
Removing Troj/Rustok-N


44 replies to this topic

#1 latinabella429

  • Members
  • 32 posts

Posted 11 February 2009 - 09:23 AM

I forgot to disable my Norton Antivirus before running these scans... Should I do so and re-scan? PLEASE PLEASE PLEASE HELP!!!

Referred here from: http://www.bleepingcomputer.com/forums/t/200071/trojrustok-n/ ~ OB


DDS (Ver_09-02-01.01) - NTFSx86
Run by JoAnna at 9:09:22.35 on Wed 02/11/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.396 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Dell Wireless\PRISMCFG.EXE
C:\Documents and Settings\JoAnna\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
dRunOnce: [RunNarrator] Narrator.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-14 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090210.056\NAVENG.SYS [2009-2-11 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090210.056\NAVEX15.SYS [2009-2-11 876112]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2009-1-14 1251720]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]
S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2005-8-16 57344]

=============== Created Last 30 ================

2009-02-02 08:32 5,632 a------- c:\windows\system32\ptpusb.dll
2009-02-02 08:32 159,232 a------- c:\windows\system32\ptpusd.dll
2009-01-30 15:49 --d----- c:\program files\Trend Micro
2009-01-30 14:04 --d----- c:\docume~1\joanna\applic~1\Malwarebytes
2009-01-30 14:04 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-16 07:49 54,156 a---h--- c:\windows\QTFont.qfn
2009-01-16 07:49 1,409 a------- c:\windows\QTFont.for
2009-01-14 10:06 --d----- c:\program files\Norton Internet Security
2009-01-14 10:05 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-14 10:05 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-14 10:05 --d----- c:\program files\Symantec
2009-01-14 10:01 --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-01-14 09:55 --d----- c:\windows\pss
2009-01-14 09:42 --d----- c:\program files\NortonInstaller

==================== Find3M ====================

2009-01-19 07:37 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-19 07:37 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-12 00:57 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2008-11-29 17:58 82,944 a------- c:\windows\system32\IEDFix.C.exe

============= FINISH: 9:09:53.95 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 8/26/2005 11:20:44 AM
System Uptime: 2/11/2009 7:39:28 AM (2 hours ago)

Motherboard: Dell Inc. | | 0X8582
Processor: Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz
Processor: Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 71 GiB total, 58.629 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP753: 11/13/2008 10:21:39 AM - System Checkpoint
RP754: 11/14/2008 12:15:39 PM - System Checkpoint
RP755: 11/17/2008 12:26:26 PM - System Checkpoint
RP756: 11/19/2008 12:17:44 PM - System Checkpoint
RP757: 11/20/2008 1:39:48 PM - System Checkpoint
RP758: 11/21/2008 4:17:49 PM - System Checkpoint
RP759: 11/24/2008 12:19:39 PM - System Checkpoint
RP760: 11/25/2008 12:43:53 PM - System Checkpoint
RP761: 11/26/2008 2:34:52 PM - System Checkpoint
RP762: 12/1/2008 12:29:02 PM - System Checkpoint
RP763: 12/3/2008 12:18:41 PM - System Checkpoint
RP764: 12/4/2008 3:22:48 PM - System Checkpoint
RP765: 12/8/2008 10:03:47 AM - System Checkpoint
RP766: 12/9/2008 12:19:52 PM - System Checkpoint
RP767: 12/10/2008 12:48:11 PM - System Checkpoint
RP768: 12/12/2008 12:25:13 PM - System Checkpoint
RP769: 12/15/2008 12:48:48 PM - System Checkpoint
RP770: 12/17/2008 9:41:15 AM - System Checkpoint
RP771: 12/18/2008 12:16:43 PM - System Checkpoint
RP772: 12/19/2008 12:24:15 PM - System Checkpoint
RP773: 12/22/2008 7:55:38 AM - System Checkpoint
RP774: 12/23/2008 12:27:52 PM - System Checkpoint
RP775: 12/29/2008 12:27:24 PM - System Checkpoint
RP776: 12/30/2008 12:28:17 PM - System Checkpoint
RP777: 1/5/2009 12:31:53 PM - System Checkpoint
RP778: 1/6/2009 12:45:06 PM - System Checkpoint
RP779: 1/8/2009 12:16:30 PM - System Checkpoint
RP780: 1/9/2009 3:46:12 PM - System Checkpoint
RP781: 1/12/2009 12:22:57 PM - System Checkpoint
RP782: 1/13/2009 11:52:18 AM - Installed Symantec Technical Support Web Controls
RP783: 1/15/2009 12:19:03 PM - System Checkpoint
RP784: 1/16/2009 12:27:04 PM - System Checkpoint
RP785: 1/20/2009 10:17:31 AM - System Checkpoint
RP786: 1/22/2009 8:45:17 AM - System Checkpoint
RP787: 1/23/2009 2:07:16 PM - System Checkpoint
RP788: 1/26/2009 2:12:49 PM - System Checkpoint
RP789: 1/28/2009 9:50:51 AM - Restore Operation
RP790: 1/29/2009 10:18:06 AM - System Checkpoint
RP791: 1/30/2009 12:15:31 PM - System Checkpoint
RP792: 2/2/2009 7:56:47 AM - Restore Operation
RP793: 2/3/2009 8:13:10 AM - System Checkpoint
RP794: 2/6/2009 12:18:07 PM - System Checkpoint
RP795: 2/9/2009 12:22:58 PM - System Checkpoint
RP796: 2/10/2009 4:02:23 PM - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
AppCore
ArcSoft PhotoStudio 5.5
ATI Control Panel
ATI Display Driver
Canon CanoScan 4400F User Registration
Canon CanoScan Toolbox 5.0
CanoScan 4400F
ccCommon
Component Framework
Comprehensive Review for NCLEX-RN, 2e
Conexant D850 56K V.9x DFVc Modem
Dell Driver Reset Tool
Dell Laser Printer 1100 Software Uninstall
Dell Picture Studio v3.0
Dell Support 3.2.1
Dell System Restore
Digital Line Detect
EarthLink setup files
FormDocs 6.0
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Intel Matrix Storage Manager
Intel® PRO Network Connections Software v9.2.4.11
Intel® PROSafe for Wired Connections
Internet Explorer Default Page
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
Learn2 Player (Uninstall Only)
LiveUpdate (Symantec Corporation)
Macromedia Flash Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Small Business Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Project 2000
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Modem Helper
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
My Way Search Assistant
Netflix Movie Viewer
NetWaiting
Norton AntiVirus
Norton AntiVirus Help
Norton Confidential Core
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
OpenOffice.org Installer 1.0
Presto! PageManager 7.15.14
Qualxserve Service Agreement
QuickBooks Simple Start Special Edition
QuickTime
RealPlayer Basic
ScanSoft OmniPage SE 4.0
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SPBBC 32bit
Symantec Real Time Storage Protection Component
Symantec Technical Support Web Controls
SymNet
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
USB 2.0 Wireless LAN Card Utility
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888310
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WinZip

==== Event Viewer Messages From Past Week ========

2/4/2009 3:48:36 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep
2/4/2009 3:46:52 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/4/2009 3:46:48 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
2/4/2009 3:45:55 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
2/4/2009 3:40:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Beep eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSPX SYMTDI Tcpip
2/4/2009 3:40:34 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/4/2009 3:40:34 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
2/4/2009 3:40:34 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/4/2009 3:40:34 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
2/10/2009 2:48:44 PM, error: Dhcp [1002] - The IP address lease 0.0.0.0 for the Network Card with network address 0014A5303923 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
2/11/2009 7:40:12 AM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 0014A5303923 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================

Edited by Orange Blossom, 11 February 2009 - 09:10 PM.



#2 KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts

Posted 23 February 2009 - 11:10 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 latinabella429

  • Topic Starter

  • Members
  • 32 posts

Posted 24 February 2009 - 01:16 PM

I'm embedding the DDS file that I was told to paste. The other file is supposed to be attached as a zip file. I'm not sure how to do this. I don't have Zip software. What should I do? I'm trying to get rid of a Troj/Rustok-N and whatever else might be infecting my computer. Please advise as soon as possible.


DDS (Ver_09-02-01.01) - NTFSx86
Run by JoAnna at 12:59:47.01 on Tue 02/24/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.558 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\JoAnna\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-14 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090223.048\NAVENG.SYS [2009-2-24 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090223.048\NAVEX15.SYS [2009-2-24 876144]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2009-1-14 1251720]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]
S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2005-8-16 57344]

=============== Created Last 30 ================

2009-02-02 08:32 5,632 a------- c:\windows\system32\ptpusb.dll
2009-02-02 08:32 159,232 a------- c:\windows\system32\ptpusd.dll
2009-01-30 15:49 <DIR> --d----- c:\program files\Trend Micro
2009-01-30 14:04 <DIR> --d----- c:\docume~1\joanna\applic~1\Malwarebytes
2009-01-30 14:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-01-19 07:37 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-19 07:37 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-19 07:37 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-19 07:37 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-12 00:57 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2008-11-29 17:58 82,944 a------- c:\windows\system32\IEDFix.C.exe

============= FINISH: 13:00:14.65 ===============

#4 Hoov

  • Malware Response Team
  • 3,519 posts

Posted 24 February 2009 - 09:37 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer:

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

You need to attach the file.

But to press on while you are doing that, Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Whether or not you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (e.g. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Also whatever program is telling you that you have a problem, could you please post that log as well.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#5 latinabella429

latinabella429
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:07:49 AM

Posted 25 February 2009 - 02:27 PM

Hi, thanks for responding. You speak (write) very kindly and comfortingly. Anyway, I don't remember in detail what I have done so far... I went through this long process with someone else on this site and in the end they could not help me. I downloaded some things and gave reports left and right. I'm not sure if you can see my previous thread or how that works. Well, I wound up deleting whatever I had downloaded in order to fix my problems so that I can start off fresh. I just tried updating Malwarebytes and this is what came up:
"Update failed. Make sure you are connected to the internet and your firewall is set to allow Malwarebytes' Anti-Malware to access the internet." I'm not sure what to do now. Oh, here is the attachment of the DDS file that I didn't attach previously:

Attached Files



#6 latinabella429

latinabella429
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:07:49 AM

Posted 25 February 2009 - 02:39 PM

I noticed your posting gave an option to manually download the rules which I did and it said it was successful. Here is the report Malwarebytes gave me:

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

2/25/2009 2:39:40 PM
mbam-log-2009-02-25 (14-39-40).txt

Scan type: Quick Scan
Objects scanned: 76580
Time elapsed: 8 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.2 85.255.112.209 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5bab5f1c-38f4-4653-a4dd-8979e18a6d9b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.2 85.255.112.209 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.2 85.255.112.209 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5bab5f1c-38f4-4653-a4dd-8979e18a6d9b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.2 85.255.112.209 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.2 85.255.112.209 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{5bab5f1c-38f4-4653-a4dd-8979e18a6d9b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.2 85.255.112.209 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
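
The six hits above are all on `DhcpNameServer` values under `Tcpip\Parameters`, i.e. the resolver addresses that the DHCP lease handed to the machine, rewritten to 85.255.115.2 and 85.255.112.209. The same six entries reappear, unchanged, in the second quick-scan log later in this thread. The script below is an added example written for this page; it is not a Malwarebytes or BleepingComputer tool and nothing in the thread ran it. It parses the "Registry Data Items Infected" lines of an MBAM log (the six lines above are embedded as sample input), flags any resolver address outside a set of trusted networks, and reports whether the flagged addresses live in `DhcpNameServer` (DHCP-supplied) or `NameServer` (static) values. On Windows it can instead read the live keys with `winreg`. The function names, the default trusted networks (private and loopback ranges) and the `allowlist` parameter are this example's own assumptions, not anything the log or MBAM defines.

```python
"""Audit DNS resolver addresses reported by a Malwarebytes (MBAM) log, or read
live from the registry, for DNSChanger-style tampering. Added example for this
page; function names and defaults are assumptions, not MBAM's own API."""
import ipaddress
import re
import sys

# Sample input: the six "Registry Data Items Infected" lines copied from the
# MBAM log in this thread (raw string, so the backslashes are literal).
SAMPLE_MBAM_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.2 85.255.112.209 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5bab5f1c-38f4-4653-a4dd-8979e18a6d9b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.2 85.255.112.209 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.2 85.255.112.209 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5bab5f1c-38f4-4653-a4dd-8979e18a6d9b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.2 85.255.112.209 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.2 85.255.112.209 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{5bab5f1c-38f4-4653-a4dd-8979e18a6d9b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.2 85.255.112.209 -> Quarantined and deleted successfully.
"""

# One MBAM registry-data line: "<key> (<detection>) -> Data: <values> -> <action>"
ENTRY_RE = re.compile(
    r"^(?P<key>HKEY_\S+) \((?P<name>[^)]+)\) -> Data: (?P<data>[^>]+?) ->", re.M)

# Assumed default: resolvers on private or loopback networks are "expected"
# (a home router handing out its own address, for instance). Anything else
# must be explicitly allowlisted, e.g. the ISP's published resolvers.
DEFAULT_TRUSTED = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_mbam_dns_entries(log_text):
    """Return [(registry_key, [ip, ...])] for NameServer/DhcpNameServer hits."""
    entries = []
    for m in ENTRY_RE.finditer(log_text):
        value_name = m.group("key").split("\\")[-1].lower()
        if not value_name.endswith("nameserver"):
            continue
        ips = [ipaddress.ip_address(tok) for tok in m.group("data").split()]
        entries.append((m.group("key"), ips))
    return entries


def rogue_resolvers(entries, trusted_networks=DEFAULT_TRUSTED, allowlist=()):
    """Map each resolver address not in a trusted network or the allowlist
    to the list of registry keys that point at it."""
    allow = {ipaddress.ip_address(a) for a in allowlist}
    rogue = {}
    for key, ips in entries:
        for ip in ips:
            if ip in allow or any(ip in net for net in trusted_networks):
                continue
            rogue.setdefault(str(ip), []).append(key)
    return rogue


def dhcp_supplied(entries):
    """Keys named DhcpNameServer hold what the last DHCP lease handed out;
    a static override lives in NameServer. Rogue addresses that sit only in
    Dhcp* keys will come back on the next lease unless the DHCP source
    (on a home network, usually the router) is also checked."""
    return [key for key, _ in entries if key.endswith("\\DhcpNameServer")]


def read_live_nameservers():
    """Read the same values from the running registry (Windows only);
    returns [] on other platforms so the offline path still works."""
    try:
        import winreg
    except ImportError:
        return []
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    results = []

    def grab(subkey):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as k:
                for name in ("NameServer", "DhcpNameServer"):
                    try:
                        val, _ = winreg.QueryValueEx(k, name)
                    except FileNotFoundError:
                        continue
                    toks = str(val).replace(",", " ").split()
                    if toks:
                        results.append(("HKEY_LOCAL_MACHINE\\" + subkey + "\\" + name,
                                        [ipaddress.ip_address(t) for t in toks]))
        except OSError:
            pass

    grab(base)
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + "\\Interfaces") as ifs:
            for i in range(winreg.QueryInfoKey(ifs)[0]):
                grab(base + "\\Interfaces\\" + winreg.EnumKey(ifs, i))
    except OSError:
        pass
    return results


if __name__ == "__main__":
    live = read_live_nameservers() if sys.platform == "win32" else []
    entries = live or parse_mbam_dns_entries(SAMPLE_MBAM_LOG)
    for ip, keys in rogue_resolvers(entries).items():
        print(f"rogue resolver {ip} referenced by {len(keys)} key(s)")
    if dhcp_supplied(entries):
        print("values came from DHCP: check the DHCP server/router as well")
```

Run against the sample log it reports both addresses, each referenced by all six keys, and notes that every hit is DHCP-supplied. The same code run on the affected machine (`python audit.py` as an administrator) reads the live keys instead, which is the quicker way to confirm whether the values have been written back after a reboot than waiting for the next scan.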

#7 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:07:49 AM

Posted 25 February 2009 - 02:44 PM

Run comboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Edited by Hoov, 25 February 2009 - 02:45 PM.


#8 latinabella429

latinabella429
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:07:49 AM

Posted 25 February 2009 - 03:23 PM

ComboFix 09-02-24.02 - JoAnna 2009-02-25 15:17:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.662 [GMT -5:00]
Running from: c:\documents and settings\JoAnna\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\bszip.dll
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.

2009-02-25 14:15 . 2009-02-25 14:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-25 14:15 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-25 14:15 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-23 14:51 . 2009-02-23 14:51 <DIR> d-------- c:\documents and settings\Bay\Application Data\Malwarebytes
2009-02-23 14:51 . 2009-02-23 14:51 <DIR> d-------- c:\documents and settings\Bay\Application Data\Jasc Software Inc
2009-02-02 08:32 . 2004-08-04 00:56 159,232 --a------ c:\windows\SYSTEM32\ptpusd.dll
2009-02-02 08:32 . 2001-08-17 22:36 5,632 --a------ c:\windows\SYSTEM32\ptpusb.dll
2009-01-30 15:49 . 2009-01-30 15:49 <DIR> d-------- c:\program files\Trend Micro
2009-01-30 14:04 . 2009-01-30 14:04 <DIR> d-------- c:\documents and settings\JoAnna\Application Data\Malwarebytes
2009-01-30 14:04 . 2009-01-30 14:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-30 11:50 . 2009-01-30 11:50 <DIR> d-------- c:\documents and settings\Bay\Application Data\Viewpoint
2009-01-28 10:24 . 2009-01-28 10:24 <DIR> d-------- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-25 20:00 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-25 17:08 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-23 19:52 --------- d-----w c:\program files\Google
2009-02-23 19:51 --------- d-----w c:\program files\Symantec
2009-02-23 19:51 --------- d-----w c:\program files\Norton Internet Security
2009-02-23 19:51 --------- d-----w c:\documents and settings\Bay\Application Data\Canon
2009-01-19 12:37 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-19 12:37 60,808 ----a-w c:\windows\SYSTEM32\S32EVNT1.DLL
2009-01-19 12:37 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-19 12:37 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-16 12:50 --------- d-----w c:\documents and settings\Bay\Application Data\ArcSoft
2009-01-16 12:46 --------- d-----w c:\documents and settings\Bay\Application Data\Symantec
2009-01-16 12:38 --------- d-----w c:\documents and settings\Guest.OFFICE-ERICA\Application Data\Symantec
2009-01-14 15:01 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-14 14:42 --------- d-----w c:\program files\NortonInstaller
2008-12-29 20:46 --------- d-----w c:\documents and settings\JoAnna\Application Data\LimeWire
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-24 714608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 c:\windows\SYSTEM32\NARRATOR.EXE]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless USB 2.0 WLAN Card Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless USB 2.0 WLAN Card Utility.lnk
backup=c:\windows\pss\Wireless USB 2.0 WLAN Card Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 01:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 05:00 15360 c:\windows\SYSTEM32\CTFMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 21:57 395776 c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2006-10-11 11:45 75304 c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-09-28 12:16 185896 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-28 09:06 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
--a------ 2006-09-20 07:35 20480 c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\WrtMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"IAANTMon"=2 (0x2)
"gusvc"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2007-08-25 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-14 99376]
S3 COH_Mon;COH_Mon;c:\windows\SYSTEM32\DRIVERS\COH_Mon.sys [2007-05-29 23888]
S4 PRISMSVC;PRISMSVC;c:\windows\SYSTEM32\PRISMSVC.exe [2005-08-16 57344]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-02-25 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - JoAnna.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 20:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 15:19:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-25 15:20:19
ComboFix-quarantined-files.txt 2009-02-25 20:20:17

Pre-Run: 62,433,521,664 bytes free
Post-Run: 62,629,707,776 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

151 --- E O F --- 2008-10-02 17:55:50

#9 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:07:49 AM

Posted 25 February 2009 - 03:47 PM

OK, looks like we got a potful with that one. Update your Norton Antivirus and do a full scan. Also see if Malwarebytes' Anti-Malware will update now by using the update button in Malwarebytes' Anti-Malware. Also check Windows Update to make sure it works. And there is one thing I would like you to check: in Internet Explorer, go to Google and Yahoo search, do a search in each one, and then make sure the links go where they are supposed to.

Let me know about what Norton finds, and let me know how the other things go.

#10 latinabella429

latinabella429
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:07:49 AM

Posted 26 February 2009 - 09:07 AM

Not so good: Malwarebytes still gave me the same error when trying to update. Norton's update went well; however, the full system scan shut my system down. The following came up on my screen when this happened:

A PROBLEM HAS BEEN DETECTED AND WINDOWS HAS BEEN SHUT DOWN TO PREVENT DAMAGE TO YOUR COMPUTER.
KERNEL_STACK_INPAGE_ERROR
IF THIS PROBLEM IS THE 1ST TIME YOU'VE SEEN THIS STOP ERROR SCREEN, RESTART YOUR COMPUTER. IF THIS SCREEN APPEARS AGAIN, FOLLOW THESE STEPS:
CHECK TO MAKE SURE ANY NEW HARDWARE OR SOFTWARE IS PROPERLY INSTALLED. IF THIS IS A NEW INSTALLATION, ASK YOUR HARDWARE OR SOFTWARE MANUFACTURER FOR ANY WINDOWS UPDATES YOU MIGHT NEED.
IF PROBLEM CONTINUES, DISABLE OR REMOVE ANY NEWLY INSTALLED HARDWARE OR SOFTWARE. DISABLE BIOS MEMORY OPTIONS SUCH AS CACHING OR SHADOWING. IF YOU NEED TO USE SAFE MODE TO REMOVE OR DISABLE COMPONENTS, RESTART YOUR COMPUTER, PRESS F8 TO SELECT ADVANCED STARTUP OPTIONS AND THEN SELECT SAFE MODE.
TECHNICAL INFORMATION:
*** STOP: 0X00000077 (0XC00000B5, 0xC00000B5, 0X00000000, 0X09957000)
BEGINNING DUMP OF PHYSICAL MEMORY
PHYSICAL MEMORY DUMP COMPLETE
CONTACT YOUR SYSTEM ADMINISTRATOR OR TECHNICAL SUPPORT GROUP FOR FURTHER ASSISTANCE.

So I restarted my computer by holding the power button, since the computer was stuck on this screen. When the computer restarted, a screen popped up with the following:

MICROSOFT WINDOWS: THE SYSTEM HAS RECOVERED FROM A SERIOUS ERROR... (SEND ERROR REPORT, DON'T SEND)

Besides that I tried the google search which directed me to the correct website. However yahoo redirected me to a site I did not type in.
Lastly, upon trying to update Windows, although the address bar shows the Windows Update page, my main page (Google) is all that is displayed.

#11 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:07:49 AM

Posted 26 February 2009 - 12:18 PM

OK, looks like we start from scratch. Download the Malwarebytes' Anti-Malware updates here and update it again. Don't scan yet.

Redownload combofix (this is to make sure you have the newest version) but don't run it yet. Also update Norton, but don't run it yet.

Reboot to safe mode. Run Malwarebytes' Anti-Malware, then ComboFix, and then Norton. If any of the three programs wants to reboot, let it, but reboot back into safe mode. Once the scans are done, reboot and post the logs from all three.

#12 latinabella429

latinabella429
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:07:49 AM

Posted 26 February 2009 - 02:35 PM

Good afternoon,

OK, before anything, please be advised that after I saved the ComboFix log my computer showed a blank "safe mode" screen. No icons showed, only the safe mode symbols and the line of wording on top. I restarted my computer after that by pressing Control-Alt-Delete, and everything else ran smoothly after that. Here are the logs in this order (Malwarebytes, ComboFix & Norton):

Malwarebytes' Anti-Malware 1.34
Database version: 1793
Windows 5.1.2600 Service Pack 2

2/26/2009 1:37:57 PM
mbam-log-2009-02-26 (13-37-57).txt

Scan type: Quick Scan
Objects scanned: 75953
Time elapsed: 6 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.2 85.255.112.209 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5bab5f1c-38f4-4653-a4dd-8979e18a6d9b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.2 85.255.112.209 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.2 85.255.112.209 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5bab5f1c-38f4-4653-a4dd-8979e18a6d9b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.2 85.255.112.209 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.2 85.255.112.209 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{5bab5f1c-38f4-4653-a4dd-8979e18a6d9b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.2 85.255.112.209 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ComboFix 09-02-25.02 - JoAnna 2009-02-26 13:41:07.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.821 [GMT -5:00]
Running from: c:\documents and settings\JoAnna\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*
.

((((((((((((((((((((((((( Files Created from 2009-01-26 to 2009-02-26 )))))))))))))))))))))))))))))))
.

2009-02-25 14:15 . 2009-02-25 15:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-25 14:15 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-25 14:15 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-23 14:51 . 2009-02-23 14:51 <DIR> d-------- c:\documents and settings\Bay\Application Data\Malwarebytes
2009-02-23 14:51 . 2009-02-23 14:51 <DIR> d-------- c:\documents and settings\Bay\Application Data\Jasc Software Inc
2009-02-19 12:03 . 2009-02-19 12:03 579,464 --a------ c:\windows\SYSTEM32\SymNeti.dll
2009-02-19 12:03 . 2009-02-19 12:03 207,240 --a------ c:\windows\SYSTEM32\SymRedir.dll
2009-02-19 11:31 . 2009-02-19 11:31 184,496 --a------ c:\windows\SYSTEM32\DRIVERS\symtdi.sys
2009-02-19 11:31 . 2009-02-19 11:31 96,560 --a------ c:\windows\SYSTEM32\DRIVERS\symfw.sys
2009-02-19 11:31 . 2009-02-19 11:31 41,008 --a------ c:\windows\SYSTEM32\DRIVERS\symndisv.sys
2009-02-19 11:31 . 2009-02-19 11:31 38,576 --a------ c:\windows\SYSTEM32\DRIVERS\symids.sys
2009-02-19 11:31 . 2009-02-19 11:31 37,424 --a------ c:\windows\SYSTEM32\DRIVERS\symndis.sys
2009-02-19 11:31 . 2009-02-19 11:31 31,280 --a------ c:\windows\SYSTEM32\DRIVERS\SymIM.sys
2009-02-19 11:31 . 2009-02-19 11:31 22,320 --a------ c:\windows\SYSTEM32\DRIVERS\symredrv.sys
2009-02-19 11:31 . 2009-02-19 11:31 13,616 --a------ c:\windows\SYSTEM32\DRIVERS\symdns.sys
2009-02-19 11:31 . 2009-02-19 11:31 9,844 --a------ c:\windows\SYSTEM32\DRIVERS\SymRedir.cat
2009-02-19 11:31 . 2009-02-19 11:31 1,611 --a------ c:\windows\SYSTEM32\DRIVERS\SymRedir.inf
2009-02-02 08:32 . 2004-08-04 00:56 159,232 --a------ c:\windows\SYSTEM32\ptpusd.dll
2009-02-02 08:32 . 2001-08-17 22:36 5,632 --a------ c:\windows\SYSTEM32\ptpusb.dll
2009-01-30 15:49 . 2009-01-30 15:49 <DIR> d-------- c:\program files\Trend Micro
2009-01-30 14:04 . 2009-01-30 14:04 <DIR> d-------- c:\documents and settings\JoAnna\Application Data\Malwarebytes
2009-01-30 14:04 . 2009-01-30 14:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-30 11:50 . 2009-01-30 11:50 <DIR> d-------- c:\documents and settings\Bay\Application Data\Viewpoint
2009-01-28 10:24 . 2009-01-28 10:24 <DIR> d-------- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 18:24 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-26 12:45 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-23 19:52 --------- d-----w c:\program files\Google
2009-02-23 19:51 --------- d-----w c:\program files\Symantec
2009-02-23 19:51 --------- d-----w c:\program files\Norton Internet Security
2009-02-23 19:51 --------- d-----w c:\documents and settings\Bay\Application Data\Canon
2009-01-19 12:37 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-19 12:37 60,808 ----a-w c:\windows\SYSTEM32\S32EVNT1.DLL
2009-01-19 12:37 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-19 12:37 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-16 12:50 --------- d-----w c:\documents and settings\Bay\Application Data\ArcSoft
2009-01-16 12:46 --------- d-----w c:\documents and settings\Bay\Application Data\Symantec
2009-01-16 12:38 --------- d-----w c:\documents and settings\Guest.OFFICE-ERICA\Application Data\Symantec
2009-01-14 15:01 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-14 14:42 --------- d-----w c:\program files\NortonInstaller
2008-12-29 20:46 --------- d-----w c:\documents and settings\JoAnna\Application Data\LimeWire
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-24 714608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 c:\windows\SYSTEM32\NARRATOR.EXE]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless USB 2.0 WLAN Card Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless USB 2.0 WLAN Card Utility.lnk
backup=c:\windows\pss\Wireless USB 2.0 WLAN Card Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 01:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 05:00 15360 c:\windows\SYSTEM32\CTFMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 21:57 395776 c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2006-10-11 11:45 75304 c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-09-28 12:16 185896 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-28 09:06 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
--a------ 2006-09-20 07:35 20480 c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\WrtMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"IAANTMon"=2 (0x2)
"gusvc"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2007-08-25 149352]
S3 COH_Mon;COH_Mon;c:\windows\SYSTEM32\DRIVERS\COH_Mon.sys [2007-05-29 23888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-26 101936]
S4 PRISMSVC;PRISMSVC;c:\windows\SYSTEM32\PRISMSVC.exe [2005-08-16 57344]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-02-26 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - JoAnna.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 20:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-26 13:43:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-26 13:44:56
ComboFix-quarantined-files.txt 2009-02-26 18:44:55
ComboFix2.txt 2009-02-25 20:20:20

Pre-Run: 63,591,309,312 bytes free
Post-Run: 63,789,826,048 bytes free

136 --- E O F --- 2008-10-02 17:55:50




Scan Stats:
Scan Time: 1997 seconds
Scan Options:
Scan Targets: C:
Counts:
Total items scanned: 158,978
- Files & Directories: 157,732
- Registry Entries: 275
- Processes & Start-up Items: 717
- Network & Browser Items: 248
- Other: 5

Total security risks detected: 1
Total items resolved: 1
Total items that require attention: 0

Resolved Threats:
Tracking Cookie
Virus ID: 4294909925
Type: Anomaly
Risk: Low (Low Stealth, Low Removal, Low Performance, Low Privacy)
Categories: Cookie
State: Fully Resolved
-----------
14 Tracking Cookies
Cookie:joanna@tacoda.net/ - Deleted
Cookie:joanna@at.atwola.com/ - Deleted
Cookie:joanna@fastclick.net/ - Deleted
Cookie:joanna@advertising.com/ - Deleted
Cookie:joanna@adopt.euroclick.com/ - Deleted
Cookie:joanna@doubleclick.net/ - Deleted
Cookie:joanna@atwola.com/ - Deleted
Cookie:joanna@atdmt.com/ - Deleted
Cookie:joanna@ad2.yieldmanager.com/ - Deleted
Cookie:joanna@realmedia.com/ - Deleted
Cookie:joanna@specificclick.net/ - Deleted
Cookie:joanna@trafficmp.com/ - Deleted
Cookie:joanna@revsci.net/ - Deleted
Cookie:Orphan Cleanup - Deleted




Unresolved Threats:
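
The registry and service entries at the top of the ComboFix log above are the ones a responder reads first. The following Python script is an added example, not part of this thread and not ComboFix's own code or output: it parses that block and flags the security-relevant settings, with the caveat a practitioner needs here. Security Center monitoring switched off for SymantecAntiVirus and SymantecFirewall, and EnableFirewall=0 on the Windows Firewall, are exactly what a third-party suite such as Norton Internet Security leaves behind, so they are only suspicious when no such product was installed. The sample input is a constructed copy of the log lines above; the trusted-path prefixes and the severity labels are the example's own assumptions.

```python
"""Triage the 'Security Center / firewall policy / services' block of a
ComboFix log. Added example; not part of the thread or of ComboFix itself."""
import re
from dataclasses import dataclass

# Constructed sample: a copy of the registry and service lines from the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2007-08-25 149352]
S3 COH_Mon;COH_Mon;c:\windows\SYSTEM32\DRIVERS\COH_Mon.sys [2007-05-29 23888]
S4 PRISMSVC;PRISMSVC;c:\windows\SYSTEM32\PRISMSVC.exe [2005-08-16 57344]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.+?)"\s*=\s*(.*)$')
# ComboFix service line: S<start> <name>;<display>;<path> [<date> <size>]
SERVICE_RE = re.compile(r"^S(\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]$")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
# Assumption of this example: binaries under these prefixes are in expected locations.
TRUSTED_PREFIXES = ("%windir%\\", "c:\\windows\\", "c:\\program files\\")


@dataclass
class Finding:
    severity: str   # "info", "review" (explainable by an installed product) or "warn"
    subject: str
    detail: str


def _num(value: str):
    """dword:00000001 -> 1, '0 (0x0)' -> 0, anything else -> None."""
    v = value.strip()
    if v.lower().startswith("dword:"):
        return int(v[6:], 16)
    m = re.match(r"\d+", v)
    return int(m.group(0)) if m else None


def _trusted(path: str) -> bool:
    # The log doubles backslashes inside quoted values; collapse them before comparing.
    return path.replace("\\\\", "\\").lower().startswith(TRUSTED_PREFIXES)


def _check_value(key: str, name: str, value: str) -> list:
    k, n = key.lower(), name.lower()
    if "security center\\monitoring\\" in k and n == "disablemonitoring" and _num(value) == 1:
        product = key.rsplit("\\", 1)[-1]
        return [Finding("review", product,
                        "Security Center monitoring disabled for " + product +
                        "; normal when that suite registered itself, suspicious if you never installed it")]
    if k.endswith("firewallpolicy\\standardprofile") and n == "enablefirewall" and _num(value) == 0:
        return [Finding("review", "Windows Firewall",
                        "Windows Firewall is off for the standard profile; "
                        "acceptable only while a third-party firewall is enabled")]
    if k.endswith("authorizedapplications\\list"):
        if _trusted(name):
            return [Finding("info", name, "firewall exception for a Windows component")]
        return [Finding("warn", name, "firewall exception outside Windows/Program Files; find out what added it")]
    return []


def _check_service(start, name, display, path, date, size) -> list:
    detail = f"{START_TYPES.get(start, start)} start, {path} ({date}, {size} bytes)"
    if start in ("0", "1", "2") and not _trusted(path):
        return [Finding("warn", name, detail + "; starts automatically from an unusual location")]
    return [Finding("info", name, detail)]


def triage(text: str) -> list:
    """Walk the block line by line, remembering the current registry key."""
    findings, current_key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            current_key = m.group(1)
        elif m := SERVICE_RE.match(line):
            findings.extend(_check_service(*m.groups()))
        elif m := VALUE_RE.match(line):
            findings.extend(_check_value(current_key, m.group(1), m.group(2)))
    return findings


def summary(findings) -> dict:
    counts = {"warn": 0, "review": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.subject}: {f.detail}")
    print(summary(triage(SAMPLE_LOG)))
```

On the sample above the script produces three "review" findings (the two Symantec monitoring entries and the disabled Windows Firewall) and no "warn" findings, which is consistent with a machine running Norton Internet Security; an auto-start service whose path pointed into a temp or user-profile directory would be reported as "warn" and is the kind of entry worth chasing before blaming the antivirus.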

#13 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 26 February 2009 - 03:19 PM

That happens sometimes with ComboFix; that's why people are warned not to run it without guidance. But it looks like Malwarebytes' Anti-Malware did the heavy lifting. How do the searches go now? Windows Update?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

#14 latinabella429

  • Topic Starter
  • Members
  • 32 posts

Posted 27 February 2009 - 07:34 AM

Windows Update still stays on my Google homepage with no options to update anything. Google's searches are correct. Yahoo's searches still get redirected to other sites.

#15 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 27 February 2009 - 07:56 AM

Download and scan with Spybot S&D 1.6.0
http://www.safer-networking.org/en/download/index.html

1. Install Spybot. Be sure to UNCHECK TeaTimer when presented with the option to install.
2. Run Spybot, go to the Menu Bar at the top choose Mode and make certain that "Default mode" has a check mark beside it.
3. Click the button "Search for Updates".
4. If any updates are found, install them by placing a checkmark next to each one and clicking "Download Updates". If you encounter any error messages while downloading the updates, manually download them from here.
5. Click on "Immunize". When it detects what has or has not been blocked, block all remaining items by clicking the green plus sign next to immunize at the top.
6. Click the button "Check for Problems".
7. When Spybot is complete, it will be showing RED entries, bold BLACK entries and GREEN entries in the window.
8. Make certain there is a check mark beside all of the RED entries ONLY.
9. Choose "Fix Selected Problems" and allow Spybot to fix the RED entries.
10. REBOOT to complete the scan and clear memory.

Note: After Windows loads, Spybot may run again to clean some files that it could not clean during the prior session. Follow the same procedure.