\system32\drivers\symids.sys

+ 2008-02-05 19:34:43 38,576 ----a-w c:\windows\system32\drivers\symids.sys

- 2008-06-13 21:14:02 31,280 ----a-w c:\windows\system32\drivers\SymIM.sys

+ 2008-02-06 21:43:53 31,408 ----a-w c:\windows\system32\drivers\SymIM.sys

- 2008-06-13 21:13:38 37,424 ----a-w c:\windows\system32\drivers\symndis.sys

+ 2008-02-05 19:34:43 37,424 ----a-w c:\windows\system32\drivers\symndis.sys

- 2008-06-13 21:13:40 41,008 ----a-w c:\windows\system32\drivers\symndisv.sys

+ 2008-02-05 19:34:43 41,008 ----a-w c:\windows\system32\drivers\symndisv.sys

- 2008-06-13 21:13:38 22,320 ----a-w c:\windows\system32\drivers\symredrv.sys

+ 2008-02-05 19:34:43 22,320 ----a-w c:\windows\system32\drivers\symredrv.sys

- 2008-06-13 21:13:40 184,240 ----a-w c:\windows\system32\drivers\symtdi.sys

+ 2008-02-05 19:34:43 188,464 ----a-w c:\windows\system32\drivers\symtdi.sys

- 2008-04-17 20:12:54 107,368 ----a-w c:\windows\system32\GEARAspi.dll

+ 2008-01-29 20:02:30 107,368 ----a-w c:\windows\system32\GEARAspi.dll

- 2008-06-13 21:45:48 579,464 ----a-w c:\windows\system32\SymNeti.dll

+ 2008-02-20 01:06:11 579,464 ----a-w c:\windows\system32\SymNeti.dll

- 2008-06-13 21:45:44 207,240 ----a-w c:\windows\system32\SymRedir.dll

+ 2008-02-20 01:06:11 207,240 ----a-w c:\windows\system32\SymRedir.dll

+ 2009-01-21 15:16:05 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_5fc.dat

+ 2009-01-21 15:16:30 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_770.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]

@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"

[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]

2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]

@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"

[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]

2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]

@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"

[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]

2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-06 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]

"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2005-02-07 606208]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]

"WinDVR SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2005-08-15 106496]

"WinRemote"="c:\program files\InterVideo\WinDVR3\WinRemote.exe" [2005-08-15 208896]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-02 282624]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-19 11776]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-01-15 37376]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-05 136600]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 51048]

"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]

c:\documents and settings\k r\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-04-28 24576]

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-08-15 208896]

McLeodUSA InteliGate IPSec Client 3.6.6 Rel K9.lnk - c:\program files\Cisco Systems\VPN Client\ipsecdialer.exe [2005-11-29 1285992]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 13:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=rnofma.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2006-06-14 15:24 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-19 99376]

R4 CVPNDRV;McLeodUSA IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [2005-11-29 267333]

R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-18 149352]

S3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2006-08-07 974464]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-09-20 33752]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-11-12 18688]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-11-12 8320]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-11-12 23680]

S3 TridVid;USB TV Tuner Analog Video;c:\windows\system32\drivers\TridVid.sys [2006-08-15 77824]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig?hl=en

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

Trusted Zone: musicmatch.com\online

DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} - hxxp://www.umediaserver.net/bin/UMediaControl5.cab

DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://sierracazorla.axiscam.net:8081/activex/AMC.cab

DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} - hxxps://www.jiwire.com/activeX/wlaninfo.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-21 15:45:50

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1956)

c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

Completion time: 2009-01-21 15:50:10

ComboFix-quarantined-files.txt 2009-01-21 23:49:34

ComboFix2.txt 2009-01-19 23:28:40

ComboFix3.txt 2009-01-19 22:44:16

Pre-Run: 38,348,406,784 bytes free

Post-Run: 38,385,676,288 bytes free

202 --- E O F --- 2009-01-18 23:54:19


Did you have some trouble using the .reg file from the previous instruction? Are you certain you followed the direction exactly as detailed for the .reg file portion of that instruction?

The reason I ask is because your combofix log shows that the AppInit entry is still corrupted...and that .reg file should have corrected this. Please go over the instruction once more for using the .reg file in the previous instruction.

Please open a blank Notepad by clicking start-->run

Then, in the run box type Notepad.exe and click "OK".

Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

File::

E80F62FF5D3C4A1984099721F2928206.TMP

Folder::

c:\program files\LimeWire


I ran this again. After displaying the log file, combofix has locked up the last two times. I just have my wallpaper. No icons or anything. Here is the latest log.

ComboFix 09-01-21.02 - k r 2009-01-21 23:26:47.4 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.199 [GMT -8:00]

Running from: c:\documents and settings\k r\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\k r\Desktop\CFScript.txt

AV: Norton 360 *On-access scanning disabled* (Updated)

FW: Norton 360 *disabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\LimeWire

c:\program files\LimeWire\hs_err_pid1040.log

c:\program files\LimeWire\hs_err_pid1952.log

c:\program files\LimeWire\hs_err_pid3320.log

c:\program files\LimeWire\hs_err_pid3624.log

c:\program files\LimeWire\hs_err_pid3860.log

c:\program files\LimeWire\hs_err_pid3908.log

c:\program files\LimeWire\hs_err_pid760.log

.

((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))

.

2009-01-19 15:48 . 2009-01-19 15:48 <DIR> d-------- c:\program files\Windows Sidebar

2009-01-19 15:48 . 2009-01-21 06:43 <DIR> d-------- c:\program files\Norton 360

2009-01-19 15:45 . 2009-01-19 15:51 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS

2009-01-19 15:45 . 2009-01-19 15:51 60,800 --a------ c:\windows\system32\S32EVNT1.DLL

2009-01-19 15:45 . 2009-01-19 15:51 10,563 --a------ c:\windows\system32\drivers\SYMEVENT.CAT

2009-01-19 15:45 . 2009-01-19 15:51 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF

2009-01-19 04:02 . 2009-01-19 04:02 <DIR> d-------- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP

2009-01-19 04:02 . 2009-01-19 04:02 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2009-01-17 16:51 . 2009-01-17 16:51 <DIR> d-------- c:\program files\Trend Micro

2009-01-04 12:23 . 2009-01-19 04:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-04 12:23 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-04 12:23 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-22 07:23 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-01-20 03:55 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-01-19 23:54 --------- d-----w c:\documents and settings\k r\Application Data\Symantec

2009-01-19 23:51 --------- d-----w c:\program files\Symantec

2009-01-19 11:58 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys

2008-12-06 02:45 410,984 ----a-w c:\windows\system32\deploytk.dll

2008-12-06 02:45 --------- d-----w c:\program files\Java

2008-11-30 03:46 --------- d-----w c:\documents and settings\k r\Application Data\Ludia

2008-11-26 20:58 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)

2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys

2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll

2008-10-22 13:57 49,328 -c--a-w c:\documents and settings\k r\Application Data\GDIPFONTCACHEV1.DAT

2005-09-27 23:32 344,998,294 -c--a-w c:\program files\Photoshop_CS2_tryout.zip

2005-07-18 01:57 150,192 ----a-w c:\program files\TweakUiPowertoySetup.exe

2005-07-18 01:55 638,544 ----a-w c:\program files\PowerCalcPowertoySetup.exe

2005-05-31 23:16 2,560,240 ----a-w c:\program files\spywareblastersetup34.exe

2008-08-06 18:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080620080807\index.dat

.

((((((((((((((((((((((((((((( snapshot@2009-01-19_14.42.45.76 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-01-18 23:38:21 22,016 ----a-w c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP\WiseCustomCall.dll

+ 2009-01-19 23:10:25 22,016 ----a-w c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP\WiseCustomCall.dll

- 2008-07-31 00:42:12 23,888 ----a-w c:\windows\system32\drivers\COH_Mon.sys

+ 2008-07-31 01:42:12 23,888 ----a-w c:\windows\system32\drivers\COH_Mon.sys

- 2008-06-13 21:13:38 13,616 ----a-w c:\windows\system32\drivers\symdns.sys

+ 2008-02-05 19:34:43 13,616 ----a-w c:\windows\system32\drivers\symdns.sys

- 2008-06-13 21:13:38 96,432 ----a-w c:\windows\system32\drivers\symfw.sys

+ 2008-02-05 19:34:43 96,432 ----a-w c:\windows\system32\drivers\symfw.sys

- 2008-06-13 21:13:38 38,576 ----a-w c:\windows\system32\drivers\symids.sys

+ 2008-02-05 19:34:43 38,576 ----a-w c:\windows\system32\drivers\symids.sys

- 2008-06-13 21:14:02 31,280 ----a-w c:\windows\system32\drivers\SymIM.sys

+ 2008-02-06 21:43:53 31,408 ----a-w c:\windows\system32\drivers\SymIM.sys

- 2008-06-13 21:13:38 37,424 ----a-w c:\windows\system32\drivers\symndis.sys

+ 2008-02-05 19:34:43 37,424 ----a-w c:\windows\system32\drivers\symndis.sys

- 2008-06-13 21:13:40 41,008 ----a-w c:\windows\system32\drivers\symndisv.sys

+ 2008-02-05 19:34:43 41,008 ----a-w c:\windows\system32\drivers\symndisv.sys

- 2008-06-13 21:13:38 22,320 ----a-w c:\windows\system32\drivers\symredrv.sys

+ 2008-02-05 19:34:43 22,320 ----a-w c:\windows\system32\drivers\symredrv.sys

- 2008-06-13 21:13:40 184,240 ----a-w c:\windows\system32\drivers\symtdi.sys

+ 2008-02-05 19:34:43 188,464 ----a-w c:\windows\system32\drivers\symtdi.sys

- 2008-04-17 20:12:54 107,368 ----a-w c:\windows\system32\GEARAspi.dll

+ 2008-01-29 20:02:30 107,368 ----a-w c:\windows\system32\GEARAspi.dll

- 2008-06-13 21:45:48 579,464 ----a-w c:\windows\system32\SymNeti.dll

+ 2008-02-20 01:06:11 579,464 ----a-w c:\windows\system32\SymNeti.dll

- 2008-06-13 21:45:44 207,240 ----a-w c:\windows\system32\SymRedir.dll

+ 2008-02-20 01:06:11 207,240 ----a-w c:\windows\system32\SymRedir.dll

+ 2009-01-22 00:02:10 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_3b8.dat

+ 2009-01-22 00:01:43 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_618.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]

@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"

[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]

2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]

@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"

[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]

2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]

@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"

[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]

2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-06 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]

"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2005-02-07 606208]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]

"WinDVR SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2005-08-15 106496]

"WinRemote"="c:\program files\InterVideo\WinDVR3\WinRemote.exe" [2005-08-15 208896]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-02 282624]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-19 11776]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-01-15 37376]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-05 136600]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 51048]

"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]

c:\documents and settings\k r\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-04-28 24576]

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-08-15 208896]

McLeodUSA InteliGate IPSec Client 3.6.6 Rel K9.lnk - c:\program files\Cisco Systems\VPN Client\ipsecdialer.exe [2005-11-29 1285992]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 13:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=rnofma.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2006-06-14 15:24 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-19 99376]

R4 CVPNDRV;McLeodUSA IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [2005-11-29 267333]

R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-18 149352]

S3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2006-08-07 974464]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-09-20 33752]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-11-12 18688]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-11-12 8320]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-11-12 23680]

S3 TridVid;USB TV Tuner Analog Video;c:\windows\system32\drivers\TridVid.sys [2006-08-15 77824]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig?hl=en

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

Trusted Zone: musicmatch.com\online

DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} - hxxp://www.umediaserver.net/bin/UMediaControl5.cab

DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://sierracazorla.axiscam.net:8081/activex/AMC.cab

DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} - hxxps://www.jiwire.com/activeX/wlaninfo.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-21 23:33:44

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1956)

c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

Completion time: 2009-01-21 23:37:01

ComboFix-quarantined-files.txt 2009-01-22 07:36:24

ComboFix2.txt 2009-01-21 23:50:14

ComboFix3.txt 2009-01-19 23:28:40

ComboFix4.txt 2009-01-19 22:44:16

Pre-Run: 38,350,880,768 bytes free

Post-Run: 38,367,723,520 bytes free

207 --- E O F --- 2009-01-18 23:54:19



You didn't answer my question:

Did you have some trouble using the .reg file from the previous instruction?

Please open another blank Notepad by clicking start-->run

Then, in the run box type Notepad.exe and click "OK".

Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

File::

c:\windows\system32\rnofma.dll


Oh, sorry, I didn't have any problem running the reg file.


You know, I'm not sure anymore. I ran it again. Here you go.

ComboFix 09-01-21.04 - k r 2009-01-22 16:00:34.5 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.178 [GMT -8:00]

Running from: c:\documents and settings\k r\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\k r\Desktop\CFScript.txt

AV: Norton 360 *On-access scanning disabled* (Updated)

FW: Norton 360 *disabled*

* Created a new restore point

FILE ::

c:\windows\system32\rnofma.dll

.

((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))

.

2009-01-19 15:48 . 2009-01-19 15:48 <DIR> d-------- c:\program files\Windows Sidebar

2009-01-19 15:48 . 2009-01-21 06:43 <DIR> d-------- c:\program files\Norton 360

2009-01-19 15:45 . 2009-01-19 15:51 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS

2009-01-19 15:45 . 2009-01-19 15:51 60,800 --a------ c:\windows\system32\S32EVNT1.DLL

2009-01-19 15:45 . 2009-01-19 15:51 10,563 --a------ c:\windows\system32\drivers\SYMEVENT.CAT

2009-01-19 15:45 . 2009-01-19 15:51 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF

2009-01-19 04:02 . 2009-01-19 04:02 <DIR> d-------- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP

2009-01-19 04:02 . 2009-01-19 04:02 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2009-01-17 16:51 . 2009-01-17 16:51 <DIR> d-------- c:\program files\Trend Micro

2009-01-04 12:23 . 2009-01-19 04:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-04 12:23 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-04 12:23 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-22 23:58 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-01-20 03:55 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-01-19 23:54 --------- d-----w c:\documents and settings\k r\Application Data\Symantec

2009-01-19 23:51 --------- d-----w c:\program files\Symantec

2009-01-19 11:58 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys

2008-12-06 02:45 410,984 ----a-w c:\windows\system32\deploytk.dll

2008-12-06 02:45 --------- d-----w c:\program files\Java

2008-11-30 03:46 --------- d-----w c:\documents and settings\k r\Application Data\Ludia

2008-11-26 20:58 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)

2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys

2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll

2008-10-22 13:57 49,328 -c--a-w c:\documents and settings\k r\Application Data\GDIPFONTCACHEV1.DAT

2005-09-27 23:32 344,998,294 -c--a-w c:\program files\Photoshop_CS2_tryout.zip

2005-07-18 01:57 150,192 ----a-w c:\program files\TweakUiPowertoySetup.exe

2005-07-18 01:55 638,544 ----a-w c:\program files\PowerCalcPowertoySetup.exe

2005-05-31 23:16 2,560,240 ----a-w c:\program files\spywareblastersetup34.exe

2008-08-06 18:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080620080807\index.dat

.

((((((((((((((((((((((((((((( snapshot@2009-01-19_14.42.45.76 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-01-18 23:38:21 22,016 ----a-w c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP\WiseCustomCall.dll

+ 2009-01-19 23:10:25 22,016 ----a-w c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP\WiseCustomCall.dll

- 2008-07-31 00:42:12 23,888 ----a-w c:\windows\system32\drivers\COH_Mon.sys

+ 2008-07-31 01:42:12 23,888 ----a-w c:\windows\system32\drivers\COH_Mon.sys

- 2008-06-13 21:13:38 13,616 ----a-w c:\windows\system32\drivers\symdns.sys

+ 2008-06-13 22:13:38 13,616 ----a-w c:\windows\system32\drivers\symdns.sys

- 2008-06-13 21:13:38 96,432 ----a-w c:\windows\system32\drivers\symfw.sys

+ 2008-06-13 22:13:38 96,432 ----a-w c:\windows\system32\drivers\symfw.sys

- 2008-06-13 21:13:38 38,576 ----a-w c:\windows\system32\drivers\symids.sys

+ 2008-06-13 22:13:38 38,576 ----a-w c:\windows\system32\drivers\symids.sys

- 2008-06-13 21:14:02 31,280 ----a-w c:\windows\system32\drivers\SymIM.sys

+ 2008-06-13 22:14:02 31,280 ----a-w c:\windows\system32\drivers\SymIM.sys

- 2008-06-13 21:13:38 37,424 ----a-w c:\windows\system32\drivers\symndis.sys

+ 2008-06-13 22:13:38 37,424 ----a-w c:\windows\system32\drivers\symndis.sys

- 2008-06-13 21:13:40 41,008 ----a-w c:\windows\system32\drivers\symndisv.sys

+ 2008-06-13 22:13:40 41,008 ----a-w c:\windows\system32\drivers\symndisv.sys

- 2008-06-13 21:13:38 22,320 ----a-w c:\windows\system32\drivers\symredrv.sys

+ 2008-06-13 22:13:38 22,320 ----a-w c:\windows\system32\drivers\symredrv.sys

- 2008-06-13 21:13:40 184,240 ----a-w c:\windows\system32\drivers\symtdi.sys

+ 2008-06-13 22:13:40 184,240 ----a-w c:\windows\system32\drivers\symtdi.sys

- 2008-04-17 20:12:54 107,368 ----a-w c:\windows\system32\GEARAspi.dll

+ 2008-01-29 20:02:30 107,368 ----a-w c:\windows\system32\GEARAspi.dll

- 2008-06-13 21:45:48 579,464 ----a-w c:\windows\system32\SymNeti.dll

+ 2008-06-13 22:45:48 579,464 ----a-w c:\windows\system32\SymNeti.dll

- 2008-06-13 21:45:44 207,240 ----a-w c:\windows\system32\SymRedir.dll

+ 2008-06-13 22:45:44 207,240 ----a-w c:\windows\system32\SymRedir.dll

+ 2009-01-22 15:23:29 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_310.dat

+ 2009-01-22 15:22:59 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6b0.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]

@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"

[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]

2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]

@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"

[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]

2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]

@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"

[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]

2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-06 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]

"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2005-02-07 606208]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]

"WinDVR SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2005-08-15 106496]

"WinRemote"="c:\program files\InterVideo\WinDVR3\WinRemote.exe" [2005-08-15 208896]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-02 282624]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-19 11776]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-01-15 37376]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-05 136600]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]

c:\documents and settings\k r\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-04-28 24576]

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-08-15 208896]

McLeodUSA InteliGate IPSec Client 3.6.6 Rel K9.lnk - c:\program files\Cisco Systems\VPN Client\ipsecdialer.exe [2005-11-29 1285992]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 13:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=rnofma.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2006-06-14 15:24 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-19 99376]

R4 CVPNDRV;McLeodUSA IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [2005-11-29 267333]

R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 149352]

S3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2006-08-07 974464]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-09-20 33752]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-11-12 18688]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-11-12 8320]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-11-12 23680]

S3 TridVid;USB TV Tuner Analog Video;c:\windows\system32\drivers\TridVid.sys [2006-08-15 77824]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig?hl=en

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

Trusted Zone: musicmatch.com\online

DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} - hxxp://www.umediaserver.net/bin/UMediaControl5.cab

DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://sierracazorla.axiscam.net:8081/activex/AMC.cab

DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} - hxxps://www.jiwire.com/activeX/wlaninfo.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-22 16:06:55

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1956)

c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

Completion time: 2009-01-22 16:09:53

ComboFix-quarantined-files.txt 2009-01-23 00:09:19

ComboFix2.txt 2009-01-22 07:37:03

ComboFix3.txt 2009-01-21 23:50:14

ComboFix4.txt 2009-01-19 23:28:40

ComboFix5.txt 2009-01-22 23:57:44

Pre-Run: 38,244,921,344 bytes free

Post-Run: 38,324,715,520 bytes free

199 --- E O F --- 2009-01-18 23:54:19


This one is stubborn and I'm not so sure it's unrelated to a formatting issue. The only remaining problem is the AppInit_DLLs corrupted entry for rnofma.dll. The .reg file we used should have corrected the issue, however, on further examination, the entry in your log shows a space between "windows" and "nt" here:

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=rnofma.dll

...and there should be no space there. The .reg file we used does not contain a space. This mismatch may only be this forum software formatting but we'll see.

Let's be sure to perform the steps below exactly as detailed:

Copy the data in the code box below into notepad and save it as deletereg.reg

Set File type to "all files"

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
"AppInit_DLLs"=""

Double-click that file and confirm you want to merge it with the registry.

Next, please open another blank Notepad by clicking start-->run

Then, in the run box type Notepad.exe and click "OK".

Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

Rootkit::

c:\windows\system32\rnofma.dll


Hi there,

I really do appreciate your time!

Here we go again,

ComboFix 09-01-21.04 - k r 2009-01-22 19:57:50.6 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.197 [GMT -8:00]

Running from: c:\documents and settings\k r\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\k r\Desktop\CFScript.txt

AV: Norton 360 *On-access scanning disabled* (Updated)

FW: Norton 360 *disabled*

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2008-12-23 to 2009-01-23 )))))))))))))))))))))))))))))))

.

2009-01-19 15:48 . 2009-01-19 15:48 <DIR> d-------- c:\program files\Windows Sidebar

2009-01-19 15:48 . 2009-01-21 06:43 <DIR> d-------- c:\program files\Norton 360

2009-01-19 15:45 . 2009-01-22 17:40 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS

2009-01-19 15:45 . 2009-01-22 17:40 60,808 --a------ c:\windows\system32\S32EVNT1.DLL

2009-01-19 15:45 . 2009-01-22 17:40 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT

2009-01-19 15:45 . 2009-01-22 17:40 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF

2009-01-19 04:02 . 2009-01-19 04:02 <DIR> d-------- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP

2009-01-19 04:02 . 2009-01-19 04:02 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2009-01-17 16:51 . 2009-01-17 16:51 <DIR> d-------- c:\program files\Trend Micro

2009-01-04 12:23 . 2009-01-19 04:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-04 12:23 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-04 12:23 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-23 04:07 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-01-23 01:40 --------- d-----w c:\program files\Symantec

2009-01-20 03:55 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-01-19 23:54 --------- d-----w c:\documents and settings\k r\Application Data\Symantec

2009-01-19 11:58 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-06 02:45 --------- d-----w c:\program files\Java

2008-11-30 03:46 --------- d-----w c:\documents and settings\k r\Application Data\Ludia

2008-11-26 20:58 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)

2008-10-22 13:57 49,328 -c--a-w c:\documents and settings\k r\Application Data\GDIPFONTCACHEV1.DAT

2005-09-27 23:32 344,998,294 -c--a-w c:\program files\Photoshop_CS2_tryout.zip

2005-07-18 01:57 150,192 ----a-w c:\program files\TweakUiPowertoySetup.exe

2005-07-18 01:55 638,544 ----a-w c:\program files\PowerCalcPowertoySetup.exe

2005-05-31 23:16 2,560,240 ----a-w c:\program files\spywareblastersetup34.exe

2008-08-06 18:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080620080807\index.dat

.

((((((((((((((((((((((((((((( snapshot@2009-01-19_14.42.45.76 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-01-18 23:38:21 22,016 ----a-w c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP\WiseCustomCall.dll

+ 2009-01-19 23:10:25 22,016 ----a-w c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP\WiseCustomCall.dll

- 2008-07-31 00:42:12 23,888 ----a-w c:\windows\system32\drivers\COH_Mon.sys

+ 2008-07-31 01:42:12 23,888 ----a-w c:\windows\system32\drivers\COH_Mon.sys

- 2008-06-13 21:13:38 13,616 ----a-w c:\windows\system32\drivers\symdns.sys

+ 2008-06-13 22:13:38 13,616 ----a-w c:\windows\system32\drivers\symdns.sys

- 2008-06-13 21:13:38 96,432 ----a-w c:\windows\system32\drivers\symfw.sys

+ 2008-06-13 22:13:38 96,432 ----a-w c:\windows\system32\drivers\symfw.sys

- 2008-06-13 21:13:38 38,576 ----a-w c:\windows\system32\drivers\symids.sys

+ 2008-06-13 22:13:38 38,576 ----a-w c:\windows\system32\drivers\symids.sys

- 2008-06-13 21:14:02 31,280 ----a-w c:\windows\system32\drivers\SymIM.sys

+ 2008-06-13 22:14:02 31,280 ----a-w c:\windows\system32\drivers\SymIM.sys

- 2008-06-13 21:13:38 37,424 ----a-w c:\windows\system32\drivers\symndis.sys

+ 2008-06-13 22:13:38 37,424 ----a-w c:\windows\system32\drivers\symndis.sys

- 2008-06-13 21:13:40 41,008 ----a-w c:\windows\system32\drivers\symndisv.sys

+ 2008-06-13 22:13:40 41,008 ----a-w c:\windows\system32\drivers\symndisv.sys

- 2008-06-13 21:13:38 22,320 ----a-w c:\windows\system32\drivers\symredrv.sys

+ 2008-06-13 22:13:38 22,320 ----a-w c:\windows\system32\drivers\symredrv.sys

- 2008-06-13 21:13:40 184,240 ----a-w c:\windows\system32\drivers\symtdi.sys

+ 2008-06-13 22:13:40 184,240 ----a-w c:\windows\system32\drivers\symtdi.sys

- 2008-04-17 20:12:54 107,368 ----a-w c:\windows\system32\GEARAspi.dll

+ 2008-01-29 20:02:30 107,368 ----a-w c:\windows\system32\GEARAspi.dll

- 2008-06-13 21:45:48 579,464 ----a-w c:\windows\system32\SymNeti.dll

+ 2008-06-13 22:45:48 579,464 ----a-w c:\windows\system32\SymNeti.dll

- 2008-06-13 21:45:44 207,240 ----a-w c:\windows\system32\SymRedir.dll

+ 2008-06-13 22:45:44 207,240 ----a-w c:\windows\system32\SymRedir.dll

+ 2009-01-23 04:07:24 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_5f4.dat

+ 2009-01-23 04:06:54 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_638.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]

@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"

[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]

2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]

@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"

[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]

2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]

@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"

[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]

2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-06 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]

"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2005-02-07 606208]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]

"WinDVR SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2005-08-15 106496]

"WinRemote"="c:\program files\InterVideo\WinDVR3\WinRemote.exe" [2005-08-15 208896]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-02 282624]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-19 11776]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-01-15 37376]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-05 136600]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]

c:\documents and settings\k r\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-04-28 24576]

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-08-15 208896]

McLeodUSA InteliGate IPSec Client 3.6.6 Rel K9.lnk - c:\program files\Cisco Systems\VPN Client\ipsecdialer.exe [2005-11-29 1285992]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 13:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2006-06-14 15:24 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-19 99376]

R4 CVPNDRV;McLeodUSA IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [2005-11-29 267333]

R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 149352]

S3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2006-08-07 974464]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-09-20 33752]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-11-12 18688]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-11-12 8320]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-11-12 23680]

S3 TridVid;USB TV Tuner Analog Video;c:\windows\system32\drivers\TridVid.sys [2006-08-15 77824]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig?hl=en

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

Trusted Zone: musicmatch.com\online

DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} - hxxp://www.umediaserver.net/bin/UMediaControl5.cab

DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://sierracazorla.axiscam.net:8081/activex/AMC.cab

DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} - hxxps://www.jiwire.com/activeX/wlaninfo.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-22 20:07:54

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1960)

c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKEEPER.exe

c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

c:\progra~1\Intel\Wireless\Bin\1XConfig.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe

c:\program files\HP\hpcoretech\comp\hptskmgr.exe

c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe

.

**************************************************************************

.

Completion time: 2009-01-22 20:13:45 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-23 04:13:26

ComboFix2.txt 2009-01-23 00:09:55

ComboFix3.txt 2009-01-22 07:37:03

ComboFix4.txt 2009-01-21 23:50:14

ComboFix5.txt 2009-01-23 03:56:01

Pre-Run: 38,286,934,016 bytes free

Post-Run: 38,299,873,280 bytes free

207 --- E O F --- 2009-01-18 23:54:19


Excellent! Looks like that did it in spite of the fact that I explained myself backwards:

"...and there should be no space there"

...and that should read:

"...and there should be a space there." The format issue was, I believe, my own text editor removing the space at the line break when "nt" appears on the next line below "windows". My problem, not the forum.

On to business. Let's see a fresh HijackThis log now and please advise us how the system is behaving for you. Thanks!

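As an added example, not code from this thread or from Malwarebytes, here is a small Python audit script for the REGEDIT4 format used in the deletereg.reg fix above and in the correction about the space in "windows nt". It parses a .reg file into the operations regedit would perform and flags a key path that matches the real AppInit_DLLs key only once whitespace is ignored, which is the mismatch that kept the earlier .reg file from touching the real value (a merge into a path without the space creates a new, unrelated key). The two sample .reg texts are constructed, and the expected-key list is an assumption chosen for this thread's fix.

```python
"""Audit a REGEDIT4 (.reg) file before merging it (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample inputs, not copied from the thread's logs: the broken
# form with the space lost at a line break, and the corrected form.
BROKEN_REG = (
    "REGEDIT4\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\software\\microsoft\\windowsnt\\currentversion\\windows]\n"
    "\"AppInit_DLLs\"=-\n"
    "\"AppInit_DLLs\"=\"\"\n"
)
FIXED_REG = BROKEN_REG.replace("windowsnt", "windows nt")

# Assumed expected key for this fix: the key that actually holds AppInit_DLLs.
EXPECTED_KEYS = {
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows",
}

KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


@dataclass
class RegOp:
    key: str
    name: str        # value name; empty for whole-key operations
    action: str      # "delete_key", "delete_value" or "set_value"
    data: str = ""   # string data for set_value (surrounding quotes stripped)


@dataclass
class RegReport:
    ops: List[RegOp] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def _squash(path: str) -> str:
    """Lower-case a key path and drop all whitespace, for near-miss comparison."""
    return re.sub(r"\s+", "", path.lower())


def check_key_path(key: str) -> Optional[str]:
    """Return a warning string if `key` is not one of the expected paths."""
    if key.lower() in EXPECTED_KEYS:
        return None
    for expected in EXPECTED_KEYS:
        if _squash(expected) == _squash(key):
            return (f"key '{key}' differs from '{expected}' only in spacing; "
                    "merging it would create a new key instead of editing the real one")
    return f"unexpected key path: {key}"


def parse_reg(text: str) -> RegReport:
    """Parse REGEDIT4 text into the operations regedit would perform, plus warnings."""
    report = RegReport()
    lines = text.splitlines()
    has_header = bool(lines) and lines[0].strip() == "REGEDIT4"
    if not has_header:
        report.warnings.append("missing REGEDIT4 header on the first line")
    elif len(lines) < 2 or lines[1].strip():
        report.warnings.append("REGEDIT4 header should be followed by a blank line")
    body = lines[1:] if has_header else lines
    current_key: Optional[str] = None
    for raw in body:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank lines and comments
        m = KEY_RE.match(line)
        if m:
            minus, key = m.group(1), m.group(2)
            warning = check_key_path(key)
            if warning:
                report.warnings.append(warning)
            if minus:                     # "[-HKEY_...]" deletes the whole key
                report.ops.append(RegOp(key, "", "delete_key"))
                current_key = None
            else:
                current_key = key
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            name, rhs = m.group(1), m.group(2).strip()
            if rhs == "-":                # "name"=-  removes the value
                report.ops.append(RegOp(current_key, name, "delete_value"))
            elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
                report.ops.append(RegOp(current_key, name, "set_value", rhs[1:-1]))
            else:                         # dword:, hex: and other typed data kept verbatim
                report.ops.append(RegOp(current_key, name, "set_value", rhs))
            continue
        report.warnings.append(f"unparsed line: {line}")
    return report


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN_REG), ("fixed", FIXED_REG)):
        rep = parse_reg(sample)
        print(f"== {label} ==")
        for op in rep.ops:
            print(f"  {op.action:12s} {op.key}\\{op.name} {op.data!r}")
        for w in rep.warnings:
            print(f"  WARNING: {w}")
```

Running it on the broken sample reports both operations but warns that the key differs from the real one only in spacing; the fixed sample produces a delete followed by an empty-string set and no warnings, which is what the thread's working fix does.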

System is running like it did before the issue (I won't say the name of the trojan out loud in case that summons it back). Here's a new HJT log. Holding my breath!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:11:37 AM, on 1/23/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Dell\QuickSet\Quickset.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe

C:\Program Files\InterVideo\WinDVR3\WinRemote.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Norton 360\ScanStub.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"

O4 - HKLM\..\Run: [WinRemote] "C:\Program Files\InterVideo\WinDVR3\WinRemote.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: McLeodUSA InteliGate IPSec Client 3.6.6 Rel K9.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMediaControl5.cab

O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://sierracazorla.axiscam.net:8081/activex/AMC.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.digitalvisioncenter.com/activex...ol_2_20_0_4.cab

O16 - DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} (WLANinfo.WLANX) - https://www.jiwire.com/activeX/wlaninfo.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

O23 - Service: WLANKEEPER - Intel

This topic is now closed to further replies.