Avast Keeps Identifying Win32Agent-BSU

20 replies to this topic

#1 MrsJazzbo

  • Members
  • 12 posts

Posted 25 January 2009 - 12:47 PM

I originally found this forum on Friday when I realized that I had become infected with spools.exe and cftmon.exe. I followed advice that you had provided someone else, using SDFix and Avast.

That seemed to do the trick, but I am now getting regular warnings from Avast that I have temp files that are infected with Win32Agent-BSU. Another thing that I am noticing is that the "Show Pictures" setting under the MultiMedia Tab for Internet Options no longer stays "on" between times when I am using IE.

Help would be appreciated--I'm new at this.

Here's my Hijack This log:

Scan saved at 12:26:17 PM, on 25/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\MICHEL~1\LOCALS~1\Temp\csrssc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Shiva\Shiva VPN Client\icsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070208
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympaticomsn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070208
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: C:\WINDOWS\system32\hgdfeeeh4fdg.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hgdfeeeh4fdg.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - HKCU\..\Run: [System configuration backup] C:\RECYCLER\S-1-5-21-9325190582-3784924430-555281092-4063\sysdate.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\MICHEL~1\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Amazon Unbox.lnk = ?
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_4.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 10.110.33.21 10.110.32.21 10.110.56.151 172.17.237.17
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 10.110.33.21 10.110.32.21 10.110.56.151 172.17.237.17
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.110.33.21 10.110.32.21 10.110.56.151 172.17.237.17
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: jwbripy - jwbripy.dll (file missing)
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hgdfeeeh4fdg.dll (file missing)
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Shiva VPN Client (ICService) - Unknown owner - C:\Program Files\Shiva\Shiva VPN Client\icsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9416 bytes

#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 31 January 2009 - 09:15 AM

Hello MrsJazzbo

Welcome to BleepingComputer
========================

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.
================
Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 MrsJazzbo

  • Topic Starter
  • Members
  • 12 posts

Posted 31 January 2009 - 08:48 PM

Kahdah,

Thanks for helping me with this.

The contents of DDS.txt:


DDS (Ver_09-01-19.01) - NTFSx86
Run by Michelle Anne at 20:24:19.17 on 31/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1242 [GMT -5:00]

AV: avast! antivirus 4.8.1296 [VPS 090130-0] *On-access scanning enabled* (Updated)
AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Shiva\Shiva VPN Client\icsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\FirstClass\fcc32.exe
C:\DOCUME~1\MICHEL~1\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC12.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Documents and Settings\Michelle Anne\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sympaticomsn.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070208
uWindow Title = Microsoft Internet Explorer provided by Sympatico
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: c:\windows\system32\hgdfeeeh4fdg.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hgdfeeeh4fdg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [rs32net] c:\windows\system32\rs32net.exe
uRun: [System configuration backup] c:\recycler\s-1-5-21-9325190582-3784924430-555281092-4063\sysdate.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [tezrtsjhfr84iusjfo84f] c:\docume~1\michel~1\locals~1\temp\csrssc.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\amazon~1.lnk - c:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netass~1.lnk - c:\program files\netassistant\bin\matcli.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_4.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: NameServer = 10.110.33.21 10.110.32.21 10.110.56.151 172.17.237.17
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\quicktax 2007\ic2007pp.dll
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Notify: jwbripy - jwbripy.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\hgdfeeeh4fdg.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hgdfeeeh4fdg.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-24 111184]
R1 ICsrvr;VPN Client Protocol;c:\windows\system32\drivers\ICSRVR.SYS [2007-3-2 166522]
R1 ICtdi;VPN Client TDI Driver;c:\windows\system32\drivers\ICTDI.SYS [2007-3-2 20856]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-1-24 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-1-24 352920]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-5 99376]
R3 ICvnic;VPN Client Virtual Adapter;c:\windows\system32\drivers\icvnic.sys [2007-3-2 6682]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090131.003\NAVENG.SYS [2009-1-31 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090131.003\NAVEX15.SYS [2009-1-31 876112]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-24 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-1-24 155160]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R4 ICService;Shiva VPN Client;c:\program files\shiva\shiva vpn client\ICSRV.EXE [2007-3-2 15360]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-2-8 1245064]
S0 ati0akxx;ati0akxx;c:\windows\system32\drivers\ati0akxx.sys --> c:\windows\system32\drivers\ati0akxx.sys [?]
S0 ati0utxx;ati0utxx;c:\windows\system32\drivers\ati0utxx.sys --> c:\windows\system32\drivers\ati0utxx.sys [?]
S0 ati1gjxx;ati1gjxx;c:\windows\system32\drivers\ati1gjxx.sys --> c:\windows\system32\drivers\ati1gjxx.sys [?]
S0 ati2knxx;ati2knxx;c:\windows\system32\drivers\ati2knxx.sys --> c:\windows\system32\drivers\ati2knxx.sys [?]
S0 ati2nxxx;ati2nxxx;c:\windows\system32\drivers\ati2nxxx.sys --> c:\windows\system32\drivers\ati2nxxx.sys [?]
S0 ati2yjxx;ati2yjxx;c:\windows\system32\drivers\ati2yjxx.sys --> c:\windows\system32\drivers\ati2yjxx.sys [?]
S0 ati4ihxx;ati4ihxx;c:\windows\system32\drivers\ati4ihxx.sys --> c:\windows\system32\drivers\ati4ihxx.sys [?]
S0 ati5qpxx;ati5qpxx;c:\windows\system32\drivers\ati5qpxx.sys --> c:\windows\system32\drivers\ati5qpxx.sys [?]
S0 ati5rcxx;ati5rcxx;c:\windows\system32\drivers\ati5rcxx.sys --> c:\windows\system32\drivers\ati5rcxx.sys [?]
S0 ati5yqxx;ati5yqxx;c:\windows\system32\drivers\ati5yqxx.sys --> c:\windows\system32\drivers\ati5yqxx.sys [?]
S0 ati7hyxx;ati7hyxx;c:\windows\system32\drivers\ati7hyxx.sys --> c:\windows\system32\drivers\ati7hyxx.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-01-25 12:25 <DIR> --d----- c:\program files\Trend Micro
2009-01-25 11:27 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-23 17:10 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-01-23 17:09 <DIR> --d----- c:\windows\ERUNT
2009-01-23 17:07 <DIR> --d----- C:\SDFix
2009-01-23 15:14 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-18 16:52 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-16 08:33 <DIR> --d----- c:\program files\QuickTax 2008

==================== Find3M ====================

2009-01-23 14:30 14,336 a------- c:\windows\system32\svchost.exe
2009-01-23 14:30 14,336 a------- c:\windows\system32\dllcache\svchost.exe
2009-01-08 20:17 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-08 20:17 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-08 20:17 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-08 20:17 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-10-04 16:19 127,128 a------- c:\docume~1\michel~1\applic~1\GDIPFONTCACHEV1.DAT
2007-09-06 05:53 0 a------- c:\docume~1\michel~1\applic~1\wklnhst.dat
2008-08-30 14:45 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 20:24:47.70 ===============


The contents of Attach.txt:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-01-19.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 02/03/2007 9:10:27 PM
System Uptime: 30/01/2009 9:36:35 AM (35 hours ago)

Motherboard: Dell Inc. | | 0UY253
Processor: Intel® Core™2 CPU 6300 @ 1.86GHz | Microprocessor | 1862/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 461 GiB total, 430.657 GiB free.
D: is CDROM (CDFS)
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP603: 02/11/2008 11:25:10 PM - System Checkpoint
RP604: 04/11/2008 12:25:12 AM - System Checkpoint
RP605: 05/11/2008 1:25:13 AM - System Checkpoint
RP606: 06/11/2008 1:25:16 AM - System Checkpoint
RP607: 07/11/2008 2:25:17 AM - System Checkpoint
RP608: 08/11/2008 3:25:19 AM - System Checkpoint
RP609: 09/11/2008 4:25:22 AM - System Checkpoint
RP610: 10/11/2008 5:25:22 AM - System Checkpoint
RP611: 11/11/2008 5:25:25 AM - System Checkpoint
RP612: 12/11/2008 6:25:26 AM - System Checkpoint
RP613: 13/11/2008 7:25:27 AM - System Checkpoint
RP614: 13/11/2008 5:00:14 PM - Software Distribution Service 3.0
RP615: 14/11/2008 5:26:23 PM - System Checkpoint
RP616: 15/11/2008 5:58:14 PM - System Checkpoint
RP617: 16/11/2008 6:14:15 PM - System Checkpoint
RP618: 17/11/2008 7:03:42 PM - System Checkpoint
RP619: 18/11/2008 8:03:44 PM - System Checkpoint
RP620: 19/11/2008 10:19:59 PM - System Checkpoint
RP621: 20/11/2008 11:22:32 PM - System Checkpoint
RP622: 21/11/2008 11:40:53 PM - System Checkpoint
RP623: 23/11/2008 12:41:12 AM - System Checkpoint
RP624: 24/11/2008 1:03:55 AM - System Checkpoint
RP625: 25/11/2008 2:03:56 AM - System Checkpoint
RP626: 26/11/2008 3:03:58 AM - System Checkpoint
RP627: 27/11/2008 3:04:01 AM - System Checkpoint
RP628: 28/11/2008 4:04:03 AM - System Checkpoint
RP629: 29/11/2008 4:04:06 AM - System Checkpoint
RP630: 30/11/2008 5:04:08 AM - System Checkpoint
RP631: 01/12/2008 5:10:01 AM - System Checkpoint
RP632: 02/12/2008 7:45:48 PM - System Checkpoint
RP633: 03/12/2008 8:48:46 PM - System Checkpoint
RP634: 04/12/2008 10:46:48 PM - System Checkpoint
RP635: 05/12/2008 11:29:22 PM - System Checkpoint
RP636: 07/12/2008 12:03:00 AM - System Checkpoint
RP637: 08/12/2008 10:19:48 PM - System Checkpoint
RP638: 09/12/2008 10:23:40 PM - System Checkpoint
RP639: 10/12/2008 5:00:14 PM - Software Distribution Service 3.0
RP640: 11/12/2008 5:11:02 PM - System Checkpoint
RP641: 12/12/2008 5:00:13 PM - Software Distribution Service 3.0
RP642: 13/12/2008 4:44:23 PM - Removed QuickTime
RP643: 13/12/2008 4:46:55 PM - Installed QuickTime
RP644: 14/12/2008 5:03:47 PM - System Checkpoint
RP645: 15/12/2008 7:37:19 PM - System Checkpoint
RP646: 16/12/2008 8:34:41 PM - System Checkpoint
RP647: 17/12/2008 9:57:51 PM - System Checkpoint
RP648: 18/12/2008 5:00:15 PM - Software Distribution Service 3.0
RP649: 19/12/2008 5:37:15 PM - System Checkpoint
RP650: 20/12/2008 6:10:40 PM - System Checkpoint
RP651: 21/12/2008 6:10:43 PM - System Checkpoint
RP652: 22/12/2008 6:26:19 PM - System Checkpoint
RP653: 23/12/2008 7:23:21 PM - System Checkpoint
RP654: 24/12/2008 8:03:41 PM - System Checkpoint
RP655: 25/12/2008 8:26:34 PM - System Checkpoint
RP656: 26/12/2008 8:56:20 PM - System Checkpoint
RP657: 27/12/2008 9:46:34 PM - System Checkpoint
RP658: 28/12/2008 10:26:32 PM - System Checkpoint
RP659: 29/12/2008 10:26:38 PM - System Checkpoint
RP660: 30/12/2008 11:50:00 PM - System Checkpoint
RP661: 01/01/2009 12:04:28 AM - System Checkpoint
RP662: 02/01/2009 12:26:44 AM - System Checkpoint
RP663: 03/01/2009 12:38:45 AM - System Checkpoint
RP664: 04/01/2009 1:26:49 AM - System Checkpoint
RP665: 05/01/2009 2:26:51 AM - System Checkpoint
RP666: 06/01/2009 3:26:53 AM - System Checkpoint
RP667: 07/01/2009 4:26:56 AM - System Checkpoint
RP668: 08/01/2009 5:26:58 AM - System Checkpoint
RP669: 09/01/2009 5:54:15 AM - System Checkpoint
RP670: 10/01/2009 6:54:15 AM - System Checkpoint
RP671: 11/01/2009 7:54:17 AM - System Checkpoint
RP672: 12/01/2009 8:55:24 AM - System Checkpoint
RP673: 13/01/2009 9:54:22 AM - System Checkpoint
RP674: 14/01/2009 10:54:24 AM - System Checkpoint
RP675: 14/01/2009 5:00:15 PM - Software Distribution Service 3.0
RP676: 15/01/2009 5:08:22 PM - System Checkpoint
RP677: 16/01/2009 8:33:17 AM - Installed QuickTax 2008.
RP678: 17/01/2009 8:53:20 AM - System Checkpoint
RP679: 18/01/2009 9:28:15 AM - System Checkpoint
RP680: 18/01/2009 4:52:11 PM - Installed Java™ 6 Update 11
RP681: 19/01/2009 5:25:40 PM - System Checkpoint
RP682: 20/01/2009 5:25:43 PM - System Checkpoint
RP683: 21/01/2009 7:48:57 PM - System Checkpoint
RP684: 23/01/2009 10:04:38 AM - System Checkpoint
RP685: 23/01/2009 2:43:37 PM - Restore Operation
RP686: 23/01/2009 6:02:16 PM - Software Distribution Service 3.0
RP687: 24/01/2009 6:48:17 PM - System Checkpoint
RP688: 25/01/2009 11:16:42 AM - Removed J2SE Runtime Environment 5.0 Update 11
RP689: 25/01/2009 11:17:09 AM - Removed J2SE Runtime Environment 5.0 Update 6
RP690: 25/01/2009 11:17:37 AM - Removed Java™ 6 Update 11
RP691: 25/01/2009 11:27:22 AM - Installed Java™ 6 Update 11
RP692: 28/01/2009 9:35:21 PM - System Checkpoint
RP693: 29/01/2009 9:45:59 PM - System Checkpoint
RP694: 30/01/2009 11:56:52 PM - System Checkpoint

==== Installed Programs ======================

Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.9
AiO_Scan
Amazon Unbox Video
AppCore
Apple Mobile Device Support
Apple Software Update
Audible Download Manager
AudibleManager
avast! Antivirus
Backup
BitTorrent
Bonjour
Broadcom Management Programs
ccCommon
Dell CinePlayer
Dell System Restore
DesignPro 5.0 Media Edition
DNA
Enterprise
ESPNMotion
FirstClass® Client
GearDrvs
GemMaster Mystic
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Driver Diagnostics
HP PSC & Officejet 4.7 Corporate Edition
iTunes
Java™ 6 Update 11
LiveUpdate (Symantec Corporation)
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Small Business Edition 2003
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MobileMe Control Panel
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
neroxml
NetAssistant
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 HTMLHelp
Norton Confidential Core
NVIDIA Drivers
Otto
QFolder
QuickTax 2006
QuickTax 2007
QuickTax 2008
QuickTime
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Safari
Scan
SearchAssist
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Shiva VPN Client
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
SPBBC 32bit
Symantec Real Time Storage Protection Component
Symantec Technical Support Controls
SymNet
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

24/01/2009 1:26:40 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: nvraid

==== End Of File ===========================

The contents of GMER.txt:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-31 20:39:00
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT 8A2B30B0 ZwAlertResumeThread
SSDT 8A2B4290 ZwAlertThread
SSDT 8A1B8E68 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB6A66576]
SSDT 8A264090 ZwConnectPort
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB6A66432]
SSDT 8A41A280 ZwCreateMutant
SSDT 8A355C20 ZwCreateThread
SSDT 8A2A3410 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB6D822A0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB6A66910]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB6A6600A]
SSDT 8A372630 ZwFreeVirtualMemory
SSDT 8A2B1308 ZwImpersonateAnonymousToken
SSDT 8A2B21F0 ZwImpersonateThread
SSDT 8A34FCE0 ZwMapViewOfSection
SSDT 8A2AF2C8 ZwOpenEvent
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB6A6650C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB6A65F4A]
SSDT 8A2C8680 ZwOpenProcessToken
SSDT 8A2AA7E8 ZwOpenSection
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB6A65FAE]
SSDT 8A2B2158 ZwOpenThreadToken
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB6A6662C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB6A665EC]
SSDT 8A2CCF08 ZwResumeThread
SSDT 8A2C7E58 ZwSetContextThread
SSDT 8A1E40C0 ZwSetInformationProcess
SSDT 8A271AE8 ZwSetInformationThread
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB6A6676C]
SSDT 8A2ACC78 ZwSuspendProcess
SSDT 8A2B7670 ZwSuspendThread
SSDT 8A2CA108 ZwTerminateProcess
SSDT 8A2C3E40 ZwTerminateThread
SSDT 8A2C7F30 ZwUnmapViewOfSection
SSDT 8A36D3C0 ZwWriteVirtualMemory

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1256] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 6CC1B328 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1256] USER32.dll!GetSysColorBrush 7E418EAB 5 Bytes JMP 6CC1B360 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1256] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 6CC1B2BC C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1256] USER32.dll!GetScrollInfo 7E42DFE2 7 Bytes JMP 6CC1B26B C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1256] USER32.dll!AdjustWindowRectEx 7E42E7EA 5 Bytes JMP 6CC1B739 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1256] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 6CC1B30D C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1256] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 6CC1B286 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1256] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 6CC1B2D7 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1256] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 6CC1B2A1 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1256] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 6CC1B2F2 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1256] USER32.dll!AdjustWindowRect 7E431140 5 Bytes JMP 6CC1B65E C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1256] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 6CC1B250 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[2096] kernel32.dll!FindResourceW 7C80BC5E 5 Bytes JMP 004200A0 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[2096] kernel32.dll!FindResourceA 7C80BF19 5 Bytes JMP 00420060 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[2096] USER32.dll!LoadStringW 7E419E36 5 Bytes JMP 004205A0 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[2096] USER32.dll!CreateDialogParamW 7E41EA3B 5 Bytes JMP 00420150 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[2096] USER32.dll!LoadBitmapW 7E420242 5 Bytes JMP 00420500 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[2096] USER32.dll!LoadBitmapA 7E42473C 5 Bytes JMP 00420460 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[2096] USER32.dll!LoadStringA 7E42C908 5 Bytes JMP 00420650 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[2096] USER32.dll!LoadIconW 7E42E8BC 5 Bytes JMP 00420370 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[2096] USER32.dll!LoadIconA 7E42E8F6 5 Bytes JMP 00420280 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[2096] USER32.dll!LoadMenuW 7E42EB48 5 Bytes JMP 00420220 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[2096] USER32.dll!CreateDialogParamA 7E43C7DB 5 Bytes JMP 004200E0 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[2096] USER32.dll!LoadMenuA 7E44FA83 5 Bytes JMP 004201C0 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[1196] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003A0002
IAT C:\WINDOWS\system32\services.exe[1196] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003A0000

---- Devices - GMER 1.0.14 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
Device DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Files - GMER 1.0.14 ----

ADS C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP684\A0041924.exe:ext.exe 32256 bytes executable
ADS C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP684\A0041945.exe:ext.exe 32256 bytes executable
ADS C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP685\A0042034.exe:ext.exe 32256 bytes executable

---- EOF - GMER 1.0.14 ----

#4 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 31 January 2009 - 09:35 PM

I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore, please go to Add/Remove Programs in the Control Panel and remove either Avast or Norton 360.

This is a very important step; please do this first before doing anything else.
============
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#5 MrsJazzbo

  • Topic Starter
  • Members
  • 12 posts

Posted 01 February 2009 - 06:46 AM

Here's the combofix log. Can you tell me what I am (was) infected with?

ComboFix 09-01-31.02 - Michelle Anne 2009-02-01 6:32:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1522 [GMT -5:00]
Running from: c:\documents and settings\Michelle Anne\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated)
FW: Norton 360 *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.

2009-01-31 20:30 . 2009-01-31 20:30 250 --a------ c:\windows\gmer.ini
2009-01-25 12:25 . 2009-01-25 12:25 <DIR> d-------- c:\program files\Trend Micro
2009-01-25 11:27 . 2009-01-25 11:27 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-24 00:30 . 2009-01-24 00:30 <DIR> d-------- c:\program files\Alwil Software
2009-01-23 17:10 . 2009-01-23 17:10 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-01-23 17:09 . 2009-01-23 17:09 <DIR> d-------- c:\windows\ERUNT
2009-01-23 17:07 . 2009-01-23 23:43 <DIR> d-------- C:\SDFix
2009-01-23 15:14 . 2009-01-23 15:14 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-18 16:52 . 2009-01-25 11:27 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-16 08:33 . 2009-01-16 08:39 <DIR> d-------- c:\program files\QuickTax 2008

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-01 11:35 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-25 16:27 --------- d-----w c:\program files\Java
2009-01-23 21:28 --------- d-----w c:\documents and settings\Jacob Thomas Peacock\Application Data\Symantec
2009-01-23 19:20 --------- d-----w c:\documents and settings\Michelle Anne\Application Data\DNA
2009-01-23 19:10 --------- d-----w c:\program files\DNA
2009-01-16 13:33 --------- d-----w c:\documents and settings\Michelle Anne\Application Data\Intuit Canada
2009-01-16 13:32 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit Canada
2009-01-09 01:17 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-09 01:17 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-09 01:17 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-09 01:17 --------- d-----w c:\program files\Symantec
2008-12-18 01:58 --------- d-----w c:\program files\Google
2008-12-13 21:47 --------- d-----w c:\program files\QuickTime
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-08 03:45 --------- d-----w c:\documents and settings\Michelle Anne\Application Data\BitTorrent
2008-12-06 17:44 --------- d-----w c:\program files\iTunes
2008-12-06 17:44 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-06 17:43 --------- d-----w c:\program files\iPod
2008-12-06 17:43 --------- d-----w c:\program files\Common Files\Apple
2008-12-06 17:36 --------- d-----w c:\program files\Safari
2008-10-04 21:19 127,128 ----a-w c:\documents and settings\Michelle Anne\Application Data\GDIPFONTCACHEV1.DAT
2007-09-06 10:53 0 ----a-w c:\documents and settings\Michelle Anne\Application Data\wklnhst.dat
2008-08-30 19:45 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083020080831\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-08 7630848]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-25 136600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Amazon Unbox.lnk - c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2007-07-11 97320]
Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2007-11-16 1697112]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
NetAssistant.lnk - c:\program files\NetAssistant\bin\matcli.exe [2007-03-02 217088]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati0akxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati0utxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati1gjxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2knxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2nxxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2yjxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati4ihxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5qpxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5rcxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5yqxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7hyxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Shiva\\Shiva VPN Client\\ICDESK.EXE"=

R1 ICsrvr;VPN Client Protocol;c:\windows\system32\drivers\ICSRVR.SYS [2007-03-02 166522]
R1 ICtdi;VPN Client TDI Driver;c:\windows\system32\drivers\ICTDI.SYS [2007-03-02 20856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-05 99376]
R3 ICvnic;VPN Client Virtual Adapter;c:\windows\system32\drivers\icvnic.sys [2007-03-02 6682]
R4 ICService;Shiva VPN Client;c:\program files\Shiva\Shiva VPN Client\ICSRV.EXE [2007-03-02 15360]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 149352]
S0 ati0akxx;ati0akxx;c:\windows\system32\Drivers\ati0akxx.sys --> c:\windows\system32\Drivers\ati0akxx.sys [?]
S0 ati0utxx;ati0utxx;c:\windows\system32\Drivers\ati0utxx.sys --> c:\windows\system32\Drivers\ati0utxx.sys [?]
S0 ati1gjxx;ati1gjxx;c:\windows\system32\Drivers\ati1gjxx.sys --> c:\windows\system32\Drivers\ati1gjxx.sys [?]
S0 ati2knxx;ati2knxx;c:\windows\system32\Drivers\ati2knxx.sys --> c:\windows\system32\Drivers\ati2knxx.sys [?]
S0 ati2nxxx;ati2nxxx;c:\windows\system32\Drivers\ati2nxxx.sys --> c:\windows\system32\Drivers\ati2nxxx.sys [?]
S0 ati2yjxx;ati2yjxx;c:\windows\system32\Drivers\ati2yjxx.sys --> c:\windows\system32\Drivers\ati2yjxx.sys [?]
S0 ati4ihxx;ati4ihxx;c:\windows\system32\Drivers\ati4ihxx.sys --> c:\windows\system32\Drivers\ati4ihxx.sys [?]
S0 ati5qpxx;ati5qpxx;c:\windows\system32\Drivers\ati5qpxx.sys --> c:\windows\system32\Drivers\ati5qpxx.sys [?]
S0 ati5rcxx;ati5rcxx;c:\windows\system32\Drivers\ati5rcxx.sys --> c:\windows\system32\Drivers\ati5rcxx.sys [?]
S0 ati5yqxx;ati5yqxx;c:\windows\system32\Drivers\ati5yqxx.sys --> c:\windows\system32\Drivers\ati5yqxx.sys [?]
S0 ati7hyxx;ati7hyxx;c:\windows\system32\Drivers\ati7hyxx.sys --> c:\windows\system32\Drivers\ati7hyxx.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c036e64f-bf26-11dd-b143-0019b90fef76}]
\Shell\AutoRun\command - J:\PhotoRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{65F8B0DF-C00E-2154-DDA7-056D97FA9F4B}]
c:\windows\system32:data.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-rs32net - c:\windows\System32\rs32net.exe
HKCU-Run-System configuration backup - c:\recycler\S-1-5-21-9325190582-3784924430-555281092-4063\sysdate.exe
Notify-jwbripy - jwbripy.dll
SafeBoot-ati7gjxx.sys
SafeBoot-ati7kuxx.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sympaticomsn.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\QuickTax 2008\ic2008pp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 06:36:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\NetAssistant\bin\mpbtn.exe
.
**************************************************************************
.
Completion time: 2009-02-01 6:38:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-01 11:38:53

Pre-Run: 465,607,827,456 bytes free
Post-Run: 465,949,618,176 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

210 --- E O F --- 2009-01-14 22:01:42

#6 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 01 February 2009 - 09:09 AM

It appears that you have or had Vundo, but there are other things at play here.
================================
1. Open Notepad and copy/paste the text in the codebox below into it:

Collect::
c:\windows\system32\drivers\ati0akxx.sys 
c:\windows\system32\drivers\ati0utxx.sys
c:\windows\system32\drivers\ati1gjxx.sys
c:\windows\system32\drivers\ati2knxx.sys 
c:\windows\system32\drivers\ati2nxxx.sys
c:\windows\system32\drivers\ati2yjxx.sys
c:\windows\system32\drivers\ati4ihxx.sys
c:\windows\system32\drivers\ati5qpxx.sys
c:\windows\system32\drivers\ati5rcxx.sys
c:\windows\system32\drivers\ati5yqxx.sys
c:\windows\system32\drivers\ati7hyxx.sys
c:\windows\system32\hgdfeeeh4fdg.dll
c:\docume~1\michel~1\locals~1\temp\csrssc.exe

Driver::
ati0akxx
ati0utxx
ati1gjxx
ati2knxx
ati2nxxx
ati2yjxx
ati4ihxx
ati5qpxx
ati5rcxx
ati5yqxx
ati7hyxx

ADS::
c:\windows\system32:data.exe

Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
===========
Note:
If ComboFix fails to upload anything, please do the following:
Go to Start > My Computer > C:\
Then navigate to C:\Qoobox\Submit.zip

Click Here to upload the submit.zip please.

#7 MrsJazzbo

  • Topic Starter
  • Members
  • 12 posts

Posted 01 February 2009 - 10:59 AM

Here's the ComboFix log after I added CFScript. I didn't get anything popping up after I ran it besides the log, nor did it shut down and reboot. When I try looking manually, I am not finding any C:\Qoobox\Submit.zip file.

ComboFix 09-01-31.02 - Michelle Anne 2009-02-01 6:32:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1522 [GMT -5:00]
Running from: c:\documents and settings\Michelle Anne\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated)
FW: Norton 360 *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.

2009-01-31 20:30 . 2009-01-31 20:30 250 --a------ c:\windows\gmer.ini
2009-01-25 12:25 . 2009-01-25 12:25 <DIR> d-------- c:\program files\Trend Micro
2009-01-25 11:27 . 2009-01-25 11:27 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-24 00:30 . 2009-01-24 00:30 <DIR> d-------- c:\program files\Alwil Software
2009-01-23 17:10 . 2009-01-23 17:10 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-01-23 17:09 . 2009-01-23 17:09 <DIR> d-------- c:\windows\ERUNT
2009-01-23 17:07 . 2009-01-23 23:43 <DIR> d-------- C:\SDFix
2009-01-23 15:14 . 2009-01-23 15:14 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-18 16:52 . 2009-01-25 11:27 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-16 08:33 . 2009-01-16 08:39 <DIR> d-------- c:\program files\QuickTax 2008

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-01 11:35 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-25 16:27 --------- d-----w c:\program files\Java
2009-01-23 21:28 --------- d-----w c:\documents and settings\Jacob Thomas Peacock\Application Data\Symantec
2009-01-23 19:20 --------- d-----w c:\documents and settings\Michelle Anne\Application Data\DNA
2009-01-23 19:10 --------- d-----w c:\program files\DNA
2009-01-16 13:33 --------- d-----w c:\documents and settings\Michelle Anne\Application Data\Intuit Canada
2009-01-16 13:32 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit Canada
2009-01-09 01:17 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-09 01:17 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-09 01:17 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-09 01:17 --------- d-----w c:\program files\Symantec
2008-12-18 01:58 --------- d-----w c:\program files\Google
2008-12-13 21:47 --------- d-----w c:\program files\QuickTime
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-08 03:45 --------- d-----w c:\documents and settings\Michelle Anne\Application Data\BitTorrent
2008-12-06 17:44 --------- d-----w c:\program files\iTunes
2008-12-06 17:44 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-06 17:43 --------- d-----w c:\program files\iPod
2008-12-06 17:43 --------- d-----w c:\program files\Common Files\Apple
2008-12-06 17:36 --------- d-----w c:\program files\Safari
2008-10-04 21:19 127,128 ----a-w c:\documents and settings\Michelle Anne\Application Data\GDIPFONTCACHEV1.DAT
2007-09-06 10:53 0 ----a-w c:\documents and settings\Michelle Anne\Application Data\wklnhst.dat
2008-08-30 19:45 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083020080831\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-08 7630848]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-25 136600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Amazon Unbox.lnk - c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2007-07-11 97320]
Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2007-11-16 1697112]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
NetAssistant.lnk - c:\program files\NetAssistant\bin\matcli.exe [2007-03-02 217088]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati0akxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati0utxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati1gjxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2knxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2nxxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2yjxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati4ihxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5qpxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5rcxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5yqxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7hyxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Shiva\\Shiva VPN Client\\ICDESK.EXE"=

R1 ICsrvr;VPN Client Protocol;c:\windows\system32\drivers\ICSRVR.SYS [2007-03-02 166522]
R1 ICtdi;VPN Client TDI Driver;c:\windows\system32\drivers\ICTDI.SYS [2007-03-02 20856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-05 99376]
R3 ICvnic;VPN Client Virtual Adapter;c:\windows\system32\drivers\icvnic.sys [2007-03-02 6682]
R4 ICService;Shiva VPN Client;c:\program files\Shiva\Shiva VPN Client\ICSRV.EXE [2007-03-02 15360]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 149352]
S0 ati0akxx;ati0akxx;c:\windows\system32\Drivers\ati0akxx.sys --> c:\windows\system32\Drivers\ati0akxx.sys [?]
S0 ati0utxx;ati0utxx;c:\windows\system32\Drivers\ati0utxx.sys --> c:\windows\system32\Drivers\ati0utxx.sys [?]
S0 ati1gjxx;ati1gjxx;c:\windows\system32\Drivers\ati1gjxx.sys --> c:\windows\system32\Drivers\ati1gjxx.sys [?]
S0 ati2knxx;ati2knxx;c:\windows\system32\Drivers\ati2knxx.sys --> c:\windows\system32\Drivers\ati2knxx.sys [?]
S0 ati2nxxx;ati2nxxx;c:\windows\system32\Drivers\ati2nxxx.sys --> c:\windows\system32\Drivers\ati2nxxx.sys [?]
S0 ati2yjxx;ati2yjxx;c:\windows\system32\Drivers\ati2yjxx.sys --> c:\windows\system32\Drivers\ati2yjxx.sys [?]
S0 ati4ihxx;ati4ihxx;c:\windows\system32\Drivers\ati4ihxx.sys --> c:\windows\system32\Drivers\ati4ihxx.sys [?]
S0 ati5qpxx;ati5qpxx;c:\windows\system32\Drivers\ati5qpxx.sys --> c:\windows\system32\Drivers\ati5qpxx.sys [?]
S0 ati5rcxx;ati5rcxx;c:\windows\system32\Drivers\ati5rcxx.sys --> c:\windows\system32\Drivers\ati5rcxx.sys [?]
S0 ati5yqxx;ati5yqxx;c:\windows\system32\Drivers\ati5yqxx.sys --> c:\windows\system32\Drivers\ati5yqxx.sys [?]
S0 ati7hyxx;ati7hyxx;c:\windows\system32\Drivers\ati7hyxx.sys --> c:\windows\system32\Drivers\ati7hyxx.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c036e64f-bf26-11dd-b143-0019b90fef76}]
\Shell\AutoRun\command - J:\PhotoRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{65F8B0DF-C00E-2154-DDA7-056D97FA9F4B}]
c:\windows\system32:data.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-rs32net - c:\windows\System32\rs32net.exe
HKCU-Run-System configuration backup - c:\recycler\S-1-5-21-9325190582-3784924430-555281092-4063\sysdate.exe
Notify-jwbripy - jwbripy.dll
SafeBoot-ati7gjxx.sys
SafeBoot-ati7kuxx.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sympaticomsn.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\QuickTax 2008\ic2008pp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 06:36:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\NetAssistant\bin\mpbtn.exe
.
**************************************************************************
.
Completion time: 2009-02-01 6:38:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-01 11:38:53

Pre-Run: 465,607,827,456 bytes free
Post-Run: 465,949,618,176 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

210 --- E O F --- 2009-01-14 22:01:42
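
As an added example (it is not part of this thread, and it is not ComboFix's, DDS's or anyone else's code here): a small Python triage script that applies the reasoning behind the CFScript to ComboFix log lines. The indicators it looks for are the ones visible in the log above: S0 (boot-start) services whose binary ComboFix marks `[?]`, which in these logs means the file was not found on disk; SafeBoot\Minimal entries for those same phantom drivers, which let a driver load even in Safe Mode; an Active Setup component whose target is an NTFS alternate data stream (`c:\windows\system32:data.exe`, a stream hung off the system32 directory); Run entries launching from the Recycler or Temp folders; and a Winlogon Notify package given as a bare DLL name. The sample input is constructed from lines copied out of the log above; the regexes, severity labels and category names are this example's own choices, not ComboFix output.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity category detail")

# Constructed sample input: a handful of lines copied from the ComboFix log
# posted above, so the rules below can be checked against real entries.
SAMPLE_LOG = r"""
S0 ati0akxx;ati0akxx;c:\windows\system32\Drivers\ati0akxx.sys --> c:\windows\system32\Drivers\ati0akxx.sys [?]
S0 ati7hyxx;ati7hyxx;c:\windows\system32\Drivers\ati7hyxx.sys --> c:\windows\system32\Drivers\ati7hyxx.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]
R1 ICsrvr;VPN Client Protocol;c:\windows\system32\drivers\ICSRVR.SYS [2007-03-02 166522]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati0akxx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{65F8B0DF-C00E-2154-DDA7-056D97FA9F4B}]
c:\windows\system32:data.exe
HKCU-Run-rs32net - c:\windows\System32\rs32net.exe
HKCU-Run-System configuration backup - c:\recycler\S-1-5-21-9325190582-3784924430-555281092-4063\sysdate.exe
Notify-jwbripy - jwbripy.dll
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"""

# Service/driver line: start type, service name, display name, binary path.
SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# SafeBoot\Minimal key that ComboFix chose to show (legit defaults are suppressed).
SAFEBOOT_RE = re.compile(r"\\SafeBoot\\Minimal\\(?P<entry>[^\]]+)\]$", re.IGNORECASE)
ACTIVE_SETUP_RE = re.compile(r"\\active setup\\installed components\\", re.IGNORECASE)
# A second colon after the drive letter means an NTFS alternate data stream.
ADS_RE = re.compile(r"^(?P<file>[a-z]:\\[^:]*):(?P<stream>[^\\:]+)$", re.IGNORECASE)
# Autostart entries: ORPHANS REMOVED lines and live Run values.
ORPHAN_RUN_RE = re.compile(r"^HK(?:LM|CU)-Run-(?P<name>.+?) - (?P<path>.+)$")
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
NOTIFY_RE = re.compile(r"^Notify-(?P<name>\S+) - (?P<dll>\S+)$")
# Directories a legitimate autostart binary has no business living in (example's choice).
SUSPICIOUS_DIRS = ("\\recycler\\", "\\recycled\\", "\\temp\\")


def path_is_suspicious(path):
    p = path.lower()
    return any(marker in p for marker in SUSPICIOUS_DIRS)


def triage(log_text):
    """Scan ComboFix log text and return the Findings a human should look at."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    findings = []
    missing = {}      # service name -> start type, where ComboFix printed [?]
    safeboot = []     # SafeBoot\Minimal entries present in the log

    for i, line in enumerate(lines):
        m = SERVICE_RE.match(line)
        if m:
            if line.endswith("[?]"):
                missing[m["name"].lower()] = m["start"]
            continue
        m = SAFEBOOT_RE.search(line)
        if m:
            safeboot.append(m["entry"])
            continue
        m = ADS_RE.match(line)
        if m:
            via = "Active Setup component" if i and ACTIVE_SETUP_RE.search(lines[i - 1]) else "autostart"
            findings.append(Finding("high", "ads-autostart",
                            f"{via} runs alternate data stream '{m['stream']}' attached to {m['file']}"))
            continue
        m = ORPHAN_RUN_RE.match(line)
        if m:
            if path_is_suspicious(m["path"]):
                findings.append(Finding("high", "autostart-suspicious-path",
                                f"Run entry '{m['name']}' launched {m['path']}"))
            else:
                findings.append(Finding("medium", "orphan-autostart",
                                f"Run entry '{m['name']}' pointed at {m['path']} (target already gone)"))
            continue
        m = RUN_VALUE_RE.match(line)
        if m and path_is_suspicious(m["path"]):
            findings.append(Finding("high", "autostart-suspicious-path",
                            f"Run value '{m['name']}' launches {m['path']}"))
            continue
        m = NOTIFY_RE.match(line)
        if m and "\\" not in m["dll"]:
            findings.append(Finding("medium", "winlogon-notify",
                            f"Winlogon Notify package '{m['name']}' loads bare DLL {m['dll']} from system32"))

    # Cross-reference after the pass: SafeBoot keys appear before the services list.
    for name, start in missing.items():
        sev = "high" if start == "S0" else "medium"
        findings.append(Finding(sev, "service-missing-file",
                        f"{start} service '{name}' is registered but its file was not found"))
    for entry in safeboot:
        svc = entry.lower()[:-4] if entry.lower().endswith(".sys") else entry.lower()
        if svc in missing:
            findings.append(Finding("high", "safeboot-phantom-driver",
                            f"SafeBoot\\Minimal whitelists '{entry}', whose file is missing: it would load in Safe Mode too"))
        else:
            findings.append(Finding("low", "safeboot-entry",
                            f"non-default SafeBoot\\Minimal entry '{entry}'"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.category:26} {f.detail}")
```

To use it on a saved ComboFix.txt, pass the file's text to triage(). Hits are leads, not verdicts: a driver entry with a missing file can also be leftover from a botched uninstall, so confirm each one before it goes into a CFScript's Driver:: or File:: section. On XP the data.exe stream attached to system32 is invisible to Explorer and to dir; Sysinternals streams.exe lists alternate data streams and removes them with -d, which is what the ADS:: section of the CFScript above takes care of here.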

#8 kahdah (Security Colleague, 11,138 posts, Male, Florida)

Posted 01 February 2009 - 01:37 PM

Hi, that is the old ComboFix log. Do you have the newest one?
It should be here: C:\Combofix2.txt

#9 MrsJazzbo (Topic Starter, Members, 12 posts)

Posted 01 February 2009 - 01:59 PM

Sorry about that. Is this the correct one? I ran it a couple (few?) times because I wasn't getting the additional popups.

ComboFix 09-01-31.03 - Michelle Anne 2009-02-01 10:27:58.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1585 [GMT -5:00]
Running from: c:\documents and settings\Michelle Anne\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated)
FW: Norton 360 *enabled*
.

((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.

2009-01-31 20:30 . 2009-01-31 20:30 250 --a------ c:\windows\gmer.ini
2009-01-25 12:25 . 2009-01-25 12:25 <DIR> d-------- c:\program files\Trend Micro
2009-01-25 11:27 . 2009-01-25 11:27 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-24 00:30 . 2009-01-24 00:30 <DIR> d-------- c:\program files\Alwil Software
2009-01-23 17:10 . 2009-01-23 17:10 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-01-23 17:09 . 2009-01-23 17:09 <DIR> d-------- c:\windows\ERUNT
2009-01-23 17:07 . 2009-01-23 23:43 <DIR> d-------- C:\SDFix
2009-01-23 15:14 . 2009-01-23 15:14 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-18 16:52 . 2009-01-25 11:27 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-16 08:33 . 2009-01-16 08:39 <DIR> d-------- c:\program files\QuickTax 2008

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-01 15:22 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-25 16:27 --------- d-----w c:\program files\Java
2009-01-23 21:28 --------- d-----w c:\documents and settings\Jacob Thomas Peacock\Application Data\Symantec
2009-01-23 19:30 14,336 ----a-w c:\windows\system32\svchost.exe
2009-01-23 19:30 14,336 ----a-w c:\windows\system32\dllcache\svchost.exe
2009-01-23 19:20 --------- d-----w c:\documents and settings\Michelle Anne\Application Data\DNA
2009-01-23 19:10 --------- d-----w c:\program files\DNA
2009-01-16 13:33 --------- d-----w c:\documents and settings\Michelle Anne\Application Data\Intuit Canada
2009-01-16 13:32 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit Canada
2009-01-09 01:17 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-09 01:17 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-01-09 01:17 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-09 01:17 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-09 01:17 --------- d-----w c:\program files\Symantec
2008-12-18 01:58 --------- d-----w c:\program files\Google
2008-12-13 21:47 --------- d-----w c:\program files\QuickTime
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-08 03:45 --------- d-----w c:\documents and settings\Michelle Anne\Application Data\BitTorrent
2008-12-06 17:44 --------- d-----w c:\program files\iTunes
2008-12-06 17:44 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-06 17:43 --------- d-----w c:\program files\iPod
2008-12-06 17:43 --------- d-----w c:\program files\Common Files\Apple
2008-12-06 17:36 --------- d-----w c:\program files\Safari
2008-10-04 21:19 127,128 ----a-w c:\documents and settings\Michelle Anne\Application Data\GDIPFONTCACHEV1.DAT
2007-09-06 10:53 0 ----a-w c:\documents and settings\Michelle Anne\Application Data\wklnhst.dat
2008-08-30 19:45 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083020080831\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-02-01_ 6.38.15.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-01 15:22:55 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_108.dat
+ 2009-02-01 15:23:06 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_b78.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-08 7630848]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-25 136600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Amazon Unbox.lnk - c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2007-07-11 97320]
Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2007-11-16 1697112]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
NetAssistant.lnk - c:\program files\NetAssistant\bin\matcli.exe [2007-03-02 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Shiva\\Shiva VPN Client\\ICDESK.EXE"=

R1 ICsrvr;VPN Client Protocol;c:\windows\system32\drivers\ICSRVR.SYS [2007-03-02 166522]
R1 ICtdi;VPN Client TDI Driver;c:\windows\system32\drivers\ICTDI.SYS [2007-03-02 20856]
R2 ICService;Shiva VPN Client;c:\program files\Shiva\Shiva VPN Client\ICSRV.EXE [2007-03-02 15360]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-05 99376]
R3 ICvnic;VPN Client Virtual Adapter;c:\windows\system32\drivers\icvnic.sys [2007-03-02 6682]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c036e64f-bf26-11dd-b143-0019b90fef76}]
\Shell\AutoRun\command - J:\PhotoRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{65F8B0DF-C00E-2154-DDA7-056D97FA9F4B}]
c:\windows\system32:data.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sympaticomsn.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\QuickTax 2008\ic2008pp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 10:29:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-01 10:31:00
ComboFix-quarantined-files.txt 2009-02-01 15:30:57
ComboFix2.txt 2009-02-01 15:17:37
ComboFix3.txt 2009-02-01 11:38:57

Pre-Run: 465,945,042,944 bytes free
Post-Run: 465,930,657,792 bytes free

150 --- E O F --- 2009-01-14 22:01:42

#10 kahdah (Security Colleague, 11,138 posts, Male, Florida)

Posted 01 February 2009 - 06:36 PM

Nope, it was the resulting log from the CFScript.

Either way, run DDS again and post those logs please.

#11 MrsJazzbo (Topic Starter, Members, 12 posts)

Posted 01 February 2009 - 09:27 PM

Kahdah,

My apologies for botching the previous step. I appreciate the time you are taking. Here are the new DDS Logs:


DDS (Ver_09-01-19.01) - NTFSx86
Run by Michelle Anne at 21:21:48.42 on 01/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1350 [GMT -5:00]

AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Shiva\Shiva VPN Client\icsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\FirstClass\fcc32.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michelle Anne\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sympaticomsn.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\amazon~1.lnk - c:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netass~1.lnk - c:\program files\netassistant\bin\matcli.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_4.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\quicktax 2007\ic2007pp.dll
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 ICsrvr;VPN Client Protocol;c:\windows\system32\drivers\ICSRVR.SYS [2007-3-2 166522]
R1 ICtdi;VPN Client TDI Driver;c:\windows\system32\drivers\ICTDI.SYS [2007-3-2 20856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-5 99376]
R3 ICvnic;VPN Client Virtual Adapter;c:\windows\system32\drivers\icvnic.sys [2007-3-2 6682]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090201.003\NAVENG.SYS [2009-2-1 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090201.003\NAVEX15.SYS [2009-2-1 876112]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R4 ICService;Shiva VPN Client;c:\program files\shiva\shiva vpn client\ICSRV.EXE [2007-3-2 15360]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-2-8 1245064]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]

=============== Created Last 30 ================

2009-02-01 10:44 <DIR> --d----- C:\ComboFix
2009-02-01 06:32 <DIR> a-dshr-- C:\cmdcons
2009-02-01 06:30 286,720 a------- c:\windows\SWREG.exe
2009-02-01 06:30 98,816 a------- c:\windows\sed.exe
2009-01-31 20:30 250 a------- c:\windows\gmer.ini
2009-01-25 12:25 <DIR> --d----- c:\program files\Trend Micro
2009-01-25 11:27 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-23 17:10 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-01-23 17:09 <DIR> --d----- c:\windows\ERUNT
2009-01-23 17:07 <DIR> --d----- C:\SDFix
2009-01-23 15:14 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-18 16:52 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-16 08:33 <DIR> --d----- c:\program files\QuickTax 2008

==================== Find3M ====================

2009-01-23 14:30 14,336 a------- c:\windows\system32\svchost.exe
2009-01-23 14:30 14,336 a------- c:\windows\system32\dllcache\svchost.exe
2009-01-08 20:17 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-08 20:17 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-08 20:17 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-08 20:17 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-10-04 16:19 127,128 a------- c:\docume~1\michel~1\applic~1\GDIPFONTCACHEV1.DAT
2007-09-06 05:53 0 a------- c:\docume~1\michel~1\applic~1\wklnhst.dat
2008-08-30 14:45 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 21:22:01.02 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-01-19.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 02/03/2007 9:10:27 PM
System Uptime: 02/01/2009 10:22:31 AM (731 hours ago)

Motherboard: Dell Inc. | | 0UY253
Processor: Intel® Core™2 CPU 6300 @ 1.86GHz | Microprocessor | 1862/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 461 GiB total, 433.887 GiB free.
D: is CDROM (CDFS)
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
K: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP604: 04/11/2008 12:25:12 AM - System Checkpoint
RP605: 05/11/2008 1:25:13 AM - System Checkpoint
RP606: 06/11/2008 1:25:16 AM - System Checkpoint
RP607: 07/11/2008 2:25:17 AM - System Checkpoint
RP608: 08/11/2008 3:25:19 AM - System Checkpoint
RP609: 09/11/2008 4:25:22 AM - System Checkpoint
RP610: 10/11/2008 5:25:22 AM - System Checkpoint
RP611: 11/11/2008 5:25:25 AM - System Checkpoint
RP612: 12/11/2008 6:25:26 AM - System Checkpoint
RP613: 13/11/2008 7:25:27 AM - System Checkpoint
RP614: 13/11/2008 5:00:14 PM - Software Distribution Service 3.0
RP615: 14/11/2008 5:26:23 PM - System Checkpoint
RP616: 15/11/2008 5:58:14 PM - System Checkpoint
RP617: 16/11/2008 6:14:15 PM - System Checkpoint
RP618: 17/11/2008 7:03:42 PM - System Checkpoint
RP619: 18/11/2008 8:03:44 PM - System Checkpoint
RP620: 19/11/2008 10:19:59 PM - System Checkpoint
RP621: 20/11/2008 11:22:32 PM - System Checkpoint
RP622: 21/11/2008 11:40:53 PM - System Checkpoint
RP623: 23/11/2008 12:41:12 AM - System Checkpoint
RP624: 24/11/2008 1:03:55 AM - System Checkpoint
RP625: 25/11/2008 2:03:56 AM - System Checkpoint
RP626: 26/11/2008 3:03:58 AM - System Checkpoint
RP627: 27/11/2008 3:04:01 AM - System Checkpoint
RP628: 28/11/2008 4:04:03 AM - System Checkpoint
RP629: 29/11/2008 4:04:06 AM - System Checkpoint
RP630: 30/11/2008 5:04:08 AM - System Checkpoint
RP631: 01/12/2008 5:10:01 AM - System Checkpoint
RP632: 02/12/2008 7:45:48 PM - System Checkpoint
RP633: 03/12/2008 8:48:46 PM - System Checkpoint
RP634: 04/12/2008 10:46:48 PM - System Checkpoint
RP635: 05/12/2008 11:29:22 PM - System Checkpoint
RP636: 07/12/2008 12:03:00 AM - System Checkpoint
RP637: 08/12/2008 10:19:48 PM - System Checkpoint
RP638: 09/12/2008 10:23:40 PM - System Checkpoint
RP639: 10/12/2008 5:00:14 PM - Software Distribution Service 3.0
RP640: 11/12/2008 5:11:02 PM - System Checkpoint
RP641: 12/12/2008 5:00:13 PM - Software Distribution Service 3.0
RP642: 13/12/2008 4:44:23 PM - Removed QuickTime
RP643: 13/12/2008 4:46:55 PM - Installed QuickTime
RP644: 14/12/2008 5:03:47 PM - System Checkpoint
RP645: 15/12/2008 7:37:19 PM - System Checkpoint
RP646: 16/12/2008 8:34:41 PM - System Checkpoint
RP647: 17/12/2008 9:57:51 PM - System Checkpoint
RP648: 18/12/2008 5:00:15 PM - Software Distribution Service 3.0
RP649: 19/12/2008 5:37:15 PM - System Checkpoint
RP650: 20/12/2008 6:10:40 PM - System Checkpoint
RP651: 21/12/2008 6:10:43 PM - System Checkpoint
RP652: 22/12/2008 6:26:19 PM - System Checkpoint
RP653: 23/12/2008 7:23:21 PM - System Checkpoint
RP654: 24/12/2008 8:03:41 PM - System Checkpoint
RP655: 25/12/2008 8:26:34 PM - System Checkpoint
RP656: 26/12/2008 8:56:20 PM - System Checkpoint
RP657: 27/12/2008 9:46:34 PM - System Checkpoint
RP658: 28/12/2008 10:26:32 PM - System Checkpoint
RP659: 29/12/2008 10:26:38 PM - System Checkpoint
RP660: 30/12/2008 11:50:00 PM - System Checkpoint
RP661: 01/01/2009 12:04:28 AM - System Checkpoint
RP662: 02/01/2009 12:26:44 AM - System Checkpoint
RP663: 03/01/2009 12:38:45 AM - System Checkpoint
RP664: 04/01/2009 1:26:49 AM - System Checkpoint
RP665: 05/01/2009 2:26:51 AM - System Checkpoint
RP666: 06/01/2009 3:26:53 AM - System Checkpoint
RP667: 07/01/2009 4:26:56 AM - System Checkpoint
RP668: 08/01/2009 5:26:58 AM - System Checkpoint
RP669: 09/01/2009 5:54:15 AM - System Checkpoint
RP670: 10/01/2009 6:54:15 AM - System Checkpoint
RP671: 11/01/2009 7:54:17 AM - System Checkpoint
RP672: 12/01/2009 8:55:24 AM - System Checkpoint
RP673: 13/01/2009 9:54:22 AM - System Checkpoint
RP674: 14/01/2009 10:54:24 AM - System Checkpoint
RP675: 14/01/2009 5:00:15 PM - Software Distribution Service 3.0
RP676: 15/01/2009 5:08:22 PM - System Checkpoint
RP677: 16/01/2009 8:33:17 AM - Installed QuickTax 2008.
RP678: 17/01/2009 8:53:20 AM - System Checkpoint
RP679: 18/01/2009 9:28:15 AM - System Checkpoint
RP680: 18/01/2009 4:52:11 PM - Installed Java™ 6 Update 11
RP681: 19/01/2009 5:25:40 PM - System Checkpoint
RP682: 20/01/2009 5:25:43 PM - System Checkpoint
RP683: 21/01/2009 7:48:57 PM - System Checkpoint
RP684: 23/01/2009 10:04:38 AM - System Checkpoint
RP685: 23/01/2009 2:43:37 PM - Restore Operation
RP686: 23/01/2009 6:02:16 PM - Software Distribution Service 3.0
RP687: 24/01/2009 6:48:17 PM - System Checkpoint
RP688: 25/01/2009 11:16:42 AM - Removed J2SE Runtime Environment 5.0 Update 11
RP689: 25/01/2009 11:17:09 AM - Removed J2SE Runtime Environment 5.0 Update 6
RP690: 25/01/2009 11:17:37 AM - Removed Java™ 6 Update 11
RP691: 25/01/2009 11:27:22 AM - Installed Java™ 6 Update 11
RP692: 28/01/2009 9:35:21 PM - System Checkpoint
RP693: 29/01/2009 9:45:59 PM - System Checkpoint
RP694: 30/01/2009 11:56:52 PM - System Checkpoint
RP695: 01/02/2009 12:40:57 AM - System Checkpoint
RP696: 01/02/2009 6:31:03 AM - ComboFix created restore point
RP697: 01/02/2009 10:10:46 AM - ComboFix created restore point
RP698: 01/02/2009 10:45:12 AM - ComboFix created restore point

==== Installed Programs ======================

Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.9
AiO_Scan
Amazon Unbox Video
AppCore
Apple Mobile Device Support
Apple Software Update
Audible Download Manager
AudibleManager
Backup
BitTorrent
Bonjour
Broadcom Management Programs
ccCommon
Dell CinePlayer
Dell System Restore
DesignPro 5.0 Media Edition
DNA
Enterprise
ESPNMotion
FirstClass® Client
GearDrvs
GemMaster Mystic
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Driver Diagnostics
HP PSC & Officejet 4.7 Corporate Edition
iTunes
Java™ 6 Update 11
LiveUpdate (Symantec Corporation)
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Small Business Edition 2003
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MobileMe Control Panel
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
neroxml
NetAssistant
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 HTMLHelp
Norton Confidential Core
NVIDIA Drivers
Otto
QFolder
QuickTax 2006
QuickTax 2007
QuickTax 2008
QuickTime
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Safari
Scan
SearchAssist
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Shiva VPN Client
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
SPBBC 32bit
Symantec Real Time Storage Protection Component
Symantec Technical Support Controls
SymNet
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

26/01/2009 7:47:08 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: nvraid

==== End Of File ===========================

#12 MrsJazzbo

MrsJazzbo
  • Topic Starter

  • Members
  • 12 posts

Posted 01 February 2009 - 10:14 PM

Just realized that I should have downloaded the latest version of DDS first. Here are the updated logs:



DDS (Ver_09-02-01.01) - NTFSx86
Run by Michelle Anne at 22:10:01.05 on 01/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1375 [GMT -5:00]

AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Shiva\Shiva VPN Client\icsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\FirstClass\fcc32.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michelle Anne\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sympaticomsn.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\amazon~1.lnk - c:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netass~1.lnk - c:\program files\netassistant\bin\matcli.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_4.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\quicktax 2007\ic2007pp.dll
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 ICsrvr;VPN Client Protocol;c:\windows\system32\drivers\ICSRVR.SYS [2007-3-2 166522]
R1 ICtdi;VPN Client TDI Driver;c:\windows\system32\drivers\ICTDI.SYS [2007-3-2 20856]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 ICService;Shiva VPN Client;c:\program files\shiva\shiva vpn client\ICSRV.EXE [2007-3-2 15360]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-2-8 1245064]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-5 99376]
R3 ICvnic;VPN Client Virtual Adapter;c:\windows\system32\drivers\icvnic.sys [2007-3-2 6682]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090201.003\NAVENG.SYS [2009-2-1 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090201.003\NAVEX15.SYS [2009-2-1 876112]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]

=============== Created Last 30 ================

2009-02-01 10:44 <DIR> --d----- C:\ComboFix
2009-02-01 06:32 <DIR> a-dshr-- C:\cmdcons
2009-02-01 06:30 286,720 a------- c:\windows\SWREG.exe
2009-02-01 06:30 98,816 a------- c:\windows\sed.exe
2009-01-31 20:30 250 a------- c:\windows\gmer.ini
2009-01-25 12:25 <DIR> --d----- c:\program files\Trend Micro
2009-01-25 11:27 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-23 17:10 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-01-23 17:09 <DIR> --d----- c:\windows\ERUNT
2009-01-23 17:07 <DIR> --d----- C:\SDFix
2009-01-23 15:14 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-18 16:52 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-16 08:33 <DIR> --d----- c:\program files\QuickTax 2008

==================== Find3M ====================

2009-01-23 14:30 14,336 a------- c:\windows\system32\svchost.exe
2009-01-23 14:30 14,336 a------- c:\windows\system32\dllcache\svchost.exe
2009-01-08 20:17 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-08 20:17 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-08 20:17 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-08 20:17 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-10-04 16:19 127,128 a------- c:\docume~1\michel~1\applic~1\GDIPFONTCACHEV1.DAT
2007-09-06 05:53 0 a------- c:\docume~1\michel~1\applic~1\wklnhst.dat
2008-08-30 14:45 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 22:10:13.06 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 02/03/2007 9:10:27 PM
System Uptime: 02/01/2009 10:22:31 AM (732 hours ago)

Motherboard: Dell Inc. | | 0UY253
Processor: Intel® Core™2 CPU 6300 @ 1.86GHz | Microprocessor | 1862/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 461 GiB total, 433.886 GiB free.
D: is CDROM (CDFS)
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
K: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP604: 04/11/2008 12:25:12 AM - System Checkpoint
RP605: 05/11/2008 1:25:13 AM - System Checkpoint
RP606: 06/11/2008 1:25:16 AM - System Checkpoint
RP607: 07/11/2008 2:25:17 AM - System Checkpoint
RP608: 08/11/2008 3:25:19 AM - System Checkpoint
RP609: 09/11/2008 4:25:22 AM - System Checkpoint
RP610: 10/11/2008 5:25:22 AM - System Checkpoint
RP611: 11/11/2008 5:25:25 AM - System Checkpoint
RP612: 12/11/2008 6:25:26 AM - System Checkpoint
RP613: 13/11/2008 7:25:27 AM - System Checkpoint
RP614: 13/11/2008 5:00:14 PM - Software Distribution Service 3.0
RP615: 14/11/2008 5:26:23 PM - System Checkpoint
RP616: 15/11/2008 5:58:14 PM - System Checkpoint
RP617: 16/11/2008 6:14:15 PM - System Checkpoint
RP618: 17/11/2008 7:03:42 PM - System Checkpoint
RP619: 18/11/2008 8:03:44 PM - System Checkpoint
RP620: 19/11/2008 10:19:59 PM - System Checkpoint
RP621: 20/11/2008 11:22:32 PM - System Checkpoint
RP622: 21/11/2008 11:40:53 PM - System Checkpoint
RP623: 23/11/2008 12:41:12 AM - System Checkpoint
RP624: 24/11/2008 1:03:55 AM - System Checkpoint
RP625: 25/11/2008 2:03:56 AM - System Checkpoint
RP626: 26/11/2008 3:03:58 AM - System Checkpoint
RP627: 27/11/2008 3:04:01 AM - System Checkpoint
RP628: 28/11/2008 4:04:03 AM - System Checkpoint
RP629: 29/11/2008 4:04:06 AM - System Checkpoint
RP630: 30/11/2008 5:04:08 AM - System Checkpoint
RP631: 01/12/2008 5:10:01 AM - System Checkpoint
RP632: 02/12/2008 7:45:48 PM - System Checkpoint
RP633: 03/12/2008 8:48:46 PM - System Checkpoint
RP634: 04/12/2008 10:46:48 PM - System Checkpoint
RP635: 05/12/2008 11:29:22 PM - System Checkpoint
RP636: 07/12/2008 12:03:00 AM - System Checkpoint
RP637: 08/12/2008 10:19:48 PM - System Checkpoint
RP638: 09/12/2008 10:23:40 PM - System Checkpoint
RP639: 10/12/2008 5:00:14 PM - Software Distribution Service 3.0
RP640: 11/12/2008 5:11:02 PM - System Checkpoint
RP641: 12/12/2008 5:00:13 PM - Software Distribution Service 3.0
RP642: 13/12/2008 4:44:23 PM - Removed QuickTime
RP643: 13/12/2008 4:46:55 PM - Installed QuickTime
RP644: 14/12/2008 5:03:47 PM - System Checkpoint
RP645: 15/12/2008 7:37:19 PM - System Checkpoint
RP646: 16/12/2008 8:34:41 PM - System Checkpoint
RP647: 17/12/2008 9:57:51 PM - System Checkpoint
RP648: 18/12/2008 5:00:15 PM - Software Distribution Service 3.0
RP649: 19/12/2008 5:37:15 PM - System Checkpoint
RP650: 20/12/2008 6:10:40 PM - System Checkpoint
RP651: 21/12/2008 6:10:43 PM - System Checkpoint
RP652: 22/12/2008 6:26:19 PM - System Checkpoint
RP653: 23/12/2008 7:23:21 PM - System Checkpoint
RP654: 24/12/2008 8:03:41 PM - System Checkpoint
RP655: 25/12/2008 8:26:34 PM - System Checkpoint
RP656: 26/12/2008 8:56:20 PM - System Checkpoint
RP657: 27/12/2008 9:46:34 PM - System Checkpoint
RP658: 28/12/2008 10:26:32 PM - System Checkpoint
RP659: 29/12/2008 10:26:38 PM - System Checkpoint
RP660: 30/12/2008 11:50:00 PM - System Checkpoint
RP661: 01/01/2009 12:04:28 AM - System Checkpoint
RP662: 02/01/2009 12:26:44 AM - System Checkpoint
RP663: 03/01/2009 12:38:45 AM - System Checkpoint
RP664: 04/01/2009 1:26:49 AM - System Checkpoint
RP665: 05/01/2009 2:26:51 AM - System Checkpoint
RP666: 06/01/2009 3:26:53 AM - System Checkpoint
RP667: 07/01/2009 4:26:56 AM - System Checkpoint
RP668: 08/01/2009 5:26:58 AM - System Checkpoint
RP669: 09/01/2009 5:54:15 AM - System Checkpoint
RP670: 10/01/2009 6:54:15 AM - System Checkpoint
RP671: 11/01/2009 7:54:17 AM - System Checkpoint
RP672: 12/01/2009 8:55:24 AM - System Checkpoint
RP673: 13/01/2009 9:54:22 AM - System Checkpoint
RP674: 14/01/2009 10:54:24 AM - System Checkpoint
RP675: 14/01/2009 5:00:15 PM - Software Distribution Service 3.0
RP676: 15/01/2009 5:08:22 PM - System Checkpoint
RP677: 16/01/2009 8:33:17 AM - Installed QuickTax 2008.
RP678: 17/01/2009 8:53:20 AM - System Checkpoint
RP679: 18/01/2009 9:28:15 AM - System Checkpoint
RP680: 18/01/2009 4:52:11 PM - Installed Java™ 6 Update 11
RP681: 19/01/2009 5:25:40 PM - System Checkpoint
RP682: 20/01/2009 5:25:43 PM - System Checkpoint
RP683: 21/01/2009 7:48:57 PM - System Checkpoint
RP684: 23/01/2009 10:04:38 AM - System Checkpoint
RP685: 23/01/2009 2:43:37 PM - Restore Operation
RP686: 23/01/2009 6:02:16 PM - Software Distribution Service 3.0
RP687: 24/01/2009 6:48:17 PM - System Checkpoint
RP688: 25/01/2009 11:16:42 AM - Removed J2SE Runtime Environment 5.0 Update 11
RP689: 25/01/2009 11:17:09 AM - Removed J2SE Runtime Environment 5.0 Update 6
RP690: 25/01/2009 11:17:37 AM - Removed Java™ 6 Update 11
RP691: 25/01/2009 11:27:22 AM - Installed Java™ 6 Update 11
RP692: 28/01/2009 9:35:21 PM - System Checkpoint
RP693: 29/01/2009 9:45:59 PM - System Checkpoint
RP694: 30/01/2009 11:56:52 PM - System Checkpoint
RP695: 01/02/2009 12:40:57 AM - System Checkpoint
RP696: 01/02/2009 6:31:03 AM - ComboFix created restore point
RP697: 01/02/2009 10:10:46 AM - ComboFix created restore point
RP698: 01/02/2009 10:45:12 AM - ComboFix created restore point

==== Installed Programs ======================

Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.9
AiO_Scan
Amazon Unbox Video
AppCore
Apple Mobile Device Support
Apple Software Update
Audible Download Manager
AudibleManager
Backup
BitTorrent
Bonjour
Broadcom Management Programs
ccCommon
Dell CinePlayer
Dell System Restore
DesignPro 5.0 Media Edition
DNA
Enterprise
ESPNMotion
FirstClass® Client
GearDrvs
GemMaster Mystic
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Driver Diagnostics
HP PSC & Officejet 4.7 Corporate Edition
iTunes
Java™ 6 Update 11
LiveUpdate (Symantec Corporation)
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Small Business Edition 2003
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MobileMe Control Panel
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
neroxml
NetAssistant
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 HTMLHelp
Norton Confidential Core
NVIDIA Drivers
Otto
QFolder
QuickTax 2006
QuickTax 2007
QuickTax 2008
QuickTime
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Safari
Scan
SearchAssist
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Shiva VPN Client
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
SPBBC 32bit
Symantec Real Time Storage Protection Component
Symantec Technical Support Controls
SymNet
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

26/01/2009 7:47:08 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: nvraid

==== End Of File ===========================

#13 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 01 February 2009 - 10:55 PM

Please submit the following files to one of these online file scanners.
(All you have to do is copy and paste them in one at a time)
If it says that the files have been scanned before, then choose "reanalyze now".

c:\windows\system32\svchost.exe
c:\windows\system32\dllcache\svchost.exe
c:\windows\system32\dllcache\user32.dll

Jotti File Scan
VirusTotal File Scan
This will produce a report after the scan is complete, please copy and paste those results in your next post.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#14 MrsJazzbo

MrsJazzbo
  • Topic Starter

  • Members
  • 12 posts
  • Local time:11:36 PM

Posted 02 February 2009 - 08:40 PM

Kahdah,

Since running Combofix yesterday, the pictures on my Internet Explorer have been behaving normally--I don't have to keep resetting under Internet Options Advanced.

From Jotti for c:\windows\system32\svchost.exe:

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File to upload & scan:
Service
Service load: 0% 100%

File: svchost.exe
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 27c6d03bcdb8cfeb96b716f3d8be3e18
Packers detected: -

Scanner results
Scan taken on 03 Feb 2009 00:58:37 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

For c:\windows\system32\dllcache\svchost.exe

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File to upload & scan:
Service
Service load: 0% 100%

File: svchost.exe
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 27c6d03bcdb8cfeb96b716f3d8be3e18
Packers detected: -

Scanner results
Scan taken on 03 Feb 2009 01:31:30 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

For c:\windows\system32\dllcache\user32.dll

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File to upload & scan:
Service
Service load: 0% 100%

File: user32.dll
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: b26b135ff1b9f60c9388b4a7d16f600b
Packers detected: -

Scanner results
Scan taken on 03 Feb 2009 01:36:21 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

#15 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:12:36 AM

Posted 02 February 2009 - 09:17 PM

Hi, I need you to resend those files because they say they have been scanned before. I will need you to choose the option to rescan the items and not go by the previous scan results.

Thank you.
