
Trojan Horse: Dc3.exe


  • This topic is locked
9 replies to this topic

#1 andersonrua

andersonrua

  • Members
  • 58 posts
  • OFFLINE
  • Local time:02:49 PM

Posted 20 February 2009 - 12:58 PM

My antivirus program has been blocking a trojan horse for about 2 days now and says it has cleaned it and needs to reboot. Well, about 10-15 mins after rebooting the same thing pops back up saying it has blocked the trojan horse. The .exe files that have been detected so far are:
A0067375.exe located in the C:\system volume...
Dc3.exe located in C:\Recylcler
tmp10.tmp.dll located in the system32 folder.

Here are the DDS and attached logs:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Troy at 12:49:09.79 on Fri 02/20/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.155 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Troy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar =
uSearchAssistant = hxxp://www.google.com/ie
uCustomizeSearch =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
{76370a8f-0f3a-4387-b68f-0e11417e9cc9}
{9350b70c-c1ec-44db-a07c-20aca382168e}
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Aim6]
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\troy\startm~1\programs\startup\onenote 2007 screen clipper and launcher.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\troy\applic~1\mozilla\firefox\profiles\xsaxdktx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\ign\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-26 1174152]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-3 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090219.003\naveng.sys [2009-2-19 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090219.003\navex15.sys [2009-2-19 876112]

=============== Created Last 30 ================

2009-02-20 11:38 <DIR> --d----- c:\docume~1\troy\applic~1\SolidWorks
2009-02-20 11:36 8,704 a------- c:\windows\system32\ibfs32.dll
2009-02-20 03:01 <DIR> --d----- c:\program files\MSXML 4.0
2009-02-20 02:36 <DIR> --d----- c:\docume~1\troy\applic~1\Malwarebytes
2009-02-20 02:36 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-20 02:36 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-20 02:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-20 02:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-19 21:56 <DIR> --d----- c:\program files\common files\SolidWorks Shared
2009-02-19 21:55 <DIR> --d----- c:\program files\common files\eDrawings2008
2009-02-19 21:55 <DIR> --d----- C:\Solidworks Data
2009-02-19 21:55 <DIR> --d----- c:\program files\SolidWorks
2009-02-17 21:43 23 a---h--- c:\windows\yacht.xws
2009-02-17 21:31 <DIR> --d----- c:\windows\system32\GroupPolicy
2009-02-17 21:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SolidWorks
2009-02-06 19:42 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-02-06 19:41 <DIR> --d--r-- c:\program files\Skype
2009-02-01 23:12 4,958,588 a------- c:\windows\{00000002-00000000-00000001-00001102-00000004-10031102}.BAK

==================== Find3M ====================

2009-01-06 00:51 410,984 a------- c:\windows\system32\deploytk.dll
2008-05-20 17:57 22,328 a------- c:\docume~1\troy\applic~1\PnkBstrK.sys

============= FINISH: 12:49:54.57 ===============


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:02:49 PM

Posted 03 March 2009 - 05:25 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 andersonrua

andersonrua
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  • Local time:02:49 PM

Posted 04 March 2009 - 10:33 AM

DDS (Ver_09-02-01.01) - NTFSx86
Run by Troy at 10:29:59.40 on Wed 03/04/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.63 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Troy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar =
uSearchAssistant = hxxp://www.google.com/ie
uCustomizeSearch =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
{76370a8f-0f3a-4387-b68f-0e11417e9cc9}
{9350b70c-c1ec-44db-a07c-20aca382168e}
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Aim6]
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\troy\startm~1\programs\startup\onenote 2007 screen clipper and launcher.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\troy\applic~1\mozilla\firefox\profiles\xsaxdktx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\ign\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-26 1174152]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090303.003\naveng.sys [2009-3-4 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090303.003\navex15.sys [2009-3-4 876144]

=============== Created Last 30 ================

2009-02-23 20:56 172,032 a------- c:\windows\system32\PBMonNT.dll
2009-02-23 20:56 3,153,920 a------- c:\windows\system32\gsdll32.dll
2009-02-23 20:56 258,048 a------- c:\windows\system32\libpdfconv.dll
2009-02-23 20:56 864,256 a------- c:\windows\system32\DevIL.dll
2009-02-23 20:56 131,072 a------- c:\windows\system32\PPIconLoader.dll
2009-02-23 20:56 <DIR> --d----- c:\program files\ePapyrus
2009-02-23 20:56 1,273,856 a------- c:\windows\system32\PPTools.dll
2009-02-22 11:43 <DIR> --d----- c:\docume~1\troy\applic~1\SolidWorks 2008
2009-02-20 11:38 <DIR> --d----- c:\docume~1\troy\applic~1\SolidWorks
2009-02-20 11:36 8,704 a------- c:\windows\system32\ibfs32.dll
2009-02-20 03:01 <DIR> --d----- c:\program files\MSXML 4.0
2009-02-20 02:36 <DIR> --d----- c:\docume~1\troy\applic~1\Malwarebytes
2009-02-20 02:36 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-20 02:36 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-20 02:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-20 02:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-19 21:56 <DIR> --d----- c:\program files\common files\SolidWorks Shared
2009-02-19 21:55 <DIR> --d----- c:\program files\common files\eDrawings2008
2009-02-19 21:55 <DIR> --d----- C:\Solidworks Data
2009-02-19 21:55 <DIR> --d----- c:\program files\SolidWorks
2009-02-17 21:43 23 a---h--- c:\windows\yacht.xws
2009-02-17 21:31 <DIR> --d----- c:\windows\system32\GroupPolicy
2009-02-17 21:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SolidWorks
2009-02-06 19:42 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-02-06 19:41 <DIR> --d--r-- c:\program files\Skype

==================== Find3M ====================

2009-02-22 12:06 52,613 a------- c:\program files\SolidWorksswxJRNL.BAK
2009-01-06 00:51 410,984 a------- c:\windows\system32\deploytk.dll
2008-05-20 17:57 22,328 a------- c:\docume~1\troy\applic~1\PnkBstrK.sys

============= FINISH: 10:31:21.92 ===============


#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:49 PM

Posted 04 March 2009 - 05:53 PM

Hello.

That log looks clean. Let's see what we can find.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
With Regards,
The Panda

#5 andersonrua

andersonrua
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  • Local time:02:49 PM

Posted 05 March 2009 - 10:56 AM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, March 5, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, March 04, 2009 14:59:58
Records in database: 1868423
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 246965
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 03:33:13


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\22BE67FB.dll Infected: Trojan-Downloader.Win32.Small.cgu 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\270E573D.dll Infected: Trojan-Downloader.Win32.Small.cgu 1

The selected area was scanned.


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-03-05 10:48:04
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT 8A5BA678 ZwAlertResumeThread
SSDT 8A5C9FD0 ZwAlertThread
SSDT 8A568268 ZwAllocateVirtualMemory
SSDT 8A5FCB28 ZwConnectPort
SSDT sptd.sys ZwCreateKey [0xB9EC00D0]
SSDT 8A7A5510 ZwCreateMutant
SSDT 8A5E72A8 ZwCreateThread
SSDT sptd.sys ZwEnumerateKey [0xB9EC5E2C]
SSDT sptd.sys ZwEnumerateValueKey [0xB9EC61BA]
SSDT 89CBB410 ZwFreeVirtualMemory
SSDT 8A5B8618 ZwImpersonateAnonymousToken
SSDT 8A5BA500 ZwImpersonateThread
SSDT 8A5E6008 ZwMapViewOfSection
SSDT 8A5B8540 ZwOpenEvent
SSDT sptd.sys ZwOpenKey [0xB9EC00B0]
SSDT 8A5DC1E8 ZwOpenProcessToken
SSDT 89C856A0 ZwOpenThreadToken
SSDT sptd.sys ZwQueryKey [0xB9EC6292]
SSDT sptd.sys ZwQueryValueKey [0xB9EC6112]
SSDT 8A494340 ZwResumeThread
SSDT 8A5D00E0 ZwSetContextThread
SSDT 8A5D3B50 ZwSetInformationProcess
SSDT 8A8CEFC0 ZwSetInformationThread
SSDT sptd.sys ZwSetValueKey [0xB9EC6324]
SSDT 8A7971E0 ZwSuspendProcess
SSDT 8A5CCC78 ZwSuspendThread
SSDT 8A5DC2C0 ZwTerminateProcess
SSDT 8A5CD3A8 ZwTerminateThread
SSDT 8A5D0318 ZwUnmapViewOfSection
SSDT 8A5730D0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2394 80501BCC 6 Bytes [ 78, A6, 5B, 8A, D0, 9F ]
.text ntkrnlpa.exe!ZwCallbackReturn + 243A 80501C72 2 Bytes [ 5E, 8A ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2758 80501F90 6 Bytes [ E0, 71, 79, 8A, 78, CC ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2768 80501FA0 6 Bytes [ C0, C2, 5D, 8A, A8, D3 ]
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B95898AC 5 Bytes JMP 8A6D55C0
? System32\Drivers\annmrsnl.SYS The system cannot find the file specified. !
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EC0AD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EC0C1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EC0B9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EC1748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EC161E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9ED5ACA] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A9121E8

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 8A6D47A0
Device \Driver\usbuhci \Device\USBPDO-1 8A6D47A0
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A9811E8
Device \Driver\dmio \Device\DmControl\DmConfig 8A9811E8
Device \Driver\dmio \Device\DmControl\DmPnP 8A9811E8
Device \Driver\dmio \Device\DmControl\DmInfo 8A9811E8
Device \Driver\usbuhci \Device\USBPDO-2 8A6D47A0
Device \Driver\usbuhci \Device\USBPDO-3 8A6D47A0
Device \Driver\usbehci \Device\USBPDO-4 8A6D31E8

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A9141E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A9141E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{753AF2C5-4771-43D8-8576-2AB996F1AFE6} 8A6FB4B8
Device \Driver\Cdrom \Device\CdRom0 8A64F1E8
Device \Driver\Cdrom \Device\CdRom1 8A64F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A9141E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A6FB4B8
Device \Driver\NetBT \Device\NetbiosSmb 8A6FB4B8
Device \Driver\PCI_NTPNP6012 \Device\0000005c sptd.sys

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\NetBT \Device\NetBT_Tcpip_{DB0DB531-12A8-4A8B-ABD5-4243D56B9D9E} 8A6FB4B8

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBFDO-0 8A6D47A0
Device \Driver\usbuhci \Device\USBFDO-1 8A6D47A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A6D2648
Device \Driver\usbuhci \Device\USBFDO-2 8A6D47A0
Device 8A6D2648
Device \Driver\usbuhci \Device\USBFDO-3 8A6D47A0
Device \Driver\usbehci \Device\USBFDO-4 8A6D31E8
Device \Driver\Ftdisk \Device\FtControl 8A9141E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{39334427-37B1-4C30-8271-EA0384013D71} 8A6FB4B8
Device \Driver\annmrsnl \Device\Scsi\annmrsnl1Port2Path0Target0Lun0 8A6441E8
Device \Driver\annmrsnl \Device\Scsi\annmrsnl1 8A6441E8
Device 896D7660
Device A5C43297

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs 89C411E8
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x22 0x27 0x5B 0xBB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB0 0x63 0x69 0x07 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x6C 0x19 0x89 0xAB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x22 0x27 0x5B 0xBB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB0 0x63 0x69 0x07 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x6C 0x19 0x89 0xAB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x22 0x27 0x5B 0xBB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB0 0x63 0x69 0x07 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x82 0xF3 0xFC 0xFC ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9D565BC0-CB47-80E1-FC9A-6F62249D8E10}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9D565BC0-CB47-80E1-FC9A-6F62249D8E10}@eabhncdale 0x66 0x61 0x6C 0x69 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9D565BC0-CB47-80E1-FC9A-6F62249D8E10}@damgockp 0x64 0x62 0x6A 0x65 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9D565BC0-CB47-80E1-FC9A-6F62249D8E10}@iajfmpiggalginipjp 0x6A 0x61 0x66 0x65 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9D565BC0-CB47-80E1-FC9A-6F62249D8E10}@hadfglganndmpodl 0x6A 0x61 0x66 0x65 ...

---- EOF - GMER 1.0.14 ----

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts

Posted 05 March 2009 - 11:50 AM

Hello.

Looks completely clean.

Any issues at the moment?

With Regards,
The Panda

#7 andersonrua

andersonrua
  • Topic Starter
  • Members
  • 58 posts

Posted 05 March 2009 - 03:05 PM

Nope and thank you for helping me with this issue.

#8 andersonrua

andersonrua
  • Topic Starter
  • Members
  • 58 posts

Posted 17 March 2009 - 10:36 AM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, March 17, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, March 16, 2009 19:44:01
Records in database: 1917679
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 73926
Threat name: 8
Infected objects: 23
Suspicious objects: 0
Duration of the scan: 03:53:20


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04560A05.tmp Infected: Trojan.Java.ClassLoader.i 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\12465F8D.dll Infected: Trojan-Downloader.Win32.Small.cgu 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\163E612F.dll Infected: Trojan-Downloader.Win32.Small.cgu 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1B05783A.tmp Infected: Trojan.Java.ClassLoader.k 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\31B16374.tmp Infected: Trojan.Java.ClassLoader.k 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\070C0000\4F9E319E.VBN Infected: Trojan.Win32.BHO.awg 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\070C0001\4F9E3688.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ach 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\070C0002\4F9E4408.VBN Infected: Trojan.Win32.Genome.pwc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\070C0003\4F9E6A69.VBN Infected: Trojan.Win32.BHO.ng 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08080000\499C7419.VBN Infected: Trojan.Win32.Genome.pwc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08080001\499C7E5C.VBN Infected: Trojan.Win32.Genome.pwc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A540000\4BDF7C48.VBN Infected: Trojan.Win32.Genome.pwc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A540001\4BDF7D00.VBN Infected: Trojan.Win32.Genome.pwc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A540002\4BDF7DA8.VBN Infected: Trojan.Win32.Genome.pwc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B300000\4BBDFAF6.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ach 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B300001\4BBE08CF.VBN Infected: Trojan.Win32.BHO.awg 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C600000\4DFC6B60.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ach 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C600001\4DFC6B82.VBN Infected: Trojan.Win32.BHO.awg 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C600002.VBN Infected: Trojan.Win32.Agent.aoy 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C600003.VBN Infected: Trojan.Win32.BHO.awg 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C600004.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ach 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D5C0000\4DDEE64A.VBN Infected: Trojan.Win32.BHO.ng 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F0C0000\4F9E23D9.VBN Infected: Trojan.Win32.Agent.aoy 1

The selected area was scanned.
GMER 1.0.15.14939 - http://www.gmer.net
Rootkit scan 2009-03-17 11:35:13
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 82B84818 ZwAlertResumeThread
SSDT 82EBAD50 ZwAlertThread
SSDT 82DDC2F8 ZwAllocateVirtualMemory
SSDT 82ECDB30 ZwConnectPort
SSDT 82DD2908 ZwCreateMutant
SSDT 82DABB30 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xBAD17350]
SSDT 82CE97D8 ZwFreeVirtualMemory
SSDT 82DB6AA0 ZwImpersonateAnonymousToken
SSDT 82DA9398 ZwImpersonateThread
SSDT 82CCB0B0 ZwMapViewOfSection
SSDT 82ED0C68 ZwOpenEvent
SSDT 82BA3E78 ZwOpenProcessToken
SSDT 82CF6008 ZwOpenThreadToken
SSDT 82F5FC10 ZwQueryValueKey
SSDT 82D00CB8 ZwResumeThread
SSDT 82B5B6F8 ZwSetContextThread
SSDT 82F162A8 ZwSetInformationProcess
SSDT 82C6BD98 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xBAD17580]
SSDT 82EC1670 ZwSuspendProcess
SSDT 82ED2CA8 ZwSuspendThread
SSDT 82B62560 ZwTerminateProcess
SSDT 82B933A0 ZwTerminateThread
SSDT 82EC97C0 ZwUnmapViewOfSection
SSDT 82DCFC08 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts

Posted 17 March 2009 - 04:40 PM

Hello.

Oops, this topic is still open?

The items detected were in quarantine. Nothing to worry about.

With Regards,
The Panda

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts

Posted 27 March 2009 - 07:13 AM

Hello.

There has been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
