Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

'Tmp1F7.tmp' infected with 'Backdoor.Tidserv!inf'


  • This topic is locked This topic is locked
6 replies to this topic

#1 neveragainkeygen

neveragainkeygen

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:47 PM

Posted 16 December 2008 - 10:12 AM

Hi guys thanks in advance for your help! much apprieciated.
I think I have been infected by a 'backdoor.tidserv!inf' from something I downloaded in a rushed panick to finish a project, like an idiot I tried to get a keygen to export something from a trial program. Never again.
Explorer is behaving quite strange, opening new windows when a link is clicked, often to an ad.
I also cannot get into my firewall settings, not sure if this is due to the infection, or an admin/security issue.

Norton finds the virus and states 'Tmp1F7.tmp' is infected with 'Backdoor.Tidserv!inf' but cannot fix, quarrentine or delete the infection. I believe 2 other associated infections were removed by norton antivirus.

Below are my 2 DDs logs, Kaspersky was not functioning today so no log there sorry.

LOG A

DDS (Version 1.1.0) - NTFSx86
Run by Lord Family at 14:46:46.04 on 16/12/2008
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.288 [GMT 0:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Internet Explorer\IEXPLORE.EXE
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelp.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\PROGRA~1\Motive\Common\MOTIVE~1.EXE
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Lord Family\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bt.com/broadbandstart/bbs_landing_page.jsp
uSearch Page = hxxp://www.google.com
uWindow Title = Tiscali Internet Access
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Tiscali Internet Access
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {73364D99-1240-4dff-B11A-67E448373048} - c:\windows\system32\ipv6mons.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Power2GoExpress] "c:\program files\cyberlink\power2go\Power2GoExpress.exe" /Startup
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [Spyware Cleaner] "c:\program files\spyware cleaner\SpywareCleaner.Exe" /boot
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [EPSON Stylus DX6000 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibie.exe /fu "c:\docume~1\lordfa~1\locals~1\temp\E_S59.tmp" /EF "HKCU"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [CARPService] carpserv.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [PCMService] "c:\program files\cyberlink\powercinema\PCMService.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "c:\program files\cyberlink\powerbackup\PBKScheduler.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [DSLSTATEXE] c:\program files\bt voyager 105 adsl modem\dslstat.exe icon
mRun: [DSLAGENTEXE] c:\program files\bt voyager 105 adsl modem\dslagent.exe
mRun: [Motive SmartBridge] c:\progra~1\btbroa~1\smartb~1\BTHelpNotifier.exe
mRun: [btbb_wcm_McciTrayApp] c:\program files\btbb_wcm\McciTrayApp.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [YeppStudioAgent] c:\program files\samsung\samsungmediastudio4.1\SamsungMediaStudioAgent.exe
mRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVD.exe
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe" -s
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\btbroa~1.lnk - c:\program files\bt broadband desktop help\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: NameServer = 85.255.116.72;85.255.112.140
TCP: {0B77F685-E330-43FD-9B7F-339A3E51E2DB} = 85.255.116.72;85.255.112.140
TCP: {64084B4F-610C-487D-B223-C950151A4F64} = 85.255.116.72;85.255.112.140
TCP: {CBFE0141-9857-4899-A3CF-C4E791E42FE7} = 85.255.116.72;85.255.112.140
Notify: p2k32reg - c:\documents and settings\all users\documents\settings\p2k32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2008-12-16 14:30 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-16 14:30 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-11 19:03 <DIR> --dshr-- C:\resycled
2008-12-11 19:03 255 ---shr-- C:\autorun.inf
2008-12-11 19:02 2 a------- C:\1007529111
2008-12-05 18:36 1,409 a------- c:\windows\QTFont.for
2008-12-05 18:36 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-05 18:07 <DIR> --d----- c:\program files\IVT Corporation
2008-12-05 18:07 32 a------- c:\windows\0
2008-12-05 18:07 0 a------- c:\windows\system32\0
2008-12-05 17:54 151,552 ac------ c:\windows\system32\dllcache\irftp.exe
2008-12-05 17:54 28,160 ac------ c:\windows\system32\dllcache\irmon.dll
2008-12-05 17:54 8,192 ac------ c:\windows\system32\dllcache\wshirda.dll
2008-12-05 17:54 151,552 a------- c:\windows\system32\irftp.exe
2008-12-05 17:54 28,160 a------- c:\windows\system32\irmon.dll
2008-12-05 17:54 8,192 a------- c:\windows\system32\wshirda.dll
2008-12-01 21:13 <DIR> --d----- c:\program files\Acoustica Mixcraft 4
2008-12-01 20:01 <DIR> --d----- c:\docume~1\lordfa~1\applic~1\Acoustica
2008-12-01 20:00 57,344 a------- c:\windows\system32\Wnaspint.dll
2008-12-01 20:00 <DIR> --d----- c:\program files\VST
2008-12-01 20:00 <DIR> --d----- c:\program files\Acoustica Shared Effects
2008-12-01 20:00 <DIR> --d----- c:\program files\Acoustica Mixcraft 3
2008-12-01 20:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Acoustica

==================== Find3M ====================

2008-11-24 13:11 6,200 a------- c:\docume~1\lordfa~1\applic~1\wklnhst.dat
2008-10-24 11:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-03 20:59 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat

============= FINISH: 14:47:26.39 ===============


LOG B


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 13/08/2005 17:27:12
System Uptime: 16/12/2008 08:14:59 (6 hours ago)

Motherboard: ASUSTek Computer INC. | | A8NE-FM
Processor: AMD Athlon™ 64 Processor 3000+ | Socket 939 | 1809/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 148 GiB total, 107.635 GiB free.
D: is CDROM ()
E: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\3D189411D800
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\3D189411D800
Service: NIC1394

==== System Restore Points ===================

RP710: 13/09/2008 17:07:01 - System Checkpoint
RP711: 29/09/2008 15:33:27 - System Checkpoint
RP712: 30/09/2008 16:34:03 - System Checkpoint
RP713: 01/10/2008 18:35:54 - System Checkpoint
RP714: 06/10/2008 16:46:03 - System Checkpoint
RP715: 11/10/2008 16:28:22 - System Checkpoint
RP716: 12/10/2008 16:02:10 - Installed Microsoft Visual C++ 2005 Redistributable
RP717: 12/10/2008 16:12:39 - Installed QuickTime
RP718: 12/10/2008 16:18:37 - Installed Sony Ericsson Media Manager 1.1
RP719: 13/10/2008 16:22:25 - System Checkpoint
RP720: 14/10/2008 18:20:57 - System Checkpoint
RP721: 14/10/2008 20:01:50 - Software Distribution Service 3.0
RP722: 16/10/2008 18:37:15 - System Checkpoint
RP723: 16/10/2008 18:43:44 - Software Distribution Service 3.0
RP724: 20/10/2008 12:44:14 - System Checkpoint
RP725: 24/10/2008 10:14:49 - System Checkpoint
RP726: 24/10/2008 11:04:33 - Software Distribution Service 3.0
RP727: 28/10/2008 12:58:54 - System Checkpoint
RP728: 29/10/2008 14:10:18 - System Checkpoint
RP729: 30/10/2008 14:44:52 - System Checkpoint
RP730: 31/10/2008 17:25:02 - System Checkpoint
RP731: 02/11/2008 13:04:37 - System Checkpoint
RP732: 03/11/2008 20:41:35 - System Checkpoint
RP733: 04/11/2008 21:20:28 - System Checkpoint
RP734: 05/11/2008 22:27:03 - System Checkpoint
RP735: 07/11/2008 08:24:20 - System Checkpoint
RP736: 08/11/2008 11:09:28 - System Checkpoint
RP737: 09/11/2008 12:37:07 - System Checkpoint
RP738: 11/11/2008 12:47:39 - System Checkpoint
RP739: 12/11/2008 14:29:30 - System Checkpoint
RP740: 12/11/2008 20:48:49 - Software Distribution Service 3.0
RP741: 13/11/2008 21:45:13 - System Checkpoint
RP742: 17/11/2008 09:48:12 - System Checkpoint
RP743: 18/11/2008 13:52:53 - System Checkpoint
RP744: 19/11/2008 21:00:05 - System Checkpoint
RP745: 21/11/2008 12:34:47 - System Checkpoint
RP746: 22/11/2008 14:37:08 - System Checkpoint
RP747: 23/11/2008 19:28:25 - System Checkpoint
RP748: 25/11/2008 16:54:28 - System Checkpoint
RP749: 26/11/2008 20:41:48 - System Checkpoint
RP750: 27/11/2008 21:00:30 - System Checkpoint
RP751: 28/11/2008 21:22:31 - System Checkpoint
RP752: 01/12/2008 18:17:09 - System Checkpoint
RP753: 02/12/2008 18:42:43 - System Checkpoint
RP754: 03/12/2008 14:44:51 - Software Distribution Service 3.0
RP755: 03/12/2008 14:48:22 - Software Distribution Service 3.0
RP756: 04/12/2008 17:35:47 - System Checkpoint
RP757: 05/12/2008 18:07:25 - Installed Bluesoleil2.6.0.1 Release 070402
RP758: 08/12/2008 18:19:48 - System Checkpoint
RP759: 09/12/2008 18:35:27 - System Checkpoint
RP760: 10/12/2008 22:00:45 - System Checkpoint
RP761: 10/12/2008 23:52:33 - Software Distribution Service 3.0
RP762: 11/12/2008 07:58:32 - Software Distribution Service 3.0

==== Installed Programs ======================

ABBYY FineReader 6.0 Sprint
Acoustica Effects Pack
Acoustica Mixcraft 3.1
Acoustica Mixcraft 4.2
Adobe Acrobat 4.0
Adobe ActiveShare 1.3.1
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe PhotoDeluxe Home Edition 4.0
Adobe Reader 7.1.0
AnyDVD
Apple Software Update
ArcSoft VideoImpression 1.6FP
Avanquest update
Bluesoleil2.6.0.1 Release 070402
BT Broadband Desktop Help
BT Voyager 105 ADSL Modem
Camera RAW Plug-In for EPSON Creativity Suite
CC_ccProxyExt
ccCommon
ccPxyCore
CloneDVD2
ContentSAFER for Wizmax
Creative Jukebox Driver
Creative MediaSource
Creative Removable Disk Manager
Creative System Information
Creative Zen Sleek
CutePDF Writer 2.7
DivX Web Player
ebook RafflesHotelSINrack2004
Engineering Examiner OOW
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON PhotoQuicker2.0
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON Web-To-Page
ESDX6000_CX5900 User's Guide
FinePix Studio
FinePixViewer Resource
FinePixViewer Ver.5.4
FUJIFILM USB Driver
Google Earth
Google Toolbar for Internet Explorer
Guitar Pro 5.2
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
iTunes
Java™ 6 Update 11
Kazoo Player
Lame ACM MP3 Codec
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
MediaShow 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft Works 2004 Setup Launcher
ModelScan 2.8.0
Mozilla Firefox (2.0.0.1)
MSN
MSRedist
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton WMI Update
NVIDIA Drivers
PhotoNow! 1.0
Pirates of the Caribbean
Power Tab Editor 1.7
Power2Go 4.0
PowerBackup 1.0
PowerCinema 4.0
PowerDirector Express
PowerDVD
PowerDVD Copy 1.0
PowerProducer
PowerStarter
QuickTime
RealOne Player
Realtek AC'97 Audio
SamsungMediaStudio
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Softk56 Data Fax Voice Speakerphone CARP
Sony Ericsson Media Manager 1.1
Sony Ericsson PC Suite 3.205.00
SPBBC
Symantec Network Drivers Update
Symantec Script Blocking Installer
SymNet
Tiscali 10.0
Tiscali Internet Access
TomTom HOME
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
XviD MPEG-4 Video Codec

==== Event Viewer Messages From Past Week ========

15/12/2008 20:54:17, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
15/12/2008 20:54:17, error: Service Control Manager [7000] - The ForceWare user log service service failed to start due to the following error: The system cannot find the file specified.
15/12/2008 20:54:17, error: Service Control Manager [7000] - The Forceware Web Interface service failed to start due to the following error: The system cannot find the file specified.
11/12/2008 12:50:27, error: Service Control Manager [7022] - The CyberLink Task Scheduler (CTS) service hung on starting.
16/12/2008 14:26:37, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.

==== End Of File ===========================

BC AdBot (Login to Remove)

 


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:47 AM

Posted 23 December 2008 - 09:05 PM

Hello.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable Norton Antivirus.
  • Right click on thr Norton icon (Posted Image) beside your click and select Disable Auto-Protect.
  • Select a disabled duration of 5 hours to ensure that it will not interfere with this fix.
  • Click OK to apply the settings.
When done properly, you should recieve a pop-up warning saying that protection was disabled. The Norton icon should now look like Posted Image.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop. If you have already run ComboFix, delete your copy and download a new one.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not recieve the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    Posted ImagePosted Image

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    Posted Image
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Please also include a new HijackThis log.

With Regards,
The Panda

#3 neveragainkeygen

neveragainkeygen
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:47 PM

Posted 24 December 2008 - 08:38 AM

Hey Panda,

Thanks very much for the reply and on Christmas eve too!

I followed your instructions and ran combofix, tried to install the recovery console but it aborted for some reason, even with my internet connected and anti-virus disabled.
For this reason I saved the log and ran combofix again to see if the recovery console would work this time but with no joy.
I have included both logs below in order, followed by my hijackthis log.

Thanks again.

Combofix LOG 1

ComboFix 08-12-23.01 - Lord Family 2008-12-24 13:09:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.564 [GMT 0:00]
Running from: c:\documents and settings\Lord Family\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\All Users.\documents\settings
c:\documents and settings\All Users.\documents\settings\desktop.ini
c:\documents and settings\All Users.\documents\settings\p2k32.dll
C:\resycled
c:\resycled\boot.com
c:\windows\hosts
c:\windows\system32\drivers\msqpdxpxweoitu.sys
c:\windows\system32\msqpdxmtpearxx.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSQPDXSERV.SYS
-------\Legacy_MSQPDXSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))
.

2008-12-16 14:30 . 2008-12-16 14:30 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-16 14:30 . 2008-12-16 14:30 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-11 19:02 . 2008-12-11 19:02 2 --a------ C:\1007529111
2008-12-05 18:10 . 2008-12-05 18:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Bluetooth
2008-12-05 18:07 . 2008-12-05 18:07 <DIR> d-------- c:\program files\IVT Corporation
2008-12-05 18:07 . 2008-12-05 18:08 32 --a------ c:\windows\0
2008-12-05 18:07 . 2008-12-05 18:07 0 --a------ c:\windows\system32\0
2008-12-05 17:54 . 2008-04-14 01:12 151,552 --a------ c:\windows\system32\irftp.exe
2008-12-05 17:54 . 2008-04-14 01:12 151,552 --a--c--- c:\windows\system32\dllcache\irftp.exe
2008-12-05 17:54 . 2008-04-14 01:11 28,160 --a------ c:\windows\system32\irmon.dll
2008-12-05 17:54 . 2008-04-14 01:11 28,160 --a--c--- c:\windows\system32\dllcache\irmon.dll
2008-12-05 17:54 . 2008-04-14 01:12 8,192 --a------ c:\windows\system32\wshirda.dll
2008-12-05 17:54 . 2008-04-14 01:12 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2008-12-01 21:13 . 2008-12-01 21:28 <DIR> d-------- c:\program files\Acoustica Mixcraft 4
2008-12-01 20:01 . 2008-12-01 20:01 <DIR> d-------- c:\documents and settings\Lord Family\Application Data\Acoustica
2008-12-01 20:00 . 2008-12-01 20:00 <DIR> d-------- c:\program files\VST
2008-12-01 20:00 . 2008-12-01 21:26 <DIR> d-------- c:\program files\Acoustica Shared Effects
2008-12-01 20:00 . 2008-12-01 20:01 <DIR> d-------- c:\program files\Acoustica Mixcraft 3
2008-12-01 20:00 . 2008-12-01 20:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Acoustica
2008-12-01 20:00 . 2007-08-07 11:32 57,344 --a------ c:\windows\system32\Wnaspint.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-24 13:08 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-21 19:22 --------- d-----w c:\program files\EPSON
2008-12-21 19:15 --------- d-----w c:\program files\FinePixViewer
2008-12-19 14:48 --------- d-----w c:\program files\Norton Internet Security
2008-12-16 14:30 --------- d-----w c:\program files\Java
2008-11-24 13:11 6,200 ----a-w c:\documents and settings\Lord Family\Application Data\wklnhst.dat
2008-11-03 21:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-03 21:17 --------- d-----w c:\program files\C4W
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2006-12-25 19:38 66,648 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2006-12-25 19:38 54,352 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2006-12-25 19:38 34,928 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2006-12-25 19:38 46,696 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2006-12-25 19:38 172,120 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-09-03 20:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2005-03-23 1630303]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-21 151597]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-15 6803456]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-06-15 86016]
"PCMService"="c:\program files\CyberLink\PowerCinema\PCMService.exe" [2005-01-14 110744]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"{1290A33C-85F5-4164-A1BE-7DD299D4986A}"="c:\program files\CyberLink\PowerBackup\PBKScheduler.exe" [2004-06-08 69721]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2007-05-25 100056]
"DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 1658965]
"DSLAGENTEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe" [2003-08-19 16384]
"Motive SmartBridge"="c:\progra~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2005-12-29 543232]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2004-02-18 177152]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2007-10-31 378784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-16 136600]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 c:\windows\system32\ptipbmf.dll]
"CARPService"="carpserv.exe" [2003-01-08 c:\windows\system32\carpserv.exe]
"nwiz"="nwiz.exe" [2005-06-15 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 c:\windows\SOUNDMAN.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-10-08 24652]
S3 cpuz;cpuz;\??\J:\cpuz.sys []
S4 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\DRIVERS\SI3112r.sys [2004-08-21 89749]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd89cf5a-a7ed-11dc-83e6-0011f5300101}]
\Shell\AutoRun\command - F:\InstallTomTomHOME.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2008-12-05 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Lord Family.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-10-19 12:54]
.
- - - - ORPHANS REMOVED - - - -

BHO-{73364D99-1240-4dff-B11A-67E448373048} - c:\windows\system32\ipv6mons.dll
HKCU-Run-Spyware Cleaner - c:\program files\Spyware Cleaner\SpywareCleaner.Exe
HKLM-Run-YeppStudioAgent - c:\program files\Samsung\SamsungMediaStudio4.1\SamsungMediaStudioAgent.exe
Notify-p2k32reg - c:\documents and settings\All Users\Documents\Settings\p2k32.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bt.com/broadbandstart/bbs_landing_page.jsp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Tiscali Internet Access
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\Hoops3dStream.dll - O16 -: {AD5F3C4B-BD73-11D5-838B-0050042DF1E4}
hxxp://www.hoops3d.com/downloads/hoopsatlcontrol.cab
c:\windows\Downloaded Program Files\hview.inf
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-24 13:11:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys]
"imagepath"="\systemroot\system32\drivers\msqpdxpxweoitu.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\documents and settings\All Users\Documents\Settings\p2k32.dll
.
Completion time: 2008-12-24 13:12:57
ComboFix-quarantined-files.txt 2008-12-24 13:12:35

Pre-Run: 115,554,668,544 bytes free
Post-Run: 115,867,922,432 bytes free

178 --- E O F --- 2008-12-11 08:00:01



Combofix Log 2


ComboFix 08-12-23.01 - Lord Family 2008-12-24 13:16:55.2 - NTFSx86
Running from: c:\documents and settings\Lord Family\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))
.

2008-12-16 14:30 . 2008-12-16 14:30 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-16 14:30 . 2008-12-16 14:30 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-11 19:02 . 2008-12-11 19:02 2 --a------ C:\1007529111
2008-12-05 18:10 . 2008-12-05 18:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Bluetooth
2008-12-05 18:07 . 2008-12-05 18:07 <DIR> d-------- c:\program files\IVT Corporation
2008-12-05 18:07 . 2008-12-05 18:08 32 --a------ c:\windows\0
2008-12-05 18:07 . 2008-12-05 18:07 0 --a------ c:\windows\system32\0
2008-12-05 17:54 . 2008-04-14 01:12 151,552 --a------ c:\windows\system32\irftp.exe
2008-12-05 17:54 . 2008-04-14 01:12 151,552 --a--c--- c:\windows\system32\dllcache\irftp.exe
2008-12-05 17:54 . 2008-04-14 01:11 28,160 --a------ c:\windows\system32\irmon.dll
2008-12-05 17:54 . 2008-04-14 01:11 28,160 --a--c--- c:\windows\system32\dllcache\irmon.dll
2008-12-05 17:54 . 2008-04-14 01:12 8,192 --a------ c:\windows\system32\wshirda.dll
2008-12-05 17:54 . 2008-04-14 01:12 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2008-12-01 21:13 . 2008-12-01 21:28 <DIR> d-------- c:\program files\Acoustica Mixcraft 4
2008-12-01 20:01 . 2008-12-01 20:01 <DIR> d-------- c:\documents and settings\Lord Family\Application Data\Acoustica
2008-12-01 20:00 . 2008-12-01 20:00 <DIR> d-------- c:\program files\VST
2008-12-01 20:00 . 2008-12-01 21:26 <DIR> d-------- c:\program files\Acoustica Shared Effects
2008-12-01 20:00 . 2008-12-01 20:01 <DIR> d-------- c:\program files\Acoustica Mixcraft 3
2008-12-01 20:00 . 2008-12-01 20:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Acoustica
2008-12-01 20:00 . 2007-08-07 11:32 57,344 --a------ c:\windows\system32\Wnaspint.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-24 13:08 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-21 19:22 --------- d-----w c:\program files\EPSON
2008-12-21 19:15 --------- d-----w c:\program files\FinePixViewer
2008-12-19 14:48 --------- d-----w c:\program files\Norton Internet Security
2008-12-16 14:30 --------- d-----w c:\program files\Java
2008-11-24 13:11 6,200 ----a-w c:\documents and settings\Lord Family\Application Data\wklnhst.dat
2008-11-03 21:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-03 21:17 --------- d-----w c:\program files\C4W
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2006-12-25 19:38 66,648 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2006-12-25 19:38 54,352 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2006-12-25 19:38 34,928 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2006-12-25 19:38 46,696 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2006-12-25 19:38 172,120 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-09-03 20:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2005-03-23 1630303]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-21 151597]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-15 6803456]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-06-15 86016]
"PCMService"="c:\program files\CyberLink\PowerCinema\PCMService.exe" [2005-01-14 110744]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"{1290A33C-85F5-4164-A1BE-7DD299D4986A}"="c:\program files\CyberLink\PowerBackup\PBKScheduler.exe" [2004-06-08 69721]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2007-05-25 100056]
"DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 1658965]
"DSLAGENTEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe" [2003-08-19 16384]
"Motive SmartBridge"="c:\progra~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2005-12-29 543232]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2004-02-18 177152]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2007-10-31 378784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-16 136600]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 c:\windows\system32\ptipbmf.dll]
"CARPService"="carpserv.exe" [2003-01-08 c:\windows\system32\carpserv.exe]
"nwiz"="nwiz.exe" [2005-06-15 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 c:\windows\SOUNDMAN.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\p2k32reg]
c:\documents and settings\All Users\Documents\Settings\p2k32.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd89cf5a-a7ed-11dc-83e6-0011f5300101}]
\Shell\AutoRun\command - F:\InstallTomTomHOME.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2008-12-05 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Lord Family.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-10-19 12:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bt.com/broadbandstart/bbs_landing_page.jsp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Tiscali Internet Access
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {64084B4F-610C-487D-B223-C950151A4F64} = 194.74.65.69 194.72.9.34

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\Hoops3dStream.dll - O16 -: {AD5F3C4B-BD73-11D5-838B-0050042DF1E4}
hxxp://www.hoops3d.com/downloads/hoopsatlcontrol.cab
c:\windows\Downloaded Program Files\hview.inf
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-24 13:17:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\documents and settings\All Users\Documents\Settings\p2k32.dll
.
Completion time: 2008-12-24 13:19:20
ComboFix-quarantined-files.txt 2008-12-24 13:18:38
ComboFix2.txt 2008-12-24 13:12:58

Pre-Run: 115,879,591,936 bytes free
Post-Run: 115,862,921,216 bytes free

155 --- E O F --- 2008-12-11 08:00:01




Hijackthis Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:30:15, on 24/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bt.com/broadbandstart/bbs_landing_page.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {AD5F3C4B-BD73-11D5-838B-0050042DF1E4} (HOOPS 3D Stream Control Class) - http://www.hoops3d.com/downloads/hoopsatlcontrol.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{64084B4F-610C-487D-B223-C950151A4F64}: NameServer = 194.74.65.69 194.72.9.34
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.72;85.255.112.140
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B77F685-E330-43FD-9B7F-339A3E51E2DB}: NameServer = 85.255.116.72;85.255.112.140
O20 - Winlogon Notify: p2k32reg - C:\Documents and Settings\All Users\Documents\Settings\p2k32.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 13891 bytes

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:47 AM

Posted 24 December 2008 - 08:28 PM

Hello.

Seems like something came back the second time ComboFix ran :thumbsup: . Let's see what we can do.

Please make sure your protection is disabled before proceeding.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    KILLALL::
    
    Rootkit::
    c:\documents and settings\All Users\Documents\Settings\p2k32.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\p2k32reg]
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Refering to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware setup and to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using File Assasin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able update using the normal method download the update file from here, using another machine if needed. Simple double click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode. However, do not use the MsConfig method to edit the Boot.ini.
Important!:Please do not select the Show all checkbox during the scan..

Re-enable your protection at this time.

Please post back with:
-the ComboFix log
-the MalwareBytes log
-the GMER scan log

With Regards,
The Panda

#5 neveragainkeygen

neveragainkeygen
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:47 PM

Posted 26 December 2008 - 11:48 AM

Hey Panda,

please find below:

-the new ComboFix log
-the MalwareBytes log
-the GMER scan log

Happy Holidays!!!!!

Combofix Log:

ComboFix 08-12-25.04 - Lord Family 2008-12-26 15:49:16.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.698 [GMT 0:00]
Running from: c:\documents and settings\Lord Family\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Lord Family\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\Settings\p2k32.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-26 to 2008-12-26 )))))))))))))))))))))))))))))))
.

2008-12-24 13:28 . 2008-12-24 13:30 <DIR> d-------- C:\hijackthis
2008-12-16 14:30 . 2008-12-16 14:30 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-16 14:30 . 2008-12-16 14:30 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-11 19:02 . 2008-12-11 19:02 2 --a------ C:\1007529111
2008-12-05 18:10 . 2008-12-05 18:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Bluetooth
2008-12-05 18:07 . 2008-12-05 18:07 <DIR> d-------- c:\program files\IVT Corporation
2008-12-05 18:07 . 2008-12-05 18:08 32 --a------ c:\windows\0
2008-12-05 18:07 . 2008-12-05 18:07 0 --a------ c:\windows\system32\0
2008-12-05 17:54 . 2008-04-14 01:12 151,552 --a------ c:\windows\system32\irftp.exe
2008-12-05 17:54 . 2008-04-14 01:12 151,552 --a--c--- c:\windows\system32\dllcache\irftp.exe
2008-12-05 17:54 . 2008-04-14 01:11 28,160 --a------ c:\windows\system32\irmon.dll
2008-12-05 17:54 . 2008-04-14 01:11 28,160 --a--c--- c:\windows\system32\dllcache\irmon.dll
2008-12-05 17:54 . 2008-04-14 01:12 8,192 --a------ c:\windows\system32\wshirda.dll
2008-12-05 17:54 . 2008-04-14 01:12 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2008-12-01 21:13 . 2008-12-01 21:28 <DIR> d-------- c:\program files\Acoustica Mixcraft 4
2008-12-01 20:01 . 2008-12-01 20:01 <DIR> d-------- c:\documents and settings\Lord Family\Application Data\Acoustica
2008-12-01 20:00 . 2008-12-01 20:00 <DIR> d-------- c:\program files\VST
2008-12-01 20:00 . 2008-12-01 21:26 <DIR> d-------- c:\program files\Acoustica Shared Effects
2008-12-01 20:00 . 2008-12-01 20:01 <DIR> d-------- c:\program files\Acoustica Mixcraft 3
2008-12-01 20:00 . 2008-12-01 20:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Acoustica
2008-12-01 20:00 . 2007-08-07 11:32 57,344 --a------ c:\windows\system32\Wnaspint.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-26 15:41 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-21 19:22 --------- d-----w c:\program files\EPSON
2008-12-21 19:15 --------- d-----w c:\program files\FinePixViewer
2008-12-19 14:48 --------- d-----w c:\program files\Norton Internet Security
2008-12-16 14:30 --------- d-----w c:\program files\Java
2008-11-24 13:11 6,200 ----a-w c:\documents and settings\Lord Family\Application Data\wklnhst.dat
2008-11-03 21:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-03 21:17 --------- d-----w c:\program files\C4W
2006-12-25 19:38 66,648 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2006-12-25 19:38 54,352 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2006-12-25 19:38 34,928 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2006-12-25 19:38 46,696 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2006-12-25 19:38 172,120 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-09-03 20:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-24_13.12.08.64 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-17 02:08:40 3,593,216 -c----w c:\windows\ie7updates\KB960714-IE7\mshtml.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll
- 2008-10-17 02:08:40 3,593,216 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 -c--a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-10-17 02:08:40 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-26 15:51:39 16,384 ----atw c:\windows\temp\Perflib_Perfdata_28c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2005-03-23 1630303]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-21 151597]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-15 6803456]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-06-15 86016]
"PCMService"="c:\program files\CyberLink\PowerCinema\PCMService.exe" [2005-01-14 110744]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"{1290A33C-85F5-4164-A1BE-7DD299D4986A}"="c:\program files\CyberLink\PowerBackup\PBKScheduler.exe" [2004-06-08 69721]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2007-05-25 100056]
"DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 1658965]
"DSLAGENTEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe" [2003-08-19 16384]
"Motive SmartBridge"="c:\progra~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2005-12-29 543232]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2004-02-18 177152]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2007-10-31 378784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-16 136600]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 c:\windows\system32\ptipbmf.dll]
"CARPService"="carpserv.exe" [2003-01-08 c:\windows\system32\carpserv.exe]
"nwiz"="nwiz.exe" [2005-06-15 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 c:\windows\SOUNDMAN.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
BT Broadband Desktop Help.lnk - c:\program files\BT Broadband Desktop Help\bin\matcli.exe [2006-10-11 217088]
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2005-09-28 121856]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2007-11-27 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\system32\\sessmgr.exe"=

S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-10-08 24652]
S3 cpuz;cpuz;\??\J:\cpuz.sys []
S4 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\DRIVERS\SI3112r.sys [2004-08-21 89749]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd89cf5a-a7ed-11dc-83e6-0011f5300101}]
\Shell\AutoRun\command - F:\InstallTomTomHOME.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2008-12-05 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Lord Family.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-10-19 12:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bt.com/broadbandstart/bbs_landing_page.jsp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Tiscali Internet Access
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {64084B4F-610C-487D-B223-C950151A4F64} = 194.74.65.69 194.72.9.34

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\Hoops3dStream.dll - O16 -: {AD5F3C4B-BD73-11D5-838B-0050042DF1E4}
hxxp://www.hoops3d.com/downloads/hoopsatlcontrol.cab
c:\windows\Downloaded Program Files\hview.inf
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-26 15:51:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCPROXY.EXE
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Norton Internet Security\ISSVC.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\BT Broadband Desktop Help\bin\BTHelp.exe
c:\program files\BT Broadband Desktop Help\bin\mpbtn.exe
c:\progra~1\Motive\Common\MOTIVE~1.EXE
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-12-26 15:55:17 - machine was rebooted [Lord Family]
ComboFix-quarantined-files.txt 2008-12-26 15:55:14
ComboFix2.txt 2008-12-24 13:19:21
ComboFix3.txt 2008-12-24 13:12:58

Pre-Run: 115,741,806,592 bytes free
Post-Run: 115,699,621,888 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

201 --- E O F --- 2008-12-24 19:43:07



MalwareBytes log:

Malwarebytes' Anti-Malware 1.31
Database version: 1550
Windows 5.1.2600 Service Pack 3

26/12/2008 16:10:38
mbam-log-2008-12-26 (16-10-38).txt

Scan type: Quick Scan
Objects scanned: 52521
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



GMER log:


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-26 16:34:16
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT 86FFF288 ZwConnectPort
SSDT 86FFFD20 ZwOpenProcess
SSDT 86DCFD88 ZwOpenThread

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [10001CD0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [10001C60] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [10001C80] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [10001CD0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [10001C60] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [10001C80] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [10001CD0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [10001C80] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [10001C60] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [10001C60] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [10001C80] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [10001C60] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [10001C80] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [10001C60] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [10001C80] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [10001CD0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [10001CA0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AdjustWindowRectEx] [1002B410] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AdjustWindowRect] [1002B480] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [10001CA0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [10001CD0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [10001C80] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [10001C60] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowLongA] [1002B4A0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [10001C60] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [10001C80] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [10001CD0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [10001CA0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [10001C80] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [10001CD0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [10001C60] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!SetWindowLongA] [1002B4A0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [10001C60] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [10001C60] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [10001C80] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [10001C60] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [10001C60] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryW] [10001C80] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryExA] [10001CA0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [10001C60] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [10001C60] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [10001CA0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [10001CD0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [10001C60] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3532] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Sony Ericsson Mobile Communications AB)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\atapi \Device\Ide\IdePort0 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort1 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort2 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort3 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort4 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort5 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-1b AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\Fastfat \Fat B79B6D20

AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009dd648a00
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0009dd648a00

---- EOF - GMER 1.0.14 ----


Thanks Panda! Happy Holidays!

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:47 AM

Posted 27 December 2008 - 08:42 AM

Happy Holidays to you too :thumbsup: .

Looks like we took care of that infection.

View Point Program
Viewpoint Manager and Viewpoint Media Player are considered as foistware instead of malware since it is installed without users approval, but does not have malicious effects. This changed from what we know in 2006 read this article.

I suggest you remove the program(s) through Add and Remove Programs.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please also include a new HijackThis log.

Any problems right now?

With Regards,
The Panda

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:47 AM

Posted 02 January 2009 - 09:51 AM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users