Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ATLSYSTEM infection - others as well?


  • This topic is locked This topic is locked
9 replies to this topic

#1 suiycfui

suiycfui

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:08:59 PM

Posted 23 February 2009 - 02:04 PM

I don't know if this is one problem or more. To start with, my computer is generating ATLSYSTEM(random number).exe files. These files try to get access to the internet, which my Norton firewall catches. Other files that have tried to get access include MSRSTART, DER5399872.dll and TPSZXYD.sys.

When booting up, if my computer's wireless function is turned on I have only a 50/50 chance of getting through the startup process. Sometimes I will get to my desktop with no icons showing and the machine sems to freeze at that point. The other times, if it boots up completely, I can access the web but my machine wants to load a program calling itself PhotoGallery. A box asks me to insert the CD for the program, a CD that I do not have. Clicking "OK" or "CANCEL" leads to (eventually) a warning box titled Microsoft .NET Framework," with a message saying, "An unhandled exception has occurred in a component in your application. Click continue and the application will ignore this error and attempt to continue. Object reference not set to an instance of an object." Presing continue does not help, and this message box will not go away.

Booting up with the wireless function turned off always gets me to the full desktop, but the PhotoGallery installation attempt still occurs.

I have run my fully updated Norton and Trend Micro's Housecall. Housecall removed some items, but nothing (it appears) that relates to my current problem.

I have followed the site's Preparation Guide in submitting this problem. Hope I haven't left anything out! My thanks in advance for any and all help received.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Diane at 13:42:52.73 on 23/02/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.98 [GMT -5:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)
FW: Norton Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ACS.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Yahoo!\NAV\navapsvc.exe
C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\WINDOWS\System32\TCtrlIOHook.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\secstat.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Yahoo!\NAV\NAVW32.EXE
C:\Documents and Settings\Diane\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ca.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: (@B9560-04F9-4bbc-943D-298DDF1699E1} - No File
BHO: x@38D8D-E480-4D52-B7A2-731BB6995FDD} - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common

files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program

files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\yahoo!\nav\NavShExt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google

toolbar\component\fastsearch_219B3E1547538286.dll
BHO: °?3D70E-1895-11CF-8E15-001234567890} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Update Manager] "c:\program files\rogers\update manager\UpdateManager.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
mRun: [<NO NAME>]
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [ZoomingHook] c:\windows\system32\ZoomingHook.exe
mRun: [TCtryIOHook] c:\windows\system32\TCtrlIOHook.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [TPSMain] TPSMain.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TFncKy] TFncKy.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6

"USB001" /M "Stylus Photo R200"
mRun: [YOP] c:\progra~1\yahoo!\yop\yop.exe /autostart
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunServices: [DJSNetCN] c:\program files\common files\symantec shared\DJSNETCN.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5050/mcfscan.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\yahoo!\nav\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;c:\program files\yahoo!\nav\Savrtpel.sys [2005-8-26 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 192104]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2005-9-17 202088]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-17 169576]
R2 eq2soft;Service Eset;c:\windows\system32\svchost.exe -k netsvcs [2004-9-2 14336]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\yahoo!\nav\NAVAPSVC.EXE [2006-4-14 139888]
R2 softyinforwow1;Sysmtens;c:\windows\system32\svchost.exe -k netsvcs [2004-9-2 14336]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-12-31 1128640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-2 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090223.002\NAVENG.Sys [2009-2-23 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090223.002\NavEx15.Sys [2009-2-23 876144]
S2 defaultlib;Service AntiVir;c:\windows\system32\svchost.exe -k netsvcs [2004-9-2 14336]
S3 SAVScan;Symantec AVScan;c:\program files\yahoo!\nav\SAVScan.exe [2005-8-26 198368]

=============== Created Last 30 ================

2009-02-23 09:33 <DIR> --d----- c:\documents and settings\diane\.housecall6.6
2009-02-22 13:36 86,016 a------- c:\windows\system32\u132234354.dll
2009-02-22 13:36 90,112 a------- c:\windows\system32\200923642.dll
2009-02-22 09:57 90,112 a------- c:\windows\system32\200925749.dll
2009-02-22 09:57 86,016 a------- c:\windows\system32\u92246852.dll
2009-02-21 11:40 86,016 a------- c:\windows\system32\u11216562.dll
2009-02-21 11:39 90,112 a------- c:\windows\system32\200923956.dll

==================== Find3M ====================

2009-02-22 13:46 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-22 13:46 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-22 13:46 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-22 13:46 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2005-10-17 18:51 32 a----r-- c:\documents and settings\all users\hash.dat
2008-08-20 19:06 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5

\mshist012008082020080821\index.dat

============= FINISH: 13:44:11.14 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:59 AM

Posted 25 February 2009 - 01:52 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finishes its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 suiycfui

suiycfui
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:08:59 PM

Posted 25 February 2009 - 04:46 PM

ComboFix 09-02-25.01 - Diane 2009-02-25 16:22:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.102 [GMT -5:00]
Running from: c:\documents and settings\Diane\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
FW: Norton Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\200923642.dll
c:\windows\system32\200923956.dll
c:\windows\system32\200925749.dll
c:\windows\system32\comsa32.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DEFAULTLIB
-------\Legacy_SOFTYINFORWOW1
-------\Service_defaultlib
-------\Service_softyinforwow1


((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.

2009-02-23 09:33 . 2009-02-23 11:40 <DIR> d-------- c:\documents and settings\Diane\.housecall6.6
2009-02-22 13:36 . 2009-02-22 13:36 86,016 --a------ c:\windows\system32\u132234354.dll
2009-02-22 11:43 . 2009-02-22 13:29 <DIR> d-------- c:\program files\RegCure
2009-02-22 09:57 . 2009-02-22 09:57 86,016 --a------ c:\windows\system32\u92246852.dll
2009-02-21 11:40 . 2009-02-21 11:40 86,016 --a------ c:\windows\system32\u11216562.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-25 21:28 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-25 21:14 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-22 19:50 --------- d-----w c:\program files\Coupons
2009-02-22 18:46 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-02-22 18:46 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-22 18:46 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-22 18:46 --------- d-----w c:\program files\Symantec
2009-02-22 18:19 --------- d-----w c:\documents and settings\Diane\Application Data\StarOffice8
2009-02-22 16:42 --------- d-----w c:\documents and settings\Diane\Application Data\U3
2009-02-13 11:26 --------- d-----w c:\program files\Google
2009-01-28 20:25 --------- d-----w c:\program files\Paint Shop Pro 5
2005-10-17 23:51 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-08-21 00:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082020080821\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Update Manager"="c:\program files\Rogers\Update Manager\UpdateManager.exe" [2004-05-27 136992]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-10 339968]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2004-08-06 643072]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-30 192512]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2004-07-28 53248]
"ZoomingHook"="c:\windows\System32\ZoomingHook.exe" [2004-07-14 24576]
"TCtryIOHook"="c:\windows\System32\TCtrlIOHook.exe" [2004-08-05 28672]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-07-20 122939]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 1089589]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 135168]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2006-08-31 448040]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 52840]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NDSTray.exe"="NDSTray.exe" [BU]
"TFncKy"="TFncKy.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 c:\windows\agrsmmsg.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"DJSNetCN"="c:\program files\Common Files\Symantec Shared\DJSNETCN.exe" [2006-02-02 54976]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2004-09-02 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.PVW2"= pvwv220.dll
"VIDC.PIMJ"= pvljpg20.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Diane^Start Menu^Programs^Startup^StarOffice 8.lnk]
path=c:\documents and settings\Diane\Start Menu\Programs\Startup\StarOffice 8.lnk
backup=c:\windows\pss\StarOffice 8.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 eq2soft;Service Eset;c:\windows\System32\svchost.exe -k netsvcs [2004-09-02 14336]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
eq2soft
.
Contents of the 'Scheduled Tasks' folder

2009-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-21 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Diane.job
- c:\progra~1\Yahoo!\NAV\Navw32.exe [2007-05-23 12:13]

2009-02-25 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 12:58]

2009-02-22 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 12:58]

2009-02-25 c:\windows\Tasks\User_Feed_Synchronization-{A1705FDD-3F9B-4212-97F6-A46EBCC21049}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-TPSMain - TPSMain.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ca.yahoo.com/
uInternet Settings,ProxyOverride = *.local
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 16:29:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\CCPROXY.EXE
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Yahoo!\NAV\NAVAPSVC.EXE
c:\program files\Yahoo!\NAV\IWP\NPFMNTOR.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\Apoint2K\ApntEx.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\YOP\secstat.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\windows\system32\msiexec.exe
c:\windows\system32\msiexec.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-02-25 16:39:05 - machine was rebooted [Diane]
ComboFix-quarantined-files.txt 2009-02-25 21:38:05

Pre-Run: 81,005,703,168 bytes free
Post-Run: 81,792,614,400 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

183 --- E O F --- 2009-02-12 03:39:56









DDS (Ver_09-02-01.01) - NTFSx86
Run by Diane at 16:41:00.68 on 25/02/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.109 [GMT -5:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)
FW: Norton Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ACS.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Yahoo!\NAV\navapsvc.exe
C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\WINDOWS\System32\TCtrlIOHook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\YOP\secstat.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Diane\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ca.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: (@B9560-04F9-4bbc-943D-298DDF1699E1} - No File
BHO: x@38D8D-E480-4D52-B7A2-731BB6995FDD} - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\yahoo!\nav\NavShExt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: °?3D70E-1895-11CF-8E15-001234567890} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Update Manager] "c:\program files\rogers\update manager\UpdateManager.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [ZoomingHook] c:\windows\system32\ZoomingHook.exe
mRun: [TCtryIOHook] c:\windows\system32\TCtrlIOHook.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TFncKy] TFncKy.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
mRun: [YOP] c:\progra~1\yahoo!\yop\yop.exe /autostart
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunServices: [DJSNetCN] c:\program files\common files\symantec shared\DJSNETCN.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5050/mcfscan.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\yahoo!\nav\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;c:\program files\yahoo!\nav\Savrtpel.sys [2005-8-26 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 192104]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2005-9-17 202088]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-17 169576]
R2 eq2soft;Service Eset;c:\windows\system32\svchost.exe -k netsvcs [2004-9-2 14336]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\yahoo!\nav\NAVAPSVC.EXE [2006-4-14 139888]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-12-31 1128640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-2 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090224.017\NAVENG.Sys [2009-2-25 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090224.017\NavEx15.Sys [2009-2-25 876144]
S3 SAVScan;Symantec AVScan;c:\program files\yahoo!\nav\SAVScan.exe [2005-8-26 198368]

=============== Created Last 30 ================

2009-02-25 16:20 <DIR> a-dshr-- C:\cmdcons
2009-02-25 16:16 161,792 a------- c:\windows\SWREG.exe
2009-02-25 16:16 98,816 a------- c:\windows\sed.exe
2009-02-23 09:33 <DIR> --d----- c:\documents and settings\diane\.housecall6.6
2009-02-22 13:36 86,016 a------- c:\windows\system32\u132234354.dll
2009-02-22 09:57 86,016 a------- c:\windows\system32\u92246852.dll
2009-02-21 11:40 86,016 a------- c:\windows\system32\u11216562.dll

==================== Find3M ====================

2009-02-22 13:46 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-22 13:46 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-22 13:46 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-22 13:46 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2005-10-17 18:51 32 a----r-- c:\documents and settings\all users\hash.dat
2008-08-20 19:06 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082020080821\index.dat

============= FINISH: 16:41:45.98 ===============

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:59 AM

Posted 25 February 2009 - 05:37 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.bleepingcomputer.com/forums/index.php?showtopic=205915&view=findpost&p=1152588

KillAll::

NetSvc::
eq2soft

Driver::
eq2soft

Collect::
c:\windows\system32\u132234354.dll
c:\windows\system32\u92246852.dll
c:\windows\system32\u11216562.dll

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • Simply follow the instructions to copy/paste/send the requested file.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 suiycfui

suiycfui
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:08:59 PM

Posted 25 February 2009 - 07:46 PM

ComboFix 09-02-25.01 - Diane 2009-02-25 19:24:17.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.129 [GMT -5:00]
Running from: c:\documents and settings\Diane\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Diane\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning enabled* (Updated)
FW: Norton Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\u11216562.dll
c:\windows\system32\u132234354.dll
c:\windows\system32\u92246852.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EQ2SOFT
-------\Service_eq2soft


((((((((((((((((((((((((( Files Created from 2009-01-26 to 2009-02-26 )))))))))))))))))))))))))))))))
.

2009-02-23 09:33 . 2009-02-23 11:40 <DIR> d-------- c:\documents and settings\Diane\.housecall6.6
2009-02-22 11:43 . 2009-02-22 13:29 <DIR> d-------- c:\program files\RegCure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 00:31 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-25 21:14 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-22 19:50 --------- d-----w c:\program files\Coupons
2009-02-22 18:46 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-02-22 18:46 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-22 18:46 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-22 18:46 --------- d-----w c:\program files\Symantec
2009-02-22 18:19 --------- d-----w c:\documents and settings\Diane\Application Data\StarOffice8
2009-02-22 16:42 --------- d-----w c:\documents and settings\Diane\Application Data\U3
2009-02-13 11:26 --------- d-----w c:\program files\Google
2009-01-28 20:25 --------- d-----w c:\program files\Paint Shop Pro 5
2005-10-17 23:51 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-08-21 00:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082020080821\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Update Manager"="c:\program files\Rogers\Update Manager\UpdateManager.exe" [2004-05-27 136992]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-10 339968]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2004-08-06 643072]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-30 192512]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2004-07-28 53248]
"ZoomingHook"="c:\windows\System32\ZoomingHook.exe" [2004-07-14 24576]
"TCtryIOHook"="c:\windows\System32\TCtrlIOHook.exe" [2004-08-05 28672]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-07-20 122939]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 1089589]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 135168]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2006-08-31 448040]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 52840]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NDSTray.exe"="NDSTray.exe" [BU]
"TFncKy"="TFncKy.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 c:\windows\agrsmmsg.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"DJSNetCN"="c:\program files\Common Files\Symantec Shared\DJSNETCN.exe" [2006-02-02 54976]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2004-09-02 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.PVW2"= pvwv220.dll
"VIDC.PIMJ"= pvljpg20.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Diane^Start Menu^Programs^Startup^StarOffice 8.lnk]
path=c:\documents and settings\Diane\Start Menu\Programs\Startup\StarOffice 8.lnk
backup=c:\windows\pss\StarOffice 8.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 101936]
.
Contents of the 'Scheduled Tasks' folder

2009-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-21 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Diane.job
- c:\progra~1\Yahoo!\NAV\Navw32.exe [2007-05-23 12:13]

2009-02-26 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 12:58]

2009-02-22 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 12:58]

2009-02-25 c:\windows\Tasks\User_Feed_Synchronization-{A1705FDD-3F9B-4212-97F6-A46EBCC21049}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ca.yahoo.com/
uInternet Settings,ProxyOverride = *.local
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 19:32:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\CCPROXY.EXE
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Yahoo!\NAV\NAVAPSVC.EXE
c:\program files\Yahoo!\NAV\IWP\NPFMNTOR.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\Apoint2K\ApntEx.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\YOP\secstat.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\windows\system32\msiexec.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-02-25 19:41:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-26 00:41:14
ComboFix2.txt 2009-02-25 21:39:08

Pre-Run: 81,781,403,648 bytes free
Post-Run: 81,787,998,208 bytes free

166 --- E O F --- 2009-02-12 03:39:56











DDS (Ver_09-02-01.01) - NTFSx86
Run by Diane at 19:44:31.34 on 25/02/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.87 [GMT -5:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)
FW: Norton Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ACS.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Yahoo!\NAV\navapsvc.exe
C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\WINDOWS\System32\TCtrlIOHook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\YOP\secstat.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Diane\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ca.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: (@B9560-04F9-4bbc-943D-298DDF1699E1} - No File
BHO: x@38D8D-E480-4D52-B7A2-731BB6995FDD} - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\yahoo!\nav\NavShExt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: °?3D70E-1895-11CF-8E15-001234567890} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Update Manager] "c:\program files\rogers\update manager\UpdateManager.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [ZoomingHook] c:\windows\system32\ZoomingHook.exe
mRun: [TCtryIOHook] c:\windows\system32\TCtrlIOHook.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TFncKy] TFncKy.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
mRun: [YOP] c:\progra~1\yahoo!\yop\yop.exe /autostart
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunServices: [DJSNetCN] c:\program files\common files\symantec shared\DJSNETCN.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5050/mcfscan.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\yahoo!\nav\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;c:\program files\yahoo!\nav\Savrtpel.sys [2005-8-26 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 192104]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2005-9-17 202088]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-17 169576]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\yahoo!\nav\NAVAPSVC.EXE [2006-4-14 139888]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-12-31 1128640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-25 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090225.021\NAVENG.Sys [2009-2-25 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090225.021\NavEx15.Sys [2009-2-25 876144]
S3 SAVScan;Symantec AVScan;c:\program files\yahoo!\nav\SAVScan.exe [2005-8-26 198368]

=============== Created Last 30 ================

2009-02-25 16:20 <DIR> a-dshr-- C:\cmdcons
2009-02-25 16:16 161,792 a------- c:\windows\SWREG.exe
2009-02-25 16:16 98,816 a------- c:\windows\sed.exe
2009-02-23 09:33 <DIR> --d----- c:\documents and settings\diane\.housecall6.6

==================== Find3M ====================

2009-02-22 13:46 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-22 13:46 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-22 13:46 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-22 13:46 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2005-10-17 18:51 32 a----r-- c:\documents and settings\all users\hash.dat
2008-08-20 19:06 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082020080821\index.dat

============= FINISH: 19:45:20.28 ===============

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:59 AM

Posted 25 February 2009 - 08:40 PM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.




NEXT


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Post these logs in your next reply..

1. Malwarebytes'
2. ESET Online Scanner

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 suiycfui

suiycfui
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:08:59 PM

Posted 26 February 2009 - 11:12 AM

Malwarebytes' Anti-Malware 1.34
Database version: 1806
Windows 5.1.2600 Service Pack 3

26/02/2009 9:41:08 AM
mbam-log-2009-02-26 (09-41-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 132254
Time elapsed: 46 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Applications\nxtepad.exe (Hijack.Notepad) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{EFFB8611-C1D0-4C1C-BA9E-6FDA29A9CA30}\RP641\A0086737.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EFFB8611-C1D0-4C1C-BA9E-6FDA29A9CA30}\RP641\A0086738.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EFFB8611-C1D0-4C1C-BA9E-6FDA29A9CA30}\RP641\A0088798.exe (Trojan.Refpron) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EFFB8611-C1D0-4C1C-BA9E-6FDA29A9CA30}\RP641\A0090752.exe (Trojan.Refpron) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EFFB8611-C1D0-4C1C-BA9E-6FDA29A9CA30}\RP641\A0094754.sys (Trojan.Refpron) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EFFB8611-C1D0-4C1C-BA9E-6FDA29A9CA30}\RP641\A0094768.ocx (Adware.Coupons) -> Quarantined and deleted successfully.







# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3891 (20090226)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=605086252b19e74c95d128c0676adb8c
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-02-26 04:08:38
# local_time=2009-02-26 11:08:38 (-0500, Eastern Standard Time)
# country="Canada"
# osver=5.1.2600 NT Service Pack 3
# scanned=283130
# found=4
# scan_time=4443
C:\Qoobox\Quarantine\[4]-Submit_2009-02-25@19.23.zip Win32/PSW.WOW.NIB trojan (deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-Submit_2009-02-25@19.23.zip ╗ZIP ╗u11216562.dll Win32/PSW.WOW.NIB trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-Submit_2009-02-25@19.23.zip ╗ZIP ╗u132234354.dll Win32/PSW.WOW.NIB trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-Submit_2009-02-25@19.23.zip ╗ZIP ╗u92246852.dll Win32/PSW.WOW.NIB trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:59 AM

Posted 26 February 2009 - 01:44 PM

Looks good to me.. Lets do some cleanup...


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
    Please note that the space between combofix and /u is needed

    Posted Image


Please download OTCleanIt and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware



Read these links about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm



Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :thumbup2:



Have a safe and happy computing day!


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 suiycfui

suiycfui
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:08:59 PM

Posted 26 February 2009 - 03:21 PM

Hi -

Yep, seems fine, except that PhotoGallery auto installer is still popping up. Any way I can get rid of it? It won't go away regardless of what I do, and it being there stops the computer from shutting down. (I have to cold boot to restart or shut down.)

#10 suiycfui

suiycfui
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:08:59 PM

Posted 26 February 2009 - 05:48 PM

Hi again -

Actually, it looks like I was able to track down the offending application and remove it. The pop up is no longer here! (YAY!!!)

Many thanks for your time and effort. I can't thank you guys enough for the help I have received.

I think it's safe to close this topic.

Thanks again,

Nick




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users