Browser pop-up (new windows)


  • This topic is locked
6 replies to this topic

#1 AzKen

  • Members
  • 4 posts
  • OFFLINE
  • Local time: 07:44 AM

Posted 26 January 2009 - 05:16 PM

I was hit with Virtumonde/Vundo a week or so ago. I finally got rid of that, but I still have some sort of malware in my browsers. New windows open with no pattern I can see. Sometimes I work for hours with no problem, sometimes I get 3 or 4 pops in a few minutes. Some of the new windows are dead links, usually with a numeric IP address. Sometimes they're home pages for legitimate (looking) products like Tax Cut or Stopzilla. They often open when I right click a link in my browser, but sometimes open on their own. Just recently one opened when I clicked on the browser button on my taskbar. They happen in both Firefox and IE.

I've run Spybot, Ad-Aware, and Norton 2009, and none of them find this beast. Any clues would be great.


Here's the DDS.TXT


DDS (Ver_09-01-19.01) - NTFSx86
Run by Ken at 15:07:33.12 on Mon 01/26/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3006.2070 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Razer\Reclusa\razerhid.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Razer\Reclusa\razertra.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Norton Save and Restore\Agent\VProTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Documents and Settings\Ken\Application Data\U3\0000188E567222C0\LaunchPad.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ken\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = c:\program files\common files\microsoft shared\stationery\Blank.htm
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {bbc8f309-0f90-6bb8-5184-18cfabe97244}: {44279eba-fc81-4815-8bb6-09f0903f8cbb} - c:\windows\system32\nmylrz.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.2.0.7\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.2.0.7\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.2.0.7\coIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
mRun: [Reclusa] c:\program files\razer\reclusa\razerhid.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Norton Save and Restore 2.0] "c:\program files\norton save and restore\agent\VProTray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [DMXLauncher] "c:\program files\roxio\media experience\DMXLauncher.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [zzzHPSETUP] d:\setup.exe \RESET
StartupFolder: c:\docume~1\ken\startm~1\programs\startup\calend~1.lnk - c:\program files\calendar creator 4.0\CCSCHED.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.2.0.7\CoIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: nmylrz.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli scecli scecli scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ken\applic~1\mozilla\firefox\profiles\gpg4u1u1.default\
FF - prefs.js: browser.startup.homepage - hxxp://excite.com/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\ken\application data\mozilla\firefox\profiles\gpg4u1u1.default\extensions\{d02b1e87-a8c6-433f-9b5c-2cec4a072736}\components\susfox3.dll
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np32neur.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1002000.007\BHDrvx86.sys [2009-1-4 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1002000.007\cchpx86.sys [2009-1-4 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090115.001\IDSxpx86.sys [2009-1-18 274808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-4 99376]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090126.004\NAVENG.SYS [2009-1-26 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090126.004\NAVEX15.SYS [2009-1-26 876112]
R3 RecFltr;Reclusa Keyboard;c:\windows\system32\drivers\RecFltr.sys [2009-1-4 41984]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R4 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.2.0.7\ccSvcHst.exe [2009-1-4 115560]
R4 Norton Save and Restore;Norton Save and Restore;c:\program files\norton save and restore\agent\VProSvc.exe [2007-2-13 2655848]
S3 EraserUtilDrv10741;EraserUtilDrv10741;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10741.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10741.sys [?]

=============== Created Last 30 ================

2009-01-26 07:53 0 a------- C:\LOG3.tmp
2009-01-22 05:46 0 a------- C:\LOG5ED.tmp
2009-01-21 17:41 0 a------- C:\LOG59F.tmp
2009-01-21 14:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Blizzard
2009-01-21 13:58 <DIR> --d----- c:\program files\common files\Blizzard Entertainment
2009-01-20 17:14 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-01-20 15:13 713 -------- c:\windows\hpgmdl06.dat
2009-01-20 15:01 76,037 -------- c:\windows\hpgins06.dat.temp
2009-01-20 15:01 713 -------- c:\windows\hpgmdl06.dat.temp
2009-01-20 10:48 1,306,624 -c------ c:\windows\system32\dllcache\msxml6.dll
2009-01-20 10:48 79,872 -c------ c:\windows\system32\dllcache\msxml6r.dll
2009-01-20 10:43 19,569 a------- c:\windows\005867_.tmp
2009-01-20 10:27 221,184 a------- c:\windows\system32\wmpns.dll
2009-01-20 10:16 380,416 -------- c:\windows\system32\irprops.cpl
2009-01-20 10:16 162,304 -------- c:\windows\system32\wuaucpl.cpl
2009-01-20 10:16 <DIR> --d----- c:\windows\ServicePackFiles
2009-01-20 10:15 19,528 a------- c:\windows\002670_.tmp
2009-01-20 10:15 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-01-20 10:06 0 a------- C:\LOG7.tmp
2009-01-20 09:54 78,848 ac------ c:\windows\system32\dllcache\dayi.ime
2009-01-20 09:48 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-01-20 09:47 343,040 a------- c:\windows\system32\mspaint.exe
2009-01-20 09:46 6,272 a------- c:\windows\system32\drivers\splitter.sys
2009-01-20 09:46 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-01-20 09:44 57,600 a------- c:\windows\system32\drivers\redbook.sys
2009-01-20 09:39 40,840 a------- c:\windows\system32\drivers\termdd.sys
2009-01-20 08:49 <DIR> --d----- c:\program files\InterActual
2009-01-19 21:58 19,274 a------- c:\windows\001289_.tmp
2009-01-19 18:32 0 a------- C:\LOG3E5.tmp
2009-01-19 18:23 <DIR> -cd-h--- c:\windows\$MSI30UninstallMSI30-KB884016$
2009-01-19 18:07 92,920 a------- c:\windows\DLA.EXE
2009-01-19 18:07 56,056 a------- c:\windows\system32\DLAAPI_W.DLL
2009-01-19 18:07 51,800 a------- c:\windows\system32\drivers\DRVNDDM.SYS
2009-01-19 18:07 28,216 a------- c:\windows\system32\drivers\DLARTL_M.SYS
2009-01-19 18:07 12,952 a------- c:\windows\system32\drivers\DLACDBHM.SYS
2009-01-19 18:07 <DIR> --d----- c:\windows\system32\DLA
2009-01-19 18:06 <DIR> --d----- c:\program files\common files\SureThing Shared
2009-01-19 18:06 <DIR> --d----- C:\6630adfec4342
2009-01-19 18:06 <DIR> --d----- C:\2
2009-01-19 18:06 <DIR> --d----- C:\f83da11039bc6cf77b54913bc23d9429
2009-01-19 18:06 24,576 a------- c:\windows\system32\xpsp1hfm.exe
2009-01-19 18:06 <DIR> -cd-h--- c:\windows\$xpsp1hfm$
2009-01-19 18:06 <DIR> --d----- C:\6d35c
2009-01-19 18:05 <DIR> --d----- c:\program files\Xingtone
2009-01-19 18:04 <DIR> --d----- c:\program files\SightSpeed
2009-01-19 18:03 44,032 ac------ c:\windows\system32\dllcache\msxml3r.dll
2009-01-19 18:03 1,104,896 a------- c:\windows\system32\msxml3.dll
2009-01-19 18:03 44,032 a------- c:\windows\system32\msxml3r.dll
2009-01-19 18:01 <DIR> --d----- c:\program files\common files\SightSpeed
2009-01-19 18:00 <DIR> --d----- c:\program files\DivX
2009-01-19 17:31 <DIR> --d----- c:\windows\system32\NtmsData
2009-01-19 14:16 347,136 a------- c:\windows\system32\hypertrm.dll
2009-01-19 13:59 52,864 a------- c:\windows\system32\drivers\dmusic.sys
2009-01-19 13:50 11,264 a------- c:\windows\system32\drivers\irenum.sys
2009-01-19 13:50 13,608 a----r-- c:\windows\SET6F.tmp
2009-01-19 13:50 1,085,913 a----r-- c:\windows\SET63.tmp
2009-01-19 06:42 141,869,056 a------- c:\windows\MEMORY.DMP
2009-01-18 10:59 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-18 10:59 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-18 10:18 0 a------- C:\LOGC.tmp
2009-01-18 10:06 0 a------- C:\LOG17C.tmp
2009-01-18 09:50 0 a------- C:\LOG148.tmp
2009-01-18 09:50 103,936 a------- c:\windows\system32\nmylrz.dll
2009-01-18 09:50 103,936 a------- c:\windows\system32\regmyyxj.dll
2009-01-15 05:43 0 a------- C:\LOG12D.tmp
2009-01-14 18:46 <DIR> --d----- c:\program files\common files\Sonic Shared
2009-01-14 18:44 <DIR> --d----- c:\windows\system32\URTTEMP
2009-01-14 18:41 <DIR> --d----- c:\program files\common files\Hewlett-Packard
2009-01-14 18:38 76,407 a------- c:\windows\hpgins06.dat
2009-01-14 18:36 528,384 a----r-- c:\windows\system32\hpgt4850.dll
2009-01-14 18:36 364,544 a----r-- c:\windows\system32\hp4850co.dll
2009-01-14 18:36 516,096 a----r-- c:\windows\system32\hpxp4850.dll
2009-01-14 18:36 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-01-14 18:35 633,910 a------- c:\windows\setupapi.old
2009-01-14 16:42 <DIR> --d----- c:\windows\pss
2009-01-14 10:03 <DIR> --d----- C:\VundoFix Backups
2009-01-13 16:58 447 a------- c:\windows\wininit.ini
2009-01-13 11:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-13 11:09 <DIR> --d----- c:\program files\common files\Download Manager
2009-01-13 09:37 <DIR> --d----- c:\docume~1\ken\applic~1\Copy (2) of Mozilla
2009-01-13 09:37 <DIR> --d----- c:\docume~1\ken\applic~1\Copy of Mozilla
2009-01-11 18:23 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-01-11 18:22 <DIR> --d----- c:\windows\system32\LogFiles
2009-01-10 12:25 0 a------- C:\LOG15.tmp
2009-01-10 11:58 <DIR> --d----- c:\windows\system32\scripting
2009-01-10 11:58 <DIR> --d----- c:\windows\l2schemas
2009-01-10 11:58 <DIR> --d----- c:\windows\system32\en
2009-01-10 11:58 <DIR> --d----- c:\windows\system32\bits
2009-01-10 11:49 <DIR> --d----- c:\program files\LightScribe Template Labeler
2009-01-10 11:33 98,304 a------- c:\windows\DUMP759d.tmp
2009-01-10 11:33 98,304 a------- c:\windows\DUMP735b.tmp
2009-01-10 11:33 98,304 a------- c:\windows\DUMP72de.tmp
2009-01-10 11:33 98,304 a------- c:\windows\DUMP72ce.tmp
2009-01-10 10:38 <DIR> --d----- c:\windows\network diagnostic
2009-01-10 10:36 64 a------- c:\windows\system32\BurnData.bin
2009-01-10 10:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LightScribe
2009-01-07 06:12 0 a------- C:\LOG1F.tmp
2009-01-06 22:20 0 a------- C:\LOG329.tmp
2009-01-06 22:06 0 a------- C:\LOG31D.tmp
2009-01-06 16:53 86,106 a----r-- c:\windows\system32\SM1un.exe
2009-01-06 16:53 32,896 a----r-- c:\windows\system32\drivers\SM1fx_at.sys
2009-01-06 16:53 266,240 a----r-- c:\windows\SM1nint.exe
2009-01-06 16:53 94,208 a----r-- c:\windows\SM1bg.exe
2009-01-06 16:53 12,382 a----r-- c:\windows\system32\SM1ui32.dll
2009-01-06 16:53 <DIR> --d----- c:\windows\DRIVERS
2009-01-06 16:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Napster
2009-01-06 16:42 <DIR> --d----- c:\program files\common files\AnswerWorks 5.0
2009-01-06 10:30 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-06 10:29 14,048 a------- c:\windows\system32\spmsg2.dll
2009-01-06 10:29 1,123,696 a------- c:\windows\system32\D3DCompiler_33.dll
2009-01-06 10:29 443,752 a------- c:\windows\system32\d3dx10_33.dll
2009-01-06 10:29 3,495,784 a------- c:\windows\system32\d3dx9_33.dll
2009-01-06 10:28 <DIR> --d----- c:\windows\system32\xlive
2009-01-05 14:08 69,120 a------- c:\windows\system32\wlanapi.dll
2009-01-05 14:08 28,672 a------- c:\windows\system32\verclsid.exe
2009-01-05 14:08 53,248 a------- c:\windows\system32\tsgqec.dll
2009-01-05 14:08 50,688 a------- c:\windows\system32\tspkg.dll
2009-01-05 13:54 2,414,360 a------- c:\windows\system32\d3dx9_31.dll
2009-01-05 12:48 <DIR> --d----- c:\windows\system32\PreInstall
2009-01-05 12:48 <DIR> --d-h--- c:\windows\$hf_mig$
2009-01-05 12:20 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-01-05 11:54 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-01-05 09:53 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
2009-01-05 09:53 1,491,992 a------- c:\windows\system32\D3DCompiler_38.dll
2009-01-05 09:53 467,984 a------- c:\windows\system32\d3dx10_38.dll
2009-01-05 09:53 81,768 a------- c:\windows\system32\xinput1_3.dll
2009-01-05 09:53 <DIR> --d----- c:\windows\Logs
2009-01-04 22:08 4,096 a--sh--- C:\VSNAP.IDX
2009-01-04 18:48 326,656 a------- c:\windows\system\Msvcrt40.dll
2009-01-04 18:48 322,832 a------- c:\windows\system\Mfc30.dll
2009-01-04 18:48 253,952 a------- c:\windows\system\Msvcrt20.dll
2009-01-04 18:48 33,280 a------- c:\windows\system\Mfc30deu.dll
2009-01-04 18:48 32,256 a------- c:\windows\system\Mfc30fra.dll
2009-01-04 18:48 924,432 a------- c:\windows\system\Mfc40.dll
2009-01-04 18:48 133,904 a------- c:\windows\system\Mfcans32.dll
2009-01-04 18:48 133,392 a------- c:\windows\system\Mfco30.dll
2009-01-04 18:48 55,808 a------- c:\windows\system\Mfcd30.dll
2009-01-04 18:48 15,872 a------- c:\windows\system\Mfcn30.dll
2009-01-04 18:48 5,632 a------- c:\windows\system\Mfcuia32.dll
2009-01-04 18:48 4,096 a------- c:\windows\system\Mfcuiw32.dll
2009-01-04 18:36 79,643 a------- c:\windows\hpfins05.dat
2009-01-04 18:36 1,350 -------- c:\windows\hpfmdl05.dat
2009-01-04 18:30 940,794 a------- c:\windows\system32\LoopyMusic.wav
2009-01-04 18:30 146,650 a------- c:\windows\system32\BuzzingBee.wav
2009-01-04 18:30 <DIR> --d----- c:\windows\system32\Lang
2009-01-04 18:28 57,344 a------- c:\windows\Alcmtr.exe
2009-01-04 18:28 319,488 a------- c:\windows\HideWin.exe
2009-01-04 18:14 16,271 a------- c:\windows\Ascd_log.ini
2009-01-04 18:09 17,802 a------- c:\windows\Ascd_tmp.ini
2009-01-04 17:55 376 a------- c:\windows\ODBC.INI
2009-01-04 17:54 <DIR> --d-h--- c:\windows\ShellNew
2009-01-04 17:54 <DIR> --d----- C:\SWSetup
2009-01-04 16:54 524,288 a------- c:\windows\RtlExUpd.dll
2009-01-04 14:52 <DIR> --d--r-- c:\program files\Norton Support
2009-01-04 14:42 <DIR> --d----- c:\program files\Norton Save and Restore
2009-01-04 14:35 36,272 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-01-04 14:35 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-04 14:35 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-04 14:35 <DIR> --d----- c:\program files\Symantec
2009-01-04 14:35 <DIR> --d----- c:\windows\system32\drivers\NIS
2009-01-04 14:35 <DIR> --d----- c:\program files\Norton Internet Security
2009-01-04 14:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-01-04 14:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-01-04 14:35 <DIR> --d----- c:\program files\NortonInstaller
2009-01-04 14:24 2,422 a------- c:\windows\system32\wpa.bak
2009-01-04 14:11 0 a------- c:\windows\ativpsrm.bin
2009-01-04 14:06 593,920 a------- c:\windows\system32\ati2sgag.exe
2009-01-04 14:03 <DIR> --d----- C:\ATI
2009-01-04 13:59 <DIR> --d----- c:\program files\common files\HP
2009-01-04 13:55 16,496 a----r-- c:\windows\system32\drivers\HPZipr12.sys
2009-01-04 13:55 51,120 a----r-- c:\windows\system32\drivers\HPZid412.sys
2009-01-04 13:55 24,576 a----r-- c:\windows\system32\AsIO.dll
2009-01-04 13:55 5,685 a----r-- c:\windows\system32\drivers\AsIO.sys
2009-01-04 13:55 5,120 a------- c:\windows\system32\drivers\AsInsHelp64.sys
2009-01-04 13:55 3,328 a------- c:\windows\system32\drivers\AsInsHelp32.sys
2009-01-04 13:55 <DIR> --d----- c:\program files\ASUS
2009-01-04 13:55 37,376 a------- c:\windows\system32\hpz3l3xu.dll
2009-01-04 13:54 278,584 a------- c:\windows\system32\HPZidr12.dll
2009-01-04 13:54 204,800 a------- c:\windows\system32\HPZipr12.dll
2009-01-04 13:54 94,208 a------- c:\windows\system32\HPZipt12.dll
2009-01-04 13:54 69,632 a------- c:\windows\system32\HPZipm12.exe
2009-01-04 13:54 61,440 a------- c:\windows\system32\HPZinw12.exe
2009-01-04 13:54 57,344 a------- c:\windows\system32\HPZisn12.dll
2009-01-04 13:54 306,688 a------- c:\windows\IsUninst.exe
2009-01-04 13:53 81,280 a----r-- c:\windows\system32\drivers\Rtnicxp.sys
2009-01-04 13:53 <DIR> --d----- c:\windows\OPTIONS
2009-01-04 13:53 <DIR> --d----- c:\program files\Realtek
2009-01-04 13:29 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-04 13:29 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-01-04 13:29 0 a------- C:\LOGD5.tmp
2009-01-04 13:27 1,933,312 a------- c:\windows\system32\cdintf250.dll
2009-01-04 13:26 <DIR> --d----- c:\program files\common files\Palo Alto Software
2009-01-04 13:26 <DIR> --d----- c:\program files\common files\Intuit
2009-01-04 13:26 <DIR> --d----- c:\program files\Quicken
2009-01-04 13:26 209 a------- c:\windows\QUICKEN.INI
2009-01-04 13:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2009-01-04 13:02 <DIR> --d-h--- c:\windows\PIF
2009-01-04 12:58 <DIR> --d----- c:\program files\Microsoft Picture It! 9
2009-01-04 12:58 <DIR> --d----- c:\program files\Microsoft Office Outlook Connector
2009-01-04 12:57 <DIR> a-d----- c:\program files\Microsoft IntelliType Pro
2009-01-04 12:57 <DIR> a-d----- c:\program files\Microsoft Hardware
2009-01-04 12:56 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-01-04 12:34 <DIR> a-d----- c:\program files\WinPcap
2009-01-04 12:34 <DIR> a-d----- c:\program files\WinDVD
2009-01-04 12:34 <DIR> a-d----- c:\program files\Windows Installer Clean Up
2009-01-04 12:34 <DIR> a-d----- c:\program files\WebSudokuDeluxe
2009-01-04 12:34 <DIR> --d----- c:\program files\Western Digital Technologies
2009-01-04 12:34 <DIR> --d----- c:\program files\Western Digital
2009-01-04 12:34 <DIR> --d----- c:\program files\VIA
2009-01-04 12:33 <DIR> a-d----- c:\program files\TurboTax
2009-01-04 12:33 <DIR> --d----- c:\program files\TomTom HOME 2
2009-01-04 12:33 <DIR> --d----- c:\program files\TomTom DesktopSuite
2009-01-04 12:33 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-04 12:33 <DIR> a-d----- c:\program files\Systweak Book Organizer
2009-01-04 12:25 <DIR> --d----- c:\program files\MSN Messenger
2009-01-04 12:07 <DIR> a-d----- c:\program files\Zone Labs
2009-01-04 12:07 <DIR> a-d----- c:\program files\WinRAR 3.0
2009-01-04 12:03 <DIR> --d----- c:\program files\SupportSoft
2009-01-04 12:03 <DIR> --d--r-- c:\program files\Support.com
2009-01-04 12:03 <DIR> --d----- c:\program files\Spyware Doctor
2009-01-04 12:03 <DIR> a-d----- c:\program files\SpyHunter
2009-01-04 12:03 <DIR> a-d----- c:\program files\Spybot - Search & Destroy
2009-01-04 12:00 <DIR> --d----- c:\program files\SPORE
2009-01-04 12:00 <DIR> --d----- c:\program files\SlySoft
2009-01-04 12:00 <DIR> a-d----- c:\program files\Sidekick95
2009-01-04 12:00 <DIR> a-d----- c:\program files\Sibelius Software
2009-01-04 12:00 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-04 12:00 <DIR> a-d----- c:\program files\ScanSoft
2009-01-04 12:00 <DIR> a-d----- c:\program files\Saitek
2009-01-04 12:00 <DIR> --d----- c:\program files\Roxio
2009-01-04 12:00 <DIR> --d----- c:\program files\Rosetta Stone
2009-01-04 12:00 <DIR> a-d----- c:\program files\Registry First Aid
2009-01-04 12:00 <DIR> a-d----- c:\program files\Registry Compressor
2009-01-04 11:59 <DIR> --d----- c:\program files\RealFlightG3
2009-01-04 11:59 <DIR> --d----- c:\program files\Qwest QuickConnect
2009-01-04 11:59 <DIR> a-d----- c:\program files\Punch! Pro
2009-01-04 11:58 <DIR> a-d----- c:\program files\PopCap Games
2009-01-04 11:58 <DIR> --d----- c:\program files\Picasa2
2009-01-04 11:58 <DIR> --d----- c:\program files\PerformanceTest
2009-01-04 11:58 <DIR> a-d----- c:\program files\Palm
2009-01-04 11:56 <DIR> a-d----- c:\program files\NETGEAR
2009-01-04 11:56 <DIR> a-d----- c:\program files\MsnMusic
2009-01-04 11:52 <DIR> a-d----- c:\program files\Maxtor
2009-01-04 11:52 <DIR> a-d----- c:\program files\LimeWire
2009-01-04 11:52 <DIR> a-d----- c:\program files\Lead Pursuit
2009-01-04 11:52 <DIR> a-d----- c:\program files\Lavasoft
2009-01-04 11:52 <DIR> a-d----- c:\program files\Kazaa Lite
2009-01-04 11:52 <DIR> a-d----- c:\program files\iTunes
2009-01-04 11:52 <DIR> a-d----- c:\program files\ItsDeductibleEX
2009-01-04 11:52 <DIR> --d----- c:\program files\ItsDeductible2006
2009-01-04 11:52 <DIR> a-d----- c:\program files\ItsDeductible2005
2009-01-04 11:52 <DIR> a-d----- c:\program files\ItsDeductible2004
2009-01-04 11:52 <DIR> a-d----- c:\program files\iRiver
2009-01-04 11:52 <DIR> a-d----- c:\program files\Intuit
2009-01-04 11:52 <DIR> --d----- c:\program files\iPod
2009-01-04 11:52 <DIR> a-d----- c:\program files\eMule
2009-01-04 11:52 <DIR> --d----- c:\program files\HP
2009-01-04 11:52 <DIR> --d----- c:\program files\graphiquEcalendar Lighthouses
2009-01-04 11:48 41,984 a------- c:\windows\system32\drivers\RecFltr.sys
2009-01-04 11:48 <DIR> --d----- C:\Razer - mark for delete
2009-01-04 11:48 77,824 a------- c:\windows\system32\ReclusaR.cpl
2009-01-04 11:48 14,592 a------- c:\windows\system32\drivers\Usbicp.sys
2009-01-04 11:47 <DIR> --d----- c:\program files\Elaborate Bytes
2009-01-04 11:47 <DIR> --d----- c:\program files\Eidos Interactive
2009-01-04 11:47 <DIR> a-d----- c:\program files\eDonkey2000
2009-01-04 11:47 <DIR> a-d----- c:\program files\DVDFab Decrypter
2009-01-04 11:47 <DIR> a-d----- c:\program files\DVD Shrink
2009-01-04 11:47 <DIR> --d----- c:\program files\DVDFab Decrypter 3
2009-01-04 11:47 <DIR> a-d----- c:\program files\Doom 3
2009-01-04 11:47 <DIR> a-d----- c:\program files\directx
2009-01-04 11:47 <DIR> a-d----- c:\program files\Digital Ear
2009-01-04 11:47 <DIR> a-d----- c:\program files\Dantz
2009-01-04 11:45 36,963 a------- c:\program files\common files\SM1updtr.dll
2009-01-04 11:45 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-04 11:45 <DIR> a-d----- c:\program files\Collectorz.com
2009-01-04 11:45 <DIR> --d----- c:\program files\CloneDVD
2009-01-04 11:45 <DIR> a-d----- c:\program files\CheckIt
2009-01-04 11:45 <DIR> --d----- c:\program files\CCleaner
2009-01-04 11:45 <DIR> a-d----- c:\program files\Canon
2009-01-04 11:45 <DIR> a-d----- c:\program files\Calendar Creator 4.0
2009-01-04 11:45 <DIR> --d----- c:\program files\BurnInTest
2009-01-04 11:45 <DIR> --d----- c:\program files\Avast4
2009-01-04 11:45 <DIR> --d----- c:\program files\ATI Technologies
2009-01-04 11:45 <DIR> --d----- c:\program files\Atari
2009-01-04 11:45 <DIR> --d----- c:\program files\Analog Devices
2009-01-04 11:45 <DIR> --d----- c:\program files\Advanced WindowsCare V2
2009-01-04 11:44 <DIR> --d----- c:\program files\321Studios
2009-01-04 11:39 <DIR> --ds---- c:\documents and settings\ken\UserData
2009-01-04 11:39 <DIR> --d----- c:\documents and settings\ken\WINDOWS
2009-01-04 11:38 <DIR> --d----- c:\documents and settings\ken\PostX
2009-01-04 10:45 <DIR> --d----- c:\documents and settings\ken\Logs
2009-01-04 10:45 <DIR> --d----- c:\documents and settings\ken\logitech
2009-01-04 10:40 <DIR> --d----- c:\documents and settings\ken\browser - logitech
2009-01-04 10:40 <DIR> --d----- c:\docume~1\ken\applic~1\Uniblue
2009-01-04 10:40 <DIR> --d----- c:\docume~1\ken\applic~1\TomTom
2009-01-04 10:32 <DIR> --d----- c:\docume~1\ken\applic~1\Symantec
2009-01-04 10:32 <DIR> --d----- c:\docume~1\ken\applic~1\Spybot - Search & Destroy
2009-01-04 10:32 <DIR> --d----- c:\docume~1\ken\applic~1\SPORE
2009-01-04 10:30 <DIR> --d----- c:\docume~1\ken\applic~1\PC Tools
2009-01-04 10:30 <DIR> --d----- c:\docume~1\ken\applic~1\MSNInstaller
2009-01-04 10:29 <DIR> --d----- c:\docume~1\ken\applic~1\Intuit
2009-01-04 10:29 <DIR> --d----- c:\docume~1\ken\applic~1\Firefox
2009-01-04 10:17 128,104 a------- c:\windows\system32\drivers\WimFltr.sys
2009-01-04 10:17 109,360 a------- c:\windows\system32\GEARAspi.dll
2009-01-04 10:17 15,664 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-04 10:17 37,864 a------- c:\windows\system32\drivers\v2imount.sys
2009-01-04 10:17 14,072 a------- c:\windows\system32\drivers\vproeventmonitor.sys
2009-01-04 10:17 131,944 a------- c:\windows\system32\drivers\symsnap.sys
2009-01-04 10:17 1,060,864 a------- c:\windows\system32\MFC71.DLL
2009-01-04 10:17 499,712 a------- c:\windows\system32\MSVCP71.DLL
2009-01-04 10:17 348,160 a------- c:\windows\system32\MSVCR71.DLL
2009-01-04 10:17 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-01-04 10:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-01-04 10:16 5,810 a----r-- c:\windows\system32\drivers\ASACPI.sys
2009-01-04 10:16 5,824 a------- c:\windows\system32\drivers\ASUSHWIO.SYS
2009-01-04 09:55 <DIR> --ds---- c:\windows\system32\Microsoft
2009-01-04 09:52 316,640 a------- c:\windows\WMSysPr9.prx
2009-01-04 09:50 26,488 a------- c:\windows\system32\spupdsvc.exe
2009-01-04 09:50 64,000 ac------ c:\windows\system32\dllcache\wmplayer.exe
2009-01-04 09:50 <DIR> --d----- c:\windows\EHome
2009-01-04 09:47 <DIR> --dsh--- c:\windows\Installer
2009-01-04 09:47 <DIR> --d----- c:\documents and settings\Ken
2009-01-04 09:46 8,192 a------- c:\windows\REGLOCS.OLD
2009-01-04 09:29 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-01-04 09:28 <DIR> --d----- c:\program files\common files\MSSoap
2009-01-04 09:27 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-01-04 09:27 <DIR> --d----- c:\program files\Online Services
2009-01-04 09:27 <DIR> --d----- c:\program files\Messenger
2009-01-04 09:27 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-01-04 09:27 <DIR> --d----- c:\program files\Windows NT
2009-01-04 02:21 <DIR> --d----- c:\program files\common files\ODBC
2009-01-04 02:21 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-01-04 02:20 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-01-20 10:17 76,825 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-20 09:48 23,388 a------- c:\windows\system32\emptyregdb.dat
2008-12-01 15:13 3,452,928 a------- c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 13:52 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2008-12-01 13:51 318,464 a------- c:\windows\system32\ati2dvag.dll
2008-12-01 13:46 11,304,960 a------- c:\windows\system32\atioglxx.dll
2008-12-01 13:41 188,416 a------- c:\windows\system32\atipdlxx.dll
2008-12-01 13:40 147,456 a------- c:\windows\system32\Oemdspif.dll
2008-12-01 13:40 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2008-12-01 13:40 43,520 a------- c:\windows\system32\ati2edxx.dll
2008-12-01 13:40 143,360 a------- c:\windows\system32\ati2evxx.dll
2008-12-01 13:38 598,016 a------- c:\windows\system32\ati2evxx.exe
2008-12-01 13:37 53,248 a------- c:\windows\system32\ATIDDC.DLL
2008-12-01 13:27 4,120,384 a------- c:\windows\system32\ati3duag.dll
2008-12-01 13:19 307,200 a------- c:\windows\system32\atiiiexx.dll
2008-12-01 13:11 2,495,360 a------- c:\windows\system32\ativvaxx.dll
2008-12-01 13:11 3,107,788 a------- c:\windows\system32\ativvaxx.dat
2008-12-01 13:11 3,107,788 a------- c:\windows\system32\ativva5x.dat
2008-12-01 13:11 887,724 a------- c:\windows\system32\ativva6x.dat
2008-12-01 12:57 48,640 a------- c:\windows\system32\amdpcom32.dll
2008-12-01 12:53 401,408 a------- c:\windows\system32\atikvmag.dll
2008-12-01 12:53 45,056 a------- c:\windows\system32\amdcalrt.dll
2008-12-01 12:53 45,056 a------- c:\windows\system32\amdcalcl.dll
2008-12-01 12:52 86,016 a------- c:\windows\system32\atiadlxx.dll
2008-12-01 12:52 17,408 a------- c:\windows\system32\atitvo32.dll
2008-12-01 12:51 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
2008-12-01 12:50 286,720 a------- c:\windows\system32\atiok3x2.dll
2008-12-01 12:50 3,252,224 a------- c:\windows\system32\Amdcaldd.dll
2008-12-01 12:45 577,536 a------- c:\windows\system32\ati2cqag.dll
2008-10-30 07:45 180,720 a------- c:\windows\system32\atiicdxx.dat
2008-10-28 17:41 14,303,392 a------- c:\windows\system32\xlive.dll
2008-10-28 17:41 13,643,936 a------- c:\windows\system32\xlivefnt.dll
2008-08-23 17:57 46,112 a------- c:\docume~1\ken\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 15:07:56.23 ===============

#2 miekiemoes (Malware Response Team)

Posted 27 January 2009 - 04:35 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 AzKen (Topic Starter)

Posted 27 January 2009 - 12:07 PM

OK, here's the ComboFix log:

ComboFix 09-01-21.04 - Ken 2009-01-27 9:54:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3006.2441 [GMT -7:00]
Running from: c:\documents and settings\All Users\Start Menu\Programs\Internet & Security\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\nmylrz.dll
c:\windows\system32\regmyyxj.dll
H:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://download.esd.intuit.com
.
((((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 )))))))))))))))))))))))))))))))
.

2009-01-26 07:53 . 2009-01-26 07:53 0 --a------ C:\LOG3.tmp
2009-01-22 05:46 . 2009-01-22 05:46 0 --a------ C:\LOG5ED.tmp
2009-01-21 17:41 . 2009-01-21 17:41 0 --a------ C:\LOG59F.tmp
2009-01-21 14:05 . 2009-01-21 14:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2009-01-21 13:58 . 2009-01-21 15:07 <DIR> d-------- c:\program files\Common Files\Blizzard Entertainment
2009-01-20 17:14 . 2009-01-20 17:15 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2009-01-20 15:13 . 2005-06-07 01:35 713 --------- c:\windows\hpgmdl06.dat
2009-01-20 15:01 . 2009-01-20 15:01 76,037 --------- c:\windows\hpgins06.dat.temp
2009-01-20 15:01 . 2005-06-07 01:35 713 --------- c:\windows\hpgmdl06.dat.temp
2009-01-20 11:25 . 2009-01-20 11:25 0 --a------ c:\windows\nsreg.dat
2009-01-20 10:48 . 2008-04-14 05:42 1,306,624 -----c--- c:\windows\system32\dllcache\msxml6.dll
2009-01-20 10:48 . 2008-04-13 22:57 79,872 -----c--- c:\windows\system32\dllcache\msxml6r.dll
2009-01-20 10:43 . 2006-12-29 00:31 19,569 --a------ c:\windows\005867_.tmp
2009-01-20 10:27 . 2008-04-13 17:12 221,184 --a------ c:\windows\system32\wmpns.dll
2009-01-20 10:16 . 2009-01-20 10:48 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-20 10:16 . 2008-04-14 05:42 380,416 --------- c:\windows\system32\irprops.cpl
2009-01-20 10:16 . 2008-04-14 05:42 162,304 --------- c:\windows\system32\wuaucpl.cpl
2009-01-20 10:15 . 2004-07-17 11:40 19,528 --a------ c:\windows\002670_.tmp
2009-01-20 10:06 . 2009-01-20 10:06 0 --a------ C:\LOG7.tmp
2009-01-20 10:05 . 2009-01-20 10:05 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Roxio
2009-01-20 09:54 . 2001-08-17 22:36 2,134,528 --a--c--- c:\windows\system32\dllcache\EXCH_smtpsnap.dll
2009-01-20 09:48 . 2001-08-23 05:00 520,192 --a--c--- c:\windows\system32\dllcache\wmpvis.dll
2009-01-20 09:47 . 2008-04-14 05:41 2,061,824 --a------ c:\windows\system32\mstscax.dll
2009-01-20 09:46 . 2008-04-14 00:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-01-20 09:46 . 2008-04-14 00:15 6,272 --a------ c:\windows\system32\drivers\splitter.sys
2009-01-20 09:44 . 2008-04-14 00:10 57,600 --a------ c:\windows\system32\drivers\redbook.sys
2009-01-20 09:39 . 2008-04-14 05:43 40,840 --a------ c:\windows\system32\drivers\termdd.sys
2009-01-20 08:49 . 2009-01-20 08:49 <DIR> d-------- c:\program files\InterActual
2009-01-19 21:58 . 2002-06-14 18:46 19,274 --a------ c:\windows\001289_.tmp
2009-01-19 18:32 . 2009-01-19 18:32 0 --a------ C:\LOG3E5.tmp
2009-01-19 18:23 . 2009-01-19 18:23 <DIR> d--h-c--- c:\windows\$MSI30UninstallMSI30-KB884016$
2009-01-19 18:07 . 2009-01-19 22:07 <DIR> d-------- c:\windows\system32\DLA
2009-01-19 18:07 . 2009-01-19 18:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
2009-01-19 18:07 . 2006-08-08 09:18 92,920 --a------ c:\windows\DLA.EXE
2009-01-19 18:07 . 2006-08-08 09:18 56,056 --a------ c:\windows\system32\DLAAPI_W.DLL
2009-01-19 18:07 . 2006-08-01 19:46 51,800 --a------ c:\windows\system32\drivers\DRVNDDM.SYS
2009-01-19 18:07 . 2006-08-01 20:06 28,216 --a------ c:\windows\system32\drivers\DLARTL_M.SYS
2009-01-19 18:07 . 2006-08-01 20:06 12,952 --a------ c:\windows\system32\drivers\DLACDBHM.SYS
2009-01-19 18:06 . 2009-01-19 18:06 <DIR> d--h-c--- c:\windows\$xpsp1hfm$
2009-01-19 18:06 . 2009-01-19 18:06 <DIR> d-------- c:\program files\Common Files\SureThing Shared
2009-01-19 18:06 . 2009-01-19 18:06 <DIR> d-------- C:\f83da11039bc6cf77b54913bc23d9429
2009-01-19 18:06 . 2009-01-19 18:06 <DIR> d-------- C:\6d35c
2009-01-19 18:06 . 2009-01-19 18:06 <DIR> d-------- C:\6630adfec4342
2009-01-19 18:06 . 2009-01-19 18:06 <DIR> d-------- C:\2
2009-01-19 18:06 . 2002-09-21 12:44 24,576 --a------ c:\windows\system32\xpsp1hfm.exe
2009-01-19 18:05 . 2009-01-19 18:05 <DIR> d-------- c:\program files\Xingtone
2009-01-19 18:04 . 2009-01-19 18:05 <DIR> d-------- c:\program files\SightSpeed
2009-01-19 18:03 . 2008-04-14 05:42 1,104,896 --a------ c:\windows\system32\msxml3.dll
2009-01-19 18:03 . 2003-05-21 10:18 44,032 --a------ c:\windows\system32\msxml3r.dll
2009-01-19 18:03 . 2003-05-21 10:18 44,032 --a--c--- c:\windows\system32\dllcache\msxml3r.dll
2009-01-19 18:01 . 2009-01-19 18:02 <DIR> d-------- c:\program files\Common Files\SightSpeed
2009-01-19 18:01 . 2009-01-19 18:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Roxio
2009-01-19 18:00 . 2009-01-19 18:00 <DIR> d-------- c:\program files\DivX
2009-01-19 17:31 . 2009-01-19 18:31 <DIR> d-------- c:\windows\system32\NtmsData
2009-01-19 14:17 . 2008-04-14 05:41 274,432 --a------ c:\windows\system32\inetcfg.dll
2009-01-19 14:17 . 2008-04-14 05:41 81,920 --a------ c:\windows\system32\isign32.dll
2009-01-19 14:17 . 2008-04-14 05:41 73,728 --a------ c:\windows\system32\icwdial.dll
2009-01-19 14:17 . 2008-04-14 05:41 65,536 --a------ c:\windows\system32\icwphbk.dll
2009-01-19 14:17 . 2008-04-13 21:52 48,128 --a------ c:\windows\system32\inetres.dll
2009-01-19 14:17 . 2008-04-14 05:42 45,568 --a------ c:\windows\system32\safrslv.dll
2009-01-19 14:17 . 2008-04-14 05:42 43,520 --a------ c:\windows\system32\safrcdlg.dll
2009-01-19 14:17 . 2008-04-14 05:42 43,520 --a------ c:\windows\system32\racpldlg.dll
2009-01-19 14:17 . 2008-04-14 05:42 32,768 --a------ c:\windows\system32\mnmsrvc.exe
2009-01-19 14:17 . 2008-04-14 05:41 32,768 --a------ c:\windows\system32\isrdbg32.dll
2009-01-19 14:17 . 2008-04-14 05:42 29,696 --a------ c:\windows\system32\safrdm.dll
2009-01-19 13:59 . 2008-04-14 00:15 52,864 --a------ c:\windows\system32\drivers\dmusic.sys
2009-01-19 13:50 . 2001-08-23 05:00 1,085,913 -ra------ c:\windows\SET63.tmp
2009-01-19 13:50 . 2001-08-23 05:00 13,608 -ra------ c:\windows\SET6F.tmp
2009-01-19 13:50 . 2008-04-14 00:24 11,264 --a------ c:\windows\system32\drivers\irenum.sys
2009-01-19 06:42 . 2009-01-19 15:48 141,869,056 --a------ c:\windows\MEMORY.DMP
2009-01-18 11:27 . 2009-01-18 11:27 <DIR> d-------- c:\windows\Sun
2009-01-18 10:59 . 2009-01-18 10:59 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-18 10:59 . 2009-01-18 10:59 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-18 10:18 . 2009-01-18 10:18 0 --a------ C:\LOGC.tmp
2009-01-18 10:06 . 2009-01-18 10:06 0 --a------ C:\LOG17C.tmp
2009-01-18 09:50 . 2009-01-18 09:50 0 --a------ C:\LOG148.tmp
2009-01-15 05:43 . 2009-01-15 05:43 0 --a------ C:\LOG12D.tmp
2009-01-14 18:46 . 2009-01-20 15:37 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2009-01-14 18:46 . 2009-01-19 18:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic
2009-01-14 18:44 . 2009-01-14 18:44 <DIR> d-------- c:\windows\system32\URTTEMP
2009-01-14 18:41 . 2009-01-14 18:41 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2009-01-14 18:40 . 2009-01-14 18:40 <DIR> d-------- c:\documents and settings\Ken\Application Data\Image Zone Express
2009-01-14 18:38 . 2009-01-20 15:39 76,407 --a------ c:\windows\hpgins06.dat
2009-01-14 18:36 . 2005-06-02 01:16 528,384 -ra------ c:\windows\system32\hpgt4850.dll
2009-01-14 18:36 . 2005-05-01 11:01 516,096 -ra------ c:\windows\system32\hpxp4850.dll
2009-01-14 18:36 . 2005-05-01 10:58 364,544 -ra------ c:\windows\system32\hp4850co.dll
2009-01-14 18:36 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-01-14 18:35 . 2009-01-20 08:47 633,910 --a------ c:\windows\setupapi.old
2009-01-14 16:35 . 2009-01-14 16:35 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-14 16:34 . 2009-01-14 16:34 <DIR> d-------- c:\program files\Common Files\Adobe
2009-01-14 10:29 . 2009-01-14 10:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-14 10:03 . 2009-01-14 10:03 <DIR> d-------- C:\VundoFix Backups
2009-01-13 16:58 . 2009-01-26 09:53 447 --a------ c:\windows\wininit.ini
2009-01-13 11:13 . 2009-01-14 16:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-13 11:09 . 2009-01-13 11:09 <DIR> d-------- c:\program files\Common Files\Download Manager
2009-01-13 11:09 . 2009-01-14 10:23 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-13 09:37 . 2009-01-13 09:37 <DIR> d-------- c:\documents and settings\Ken\Application Data\Copy of Mozilla
2009-01-13 09:37 . 2009-01-13 09:37 <DIR> d-------- c:\documents and settings\Ken\Application Data\Copy (2) of Mozilla
2009-01-11 18:23 . 2009-01-11 18:23 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-01-11 18:22 . 2009-01-11 18:22 <DIR> d-------- c:\windows\system32\LogFiles
2009-01-11 18:22 . 2009-01-11 18:23 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-01-10 12:25 . 2009-01-10 12:25 0 --a------ C:\LOG15.tmp
2009-01-10 11:58 . 2009-01-10 11:58 <DIR> d-------- c:\windows\system32\scripting
2009-01-10 11:58 . 2009-01-10 11:58 <DIR> d-------- c:\windows\system32\en
2009-01-10 11:58 . 2009-01-10 11:58 <DIR> d-------- c:\windows\system32\bits
2009-01-10 11:58 . 2009-01-10 11:58 <DIR> d-------- c:\windows\l2schemas
2009-01-10 11:49 . 2009-01-10 11:49 <DIR> d-------- c:\program files\LightScribe Template Labeler
2009-01-10 11:33 . 2009-01-14 18:07 98,304 --a------ c:\windows\DUMP759d.tmp
2009-01-10 11:33 . 2009-01-14 18:02 98,304 --a------ c:\windows\DUMP735b.tmp
2009-01-10 11:33 . 2009-01-14 18:05 98,304 --a------ c:\windows\DUMP72de.tmp
2009-01-10 11:33 . 2009-01-14 18:03 98,304 --a------ c:\windows\DUMP72ce.tmp
2009-01-10 10:36 . 2009-01-10 10:36 64 --a------ c:\windows\system32\BurnData.bin
2009-01-10 10:32 . 2009-01-10 10:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\LightScribe
2009-01-07 06:12 . 2009-01-07 06:12 0 --a------ C:\LOG1F.tmp
2009-01-06 22:20 . 2009-01-06 22:20 0 --a------ C:\LOG329.tmp
2009-01-06 22:06 . 2009-01-06 22:06 0 --a------ C:\LOG31D.tmp
2009-01-06 18:12 . 2009-01-06 18:12 <DIR> d-------- c:\program files\Common Files\LightScribe
2009-01-06 16:53 . 2009-01-06 16:53 <DIR> d-------- c:\windows\DRIVERS
2009-01-06 16:53 . 2009-01-06 16:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Napster
2009-01-06 16:53 . 2003-08-27 14:20 266,240 -ra------ c:\windows\SM1nint.exe
2009-01-06 16:53 . 2003-08-27 14:20 94,208 -ra------ c:\windows\SM1bg.exe
2009-01-06 16:53 . 2003-08-27 14:20 86,106 -ra------ c:\windows\system32\SM1un.exe
2009-01-06 16:53 . 2003-08-27 14:20 32,896 -ra------ c:\windows\system32\drivers\SM1fx_at.sys
2009-01-06 16:53 . 2003-08-27 14:20 12,382 -ra------ c:\windows\system32\SM1ui32.dll
2009-01-06 16:47 . 2009-01-19 18:03 <DIR> d-------- c:\program files\Common Files\Roxio Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 16:29 --------- d-----w c:\program files\microsoft frontpage
2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 19:51 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-08-24 00:57 46,112 ----a-w c:\documents and settings\Ken\Application Data\GDIPFONTCACHEV1.DAT
2008-12-12 03:28 546,160 ----a-r c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-12-06 2387968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reclusa"="c:\program files\Razer\Reclusa\razerhid.exe" [2007-03-07 167936]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"Norton Save and Restore 2.0"="c:\program files\Norton Save and Restore\Agent\VProTray.exe" [2007-02-13 2020968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-18 136600]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-08-10 221184]
"DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 102400]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-07-31 1116920]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 c:\windows\RTHDCPL.exe]

c:\documents and settings\Ken\Start Menu\Programs\Startup\
Calendar Creator Scheduler.lnk - c:\program files\Calendar Creator 4.0\CCSCHED.EXE [2009-01-04 97280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2009-01-04 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rfagent]
--a------ 2005-02-26 19:46 330240 c:\program files\Registry First Aid\rfagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
-ra------ 2003-08-27 14:20 94208 c:\windows\SM1bg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1002000.007\BHDrvx86.sys [2009-01-04 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1002000.007\cchpx86.sys [2009-01-04 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090115.001\IDSxpx86.sys [2009-01-18 274808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-04 99376]
R3 RecFltr;Reclusa Keyboard;c:\windows\system32\drivers\RecFltr.sys [2009-01-04 41984]
R4 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
R4 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [2009-01-04 115560]
R4 Norton Save and Restore;Norton Save and Restore;c:\program files\Norton Save and Restore\Agent\VProSvc.exe [2007-02-13 2655848]
S3 EraserUtilDrv10741;EraserUtilDrv10741;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-01-27 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-06-25 11:08]

2009-01-18 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-06-25 11:08]
.
- - - - ORPHANS REMOVED - - - -

BHO-{44279eba-fc81-4815-8bb6-09f0903f8cbb} - c:\windows\system32\nmylrz.dll
HKLM-Run-zzzHPSETUP - D:\Setup.exe


.
------- Supplementary Scan -------
.
uLocal Page = c:\program files\Common Files\Microsoft Shared\Stationery\Blank.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll
FF - ProfilePath - c:\documents and settings\Ken\Application Data\Mozilla\Firefox\Profiles\gpg4u1u1.default\
FF - prefs.js: browser.startup.homepage - hxxp://excite.com/
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\Ken\Application Data\Mozilla\Firefox\Profiles\gpg4u1u1.default\extensions\{D02B1E87-A8C6-433f-9B5C-2CEC4A072736}\components\susfox3.dll
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32neur.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 10:00:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-854245398-2025429265-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-854245398-2025429265-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:b6,bd,a8,be,35,1e,1f,37,3a,6e,22,4b,25,9d,ae,78,ae,7d,4a,c2,ec,
cc,c3,ae,43,2b,6f,18,e1,f9,88,d4,65,60,0e,4b,7e,db,ef,ed,f6,14,1c,46,f4,98,\
"rkeysecu"=hex:19,7e,9c,ca,59,54,9d,83,3d,bf,5b,8d,92,a5,33,a3
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Razer\Reclusa\razertra.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2009-01-27 10:03:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-27 17:03:46

Pre-Run: 404,353,593,344 bytes free
Post-Run: 404,286,566,400 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

285 --- E O F --- 2009-01-10 19:01:09
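
Added example, not part of the thread and not a ComboFix feature: a small Python triage script that reads the sections of a ComboFix log like the one above and correlates them the way a responder does by hand. It pairs the orphaned BHO's CLSID with the DLL listed under 'Other Deletions' to confirm the component was actually removed, lists deleted system32 DLLs that no loading point referenced (those are worth checking in ComboFix-quarantined-files.txt), picks up the Autorun.inf deletion and the mountpoints2 autorun command remembered for the I: volume, and reports Security Center notifications that were switched off plus the disabled Windows Firewall. The excerpt in SAMPLE_LOG is constructed from the posted log (same section names, same line layouts, same values); the heuristics are this example's own.

```python
"""Correlate the sections of a ComboFix log the way a responder does by hand.
Added example for this thread; not part of ComboFix. Section names and line
layouts follow the log posted above; the heuristics are this example's own."""
import re

# Constructed excerpt in ComboFix's layout, using the entries from the posted log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\windows\system32\nmylrz.dll
c:\windows\system32\regmyyxj.dll
H:\Autorun.inf

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

- - - - ORPHANS REMOVED - - - -

BHO-{44279eba-fc81-4815-8bb6-09f0903f8cbb} - c:\windows\system32\nmylrz.dll
HKLM-Run-zzzHPSETUP - D:\Setup.exe
"""

# A section header is a name wrapped in runs of '(' ')' or '-' decorations.
HEADER_RE = re.compile(r"^(?:[()\-]\s*){3,}([A-Za-z][A-Za-z0-9 \-]*?)\s*(?:[()\-]\s*){3,}$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:)?0*([0-9A-Fa-f]+)')
ORPHAN_RE = re.compile(r"^([A-Za-z]+-\S+)\s+-\s+(.+)$")
AUTORUN_CMD_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$", re.I)
MOUNTPOINT_RE = re.compile(r"mountpoints2\\([^\\]+)$", re.I)


def parse_sections(text):
    """Return {section name in lower case: [stripped non-empty lines]}."""
    sections, current = {}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def triage(text):
    """Pull out the high-signal items: confirmed-removed orphans, unreferenced
    system32 deletions, autorun vectors and weakened Security Center state."""
    sections = parse_sections(text)
    deleted = [l for l in sections.get("other deletions", []) if PATH_RE.match(l)]
    orphans = {}
    for line in sections.get("orphans removed", []):
        m = ORPHAN_RE.match(line)
        if m:
            orphans[m.group(1)] = m.group(2).strip()
    deleted_lc = {p.lower() for p in deleted}
    referenced = {p.lower() for p in orphans.values()}

    autorun = ["deleted " + p for p in deleted if p.lower().endswith("autorun.inf")]
    notify_off, firewall_enabled, key = [], None, ""
    for line in sections.get("reg loading points", []):
        k = KEY_RE.match(line)
        if k:
            key = k.group(1)
            continue
        cmd = AUTORUN_CMD_RE.match(line)
        mount = MOUNTPOINT_RE.search(key)
        if cmd and mount:
            # Autorun handler Explorer remembered for a removable volume (mountpoints2).
            autorun.append("mountpoints2\\%s -> %s" % (mount.group(1), cmd.group(1)))
            continue
        v = VALUE_RE.match(line)
        if not v:
            continue
        name, value = v.group(1), int(v.group(2), 16)
        if key.lower().endswith("security center") and name.endswith("DisableNotify") and value == 1:
            notify_off.append(name)
        if key.lower().endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall":
            firewall_enabled = value != 0
    return {
        # Orphaned loading point whose target is in 'Other Deletions': component removed.
        "orphans_confirmed_deleted": sorted(k for k, v in orphans.items() if v.lower() in deleted_lc),
        # Deleted system32 DLLs no loading point pointed at: check the quarantine listing.
        "deleted_unreferenced_system32": sorted(
            p for p in deleted if "\\system32\\" in p.lower() and p.lower() not in referenced),
        "autorun": autorun,
        "security_center_notify_off": sorted(notify_off),
        "firewall_enabled": firewall_enabled,
    }


if __name__ == "__main__":
    for item, value in triage(SAMPLE_LOG).items():
        print(item, value)
```

Two caveats on reading the output. AntiVirusDisableNotify=1 and EnableFirewall=0 are classic tampering signs, but the same log shows Norton Internet Security 16.2 installed and running, and a third-party suite that registers with Security Center routinely turns those notifications off and disables the Windows Firewall in favour of its own; treat them as items to verify, not as proof. The U3 LaunchU3.exe handler is the normal launcher on a U3 flash drive, so the finding is that autorun from removable media was enabled at all, not that the command itself is hostile.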

#4 miekiemoes (Malware Response Team)

Posted 27 January 2009 - 12:29 PM

Hi,

It's a bit strange that a lot of folders / files are created / modified within a short period of time (a matter of minutes / seconds).
Either you've performed a repair install previously, or you performed a major Windows update (the several tmp files in your Windows folder may be related to the update), or you're dealing with a file infector as well. Anyway, an online scan should show afterwards.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Then, Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
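
Added example, not part of the thread: the point made in the post above, that a lot of files created within minutes can mean either a repair install / service pack or a file infector, can be checked from the 'Files Created' section itself. ComboFix prints two timestamps per entry, creation first and last-modified second. Files copied from install media or a service pack keep their old modification time (the SP3-era files in the log all carry 2008-04-14), whereas a file infector or anything else writing new content stamps a fresh one. The script below groups entries into bursts by creation time and classifies each burst on that basis. The first twelve rows of SAMPLE_CREATED are taken from the posted log; the three sample*.dll rows are constructed for contrast and are not from this machine; the 5-minute window, 3-entry minimum and 30-day staleness threshold are this example's own assumptions.

```python
"""Group the 'Files Created' entries of a ComboFix log into bursts and judge each
burst by its modification times. Added example for this thread, not part of
ComboFix; the window, minimum size and staleness threshold are this example's own."""
import re
from datetime import datetime, timedelta

# ComboFix prints: <created> . <modified> <size|<DIR>> <attributes> <path>
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")

# Rows 1-12 are taken from the posted log. The three sample*.dll rows are
# CONSTRUCTED for contrast and are not from this machine; only their timestamps matter.
SAMPLE_CREATED = r"""
2009-01-26 07:53 . 2009-01-26 07:53 0 --a------ C:\LOG3.tmp
2009-01-20 10:16 . 2008-04-14 05:42 380,416 --------- c:\windows\system32\irprops.cpl
2009-01-20 10:16 . 2008-04-14 05:42 162,304 --------- c:\windows\system32\wuaucpl.cpl
2009-01-19 18:06 . 2009-01-19 18:06 <DIR> d--h-c--- c:\windows\$xpsp1hfm$
2009-01-19 18:06 . 2009-01-19 18:06 <DIR> d-------- C:\f83da11039bc6cf77b54913bc23d9429
2009-01-19 18:06 . 2002-09-21 12:44 24,576 --a------ c:\windows\system32\xpsp1hfm.exe
2009-01-19 14:17 . 2008-04-14 05:41 274,432 --a------ c:\windows\system32\inetcfg.dll
2009-01-19 14:17 . 2008-04-14 05:41 81,920 --a------ c:\windows\system32\isign32.dll
2009-01-19 14:17 . 2008-04-14 05:41 73,728 --a------ c:\windows\system32\icwdial.dll
2009-01-19 14:17 . 2008-04-13 21:52 48,128 --a------ c:\windows\system32\inetres.dll
2009-01-19 14:17 . 2008-04-14 05:42 45,568 --a------ c:\windows\system32\safrslv.dll
2009-01-14 18:36 . 2005-06-02 01:16 528,384 -ra------ c:\windows\system32\hpgt4850.dll
2009-01-25 03:12 . 2009-01-25 03:12 98,304 --a------ c:\windows\system32\sample1.dll
2009-01-25 03:12 . 2009-01-25 03:12 98,304 --a------ c:\windows\system32\sample2.dll
2009-01-25 03:13 . 2009-01-25 03:13 98,304 --a------ c:\windows\system32\sample3.dll
"""


def parse_entries(text):
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "created": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m.group(2), "%Y-%m-%d %H:%M"),
            "is_dir": m.group(3) == "<DIR>",
            "path": m.group(5),
        })
    return entries


def find_bursts(entries, window=timedelta(minutes=5), min_size=3):
    """Consecutive entries (by creation time) no more than `window` apart form a burst."""
    bursts, current = [], []
    for e in sorted(entries, key=lambda x: x["created"]):
        if current and e["created"] - current[-1]["created"] > window:
            if len(current) >= min_size:
                bursts.append(current)
            current = []
        current.append(e)
    if len(current) >= min_size:
        bursts.append(current)
    return bursts


def classify_burst(burst, stale=timedelta(days=30), threshold=0.7):
    """install-like: most files keep an old modification time, i.e. they were copied
    from install media or a service pack. fresh-write: the files were written anew,
    which is what a file infector (or any installer building new files) leaves."""
    files = [e for e in burst if not e["is_dir"]]
    if not files:
        return "directories-only"
    stale_count = sum(1 for e in files if e["created"] - e["modified"] >= stale)
    return "install-like" if stale_count / len(files) >= threshold else "fresh-write"


def summarize(text):
    return [{"start": b[0]["created"].strftime("%Y-%m-%d %H:%M"),
             "count": len(b), "verdict": classify_burst(b)}
            for b in find_bursts(parse_entries(text))]


if __name__ == "__main__":
    for burst in summarize(SAMPLE_CREATED):
        print(burst)
```

On the posted log both real bursts come out install-like, which matches what the user later confirms (a Windows repair plus SP2/SP3). A fresh-write verdict on a burst of existing system binaries is what would justify the online scan asked for here; a burst of newly created .tmp or .log files is also fresh-write for a legitimate reason, so read the paths before drawing a conclusion.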

#5 AzKen (Topic Starter)

Posted 28 January 2009 - 05:58 PM

Yes, I should have mentioned I did a Windows repair & re-installed SP2 & SP3 while getting rid of my other infections. FWIW, I haven't had a pop-up since running ComboFix, but here's my Kaspersky scan log anyway:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, January 28, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, January 28, 2009 14:59:53
Records in database: 1720752
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 291681
Threat name: 4
Infected objects: 5
Suspicious objects: 1
Duration of the scan: 03:32:08


File name / Threat name / Threats count
C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\4a6c19aa.Ken\Mail\pop3.earthlink.net\Inbox.sbd\Junk Mail Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\4a6c19aa.Ken\Mail\pop3.earthlink.net\Inbox.sbd\Junk Mail Infected: Email-Worm.Win32.Tanatos.a 1
C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\4a6c19aa.Ken\Mail\pop3.earthlink.net\Trash Infected: Email-Worm.Win32.Bagle.g 1
H:\File Backup Data\fbfFiles_2e1\1c96ed53522e1e4.fbf Infected: Trojan-Downloader.Win32.Delf.ca 1
H:\File Backup Data\fbfFiles_7bd\1c97c30ff67bdb7.fbf Infected: Trojan-Downloader.Win32.Delf.ca 1
H:\File Backup Data\fbfFiles_e57\1c8f69ad59e57ca.fbf Infected: Trojan-Downloader.Win32.Delf.ca 1

The selected area was scanned.




The Thunderbird profiles are old email files that I haven't used & can discard if necessary. The files on the H drive are backups created by Norton Save & Restore; I can delete those if needed & re-backup my newly cleaned system. Let me know and thanks for the help.
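
Added example, not part of the thread and not Kaspersky's code: the Online Scanner report lists detections by path, and as the post above works out, where a detection sits matters more than the count. The script below parses the 'File name / Threat name / Threats count' lines and buckets each hit by location: a mail store (Thunderbird mbox folders such as Junk Mail and Trash, Outlook .pst, Outlook Express .dbx), a backup archive (the .fbf files Norton Save & Restore writes under File Backup Data, as the post says, and Symantec .v2i images), or the live file system, which is the only bucket that points to an active infection. SAMPLE_REPORT is built from the detection lines in the report above; the extension lists and the priority order are this example's assumptions.

```python
"""Bucket Kaspersky Online Scanner detections by where they sit on disk. Added
example for this thread, not Kaspersky's or the forum's code; the extension
lists and priority order are this example's assumptions."""
import re
from collections import defaultdict

# Built from the detection lines in the report above (same layout, same values).
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\4a6c19aa.Ken\Mail\pop3.earthlink.net\Inbox.sbd\Junk Mail Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\4a6c19aa.Ken\Mail\pop3.earthlink.net\Inbox.sbd\Junk Mail Infected: Email-Worm.Win32.Tanatos.a 1
C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\4a6c19aa.Ken\Mail\pop3.earthlink.net\Trash Infected: Email-Worm.Win32.Bagle.g 1
H:\File Backup Data\fbfFiles_2e1\1c96ed53522e1e4.fbf Infected: Trojan-Downloader.Win32.Delf.ca 1
H:\File Backup Data\fbfFiles_7bd\1c97c30ff67bdb7.fbf Infected: Trojan-Downloader.Win32.Delf.ca 1
H:\File Backup Data\fbfFiles_e57\1c8f69ad59e57ca.fbf Infected: Trojan-Downloader.Win32.Delf.ca 1

The selected area was scanned.
"""

# <path with spaces> <Infected|Suspicious>: <threat name> <count>
DETECTION_RE = re.compile(r"^(.+?)\s+(Infected|Suspicious):\s+(\S+)\s+(\d+)$")

# Mail-client message stores: inert until a message or attachment is opened.
MAIL_EXT = (".pst", ".dbx", ".eml", ".msf")
# Backup containers: .fbf is what Norton Save & Restore writes under 'File Backup Data'
# (per the thread); .v2i / .iv2i are Symantec's drive-image formats; .bkf is NTBackup.
BACKUP_EXT = (".fbf", ".v2i", ".iv2i", ".bkf")
# Lower number = look at it first.
PRIORITY = {"live-filesystem": 0, "mail-store": 1, "backup-archive": 2}


def classify_location(path):
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if name.endswith(BACKUP_EXT) or "\\file backup data\\" in p:
        return "backup-archive"
    # Thunderbird keeps mbox files without an extension under Mail\ or ImapMail\.
    in_tb_profile = "\\thunderbird\\" in p and ("\\mail\\" in p or "\\imapmail\\" in p)
    if in_tb_profile or name.endswith(MAIL_EXT):
        return "mail-store"
    return "live-filesystem"


def triage_report(text):
    """Return {location class: [detections]} ordered by how urgent the class is."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        path, status, threat, count = m.group(1), m.group(2), m.group(3), int(m.group(4))
        buckets[classify_location(path)].append(
            {"path": path, "status": status, "threat": threat, "count": count})
    return dict(sorted(buckets.items(), key=lambda kv: PRIORITY[kv[0]]))


def threats_by_class(text):
    return {cls: sorted({d["threat"] for d in hits})
            for cls, hits in triage_report(text).items()}


if __name__ == "__main__":
    for cls, hits in triage_report(SAMPLE_REPORT).items():
        print(cls, len(hits), sorted({d["threat"] for d in hits}))
```

For this report the live-filesystem bucket is empty, which is the result that lets the helper say the rest looks OK: the worms sit in old mail folders and the downloader sits inside backup sets, so deleting those files (and re-taking the backup from the cleaned system, as the poster proposes) removes them without implying anything is still running.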

#6 miekiemoes (Malware Response Team)

Posted 29 January 2009 - 03:05 AM

Hi,

Yes, I should have mentioned I did a Windows repair & re-installed SP 2&3 while getting rid of my other infections

That makes sense, and I'm glad to hear that that's why so many folders / files were modified within a short period of time.

The Thunderbird profiles are old email files that I haven't used & can discard if necessary. The files on the H drive are backups created by Norton Save & Restore; I can delete those if needed & re-backup my newly cleaned system

I see you already figured out from the Kaspersky log what has to be deleted. So yes, go ahead and delete what it found.

The rest looks OK again.

FWIW, I haven't had a pop up since running ComboFix

Good to hear. Your issue should be resolved now.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#7 miekiemoes (Malware Response Team)

Posted 30 January 2009 - 05:16 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



