Multiple Viruses


32 replies to this topic

#1 jasonpg

  • Members
  • 21 posts

Posted 12 December 2008 - 03:05 PM

Hi,
Judging by the titles of the other posts I am in the right place (unfortunately).
As the post title suggests, I have had a number of viruses / trojans recently with an array of different indications on their current status. Specific threats include:
W32.SillyDC, Trojan.Flush, IEDefender, Trojan-Downloader.Zlob.G, Backdoor.tidserv!inf and Worm.Autorun.AJ.
I have worked through a number of steps to defeat these, as recorded in my previous posts in the 'Am I infected' forum. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/185529/multiple-trojans-viruses/ ~ OB I have followed the last guidance as previously given, with the logs attached.

Logfile of random's system information tool 1.04 (written by random/random)
Run by JasonPG at 2008-12-13 02:35:59
Microsoft Windows XP Home Edition Service Pack 3
System drive G: has 251 GB (82%) free of 305 GB
Total RAM: 2046 MB (71% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:36:52, on 13/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
G:\windows\System32\smss.exe
G:\windows\system32\csrss.exe
G:\windows\system32\winlogon.exe
G:\windows\system32\services.exe
G:\windows\system32\lsass.exe
G:\windows\system32\svchost.exe
G:\windows\system32\svchost.exe
G:\windows\System32\svchost.exe
G:\windows\system32\svchost.exe
G:\windows\system32\svchost.exe
G:\windows\system32\spoolsv.exe
G:\Program Files\Java\jre6\bin\jqs.exe
G:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
G:\windows\system32\nvsvc32.exe
G:\Program Files\Spyware Doctor\pctsAuxs.exe
G:\Program Files\Spyware Doctor\pctsSvc.exe
G:\windows\System32\snmp.exe
G:\windows\System32\alg.exe
G:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
G:\windows\Explorer.EXE
G:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
G:\windows\system32\rundll32.exe
G:\windows\system32\RUNDLL32.EXE
G:\Program Files\XtremeTuner\XtremeTuner.exe
G:\windows\RTHDCPL.EXE
G:\windows\system32\svchost.exe
G:\Program Files\Java\jre6\bin\jusched.exe
G:\Program Files\Spyware Doctor\pctsTray.exe
G:\windows\system32\ctfmon.exe
G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
G:\Program Files\Windows Desktop Search\WindowsSearch.exe
G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Documents and Settings\JasonPG\Desktop\RSIT.exe
G:\WINDOWS\system32\wbem\wmiprvse.exe
G:\Program Files\trend micro\JasonPG.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - G:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\IPSBHO.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - G:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Corel Photo Downloader] G:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [XtremeTuner] G:\Program Files\XtremeTuner\XtremeTuner.exe Normal
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "G:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [StartCCC] G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] G:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "G:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "G:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Search.lnk = G:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {447F8438-8124-4369-905B-A249E13CBBFC} (LgbContent Control) - http://pickles.liveglobalbid.com/install/new/lgbkc.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - G:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - G:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\windows\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - G:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - G:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6177 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - G:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\IPSBHO.DLL [2008-12-08 107896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - G:\Program Files\Java\jre6\bin\ssv.dll [2008-12-08 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - g:\program files\google\googletoolbar1.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - G:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-08 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - G:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-08 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - g:\program files\google\googletoolbar1.dll []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=G:\windows\system32\NvCpl.dll [2008-11-12 13672448]
"nwiz"=nwiz.exe /install []
"Corel Photo Downloader"=G:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe [2006-10-31 478800]
"Adobe Reader Speed Launcher"=G:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"NvMediaCenter"=G:\windows\system32\NvMcTray.dll [2008-11-12 86016]
"XtremeTuner"=G:\Program Files\XtremeTuner\XtremeTuner.exe [2008-06-10 3833923]
"RTHDCPL"=G:\windows\RTHDCPL.EXE [2007-08-10 16384000]
"Alcmtr"=G:\windows\ALCMTR.EXE [2005-05-03 69632]
"SunJavaUpdateSched"=G:\Program Files\Java\jre6\bin\jusched.exe [2008-12-08 136600]
"ISTray"=G:\Program Files\Spyware Doctor\pctsTray.exe [2008-08-25 1168264]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
""= []
"StartCCC"=G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2006-11-10 90112]
"ctfmon.exe"=G:\windows\system32\ctfmon.exe [2008-04-14 15360]
"DAEMON Tools Lite"=G:\Program Files\DAEMON Tools Lite\daemon.exe [2008-08-08 490952]
"MsnMsgr"=G:\Program Files\Windows Live\Messenger\MsnMsgr.Exe /background []

G:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office10\OSA.EXE
Windows Search.lnk - G:\Program Files\Windows Desktop Search\WindowsSearch.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
G:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-03 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
G:\windows\system32\Ati2evxx.dll [2007-02-03 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - G:\windows\system32\WPDShServiceObj.dll [2006-10-18 133632]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - G:\windows\system32\upnpui.dll [2008-04-14 239616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=G:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=G:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"G:\Program Files\Internet Explorer\iexplore.exe"="G:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"G:\windows\system32\sessmgr.exe"="G:\windows\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"G:\WINDOWS\system32\usmt\migwiz.exe"="G:\WINDOWS\system32\usmt\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard"
"G:\Program Files\Codemasters\GRID Demo\GRID.exe"="G:\Program Files\Codemasters\GRID Demo\GRID.exe:*:Disabled:GRID Executable"
"G:\Documents and Settings\JasonPG\My Documents\Computer\Software\Norton Antivirus\Removal tool\SymNRT.exe"="G:\Documents and Settings\JasonPG\My Documents\Computer\Software\Norton Antivirus\Removal tool\SymNRT.exe:*:Enabled:Norton Removal Tool"
"G:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"="G:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
shell\AutoRun\command - J:\setup\rsrc\Autorun.exe
shell\dinstall\command - J:\Directx\dxsetup.exe


======List of files/folders created in the last 1 months======

2008-12-13 02:36:01 ----D---- G:\Program Files\trend micro
2008-12-13 02:35:59 ----D---- G:\rsit
2008-12-11 20:31:22 ----HDC---- G:\windows\$NtUninstallKB955839$
2008-12-11 20:30:24 ----HDC---- G:\windows\$NtUninstallKB952069_WM9$
2008-12-11 20:29:54 ----HDC---- G:\windows\$NtUninstallKB954600$
2008-12-11 20:29:42 ----HDC---- G:\windows\$NtUninstallKB956802$
2008-12-09 19:28:08 ----A---- G:\windows\system32\tmp.txt
2008-12-09 19:27:59 ----A---- G:\rapport.txt
2008-12-09 19:17:25 ----A---- G:\windows\ntbtlog.txt
2008-12-09 16:57:51 ----A---- G:\windows\system32\snmptrap.exe
2008-12-09 16:57:51 ----A---- G:\windows\system32\snmp.exe
2008-12-09 16:57:51 ----A---- G:\windows\system32\evntwin.exe
2008-12-09 16:57:50 ----A---- G:\windows\system32\snmpmib.dll
2008-12-09 16:57:50 ----A---- G:\windows\system32\hostmib.dll
2008-12-09 16:57:50 ----A---- G:\windows\system32\evntcmd.exe
2008-12-09 16:57:50 ----A---- G:\windows\system32\evntagnt.dll
2008-12-09 16:57:48 ----A---- G:\windows\system32\lmmib2.dll
2008-12-08 18:46:09 ----D---- G:\Program Files\Malwarebytes' Anti-Malware
2008-12-08 18:22:19 ----A---- G:\windows\zip.exe
2008-12-08 18:22:19 ----A---- G:\windows\VFIND.exe
2008-12-08 18:22:19 ----A---- G:\windows\SWSC.exe
2008-12-08 18:22:19 ----A---- G:\windows\SWREG.exe
2008-12-08 18:22:19 ----A---- G:\windows\sed.exe
2008-12-08 18:22:19 ----A---- G:\windows\grep.exe
2008-12-08 18:22:19 ----A---- G:\windows\fdsv.exe
2008-12-08 18:22:14 ----D---- G:\windows\ERDNT
2008-12-08 18:22:14 ----D---- G:\Qoobox
2008-12-08 18:10:23 ----RSHD---- G:\cmdcons
2008-12-08 17:58:14 ----A---- G:\windows\UPGRADE.TXT
2008-12-08 17:58:13 ----D---- G:\windows\setup.pss
2008-12-08 17:30:10 ----D---- G:\windows\Sun
2008-12-08 17:30:02 ----A---- G:\windows\system32\javaws.exe
2008-12-08 17:30:02 ----A---- G:\windows\system32\javaw.exe
2008-12-08 17:30:02 ----A---- G:\windows\system32\java.exe
2008-12-08 17:30:02 ----A---- G:\windows\system32\deploytk.dll
2008-12-08 17:29:52 ----D---- G:\Program Files\Java
2008-12-08 17:28:59 ----D---- G:\Documents and Settings\JasonPG\Application Data\Sun
2008-12-08 17:08:37 ----D---- G:\New Folder
2008-12-08 17:03:31 ----RD---- G:\Program Files\Norton Support
2008-12-08 16:23:22 ----D---- G:\Program Files\Symantec
2008-12-08 16:23:22 ----A---- G:\windows\system32\S32EVNT1.DLL
2008-12-08 16:23:05 ----D---- G:\Program Files\Windows Sidebar
2008-12-08 06:50:24 ----R---- G:\windows\Alcmtr.exe
2008-12-08 06:28:28 ----A---- G:\windows\Ascd_tmp.ini
2008-12-08 00:15:15 ----D---- G:\Program Files\ThreatExpert Memory Scanner
2008-12-07 23:00:24 ----D---- G:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-07 23:00:20 ----D---- G:\Program Files\SUPERAntiSpyware
2008-12-07 23:00:20 ----D---- G:\Documents and Settings\JasonPG\Application Data\SUPERAntiSpyware.com
2008-12-07 22:13:13 ----D---- G:\windows\pss
2008-12-07 20:20:06 ----D---- G:\Documents and Settings\JasonPG\Application Data\Malwarebytes
2008-12-07 20:19:58 ----D---- G:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-07 20:15:02 ----D---- G:\Documents and Settings\JasonPG\Application Data\TrojanHunter
2008-12-07 19:58:13 ----R---- G:\windows\system32\streamhlp.dll
2008-12-07 19:58:13 ----D---- G:\Program Files\TrojanHunter 5.0
2008-12-07 18:12:28 ----D---- G:\Documents and Settings\JasonPG\Application Data\AVSMedia
2008-12-07 18:12:21 ----D---- G:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-12-07 18:11:05 ----D---- G:\Program Files\Common Files\AVSMedia
2008-12-07 18:10:58 ----A---- G:\windows\system32\msvcp70.dll
2008-12-07 18:10:58 ----A---- G:\windows\system32\mfc70.dll
2008-12-07 18:10:57 ----A---- G:\windows\system32\xvidvfw.dll
2008-12-07 18:10:57 ----A---- G:\windows\system32\xvidcore.dll
2008-12-07 18:10:57 ----A---- G:\windows\system32\msxml3a.dll
2008-12-07 18:10:57 ----A---- G:\windows\system32\msvcr70.dll
2008-12-07 18:10:57 ----A---- G:\windows\system32\mpg4c32.dll
2008-12-07 18:10:57 ----A---- G:\windows\system32\mcdvd_32.dll
2008-12-07 18:10:57 ----A---- G:\windows\system32\GdiPlus.dll
2008-12-07 18:05:19 ----D---- G:\Program Files\Common Files\Download Manager
2008-12-07 17:38:22 ----D---- G:\Program Files\Nidesoft Studio
2008-12-07 17:27:46 ----A---- G:\windows\system32\wmv9vcm.dll
2008-12-07 17:27:45 ----A---- G:\windows\system32\wmv8dmod.dll
2008-11-27 18:42:53 ----D---- G:\windows\NV25842920.TMP
2008-11-27 18:28:28 ----D---- G:\Program Files\SystemRequirementsLab
2008-11-27 17:42:05 ----D---- G:\windows\NV10281348.TMP
2008-11-27 16:24:40 ----D---- G:\windows\NV10321444.TMP
2008-11-23 19:21:20 ----D---- G:\Program Files\Norton AntiVirus
2008-11-23 19:21:19 ----D---- G:\Documents and Settings\All Users\Application Data\Norton
2008-11-23 19:21:06 ----D---- G:\Program Files\NortonInstaller
2008-11-23 18:23:11 ----D---- G:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-11-23 17:55:10 ----D---- G:\Program Files\Common Files\PC Tools
2008-11-23 17:54:57 ----D---- G:\Program Files\Spyware Doctor
2008-11-23 17:54:57 ----D---- G:\Documents and Settings\JasonPG\Application Data\PC Tools
2008-11-23 11:43:25 ----D---- G:\Documents and Settings\JasonPG\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-11-23 10:13:39 ----D---- G:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-11-16 03:50:38 ----A---- G:\windows\system32\muweb.dll
2008-11-16 03:50:38 ----A---- G:\windows\system32\mucltui.dll.mui
2008-11-16 03:50:38 ----A---- G:\windows\system32\mucltui.dll
2008-11-15 11:30:19 ----D---- G:\windows\system32\bfreedos
2008-11-15 11:30:16 ----D---- G:\Program Files\USB Flash Disk Utility
2008-11-15 11:30:13 ----N---- G:\windows\system32\USBDiskUtility.exe
2008-11-15 11:30:13 ----N---- G:\windows\system32\diskicon.exe
2008-11-15 10:36:33 ----SHDC---- G:\Program Files\Common Files\WindowsLiveInstaller
2008-11-15 10:36:16 ----D---- G:\Documents and Settings\All Users\Application Data\WLInstaller
2008-11-14 23:42:26 ----A---- G:\windows\etel5.ini

======List of files/folders modified in the last 1 months======

2008-12-13 02:36:06 ----D---- G:\windows\Prefetch
2008-12-13 02:36:01 ----RD---- G:\Program Files
2008-12-13 02:31:38 ----D---- G:\windows\Temp
2008-12-12 21:26:53 ----AD---- G:\Documents and Settings\All Users\Application Data\TEMP
2008-12-12 21:00:06 ----D---- G:\windows\system32\drivers
2008-12-12 16:51:45 ----SD---- G:\windows\Downloaded Program Files
2008-12-12 16:41:22 ----D---- G:\windows\system32\CatRoot2
2008-12-12 00:10:42 ----A---- G:\windows\SchedLgU.Txt
2008-12-11 22:20:29 ----SHD---- G:\windows\Installer
2008-12-11 22:14:42 ----D---- G:\windows\system32
2008-12-11 20:42:14 ----D---- G:\Program Files\Common Files\Wise Installation Wizard
2008-12-11 20:34:20 ----D---- G:\WINDOWS
2008-12-11 20:31:25 ----HD---- G:\windows\inf
2008-12-11 20:31:15 ----A---- G:\windows\imsins.BAK
2008-12-11 20:31:08 ----RSHDC---- G:\windows\system32\dllcache
2008-12-11 20:31:05 ----D---- G:\Program Files\Internet Explorer
2008-12-11 20:30:47 ----HD---- G:\windows\$hf_mig$
2008-12-10 18:46:30 ----SHD---- G:\System Volume Information
2008-12-10 18:46:30 ----D---- G:\windows\system32\Restore
2008-12-10 09:24:37 ----A---- G:\windows\system32\MRT.exe
2008-12-09 19:28:09 ----D---- G:\Program Files\Google
2008-12-09 19:20:19 ----SHD---- G:\RECYCLER
2008-12-09 19:17:55 ----D---- G:\Documents and Settings
2008-12-09 16:57:58 ----A---- G:\windows\system32\PerfStringBackup.INI
2008-12-09 16:57:54 ----D---- G:\windows\system32\wbem
2008-12-09 16:57:49 ----D---- G:\windows\security
2008-12-08 19:00:22 ----SD---- G:\windows\Tasks
2008-12-08 18:54:20 ----D---- G:\Various
2008-12-08 18:06:24 ----D---- G:\windows\Network Diagnostic
2008-12-08 16:23:22 ----D---- G:\Program Files\Common Files\Symantec Shared
2008-12-08 06:51:10 ----D---- G:\windows\system32\RTCOM
2008-12-08 06:30:50 ----A---- G:\windows\Ascd_log.ini
2008-12-07 23:41:24 ----RSD---- G:\windows\Fonts
2008-12-07 23:40:29 ----D---- G:\Program Files\DNA
2008-12-07 22:55:35 ----A---- G:\windows\system32\ver.ini
2008-12-07 22:15:24 ----A---- G:\windows\win.ini
2008-12-07 22:15:24 ----A---- G:\windows\system.ini
2008-12-07 18:11:05 ----D---- G:\Program Files\Common Files
2008-12-07 13:52:12 ----D---- G:\Documents and Settings\JasonPG\Application Data\Corel
2008-11-27 18:46:47 ----D---- G:\windows\nview
2008-11-27 18:45:01 ----D---- G:\windows\system32\ReinstallBackups
2008-11-27 18:43:59 ----D---- G:\Program Files\AGEIA Technologies
2008-11-27 18:42:50 ----D---- G:\windows\Help
2008-11-23 19:53:00 ----D---- G:\Documents and Settings\All Users\Application Data\Symantec
2008-11-23 18:47:29 ----D---- G:\windows\system32\config
2008-11-23 14:08:11 ----SD---- G:\Documents and Settings\JasonPG\Application Data\Microsoft
2008-11-23 13:21:02 ----SD---- G:\Documents and Settings\All Users\Application Data\Microsoft
2008-11-23 11:37:44 ----D---- G:\windows\system32\ias
2008-11-23 08:55:30 ----D---- G:\Program Files\Common Files\Microsoft Shared
2008-11-23 08:55:01 ----D---- G:\windows\WinSxS
2008-11-15 11:30:19 ----HD---- G:\Program Files\InstallShield Installation Information
2008-11-15 10:45:56 ----DC---- G:\windows\system32\DRVSTORE
2008-11-14 23:42:23 ----A---- G:\windows\etel9.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 BHDrvx86;Symantec Heuristics Driver; \??\G:\windows\system32\drivers\NAV\1001000.021\BHDrvx86.sys []
R1 ccHP;Symantec Hash Provider; \??\G:\windows\system32\drivers\NAV\1001000.021\ccHPx86.sys []
R1 eeCtrl;Symantec Eraser Control driver; \??\G:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 IDSxpx86;IDSxpx86; \??\G:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081210.002\IDSxpx86.sys []
R1 IKSysFlt;System Filter Driver; G:\windows\system32\drivers\iksysflt.sys [2008-08-25 66952]
R1 IKSysSec;System Security Driver; G:\windows\system32\drivers\iksyssec.sys [2008-08-25 81288]
R1 pctfw2;pctfw2; \??\G:\WINDOWS\system32\drivers\pctfw2.sys []
R1 SASDIFSV;SASDIFSV; \??\G:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\G:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SRTSP;Symantec Real Time Storage Protection; \??\G:\windows\system32\drivers\NAV\1001000.021\SRTSP.SYS []
R1 SRTSPX;Symantec Real Time Storage Protection (PEL); \??\G:\windows\system32\drivers\NAV\1001000.021\SRTSPX.SYS []
R1 SYMTDI;SYMTDI; \??\G:\windows\system32\drivers\NAV\1001000.021\SYMTDI.SYS []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; G:\windows\System32\drivers\ws2ifsl.sys [2008-04-14 12032]
R3 Arp1394;1394 ARP Client Protocol; G:\windows\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\G:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; G:\windows\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); G:\windows\system32\drivers\RtkHDAud.sys [2007-08-10 4603904]
R3 MTsensor;ATK0110 ACPI UTILITY; G:\windows\system32\DRIVERS\ASACPI.sys [2004-08-12 5810]
R3 NAVENG;NAVENG; \??\G:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081211.057\NAVENG.SYS []
R3 NAVEX15;NAVEX15; \??\G:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081211.057\NAVEX15.SYS []
R3 NIC1394;1394 Net Driver; G:\windows\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 nv;nv; G:\windows\system32\DRIVERS\nv4_mini.sys [2008-11-12 6188320]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; G:\windows\system32\DRIVERS\Rtenicxp.sys [2006-08-15 83200]
R3 SYMDNS;SYMDNS; \??\G:\windows\system32\drivers\NAV\1001000.021\SYMDNS.SYS []
R3 SymEvent;SymEvent; \??\G:\windows\system32\Drivers\SYMEVENT.SYS []
R3 SYMFW;SYMFW; \??\G:\windows\system32\drivers\NAV\1001000.021\SYMFW.SYS []
R3 SYMIDS;SYMIDS; \??\G:\windows\system32\drivers\NAV\1001000.021\SYMIDS.SYS []
R3 SymIMMP;SymIMMP; G:\windows\system32\DRIVERS\SymIM.sys [2008-12-08 35888]
R3 SYMNDIS;SYMNDIS; \??\G:\windows\system32\drivers\NAV\1001000.021\SYMNDIS.SYS []
R3 SYMREDRV;SYMREDRV; \??\G:\windows\system32\drivers\NAV\1001000.021\SYMREDRV.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; G:\windows\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; G:\windows\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; G:\windows\system32\DRIVERS\usbohci.sys [2008-04-14 17152]
R3 usbstor;USB Mass Storage Driver; G:\windows\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 WINIO;WINIO; \??\G:\Program Files\XtremeTuner\PMReader.sys []
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter; \??\G:\DOCUME~1\JasonPG\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys []
S3 SASENUM;SASENUM; \??\G:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 SymIM;Symantec Network Security Intermediate Filter Service; G:\windows\system32\DRIVERS\SymIM.sys [2008-12-08 35888]
S4 IntelIde;IntelIde; G:\windows\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 JavaQuickStarterService;Java Quick Starter; G:\Program Files\Java\jre6\bin\jqs.exe [2008-12-08 152984]
R2 Norton AntiVirus;Norton AntiVirus; G:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe [2008-12-08 115560]
R2 NVSvc;NVIDIA Display Driver Service; G:\windows\system32\nvsvc32.exe [2008-11-12 163908]
R2 sdAuxService;PC Tools Auxiliary Service; G:\Program Files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
R2 sdCoreService;PC Tools Security Service; G:\Program Files\Spyware Doctor\pctsSvc.exe [2008-10-09 1079176]
R2 SNMP;SNMP Service; G:\windows\System32\snmp.exe [2008-04-14 33280]
S3 SNMPTRAP;SNMP Trap Service; G:\windows\System32\snmptrap.exe [2008-04-14 8704]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.04 2008-12-13 02:36:55

======Uninstall list======

-->MsiExec /X{AC54E544-3E42-443C-A91D-A00A6974C592}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 G:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->G:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->G:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->G:\windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Adobe Shockwave Player-->G:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE G:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ATI - Software Uninstall Utility-->G:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center-->RunDll32 G:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "G:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver-->rundll32 G:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI Parental Control & Encoder-->MsiExec.exe /I{36CDA33B-909B-4719-97D1-C4B99309BDC7}
Call of Duty® 4 - Modern Warfare™-->G:\Program Files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
Chinese Simplified Fonts Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-2447-0000-900000000003}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Corel Snapfire Plus-->MsiExec.exe /I{7ADE3A47-B425-45E9-8FF6-11BE2B775645}
DivX Codec-->G:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
FIFA 08-->MsiExec.exe /X{0A2A5039-B37F-489D-B1DC-A5258DF9E697}
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer-->regsvr32 /u /s "g:\program files\google\googletoolbar1.dll"
GRID Demo-->"G:\Program Files\InstallShield Installation Information\{3C850287-4CD5-4FAD-BE39-A4AF7851A7C6}\setup.exe" -runfromtemp -l0x0009 -removeonly
Hamachi 1.0.1.5-->G:\Program Files\Hamachi\uninstall.exe
HijackThis 2.0.2-->"G:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"G:\windows\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"G:\windows\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915800-v4)-->"G:\windows\$NtUninstallKB915800-v4$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"G:\windows\$NtUninstallKB952287$\spuninst\spuninst.exe"
Imperial Glory-->RunDll32 G:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "G:\Program Files\InstallShield Installation Information\{1FCC8C70-66B9-420D-942C-2C2A8441C744}\Setup.exe" -l0x9 -removeonly
Java™ 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Live Bid Control Kit Setup-->"G:\windows\lsb_un20.exe" /C=UC /N=Live Bid Control Kit Setup
Malwarebytes' Anti-Malware-->"G:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"G:\windows\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"G:\windows\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"G:\windows\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"G:\windows\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
MotoGP 2007-->"G:\Program Files\THQ\MotoGP 2007\unins000.exe"
MSN-->G:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Need for Speed Underground 2-->G:\Program Files\EA GAMES\Need for Speed Underground 2\EAUninstall.exe
Norton AntiVirus-->G:\Program Files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV\562C4DD5\16.1.0.33\InstStub.exe /X
NVIDIA Drivers-->G:\windows\system32\nvuninst.exe UninstallGUI
NVIDIA PhysX v8.10.13-->MsiExec.exe /X{AC54E544-3E42-443C-A91D-A00A6974C592}
OpenAL-->"G:\Program Files\OpenAL\OalinstGridRelease.exe" /U
PowerISO-->"G:\Program Files\PowerISO\uninstall.exe"
Quicken 2008-->MsiExec.exe /X{B0ED60FF-00F3-4EC4-9210-0F1489556D1A}
REALTEK GbE & FE Ethernet PCI-E NIC Driver-->RunDll32 G:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "G:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\Setup.exe" -l0x9 -removeonly
Realtek High Definition Audio Driver-->RunDll32 G:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "G:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"G:\windows\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"G:\windows\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"G:\windows\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"G:\windows\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"G:\windows\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"G:\windows\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"G:\windows\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->G:\windows\system32\MacroMed\Flash\genuinst.exe G:\windows\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"G:\windows\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"G:\windows\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"G:\windows\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"G:\windows\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"G:\windows\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"G:\windows\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"G:\windows\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"G:\windows\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"G:\windows\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"G:\windows\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"G:\windows\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"G:\windows\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"G:\windows\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"G:\windows\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"G:\windows\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"G:\windows\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"G:\windows\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"G:\windows\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"G:\windows\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"G:\windows\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"G:\windows\$NtUninstallKB958644$\spuninst\spuninst.exe"
Spyware Doctor 6.0-->G:\Program Files\Spyware Doctor\unins000.exe /LOG
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
System Requirements Lab-->G:\Program Files\SystemRequirementsLab\Uninstall.exe
ThreatExpert Memory Scanner 1.0-->"G:\Program Files\ThreatExpert Memory Scanner\unins000.exe"
Unreal Tournament 3-->MsiExec.exe /X{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}
Update for Windows XP (KB898461)-->"G:\windows\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"G:\windows\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"G:\windows\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"G:\windows\$NtUninstallKB955839$\spuninst\spuninst.exe"
USB Flash Disk Utility-->RunDll32 G:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "G:\Program Files\InstallShield Installation Information\{9B2ADD3A-AFAF-4622-AC6F-C86FF36CC245}\Setup.exe" -l0x9
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)-->G:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u G:\windows\system32\DRVSTORE\amdk8_C074F64CC74B03BC354BB5DC973CCF768D5A7194\amdk8.inf
Windows Internet Explorer 7-->"G:\windows\ie7\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"G:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"G:\windows\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"G:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"G:\windows\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Search 4.0-->"G:\windows\$NtUninstallKB940157$\spuninst\spuninst.exe"
WinRAR archiver-->G:\Program Files\WinRAR\uninstall.exe
XtremeTuner-->G:\PROGRA~1\XTREME~1\UNINST~1.EXE G:\PROGRA~1\XTREME~1\INSTALL.LOG

======Security center information======

AV: Spyware Doctor with AntiVirus
AV: Norton AntiVirus

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=2
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 107 Stepping 2, AuthenticAMD
"PROCESSOR_LEVEL"=15
"PROCESSOR_REVISION"=6b02
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%

-----------------EOF-----------------


KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 13, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, December 12, 2008 14:32:44
Records in database: 1454842


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics
Files scanned 59038
Threat name 1
Infected objects 0
Suspicious objects 1
Duration of the scan 00:59:23

File name Threat name Threats count
G:\Documents and Settings\JasonPG\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Suspicious: Password-protected-EXE 1

The selected area was scanned.

Edited by Orange Blossom, 12 December 2008 - 04:27 PM.




#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,012 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:54 PM

Posted 20 December 2008 - 12:12 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 jasonpg

jasonpg
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:54 AM

Posted 22 December 2008 - 12:30 AM

Hey OB,
I haven't touched my PC (PC1) since the request was made - I appreciate the assistance, though I have loaded many programs to date and I'm not sure of what's running and what's not. Logs requested are attached below:


DDS (Version 1.1.0) - NTFSx86
Run by JasonPG at 15:13:47.32 on Mon 22/12/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1599 [GMT 10:00]

============== Running Processes ===============

G:\windows\system32\svchost -k DcomLaunch
G:\windows\system32\svchost -k rpcss
G:\windows\System32\svchost.exe -k netsvcs
G:\windows\system32\svchost.exe -k NetworkService
G:\windows\system32\svchost.exe -k LocalService
G:\windows\system32\spoolsv.exe
G:\Program Files\Java\jre6\bin\jqs.exe
G:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
G:\windows\system32\nvsvc32.exe
G:\windows\System32\snmp.exe
G:\windows\System32\alg.exe
G:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
G:\windows\Explorer.EXE
G:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
G:\windows\system32\RUNDLL32.EXE
G:\windows\system32\rundll32.exe
G:\Program Files\XtremeTuner\XtremeTuner.exe
G:\windows\RTHDCPL.EXE
G:\Program Files\Java\jre6\bin\jusched.exe
G:\windows\system32\svchost.exe -k imgsvc
G:\windows\system32\ctfmon.exe
G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
G:\Program Files\Windows Desktop Search\WindowsSearch.exe
G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
G:\windows\system32\wscntfy.exe
G:\Documents and Settings\JasonPG\Desktop\dds.com
G:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - g:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - g:\program files\norton antivirus\norton antivirus\engine\16.1.0.33\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - g:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - g:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - g:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar1.dll
uRun: [<NO NAME>]
uRun: [StartCCC] g:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [ctfmon.exe] g:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "g:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [MsnMsgr] "g:\program files\windows live\messenger\MsnMsgr.Exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE g:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Corel Photo Downloader] g:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
mRun: [Adobe Reader Speed Launcher] "g:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE g:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [XtremeTuner] g:\program files\xtremetuner\XtremeTuner.exe Normal
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] "g:\program files\java\jre6\bin\jusched.exe"
StartupFolder: g:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - g:\program files\microsoft office\office10\OSA.EXE
StartupFolder: g:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - g:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - g:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - g:\program files\messenger\msmsgs.exe
LSP: g:\program files\common files\pc tools\lsp\PCTLsp.dll
Notify: !SASWinLogon - g:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - g:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56F9679E-7826-4C84-81F3-532071A8BCC5} - g:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - g:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;g:\windows\system32\drivers\nav\1001000.021\SYMEFA.SYS [2008-12-8 309296]
R1 BHDrvx86;Symantec Heuristics Driver;\??\g:\windows\system32\drivers\nav\1001000.021\BHDrvx86.sys [2008-12-8 255536]
R1 ccHP;Symantec Hash Provider;\??\g:\windows\system32\drivers\nav\1001000.021\ccHPx86.sys [2008-12-8 362544]
R1 IDSxpx86;IDSxpx86;\??\g:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20081210.002\IDSxpx86.sys [2008-12-11 274808]
R1 pctfw2;pctfw2;\??\g:\windows\system32\drivers\pctfw2.sys [2008-11-23 160792]
R1 SASDIFSV;SASDIFSV;\??\g:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;\??\g:\program files\superantispyware\SASKUTIL.sys [2008-12-4 55024]
R2 Norton AntiVirus;Norton AntiVirus;"g:\program files\norton antivirus\norton antivirus\engine\16.1.0.33\ccsvchst.exe" /s "norton antivirus" /m "g:\program files\norton antivirus\norton antivirus\engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\g:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-11-23 99376]
R3 IKFileSec;File Security Driver;g:\windows\system32\drivers\ikfilesec.sys [2008-11-23 40840]
R3 IKSysFlt;System Filter Driver;g:\windows\system32\drivers\iksysflt.sys [2008-11-23 66952]
R3 IKSysSec;System Security Driver;g:\windows\system32\drivers\iksyssec.sys [2008-11-23 81288]
R3 NAVENG;NAVENG;\??\g:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20081212.004\NAVENG.SYS [2008-12-13 89104]
R3 NAVEX15;NAVEX15;\??\g:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20081212.004\NAVEX15.SYS [2008-12-13 876112]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\g:\docume~1\jasonpg\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [2008-12-12 70144]
S3 SASENUM;SASENUM;\??\g:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 sdAuxService;PC Tools Auxiliary Service;g:\program files\spyware doctor\pctsAuxs.exe [2008-11-23 356920]
S3 sdCoreService;PC Tools Security Service;g:\program files\spyware doctor\pctsSvc.exe [2008-11-23 1079176]

=============== Created Last 30 ================

2008-12-21 19:35 <DIR> --d-h--- g:\windows\PIF
2008-12-13 02:36 <DIR> --d----- g:\program files\trend micro
2008-12-09 19:28 2,296 a------- g:\windows\system32\tmp.reg
2008-12-08 18:46 15,504 a------- g:\windows\system32\drivers\mbam.sys
2008-12-08 18:46 38,496 a------- g:\windows\system32\drivers\mbamswissarmy.sys
2008-12-08 18:46 <DIR> --d----- g:\program files\Malwarebytes' Anti-Malware
2008-12-08 18:22 161,792 a------- g:\windows\SWREG.exe
2008-12-08 18:22 98,816 a------- g:\windows\sed.exe
2008-12-08 18:10 <DIR> --dshr-- G:\cmdcons
2008-12-08 17:58 <DIR> --d----- g:\windows\setup.pss
2008-12-08 17:30 410,984 a------- g:\windows\system32\deploytk.dll
2008-12-08 17:30 73,728 a------- g:\windows\system32\javacpl.cpl
2008-12-08 17:08 <DIR> --d----- G:\New Folder
2008-12-08 17:03 <DIR> --d--r-- g:\program files\Norton Support
2008-12-08 16:24 35,888 a----r-- g:\windows\system32\drivers\SymIM.sys
2008-12-08 16:23 124,464 a------- g:\windows\system32\drivers\SYMEVENT.SYS
2008-12-08 16:23 60,808 a------- g:\windows\system32\S32EVNT1.DLL
2008-12-08 16:23 10,635 a------- g:\windows\system32\drivers\SYMEVENT.CAT
2008-12-08 16:23 806 a------- g:\windows\system32\drivers\SYMEVENT.INF
2008-12-08 16:23 <DIR> --d----- g:\program files\Symantec
2008-12-08 06:50 69,632 -----r-- g:\windows\Alcmtr.exe
2008-12-08 06:28 13,249 a------- g:\windows\Ascd_tmp.ini
2008-12-08 00:15 <DIR> --d----- g:\program files\ThreatExpert Memory Scanner
2008-12-07 23:00 <DIR> --d----- g:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-07 23:00 <DIR> --d----- g:\program files\SUPERAntiSpyware
2008-12-07 23:00 <DIR> --d----- g:\docume~1\jasonpg\applic~1\SUPERAntiSpyware.com
2008-12-07 22:13 <DIR> --d----- g:\windows\pss
2008-12-07 20:20 <DIR> --d----- g:\docume~1\jasonpg\applic~1\Malwarebytes
2008-12-07 20:19 <DIR> --d----- g:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-07 20:15 <DIR> --d----- g:\docume~1\jasonpg\applic~1\TrojanHunter
2008-12-07 19:58 <DIR> --d----- g:\program files\TrojanHunter 5.0
2008-12-07 18:12 <DIR> --d----- g:\docume~1\jasonpg\applic~1\AVSMedia
2008-12-07 18:12 <DIR> --d----- g:\docume~1\alluse~1\applic~1\AVS4YOU
2008-12-07 18:11 <DIR> --d----- g:\program files\common files\AVSMedia
2008-12-07 18:05 <DIR> --d----- g:\program files\common files\Download Manager
2008-12-07 17:38 <DIR> --d----- g:\program files\Nidesoft Studio
2008-12-07 17:27 423,424 a------- g:\windows\system32\WMAVDS32.ax
2008-12-07 17:27 1,415,680 a------- g:\windows\system32\wmv9vcm.dll
2008-12-07 17:27 245,760 a------- g:\windows\system32\mp4sds32.ax
2008-12-07 17:27 309,616 a------- g:\windows\system32\wmv8dmod.dll
2008-11-27 18:42 <DIR> --d----- g:\windows\NV25842920.TMP
2008-11-27 18:28 552 a------- g:\windows\system32\d3d8caps.dat
2008-11-27 18:28 <DIR> --d----- g:\program files\SystemRequirementsLab
2008-11-27 17:42 <DIR> --d----- g:\windows\NV10281348.TMP
2008-11-27 16:24 <DIR> --d----- g:\windows\NV10321444.TMP
2008-11-23 19:21 <DIR> --d----- g:\windows\system32\drivers\NAV
2008-11-23 19:21 <DIR> --d----- g:\program files\Norton AntiVirus
2008-11-23 19:21 <DIR> --d----- g:\docume~1\alluse~1\applic~1\Norton
2008-11-23 19:21 <DIR> --d----- g:\program files\NortonInstaller
2008-11-23 18:23 <DIR> --d----- g:\docume~1\alluse~1\applic~1\NortonInstaller
2008-11-23 17:58 160,792 a------- g:\windows\system32\drivers\pctfw2.sys
2008-11-23 17:55 <DIR> --d----- g:\program files\common files\PC Tools
2008-11-23 17:55 81,288 a------- g:\windows\system32\drivers\iksyssec.sys
2008-11-23 17:55 66,952 a------- g:\windows\system32\drivers\iksysflt.sys
2008-11-23 17:55 40,840 a------- g:\windows\system32\drivers\ikfilesec.sys
2008-11-23 17:55 29,576 a------- g:\windows\system32\drivers\kcom.sys
2008-11-23 17:54 <DIR> --d----- g:\program files\Spyware Doctor
2008-11-23 17:54 <DIR> --d----- g:\docume~1\jasonpg\applic~1\PC Tools
2008-11-23 11:43 <DIR> --d----- g:\docume~1\jasonpg\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-11-23 08:59 1,324 a------- g:\windows\system32\d3d9caps.dat
2008-11-23 08:54 268 a---h--- G:\sqmdata07.sqm
2008-11-23 08:54 244 a---h--- G:\sqmnoopt07.sqm

==================== Find3M ====================

2008-11-19 02:04 19,263 a------- g:\program files\nv4_disp.cat
2008-11-13 16:20 43,816 a------- g:\program files\NvApps.xm_
2008-11-12 13:45 453,152 a------- g:\windows\system32\NVUNINST.EXE
2008-10-30 16:45 2,516 a--sh--- g:\windows\system32\KGyGaAvL.sys
2008-10-29 08:36 823,296 a------- g:\windows\system32\divx_xx0c.dll
2008-10-29 08:36 823,296 a------- g:\windows\system32\divx_xx07.dll
2008-10-29 08:35 815,104 a------- g:\windows\system32\divx_xx0a.dll
2008-10-29 08:35 802,816 a------- g:\windows\system32\divx_xx11.dll
2008-10-29 08:35 684,032 a------- g:\windows\system32\DivX.dll
2008-10-26 10:16 20,968 a------- g:\docume~1\jasonpg\applic~1\GDIPFONTCACHEV1.DAT
2008-10-24 21:21 455,296 a------- g:\windows\system32\drivers\mrxsmb.sys
2008-10-23 22:36 286,720 a------- g:\windows\system32\gdi32.dll
2008-10-20 18:37 76,487 a------- g:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-18 11:03 107,888 a------- g:\windows\system32\CmdLineExt.dll
2008-10-18 10:58 444,952 a------- g:\windows\system32\wrap_oal.dll
2008-10-18 10:58 109,080 a------- g:\windows\system32\OpenAL32.dll
2008-10-18 01:05 315,392 a------- g:\windows\HideWin.exe
2008-10-18 00:29 21,640 a------- g:\windows\system32\emptyregdb.dat
2008-10-17 06:38 826,368 a------- g:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- g:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- g:\windows\system32\muweb.dll
2008-10-13 10:36 35,950,872 a----r-- g:\program files\PhysX_8.10.13_SystemSoftware.exe
2008-10-13 09:56 70,936 a------- g:\windows\system32\PhysXLoader.dll
2008-10-03 20:02 247,326 a------- g:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- g:\windows\system32\msxml4.dll
2008-09-25 18:03 524,288 a------- g:\windows\system32\DivXsm.exe
2008-09-25 18:03 196,608 a------- g:\windows\system32\dtu100.dll
2008-09-25 18:03 81,920 a------- g:\windows\system32\dpl100.dll
2008-09-25 18:03 53,248 a------- g:\windows\system32\dpuGUI10.dll
2008-09-25 18:03 593,920 a------- g:\windows\system32\dpuGUI11.dll
2008-09-25 18:03 344,064 a------- g:\windows\system32\dpus11.dll
2008-09-25 18:03 57,344 a------- g:\windows\system32\dpv11.dll
2008-09-25 18:03 294,912 a------- g:\windows\system32\dpu11.dll
2008-09-25 18:03 294,912 a------- g:\windows\system32\dpu10.dll
2008-09-25 18:03 161,096 a------- g:\windows\system32\DivXCodecVersionChecker.exe

============= FINISH: 15:14:01.29 ===============


The only other events of late are that my router died and was replaced, and I am aware of an IE patch I haven't updated yet.


Regards
JasonG




#4 ndmmxiaomayi

ndmmxiaomayi

    Ant


  • Malware Response Team
  • 266 posts
  • OFFLINE
  •  
  • Location:Everywhere
  • Local time:07:54 AM

Posted 23 December 2008 - 09:28 AM

Hi JasonG,

Please download gmer.zip from Gmer and save it to your desktop.
  • Right click on gmer.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will start extracting.
  • Once done, check (tick) the Show extracted files box and click Finish.
Double click on gmer.exe to run it. It will start running a scan. If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.
  • When done, you may receive another notice. Click OK.
  • Click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.
If you receive no notice, click on the Scan button.
  • It will start scanning again.
  • When done, click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.
Note: Do not run any programs while Gmer is running.

Done your best? Really?
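Once Gmer.txt has been saved, a responder's first pass over its System section is usually to group the SSDT entries by the module GMER attributes them to and to set aside the entries that show only a bare address. The Python script below is an added example, not part of this thread and not a GMER component; its sample input is constructed from the line format of the GMER log posted in this thread (abbreviated to a few entries), and the function and constant names are the example's own.

```python
"""Summarise SSDT hook entries from a GMER log (added example, not a GMER tool)."""
import re
from collections import defaultdict

# Constructed sample in the format of the GMER "System" section posted in this
# thread. Only a handful of entries are kept; a real log has many more.
SAMPLE_GMER_LOG = r"""
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-24 07:04:21

---- System - GMER 1.0.14 ----

SSDT 89C4D248 ZwAlertResumeThread
SSDT 899AD598 ZwAllocateVirtualMemory
SSDT \??\G:\windows\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB6748020]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xB6AAF794]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0xB6AAFF1E]
SSDT 8925B2A8 ZwLoadDriver
SSDT \??\G:\windows\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB6748A50]

---- Kernel code sections - GMER 1.0.14 ----

? SYMEFA.SYS The system cannot find the file specified. !
"""

# Entry GMER attributed to a named module:
#   "SSDT <path> (<description/vendor>) <Func> [0x<hook address>]"
ATTRIBUTED_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<vendor>[^)]*)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$")
# Entry GMER shows only as a bare address:  "SSDT <address> <Func>"
BARE_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>\w+)\s*$")

UNATTRIBUTED = "<no module resolved>"  # label for bare-address entries (example's own)


def parse_ssdt_hooks(log_text):
    """Return one dict per SSDT line: func, addr, module (basename, lowercased), vendor."""
    hooks = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ATTRIBUTED_RE.match(line)
        if m:
            hooks.append({"func": m["func"], "addr": m["addr"],
                          "module": m["module"].rsplit("\\", 1)[-1].lower(),
                          "vendor": m["vendor"]})
            continue
        m = BARE_RE.match(line)
        if m:
            hooks.append({"func": m["func"], "addr": "0x" + m["addr"],
                          "module": UNATTRIBUTED, "vendor": ""})
    return hooks


def hooks_by_module(hooks):
    """Group the hooked Zw* functions by the module GMER attributed them to."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["module"]].append(h["func"])
    return {mod: sorted(funcs) for mod, funcs in grouped.items()}


def unattributed_hooks(hooks):
    """Entries shown as a bare address: the ones to cross-check against the
    loaded driver list rather than judge from the log alone."""
    return [h for h in hooks if h["module"] == UNATTRIBUTED]


if __name__ == "__main__":
    parsed = parse_ssdt_hooks(SAMPLE_GMER_LOG)
    for mod, funcs in sorted(hooks_by_module(parsed).items()):
        print(f"{mod}: {', '.join(funcs)}")
    print(f"{len(unattributed_hooks(parsed))} bare-address entries to examine")
```

On the sample, the attributed hooks fall under Symantec's SYMEVENT.SYS and PC Tools' iksysflt.sys, the two security products installed on this machine, while the bare-address entries are listed separately for follow-up; grouping this way lets a responder see at a glance which hooks are explained by known software before spending time on the rest.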


#5 jasonpg

jasonpg
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:54 AM

Posted 23 December 2008 - 04:12 PM

Hi,
I did as you asked and was advised RK activity had been detected with a pop-up requesting a full scan which I acknowledged. At the end of the scan another popup advised there had been RK changes - log attached:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-24 07:04:21
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT 89C4D248 ZwAlertResumeThread
SSDT 89C4E078 ZwAlertThread
SSDT 899AD598 ZwAllocateVirtualMemory
SSDT 89CCBA48 ZwAssignProcessToJobObject
SSDT 89AFADB0 ZwConnectPort
SSDT \??\G:\windows\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB6748020]
SSDT 89D02418 ZwCreateMutant
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xB6AAF794]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0xB6AAFF1E]
SSDT 89D29868 ZwCreateSymbolicLinkObject
SSDT 89B44078 ZwCreateThread
SSDT 89C742C8 ZwDebugActiveProcess
SSDT \??\G:\windows\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB67482A0]
SSDT \??\G:\windows\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB6748800]
SSDT 89C63AD8 ZwDuplicateObject
SSDT 89DD23F0 ZwFreeVirtualMemory
SSDT 89DD19F8 ZwImpersonateAnonymousToken
SSDT 89CBF050 ZwImpersonateThread
SSDT 8925B2A8 ZwLoadDriver
SSDT 89BBBED8 ZwMapViewOfSection
SSDT 89CE56C8 ZwOpenEvent
SSDT 89AFF468 ZwOpenProcess
SSDT 89D13CF8 ZwOpenProcessToken
SSDT 89CC2C68 ZwOpenSection
SSDT 899F9EA8 ZwOpenThread
SSDT 89AFC008 ZwProtectVirtualMemory
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwRenameKey [0xB6AB412A]
SSDT 89D6ACF8 ZwResumeThread
SSDT 89CCAE30 ZwSetContextThread
SSDT 89DE80E0 ZwSetInformationProcess
SSDT 89C4E890 ZwSetSystemInformation
SSDT \??\G:\windows\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB6748A50]
SSDT 89CFCE08 ZwSuspendProcess
SSDT 89C572C8 ZwSuspendThread
SSDT 89D1F588 ZwTerminateProcess
SSDT 89C640E0 ZwTerminateThread
SSDT 89D29CF8 ZwUnmapViewOfSection
SSDT 89CC0008 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

? SYMEFA.SYS The system cannot find the file specified. !
? G:\windows\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text G:\windows\System32\snmp.exe[228] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 31, 84 ]
.text G:\Documents and Settings\JasonPG\Desktop\gmer\gmer.exe[748] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text G:\windows\system32\csrss.exe[956] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, AB, 84 ]
.text G:\windows\system32\winlogon.exe[984] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, AE, 84 ]
.text G:\windows\system32\services.exe[1028] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 67, 84 ]
.text G:\windows\system32\lsass.exe[1040] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 3A, 84 ]
.text G:\windows\system32\svchost.exe[1200] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 56, 84 ]
.text ...
.text G:\windows\System32\alg.exe[1328] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text G:\windows\system32\svchost.exe[1416] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 25, 84 ]
.text G:\windows\system32\svchost.exe[1552] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 1D, 84 ]
.text G:\windows\system32\spoolsv.exe[1632] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 60, 84 ]
.text G:\Program Files\Java\jre6\bin\jqs.exe[1756] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, BE, 84 ]
.text G:\windows\system32\nvsvc32.exe[1836] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 0B, 84 ]
.text ...
.text G:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe[2440] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text G:\windows\system32\wscntfy.exe[2444] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text G:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe[2916] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, BD, 83 ]
.text G:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe[2916] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text G:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe[2916] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text G:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe[2916] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text G:\windows\Explorer.EXE[3008] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 54, 84 ]
.text G:\windows\Explorer.EXE[3008] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text G:\windows\system32\RUNDLL32.EXE[3476] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 3B, 84 ]
.text G:\windows\system32\RUNDLL32.EXE[3476] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text G:\windows\system32\rundll32.exe[3484] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 3B, 84 ]
.text G:\windows\system32\rundll32.exe[3484] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text G:\windows\RTHDCPL.EXE[3508] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 1C, 85 ]
.text G:\windows\RTHDCPL.EXE[3508] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text G:\Program Files\XtremeTuner\XtremeTuner.exe[3528] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 87, 84 ]
.text G:\Program Files\XtremeTuner\XtremeTuner.exe[3528] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text G:\Program Files\Java\jre6\bin\jusched.exe[3712] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 4F, 84 ]
.text G:\Program Files\Java\jre6\bin\jusched.exe[3712] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text G:\windows\system32\ctfmon.exe[3740] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 2C, 84 ]
.text G:\windows\system32\ctfmon.exe[3740] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE[3856] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 2C, 84 ]
.text G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE[3856] KERNEL32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text G:\windows\system32\svchost.exe[3900] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 03, 84 ]
.text G:\windows\system32\svchost.exe[3900] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text G:\Program Files\Windows Desktop Search\WindowsSearch.exe[3976] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, BE, 83 ]
.text G:\Program Files\Windows Desktop Search\WindowsSearch.exe[3976] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[4064] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 2C, 84 ]
.text G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[4064] KERNEL32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip pctfw2.sys (PC Tools TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp pctfw2.sys (PC Tools TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp pctfw2.sys (PC Tools TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp pctfw2.sys (PC Tools TDI Driver/PC Tools)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.14 ----

Service system32\drivers\msqpdxmxfeoitu.sys (*** hidden *** ) [SYSTEM] msqpdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxmxfeoitu.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxserv \systemroot\system32\drivers\msqpdxmxfeoitu.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxl \systemroot\system32\msqpdxmtpekrxx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxdfswfh35g2 \systemroot\system32\msqpdxyaqunpur.dll
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxmxfeoitu.sys
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxserv \systemroot\system32\drivers\msqpdxmxfeoitu.sys
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxl \systemroot\system32\msqpdxmtpekrxx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxdfswfh35g2 \systemroot\system32\msqpdxyaqunpur.dll

---- EOF - GMER 1.0.14 ----


Regards
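The GMER report above ends with a service flagged `*** hidden ***` and a matching set of `Reg` lines under `Services\msqpdxserv.sys`. GMER reaches that verdict by cross-view comparison: the service is present in the raw kernel and registry view but absent from what the normal Windows enumeration APIs return, which is the classic signature of a kernel rootkit hiding its driver. The script below is an added example, not part of the thread or of GMER, that parses the two sections in this log format, pairs each hidden service with the registry data that names its image path and loaded modules, and prints a short triage summary a helper could read at a glance. The sample log is a constructed excerpt modelled on the lines quoted above; the field layout of GMER 1.0.14 lines is assumed from that output.

```python
import re
from typing import Dict, List

# Constructed sample in the GMER 1.0.14 layout seen in the thread (not a real capture).
SAMPLE_GMER_LOG = r"""
---- Services - GMER 1.0.14 ----

Service system32\drivers\msqpdxmxfeoitu.sys (*** hidden *** ) [SYSTEM] msqpdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxmxfeoitu.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxl \systemroot\system32\msqpdxmtpekrxx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxmxfeoitu.sys
"""

# "Service <image> (*** hidden *** ) [<start type>] <service name> ..."
SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+\(\*\*\* hidden \*\*\*\s*\)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)"
)
# "Reg HKLM\SYSTEM\<ControlSet>\Services\<svc>[\subkey]@<value> <data>"
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\\w+\\Services\\(?P<svc>[^\\@\s]+)"
    r"(?P<subkey>(?:\\[^@\s]+)?)@(?P<value>\S+)\s+(?P<data>.*)$"
)


def parse_gmer_log(text: str) -> List[Dict[str, object]]:
    """One finding per hidden service, with its registry values and module paths attached."""
    hidden: Dict[str, Dict[str, object]] = {}
    reg_matches = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            hidden[m["name"].lower()] = {
                "service": m["name"],
                "image": m["image"],
                "start_type": m["start"],
                "registry": {},
                "modules": [],
            }
            continue
        m = REG_RE.match(line)
        if m:
            reg_matches.append(m)

    # Second pass: correlate registry lines with the hidden services by service key name.
    for m in reg_matches:
        finding = hidden.get(m["svc"].lower())
        if finding is None:
            continue  # belongs to a service GMER did not flag; not of interest here
        data = m["data"].strip()
        if m["subkey"].lower() == r"\modules":
            if data not in finding["modules"]:
                finding["modules"].append(data)
        else:
            finding["registry"][m["value"].lower()] = data
    return list(hidden.values())


def report(findings: List[Dict[str, object]]) -> List[str]:
    """Render the findings as indented text lines for a reply or a case note."""
    lines: List[str] = []
    for f in findings:
        lines.append(f"HIDDEN SERVICE {f['service']} (start type {f['start_type']}): {f['image']}")
        for name, data in sorted(f["registry"].items()):
            lines.append(f"    {name} = {data}")
        for mod in f["modules"]:
            lines.append(f"    module: {mod}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_gmer_log(SAMPLE_GMER_LOG))))
```

Every path in the summary (the driver under `system32\drivers` and each DLL under `modules`) is something the helper will want to see removed or quarantined and then confirmed gone on a follow-up scan, which is why the script lists them together rather than leaving the reader to join the `Service` and `Reg` lines by hand.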

#6 ndmmxiaomayi

  • Malware Response Team
  • 266 posts
  • Location:Everywhere

Posted 24 December 2008 - 03:30 AM

Hi JasonG,

Step 1

Please disable Spyware Doctor temporarily as it may interfere with the fixes.
  • Right click on Spyware Doctor icon in the system tray (near the clock).
  • Select Disable OnGuard.
  • OnGuard will open a prompt. Select Permanently turn off OnGuard (not recommended) from the drop-down list and click OK.
  • Right click on the Spyware Doctor icon again and select ShutDown.
  • Restart the computer for OnGuard to be disabled.
Step 2

Please visit this page to download and run Combofix - http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Save it to your desktop.
  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will see the following message if Microsoft Windows Recovery Console is not installed.

    Posted Image

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes to continue scanning for malware.

When finished, a log will be produced. Please post this log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Done your best? Really?


#7 jasonpg

  • Topic Starter
  • Members
  • 21 posts

Posted 25 December 2008 - 08:26 PM

Hi & Merry Xmas,
I followed your instructions, and when I dragged / dropped the Microsoft file onto the Combofix icon I received a message to the effect that 'boot partition cannot be enumerated correctly'. I was then asked via a message box to connect to the internet and install the autorecovery console. I did this, another message about failing to download appeared, and then Combofix began running. I disconnected the internet as I had no AV or firewall (disabled as per instruction). I obviously did not touch the PC then. A log then appeared, which is posted below. This sequence of events seems different to what I was expecting after reading the manual??

ComboFix 08-12-23.01 - JasonPG 2008-12-26 11:00:24.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1572 [GMT 10:00]
Running from: g:\documents and settings\JasonPG\Desktop\ComboFix.exe
Command switches used :: g:\documents and settings\JasonPG\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-11-26 to 2008-12-26 )))))))))))))))))))))))))))))))
.

2008-12-24 07:00 . 2008-12-24 07:00 250 --a------ g:\windows\gmer.ini
2008-12-21 19:35 . 2008-12-21 19:35 <DIR> d--h----- g:\windows\PIF
2008-12-13 02:36 . 2008-12-13 02:36 <DIR> d-------- g:\program files\trend micro
2008-12-13 02:35 . 2008-12-13 02:36 <DIR> d-------- G:\rsit
2008-12-11 21:08 . 2008-12-11 21:08 <DIR> d-------- g:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-12-09 19:17 . 2008-12-09 19:17 <DIR> d-------- g:\documents and settings\Administrator
2008-12-08 18:46 . 2008-12-08 18:46 <DIR> d-------- g:\program files\Malwarebytes' Anti-Malware
2008-12-08 18:46 . 2008-12-03 19:59 38,496 --a------ g:\windows\system32\drivers\mbamswissarmy.sys
2008-12-08 18:46 . 2008-12-03 19:59 15,504 --a------ g:\windows\system32\drivers\mbam.sys
2008-12-08 17:30 . 2008-12-08 17:30 <DIR> d-------- g:\windows\Sun
2008-12-08 17:30 . 2008-12-08 17:29 410,984 --a------ g:\windows\system32\deploytk.dll
2008-12-08 17:30 . 2008-12-08 17:29 73,728 --a------ g:\windows\system32\javacpl.cpl
2008-12-08 17:29 . 2008-12-08 17:29 <DIR> d-------- g:\program files\Java
2008-12-08 17:08 . 2008-12-13 06:03 <DIR> d-------- G:\New Folder
2008-12-08 17:03 . 2008-12-08 17:19 <DIR> dr------- g:\program files\Norton Support
2008-12-08 16:24 . 2008-12-08 16:23 35,888 -ra------ g:\windows\system32\drivers\SymIM.sys
2008-12-08 16:23 . 2008-12-08 16:23 <DIR> d-------- g:\program files\Windows Sidebar
2008-12-08 16:23 . 2008-12-08 16:23 <DIR> d-------- g:\program files\Symantec
2008-12-08 16:23 . 2008-12-08 16:23 124,464 --a------ g:\windows\system32\drivers\SYMEVENT.SYS
2008-12-08 16:23 . 2008-12-08 16:23 60,808 --a------ g:\windows\system32\S32EVNT1.DLL
2008-12-08 16:23 . 2008-12-08 16:23 10,635 --a------ g:\windows\system32\drivers\SYMEVENT.CAT
2008-12-08 16:23 . 2008-12-08 16:23 806 --a------ g:\windows\system32\drivers\SYMEVENT.INF
2008-12-08 06:50 . 2005-05-03 20:43 69,632 -r------- g:\windows\Alcmtr.exe
2008-12-08 06:28 . 2008-12-08 06:28 13,249 --a------ g:\windows\Ascd_tmp.ini
2008-12-08 00:15 . 2008-12-08 06:11 <DIR> d-------- g:\program files\ThreatExpert Memory Scanner
2008-12-07 23:00 . 2008-12-11 20:42 <DIR> d-------- g:\program files\SUPERAntiSpyware
2008-12-07 23:00 . 2008-12-11 20:42 <DIR> d-------- g:\documents and settings\JasonPG\Application Data\SUPERAntiSpyware.com
2008-12-07 23:00 . 2008-12-07 23:00 <DIR> d-------- g:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-07 20:20 . 2008-12-07 20:20 <DIR> d-------- g:\documents and settings\JasonPG\Application Data\Malwarebytes
2008-12-07 20:19 . 2008-12-07 20:19 <DIR> d-------- g:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-07 20:15 . 2008-12-07 20:15 <DIR> d-------- g:\documents and settings\JasonPG\Application Data\TrojanHunter
2008-12-07 19:58 . 2008-12-07 20:16 <DIR> d-------- g:\program files\TrojanHunter 5.0
2008-12-07 18:12 . 2008-12-07 18:12 <DIR> d-------- g:\documents and settings\JasonPG\Application Data\AVSMedia
2008-12-07 18:12 . 2008-12-07 18:12 <DIR> d-------- g:\documents and settings\All Users\Application Data\AVS4YOU
2008-12-07 18:11 . 2008-12-07 23:41 <DIR> d-------- g:\program files\Common Files\AVSMedia
2008-12-07 18:05 . 2008-12-07 18:05 <DIR> d-------- g:\program files\Common Files\Download Manager
2008-12-07 17:38 . 2008-12-07 17:38 <DIR> d-------- g:\program files\Nidesoft Studio
2008-12-07 17:27 . 2003-06-23 01:44 1,415,680 --a------ g:\windows\system32\wmv9vcm.dll
2008-12-07 17:27 . 2003-08-29 00:55 423,424 --a------ g:\windows\system32\WMAVDS32.ax
2008-12-07 17:27 . 2001-05-16 16:54 309,616 --a------ g:\windows\system32\wmv8dmod.dll
2008-12-07 17:27 . 2001-03-26 03:41 245,760 --a------ g:\windows\system32\mp4sds32.ax
2008-11-27 18:42 . 2008-11-27 18:46 <DIR> d-------- g:\windows\NV25842920.TMP
2008-11-27 18:28 . 2008-11-27 18:28 <DIR> d-------- g:\program files\SystemRequirementsLab
2008-11-27 18:28 . 2008-11-27 18:28 552 --a------ g:\windows\system32\d3d8caps.dat
2008-11-27 17:42 . 2008-11-27 17:42 <DIR> d-------- g:\windows\NV10281348.TMP
2008-11-27 16:24 . 2008-11-27 16:24 <DIR> d-------- g:\windows\NV10321444.TMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 20:57 --------- d---a-w g:\documents and settings\All Users\Application Data\TEMP
2008-12-23 20:57 --------- d-----w g:\program files\Spyware Doctor
2008-12-11 10:42 --------- d-----w g:\program files\Common Files\Wise Installation Wizard
2008-12-09 09:28 --------- d-----w g:\program files\Google
2008-12-08 06:23 --------- d-----w g:\program files\Norton AntiVirus
2008-12-08 06:23 --------- d-----w g:\program files\Common Files\Symantec Shared
2008-12-07 13:40 --------- d-----w g:\program files\DNA
2008-12-07 03:52 --------- d-----w g:\documents and settings\JasonPG\Application Data\Corel
2008-11-27 08:43 --------- d-----w g:\program files\AGEIA Technologies
2008-11-23 09:53 --------- d-----w g:\documents and settings\All Users\Application Data\Symantec
2008-11-23 09:22 --------- d-----w g:\documents and settings\All Users\Application Data\Norton
2008-11-23 09:21 --------- d-----w g:\program files\NortonInstaller
2008-11-23 08:23 --------- d-----w g:\documents and settings\All Users\Application Data\NortonInstaller
2008-11-23 07:58 --------- d-----w g:\program files\Common Files\PC Tools
2008-11-23 07:57 160,792 ----a-w g:\windows\system32\drivers\pctfw2.sys
2008-11-23 07:54 --------- d-----w g:\documents and settings\JasonPG\Application Data\PC Tools
2008-11-23 01:43 --------- d-----w g:\documents and settings\JasonPG\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-11-23 00:13 --------- d-----w g:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-18 16:04 19,263 ----a-w g:\program files\nv4_disp.cat
2008-11-15 01:30 --------- d--h--w g:\program files\InstallShield Installation Information
2008-11-15 01:30 --------- d-----w g:\program files\USB Flash Disk Utility
2008-11-15 00:45 --------- dcsh--w g:\program files\Common Files\WindowsLiveInstaller
2008-11-15 00:44 --------- d-----w g:\documents and settings\All Users\Application Data\WLInstaller
2008-11-13 06:20 43,816 ----a-w g:\program files\NvApps.xm_
2008-11-12 06:48 --------- d-----w g:\program files\THQ
2008-11-12 03:45 453,152 ----a-w g:\windows\system32\NVUNINST.EXE
2008-11-11 02:01 --------- d-----w g:\program files\Live Bid Control Kit Setup
2008-11-08 05:26 --------- d-----w g:\program files\DivX
2008-11-07 06:48 --------- d-----w g:\program files\EA Sports
2008-11-04 06:46 --------- d-----w g:\documents and settings\JasonPG\Application Data\DivX
2008-10-31 11:22 --------- d-----w g:\documents and settings\All Users\Application Data\PC Tools
2008-10-30 19:44 --------- d-----w g:\program files\NOS
2008-10-30 19:44 --------- d-----w g:\documents and settings\All Users\Application Data\NOS
2008-10-30 11:23 --------- d-----w g:\program files\Quicken
2008-10-30 11:03 --------- d-----w g:\program files\Common Files\Adobe AIR
2008-10-30 11:02 --------- d-----w g:\program files\Common Files\Adobe
2008-10-30 10:56 --------- d-----w g:\documents and settings\JasonPG\Application Data\AdobeUM
2008-10-30 06:45 2,516 --sha-w g:\windows\system32\KGyGaAvL.sys
2008-10-28 22:36 823,296 ----a-w g:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w g:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w g:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w g:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w g:\windows\system32\DivX.dll
2008-10-26 00:16 20,968 ----a-w g:\documents and settings\JasonPG\Application Data\GDIPFONTCACHEV1.DAT
2008-10-23 12:36 286,720 ----a-w g:\windows\system32\gdi32.dll
2008-10-18 01:03 107,888 ----a-w g:\windows\system32\CmdLineExt.dll
2008-10-18 00:58 444,952 ----a-w g:\windows\system32\wrap_oal.dll
2008-10-18 00:58 109,080 ----a-w g:\windows\system32\OpenAL32.dll
2008-10-17 15:05 315,392 ----a-w g:\windows\HideWin.exe
2008-10-16 20:38 826,368 ----a-w g:\windows\system32\wininet.dll
2008-10-16 04:13 202,776 ----a-w g:\windows\system32\wuweb.dll
2008-10-16 04:13 1,809,944 ----a-w g:\windows\system32\wuaueng.dll
2008-10-16 04:12 561,688 ----a-w g:\windows\system32\wuapi.dll
2008-10-16 04:12 323,608 ----a-w g:\windows\system32\wucltui.dll
2008-10-16 04:09 92,696 ----a-w g:\windows\system32\cdm.dll
2008-10-16 04:09 51,224 ----a-w g:\windows\system32\wuauclt.exe
2008-10-16 04:09 43,544 ----a-w g:\windows\system32\wups2.dll
2008-10-16 04:08 34,328 ----a-w g:\windows\system32\wups.dll
2008-10-16 04:06 268,648 ----a-w g:\windows\system32\mucltui.dll
2008-10-16 04:06 208,744 ----a-w g:\windows\system32\muweb.dll
2008-10-13 00:36 35,950,872 ----a-r g:\program files\PhysX_8.10.13_SystemSoftware.exe
2008-10-12 23:56 70,936 ----a-w g:\windows\system32\PhysXLoader.dll
2008-10-03 10:02 247,326 ----a-w g:\windows\system32\strmdll.dll
2008-09-30 06:43 1,286,152 ----a-w g:\windows\system32\msxml4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="g:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ctfmon.exe"="g:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="g:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="g:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"Corel Photo Downloader"="g:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-10-31 478800]
"Adobe Reader Speed Launcher"="g:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NvMediaCenter"="g:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"XtremeTuner"="g:\program files\XtremeTuner\XtremeTuner.exe" [2008-06-10 3833923]
"SunJavaUpdateSched"="g:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600]
"nwiz"="nwiz.exe" [2008-11-12 g:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 g:\windows\RTHDCPL.exe]

g:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - g:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Windows Search.lnk - g:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "g:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "g:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 g:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"g:\\windows\\system32\\sessmgr.exe"=
"g:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"g:\\Program Files\\Codemasters\\GRID Demo\\GRID.exe"=
"g:\\Documents and Settings\\JasonPG\\My Documents\\Computer\\Software\\Norton Antivirus\\Removal tool\\SymNRT.exe"=
"g:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"g:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=

R0 SymEFA;Symantec Extended File Attributes;g:\windows\system32\drivers\NAV\1001000.021\SYMEFA.SYS [2008-12-08 309296]
R1 BHDrvx86;Symantec Heuristics Driver;\??\g:\windows\system32\drivers\NAV\1001000.021\BHDrvx86.sys [2008-12-08 255536]
R1 ccHP;Symantec Hash Provider;\??\g:\windows\system32\drivers\NAV\1001000.021\ccHPx86.sys [2008-12-08 362544]
R1 IDSxpx86;IDSxpx86;\??\g:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081210.002\IDSxpx86.sys [2008-12-11 274808]
R1 pctfw2;pctfw2;\??\g:\windows\system32\drivers\pctfw2.sys [2008-11-23 160792]
R1 SASDIFSV;SASDIFSV;\??\g:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\g:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R2 Norton AntiVirus;Norton AntiVirus;"g:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton AntiVirus" /m "g:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\g:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-23 99376]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\g:\docume~1\JasonPG\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys []
S3 SASENUM;SASENUM;\??\g:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S3 sdAuxService;PC Tools Auxiliary Service;g:\program files\Spyware Doctor\pctsAuxs.exe [2008-11-23 356920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - j:\setup\rsrc\Autorun.exe
\Shell\dinstall\command - j:\directx\dxsetup.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - GMER
*Newly Created Service* - HTTPFILTER
*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {A75BF1D0-C7C3-CB55-EE17-3225387FD154} /qb
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
LSP: g:\program files\Common Files\PC Tools\LSP\PCTLsp.dll

g:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
g:\windows\Downloaded Program Files\SysReqLab3.osd

g:\windows\system32\msvcrt.dll - g:\windows\system32\mfc42.dll
g:\windows\system32\olepro32.dll
g:\windows\system32\msvcp60.dll
g:\windows\Downloaded Program Files\ijl15.dll
g:\windows\Downloaded Program Files\sdl.dll
g:\windows\Downloaded Program Files\lgbskin.dll
g:\windows\Downloaded Program Files\QHTM.dll
g:\windows\Downloaded Program Files\lgbspeak.dll
g:\windows\Downloaded Program Files\xcon.dll
g:\windows\Downloaded Program Files\LgbMP.ocx
g:\windows\Downloaded Program Files\lgbBidder.ocx
g:\windows\system32\sdl.dll
g:\windows\system32\ijl15.dll
g:\windows\Downloaded Program Files\CONFLICT.1\lgbskin.dll
g:\windows\system32\QHTM.dll
g:\windows\Downloaded Program Files\CONFLICT.1\lgbspeak.dll
g:\windows\system32\xcon.dll
g:\windows\system32\LgbMP.ocx
g:\windows\system32\lgbBidder.ocx
g:\windows\Downloaded Program Files\CONFLICT.2\lgbskin.dll
g:\windows\Downloaded Program Files\CONFLICT.2\lgbspeak.dll
O16 -: {447F8438-8124-4369-905B-A249E13CBBFC}
hxxp://pickles.liveglobalbid.com/install/new/lgbkc.cab
g:\windows\Downloaded Program Files\CONFLICT.2\lgbck.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-26 11:01:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"g:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"g:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys]
"imagepath"="\systemroot\system32\drivers\msqpdxmxfeoitu.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
g:\program files\SUPERAntiSpyware\SASWINLO.dll
g:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1040)
g:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
Completion time: 2008-12-26 11:01:34
ComboFix-quarantined-files.txt 2008-12-26 01:01:32
ComboFix2.txt 2008-12-26 00:27:05

Pre-Run: 263,855,304,704 bytes free
Post-Run: 263,842,754,560 bytes free

246 --- E O F --- 2008-12-12 06:39:04


I also note there is a 'Qoobox' folder created with a number of Combofix files contained within it.

Regards
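The "Reg Loading Points" part of the ComboFix log above is a REGEDIT4-style export, and several of its entries describe the machine's own protections being switched off: `DisableMonitoring=dword:00000001` under `security center\Monitoring`, `"EnableFirewall"= 0 (0x0)` for the standard firewall profile, and a list of firewall exceptions. Whether each one is legitimate (a third-party suite commonly registers its own vendor subkey under `Monitoring` so Security Center stops alerting about it) is for the helper to judge; what follows is an added example, written for this page and not part of ComboFix or the thread, that parses this section format and surfaces those settings so nothing has to be eyeballed. The sample export is a constructed excerpt modelled on the lines quoted above; the `0 (0x0)` rendering of a DWORD is assumed from that output.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt in ComboFix's REGEDIT4-style layout (not a real capture).
SAMPLE_COMBOFIX_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"g:\\windows\\system32\\sessmgr.exe"=
"g:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')


def parse_reg_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the export into {lower-cased key: {lower-cased value name: raw data}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m["key"].lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m["name"].lower()] = m["data"].strip()
    return sections


def to_int(data: str) -> Optional[int]:
    """Decode 'dword:00000001' or ComboFix's '0 (0x0)' rendering; None if not numeric."""
    m = re.match(r"dword:([0-9a-fA-F]{8})$", data)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", data)
    return int(m.group(1)) if m else None


def check_security_posture(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag settings that weaken the machine's own protections; one line per finding."""
    findings: List[str] = []
    for key, values in sections.items():
        if "security center\\monitoring" in key and to_int(values.get("disablemonitoring", "")) == 1:
            findings.append(f"Security Center monitoring disabled: [{key}]")
        if key.endswith("firewallpolicy\\standardprofile") and to_int(values.get("enablefirewall", "")) == 0:
            findings.append(f"Windows Firewall off (standard profile): [{key}]")
        if key.endswith("authorizedapplications\\list"):
            # Every value name in this key is a program allowed through the firewall.
            for app in values:
                findings.append(f"Firewall exception: {app}")
    return findings


if __name__ == "__main__":
    for line in check_security_posture(parse_reg_dump(SAMPLE_COMBOFIX_REG)):
        print(line)
```

The per-vendor `Monitoring` subkeys are reported alongside the root one deliberately: seeing both lets the reader decide which were set by an installed product and which were not, instead of the script silently deciding for them.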

#8 ndmmxiaomayi

  • Malware Response Team
  • 266 posts
  • Location:Everywhere

Posted 26 December 2008 - 10:24 AM

Hi JasonG,

Merry Christmas. :thumbsup:

Show hidden files
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.
Double click on the G drive. Is a file named boot.ini present?

Done your best? Really?


#9 jasonpg

  • Topic Starter
  • Members
  • 21 posts

Posted 26 December 2008 - 04:05 PM

No boot file present on drive G: - just a lot of SQM files amongst a couple of others.
When I initially start the PC I get a DOS-type message advising 'invalid boot.ini file' and then 'booting from C:\windows\'.
It seems to start OK from there.

I also noted Spyware Doctor picked up a couple of threats (Application NirCmd) today - considering I only connected to the internet for a very brief period yesterday, I assume these are related to Combofix.

JasonG

Edited by jasonpg, 26 December 2008 - 04:06 PM.


#10 ndmmxiaomayi

  • Malware Response Team
  • 266 posts
  • Location:Everywhere

Posted 27 December 2008 - 09:34 AM

Hi JasonG,

When I initially start the PC I get a DOS type message advising 'invalid boot.ini file' and then 'booting from C:\windows\'.


That is odd. As far as your logs show, Windows is installed on G:\ drive. Can you double check the drive letter?

Next, please open Notepad and copy and paste the following in the Code box into Notepad:

dir /a /s boot.ini > G:\bootfind.txt
start notepad G:\bootfind.txt

Click on File > Save As....

In the File Name box, copy and paste in find.bat

In the Save As Type box, select All Files from the drop-down list.

Click Save.

Double click on find.bat to run it. Command Prompt will open, followed by Notepad shortly afterwards. Please post the contents of this Notepad file in your next reply.

Done your best? Really?


#11 jasonpg

  • Topic Starter
  • Members
  • 21 posts

Posted 28 December 2008 - 05:19 AM

Verified message as booting from 'C' drive on multiple occasions. It is strange because I have not seen any reference to 'C' drive anywhere else. When I ran a scan disk in DOS early on, I received messages advising errors had been found on the hard drive, though I could not take this any further.

The other info you asked for:

Bootfind.txt - Notepad
Volume in drive G has no label.
Volume Serial Number is E8D9-7E77

Regards

#12 ndmmxiaomayi

  • Malware Response Team
  • 266 posts
  • Location:Everywhere

Posted 28 December 2008 - 09:31 AM

Hmm... let's see.

Please open Notepad and copy and paste the following in the Code box into Notepad:

[boot loader]
timeout=30
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=1 /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS=2 /fastdetect
scsi(0)disk(0)rdisk(0)partition(1)\WINDOWS=3 /fastdetect
scsi(0)disk(0)rdisk(0)partition(2)\WINDOWS=4 /fastdetect
scsi(0)disk(0)rdisk(1)partition(2)\WINDOWS=5 /fastdetect
scsi(0)disk(0)rdisk(1)partition(2)\WINDOWS=6 /fastdetect
C:\WINDOWS=7 /fastdetect

Click on File > Save As....

In the File Name field, copy and paste in boot.ini

In the Save As Type field, select All Files.

On the left hand side, click on My Computer. Double click on G:\ drive.

Click Save.

Next...

Download BootCheck.exe to your desktop.
  • Double click BootCheck.exe to run the check
  • When complete, a Notepad window will open with some text in it
  • Save the Notepad file to your desktop as BootCheck.txt
  • Copy the contents of BootCheck.txt and post it in your next reply
Do not restart or shut down your computer until I give instructions to do so.

Done your best? Really?
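The boot.ini dictated above is a deliberate probe: with no `default=` line NTLDR has to show the menu, and the seven entries cover the ARC paths the Windows folder might sit on so the user can try each in turn. A boot.ini is also exactly the kind of file worth sanity-checking before a reboot, since a malformed one produces the 'invalid boot.ini file' message reported earlier. The script below is an added example, not from the thread or from BootCheck, that parses a boot.ini into its `[boot loader]` settings and `[operating systems]` entries and reports structural problems: a missing or dangling `default=`, entries that are not ARC paths, `partition(0)` (partitions are numbered from 1), and duplicated entries (entries 5 and 6 in the dictated file are identical). The sample files are constructed; the first copies the helper's text, the second is an ordinary single-entry boot.ini for contrast.

```python
import re
from typing import Dict, List, Tuple

# Constructed copy of the multi-entry boot.ini dictated in the thread.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS=1 /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS=2 /fastdetect
scsi(0)disk(0)rdisk(0)partition(1)\\WINDOWS=3 /fastdetect
scsi(0)disk(0)rdisk(0)partition(2)\\WINDOWS=4 /fastdetect
scsi(0)disk(0)rdisk(1)partition(2)\\WINDOWS=5 /fastdetect
scsi(0)disk(0)rdisk(1)partition(2)\\WINDOWS=6 /fastdetect
C:\\WINDOWS=7 /fastdetect
"""

# Constructed ordinary boot.ini: one entry and a default that points at it.
SAMPLE_CLEAN_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
"""

# ARC path: multi|scsi(n)disk(n)rdisk(n)partition(n)\dir
ARC_RE = re.compile(
    r"^(?P<adapter>multi|scsi)\((?P<a>\d+)\)disk\((?P<d>\d+)\)rdisk\((?P<r>\d+)\)"
    r"partition\((?P<p>\d+)\)(?P<dir>\\.*)?$",
    re.IGNORECASE,
)


def parse_boot_ini(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Return ([boot loader] settings, [(path, description+switches), ...])."""
    loader: Dict[str, str] = {}
    entries: List[Tuple[str, str]] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if "=" not in line:
            continue
        path, _, rest = line.partition("=")  # split on the first '=' only
        if section == "boot loader":
            loader[path.strip().lower()] = rest.strip()
        elif section == "operating systems":
            entries.append((path.strip(), rest.strip()))
    return loader, entries


def validate_boot_ini(text: str) -> List[str]:
    """List structural problems; an empty list means the file looks well-formed."""
    loader, entries = parse_boot_ini(text)
    issues: List[str] = []
    if "default" not in loader:
        issues.append("[boot loader] has no default= line")
    elif loader["default"].lower() not in {p.lower() for p, _ in entries}:
        issues.append(f"default= points at {loader['default']}, which is not a listed entry")
    if not entries:
        issues.append("[operating systems] lists no entries")
    seen: Dict[str, int] = {}
    for i, (path, _desc) in enumerate(entries, 1):
        m = ARC_RE.match(path)
        if m is None:
            issues.append(f"entry {i}: {path} is not an ARC path "
                          "(NTLDR treats drive-letter entries as a non-NT boot-sector file)")
        elif int(m["p"]) == 0:
            issues.append(f"entry {i}: partition(0) is invalid; partitions are numbered from 1")
        key = path.lower()
        if key in seen:
            issues.append(f"entry {i}: duplicates entry {seen[key]} ({path})")
        else:
            seen[key] = i
    return issues


if __name__ == "__main__":
    for name, text in (("dictated", SAMPLE_BOOT_INI), ("clean", SAMPLE_CLEAN_BOOT_INI)):
        print(name, validate_boot_ini(text) or ["no issues"])
```

Run against the dictated file the checker reports the missing `default=`, the duplicated `rdisk(1)partition(2)` entry and the drive-letter entry; against the ordinary file it reports nothing. In the thread's situation the first two are intentional, so the value of the check is that it tells the helper which entries are redundant before the user is asked to try them one by one.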


#13 jasonpg

  • Topic Starter
  • Members
  • 21 posts

Posted 28 December 2008 - 12:36 PM

Bootcheck.txt notepad contents:

CMDCONS Folder exists!

Contents of G:\boot.ini:

[boot loader]
timeout=30
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=1 /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS=2 /fastdetect
scsi(0)disk(0)rdisk(0)partition(1)\WINDOWS=3 /fastdetect
scsi(0)disk(0)rdisk(0)partition(2)\WINDOWS=4 /fastdetect
scsi(0)disk(0)rdisk(1)partition(2)\WINDOWS=5 /fastdetect
scsi(0)disk(0)rdisk(1)partition(2)\WINDOWS=6 /fastdetect
C:\WINDOWS=7 /fastdetect


I won't touch the PC. I might also mention (just for your info) that I had set up a Norton scheduled scan for 2am every morning from 26 Dec; the log shows it picks up and removes IE Defender every scan. I also note Norton advises of an unremoved threat of Backdoor.Tidserv!inf.

#14 ndmmxiaomayi

  • Malware Response Team
  • 266 posts
  • Location:Everywhere

Posted 28 December 2008 - 01:03 PM

the log shows it picks and removes IE Defender every scan. I also note Norton advises of an unremoved threat of Backdoor.Tidserv!inf


May I know the location of these files?

I also noted Spyware doctor picked up a couple of threats (Application NirCmd) today - considering I only connected to the internet for a very brief period yesterday, I assume these are related to Combofix.


Yes, they are.

Now please restart your computer.
  • On restarting your computer, you will be given a menu.
  • Select the first one, 1 /fastdetect and press Enter.
  • Wait for Windows to boot. If you receive an error message, press Enter again. You will be brought back to the menu.
  • Select the next one on the list, 2 /fastdetect and press Enter. Repeat for the rest of the options until Windows starts up fine.
Please let me know which one works for you.

Done your best? Really?


#15 jasonpg

  • Topic Starter
  • Members
  • 21 posts

Posted 28 December 2008 - 01:39 PM

When restarting the PC, option 1 booted Windows OK.

Location of Backdoor.Tidserv!inf is
G:\documents and settings\jasonpg\local settings\temp\tmp7c.tmp

Location of IEdefender was or is

54 Registry entries
(unable to copy details though most files are in a similar format to 'HKEY-USERS\s-1-5-19\software\malwarebell' {3 of these entries} and 'HKEY-USERS\s-1-5-19\software\spyburner' {3 of these entries also} and also Internet explorer file names)

4 files
G:\documents and settings\jasonpg\application data\microsoft\internet explorer\quick launch\spyburner.ink
G:\documents and settings\jasonpg\desktop\spyburner.ink
G:\documents and settings\jasonpg\malware bell 3.2. ink
G:\documents and settings\jasonpg\start menu\ programs\ malware bell 3.2. ink


I read up on SpyBurner and Malware Bell on this site, which seems to indicate both of these programs are linked to IE Defender. As they are repeatedly being found and removed, is there another infection generating them (i.e. Backdoor.Tidserv!inf)? Also, the Norton notification of an unremoved risk dates back to early December - I am not sure if Norton knows when it is removed. I have only used the PC (PC1) after instructions from you guys, in order to keep the system in the same state to allow easier diagnosis. It has dawned on me that the PC I use to access you guys (PC2) doesn't appear to be suffering the same issues (touch wood). The only real difference apart from age and hardware specs is the operating system - the PC (PC1) with all the issues runs XP HE (PC2 = XP Pro).

Regards

Edited by jasonpg, 29 December 2008 - 06:32 AM.




