Unknown redirector/rootkit (ToSeekA?)


This topic is locked
17 replies to this topic

#1 Jongira
Posted 28 March 2009 - 03:02 PM

Hi. I have an unknown redirector or rootkit(?) -- I'm new to the virus world, but am certainly infected.
I read the 'how to post' page, downloaded 'DDS.SCR', but it does not run, just opens in notepad. Does not run from the "Run..." command either. I will post a HiJackThis log at the end of this post.

EDIT: I have attached the DDS.txt and attach.txt (zip) as a reply to this post; I finally got 'DDS.COM' to run.

First symptom was that TOAD for MySQL no longer ran (problem with script engine).
Then I got a popup for "MS antispyware 2009" which installed that program and started running it. I cancelled.
(I run Norton, so I was surprised that anything was installed without my permission.)

Current symptoms:
  • On startup, error message that viewpoint manager has a script error and halted.
  • On startup, error message that google updater 'experienced a problem and needs to close'.
  • System restore does not work.
  • IExplorer keeps restarting, but doesn't show in the taskbar, only in "Windows Task Manager"
  • Malwarebytes won't run, uninstall, or re-install.
  • HiJackThis wouldn't install, until I renamed the install file.
  • ComboFix won't install, even after I renamed the install file.
  • Something keeps adding "C:\WINDOWS\system32\sdra64.exe" to my registry in the key "Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,", even after I delete the "sdra64" part.
  • IExplorer: The old Google system tray utility doesn't display results, just brings up a new instance of IExplorer
  • Task Manager: even when I stop the IExplorer process, it comes back after a while, it doesn't show on screen or in the taskbar, it only shows up in the Task Manager.
  • In Task Manager, the user name wasn't listed in the "user name" column. (This was fixed, see below).
  • IExplorer: running a google search brings up alien search results (ToSeekA after a short redirect stop at windowsclick_com)
  • The Google page looks a little strange, I don't know why, but I think the font is too big.
  • When running IExplorer, there are two instances of IExplorer in the task manager, but only one on screen.
  • Clicking on a IE link shortcut on the desktop brings up the link in IExplorer, but also launches a new instance of IExplorer to Google.
What I know, or have done:
  • I renamed "SDRA64.exe" to "SDRA64.exe DISABLED" in ...\System32. After doing this, the username listings in "Task Manager" re-appeared. I used the Sysinternals process viewer to stop the process, in order to rename the file. It doesn't appear in the Sysinternals listing after reboot, even though the registry entry keeps re-appearing.
  • Windows firewall came up with an advisory that it was disabled. I did not disable it, the virus did that. I re-enabled it, and (so far) it has stayed active.
  • There is no match for "antispyware" in regedit.
  • I ran add/delete on "MS antispyware 2009" and seem to have successfully deleted it.
  • None of these things appear in "hidden drivers": TDSSserv.sys or TDSSxyz.sys where xyz are random characters, msqpdxserv.sys, gaopdxserv.sys, seneka or seneka.sys.
  • There don't appear to be any alien things in start-up in MSCONFIG.
  • Tried to install Malwarebytes Anti-Malware, but it did not install, even after renaming the install file.
  • Ran system restore on a couple of different restore points, all failed.
  • Disabled the viewpoint service in administrative tools.
  • Used HiJackThis to remove this item (which appears to be a redirector?): O17 - HKLM\System\CCS\Services\Tcpip\..\{ABBB001E-8FF0-42DC-8A81-BAF6699EE28C}: NameServer = 68.87.64.146,68.87.75.194 ... But then IExplorer didn't work at all, so I put it back, using the HJT restore function.
  • Spent WAY too much time trying to figure this out on my own... There is so much info on the web! Gave up at 4am, and decided to post here.
Some additional questions which might be related to this (because I'm a newbie at viruses):
  • There are three entries in HJT which say "(no file)". Can I just get rid of them?
  • What is "Bonjour Service" and can I get rid of it? I don't use Extensis Suitcase anymore.
  • Is the scripting failure due to the virus, or another issue entirely? I really need TOAD back!
Thanks so much for any help offered, John

EDIT: I just added, as a reply to this post, the DDS.txt and DDS attach.txt(zip).


HJT log (by HJT, not DDS.scr, because DDS.scr wouldn't run).
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:20 PM, on 3/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Utility\UPHClean\uphclean.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Documents and Settings\astragal\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\astragal\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\astragal\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\astragal\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\astragal\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\astragal\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\OPScan.exe
C:\Utility\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com;localhost;*.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19--442460914.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19--442460914.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll (file missing)
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\Code\ZENDST~1.1\bin\ZENDIE~1.DLL
O3 - Toolbar: NuSphere ToolBar - {0F62D223-9206-4EA3-9EA8-D0F3C7C82ACA} - C:\Code\phped\NuSphereIEBar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\astragal\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: NuSphere PhpED :: Debug this page - res://C:\Code\phped\NuSphereIEBar.dll/1000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Zend Studio - Debug current page - res://C:\Code\ZendStudio-5.5.1\bin\ZendIEToolbar.dll/DebugCurrent.html
O8 - Extra context menu item: Zend Studio - Debug next page - res://C:\Code\ZendStudio-5.5.1\bin\ZendIEToolbar.dll/DebugNext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: StumbleUpon - {75C9223A-409A-4795-A3CA-08DE6B075B4B} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll (file missing)
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\extensis\extensis suitcase 11\bonjour\mdnsnsp.dll' missing
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152213961966
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABBB001E-8FF0-42DC-8A81-BAF6699EE28C}: NameServer = 68.87.64.146,68.87.75.194
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Art\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Nsynas32 - Symantec Corporation - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDExchange - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDExchange.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe

--
End of file - 15564 bytes



Edited by Jongira, 29 March 2009 - 01:31 AM.
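Editor's note: the post above asks three things a log reader can answer mechanically: why sdra64.exe keeps coming back (it is appended to the Winlogon Userinit value, which runs every comma-separated entry at logon), whether the O17 NameServer line is a redirector (the log alone cannot say, and deleting it broke IE for the poster), and whether the "(no file)" entries can simply be removed (they are orphaned registry references). The following script is an added example, not something posted in this thread, and does that triage over a few lines constructed from the poster's HijackThis log. It assumes the Windows directory is C:\WINDOWS, as on the poster's XP machine; the line formats it parses are HijackThis v2.0.2's as shown in the log.

```python
"""Triage a HijackThis log for the items discussed above: the hijacked
Userinit value, hard-coded DNS servers, and orphaned "(no file)" entries.

Added example, not from the original post. The sample lines are constructed
from entries in the posted log; the Windows directory is assumed to be the
XP default (C:\\WINDOWS).
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the poster's HijackThis log, one entry per line.
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,",
    r"O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{ABBB001E-8FF0-42DC-8A81-BAF6699EE28C}: NameServer = 68.87.64.146,68.87.75.194",
    r"O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)",
])


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "F2", "O17", "O23"
    kind: str      # short label used for filtering
    detail: str    # human-readable explanation


_USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)
_NAMESERVER_RE = re.compile(r"^O17 - .*NameServer = ([\d.,\s]+)$")
# HijackThis marks registry entries whose target is gone with "(no file)" or
# "(file missing)"; these are orphaned references, not code that can run.
_ORPHAN_RE = re.compile(r"^(O\d+) - .*\((?:no file|file missing)\)\s*$")


def userinit_extras(value, windir=r"C:\WINDOWS"):
    """Return every Userinit component other than the real userinit.exe.

    Winlogon launches each comma-separated entry at logon, so anything appended
    here (sdra64.exe in the poster's log) is a persistence mechanism.
    """
    legit = (windir + r"\system32\userinit.exe").lower()
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.lower() != legit]


def triage(log_text, windir=r"C:\WINDOWS"):
    """Scan HijackThis log text and return a list of Finding objects."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _USERINIT_RE.match(line)
        if m:
            for extra in userinit_extras(m.group(1), windir):
                findings.append(Finding("F2", "userinit_hijack",
                    "extra Userinit component runs at every logon: " + extra))
            continue
        m = _NAMESERVER_RE.match(line)
        if m:
            servers = [s.strip() for s in m.group(1).split(",") if s.strip()]
            # A hard-coded NameServer may be the ISP's resolvers (as in this
            # thread, where deleting it broke IE) or a DNS hijack. The log alone
            # cannot tell, so report it for verification rather than removal.
            findings.append(Finding("O17", "nameserver_verify",
                "hard-coded DNS servers, verify against ISP before removing: "
                + ", ".join(servers)))
            continue
        m = _ORPHAN_RE.match(line)
        if m:
            findings.append(Finding(m.group(1), "orphaned_entry",
                "registry entry points at a file that is no longer on disk: " + line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.kind}: {f.detail}")
```

Run it as-is and it reports one Userinit hijack (sdra64.exe), one NameServer line to verify, and two orphaned entries (the O2 BHO with no file and the O23 MySQL service whose unquoted path was read as C:\Program.exe). Running it on a full log means pasting the log into a file and calling `triage(open(path).read())`; the Userinit check is the only one that is a verdict on its own, the other two are prompts to look further.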



#2 Jongira
Posted 28 March 2009 - 10:16 PM

Hi. This is an update to my previous post.

First, I found out "dds.com" from another post, and it did run (unlike "dds.scr"). So I'm posting the text and attaching the zip of attach.txt.

Second, I was looking at processes with Sysinternals' Process Explorer, and found this weird thing: \\?\globalroot\systemroot\system32\UACaplvsnfn.dll. When I Google "UACaplvsnfn.dll" I get nothing. But Sysinternals shows that it is a "packed image" (whatever that is), and that it is attached to almost every process. Stranger still, that file ("UACaplvsnfn.dll") does not appear in ...\system32\ at all!


Third, an instance of "IExplorer" recreates itself every 10-20 minutes in Task Manager, and generally interrupts whatever I'm working on. But IE doesn't appear in the taskbar or in the main window, just in Task Manager.

EDIT: Some hours later I got Malwarebytes to run (it's an older version, the new one won't install) by renaming the .exe file. It located two alerts, both referring to the "UAC..." file noted above. I quarantined them, but they seem to have come back. My computer completely hung on reboot (stuck in the "loading your preferences" screen) -- yikes! Fortunately (and after much terror) I could boot into safe mode, and then subsequently into normal mode. But the Malwarebytes "fix" didn't work.


Here is the DDS.txt file (and ATTACH.txt.zip is, well, attached)... THANKS!

DDS (Ver_09-03-16.01) - NTFSx86
Run by Jongira at 22:35:50.57 on Sat 03/28/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.446 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Utility\UPHClean\uphclean.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\astragal\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\astragal\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\astragal\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\astragal\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
uSearch Page = hxxp://www.google.com
uWindow Title = Microsoft Internet Explorer
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uInternet Settings,ProxyOverride = actsvr.comcastonline.com;localhost;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: &Google Notebook: {ccccccd3-666f-4f81-8b69-745de9f6d897} - c:\program files\google\google notebook\gnotes1.0.2.19--442460914.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
TB: Google Notebook: {ccccccdb-4ddb-4703-95d4-dd2c526397bf} - c:\program files\google\google notebook\gnotes1.0.2.19--442460914.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: Zend Studio: {95188727-288f-4581-a48d-eab3bd027314} - c:\code\zendst~1.1\bin\ZENDIE~1.DLL
TB: NuSphere ToolBar: {0f62d223-9206-4ea3-9ea8-d0f3c7c82aca} - c:\code\phped\NuSphereIEBar.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Google Notebook: {ccccccdb-4ddb-4703-95d4-dd2c526397bf} - c:\program files\google\google notebook\gnotes1.0.2.19--442460914.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Google Update] "c:\documents and settings\astragal\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [AcctMgr] "c:\program files\norton systemworks\password manager\AcctMgr.exe" /startup
mRun: [Symantec NetDriver Monitor] "c:\progra~1\symnet~1\SNDMon.exe" /Consumer
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [WheelMouse] c:\program files\a4tech\mouse\Amoumain.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: NoExpandedNewMenu = 1 (0x1)
mPolicies-explorer: RevertWebViewSecurity = 1 (0x1)
IE: &Add animation to IncrediMail Style Box - c:\progra~1\incred~1\bin\resources\WebMenuImg.htm
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: NuSphere PhpED :: Debug this page - c:\code\phped\NuSphereIEBar.dll/1000
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: Zend Studio - Debug current page - c:\code\zendstudio-5.5.1\bin\ZendIEToolbar.dll/DebugCurrent.html
IE: Zend Studio - Debug next page - c:\code\zendstudio-5.5.1\bin\ZendIEToolbar.dll/DebugNext.html
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {75C9223A-409A-4795-A3CA-08DE6B075B4B} - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
Trusted Zone: localhost
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152213961966
DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} - hxxp://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
TCP: {ABBB001E-8FF0-42DC-8A81-BAF6699EE28C} = 68.87.64.146,68.87.75.194
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\astragal\applic~1\mozilla\firefox\profiles\default.5ht\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\astragal\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\astragal\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\opera\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\opera\program\plugins\npmio.dll
FF - plugin: c:\program files\opera\program\plugins\npmusicn.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\norton systemworks\norton antivirus\savrt.sys [2005-4-5 305288]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton systemworks\norton antivirus\savrtpel.sys [2005-4-5 37000]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2005-11-21 33792]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090325.002\NAVENG.Sys [2009-3-25 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090325.002\NavEx15.Sys [2009-3-25 876144]
S1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2004-8-17 11264]
S3 Aspmancs;Aspmancs; [x]
S4 mrtRate;mrtRate; [x]

=============== Created Last 30 ================

2009-03-28 00:23 18,240 a------- C:\move_after.xml
2009-03-28 00:23 18,156 a------- C:\move_before.xml
2009-03-28 00:07 <DIR> --dsh--- c:\windows\system32\lowsec
2009-03-25 03:37 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-03-25 02:23 <DIR> --d----- c:\windows\722C0D0B7ABD4995A43F82FDC15C7939.TMP
2009-03-24 21:52 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-24 21:52 1,409 a------- c:\windows\QTFont.for
2009-03-24 12:43 <DIR> --d----- c:\program files\MSXML 6.0
2009-03-24 11:38 <DIR> --d----- c:\program files\Microsoft
2009-03-24 02:10 <DIR> --d----- c:\program files\MSXML 6(2).0
2009-03-24 02:02 <DIR> --d----- C:\xmlinst

==================== Find3M ====================

2009-03-25 03:36 32,192 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-03-11 15:35 32,192 a------- c:\docume~1\astragal\applic~1\GDIPFONTCACHEV1.DAT
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-01-01 17:52 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-09-28 15:38 305,152 a------- c:\documents and settings\astragal\MB-Screenview.dat
2005-11-02 12:31 24 a------- c:\documents and settings\astragal\mylist.dat
2002-05-12 22:50 95,744 a------- c:\program files\metapad.exe
2005-10-19 20:01 8 ---shr-- c:\windows\system32\01FB7E5099.sys
2004-08-15 00:15 56 ---shr-- c:\windows\system32\5A2617B1D5.sys
2004-08-15 00:38 56 ---shr-- c:\windows\system32\89EDEEAB62.sys
2005-02-22 18:01 56 ---shr-- c:\windows\system32\F1DC128362.sys
2005-10-20 00:04 8 ---shr-- c:\windows\system32\F5B51B3F6F.sys
2008-08-13 00:49 23 a--sh--- c:\windows\system32\fcdcaa_z.dll
2008-06-23 03:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008062320080624\index.dat

============= FINISH: 22:37:25.78 ===============

Edited by Jongira, 29 March 2009 - 01:39 AM.


#3 KoanYorel

KoanYorel
Bleepin' Conundrum

  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 06 April 2009 - 11:09 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 Jongira

Jongira
  • Topic Starter

  • Members
  • 19 posts

Posted 06 April 2009 - 02:06 PM

Hello KoanYorel, thank you for the response. There was a description of my original symptoms in my first post, and the DDS file and attachment in my second post in this thread.

I read more in this site, and decided to run "ComboFix" on my own. It solved the majority of the symptoms. I manually removed the keylogger SDRA64 before running ComboFix.

As per your instructions, I am now posting a new DDS pair, the text below, and the 'attach' file attached. I am also enclosing a .zip of the ComboFix log and list of quarantines. The QOOBOX folder created by ComboFix is still on my computer.

I do not know if my remaining symptoms are related to the virus, or the removing of the virus. My remaining symptoms are:
  • Scripts do not run (for example DDS.SCR will not run, but DDS.COM will).
  • Some software (like TOAD for mySQL) fails because of scripting errors.
  • Log-in Authentication to 'localhost' fails. (I read somewhere that this might be due to scripting).
  • My explorer.exe process is about 60K. In another thread on this forum, folks have said that it should be about 25K.
I noticed that ComboFix removed some MSXML* files (but they were in a 'wrong' directory).

Malwarebytes now does run, and returns no errors. SuperAntiSpyware now runs, and returns no errors. My OLD (2004) Norton did a complete system scan, and found nothing. However, in Norton, if I try to "view reports", I get a program error... which I'll bet is related to the scripting problem.

Here is the NEW dds report (DDS.txt). (As I mentioned, the OLD dds report is in a previous post.)

Thank you so much for your help. I'm guessing I still have a problem; this doesn't look good:
"2005-02-22 18:01 56 ---shr-- c:\windows\system32\F1DC128362.sys"
I really hope to get the scripting problem fixed.

Many thanks for your good work here, especially during the virus outbreak alarm of last week, John

DDS (Ver_09-03-16.01) - NTFSx86
Run by astragal at 14:23:12.73 on Mon 04/06/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.535 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Utility\UPHClean\uphclean.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MySQL\MySQL Tools for 5.0\MySQLSystemTrayMonitor.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\astragal\Desktop\Virus\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uInternet Settings,ProxyOverride = actsvr.comcastonline.com;localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: &Google Notebook: {ccccccd3-666f-4f81-8b69-745de9f6d897} - c:\program files\google\google notebook\gnotes1.0.2.19--442460914.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
TB: Google Notebook: {ccccccdb-4ddb-4703-95d4-dd2c526397bf} - c:\program files\google\google notebook\gnotes1.0.2.19--442460914.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: Zend Studio: {95188727-288f-4581-a48d-eab3bd027314} - c:\code\zendst~1.1\bin\ZENDIE~1.DLL
TB: NuSphere ToolBar: {0f62d223-9206-4ea3-9ea8-d0f3c7c82aca} - c:\code\phped\NuSphereIEBar.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Google Notebook: {ccccccdb-4ddb-4703-95d4-dd2c526397bf} - c:\program files\google\google notebook\gnotes1.0.2.19--442460914.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [AcctMgr] "c:\program files\norton systemworks\password manager\AcctMgr.exe" /startup
mRun: [Symantec NetDriver Monitor] "c:\progra~1\symnet~1\SNDMon.exe" /Consumer
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [WheelMouse] c:\program files\a4tech\mouse\Amoumain.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [PPMemCheck] c:\progra~1\pestpa~1\PPMemCheck.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: NoExpandedNewMenu = 1 (0x1)
mPolicies-explorer: RevertWebViewSecurity = 1 (0x1)
IE: &Add animation to IncrediMail Style Box - c:\progra~1\incred~1\bin\resources\WebMenuImg.htm
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: NuSphere PhpED :: Debug this page - c:\code\phped\NuSphereIEBar.dll/1000
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: Zend Studio - Debug current page - c:\code\zendstudio-5.5.1\bin\ZendIEToolbar.dll/DebugCurrent.html
IE: Zend Studio - Debug next page - c:\code\zendstudio-5.5.1\bin\ZendIEToolbar.dll/DebugNext.html
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {75C9223A-409A-4795-A3CA-08DE6B075B4B} - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
Trusted Zone: localhost
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152213961966
DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} - hxxp://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
TCP: {ABBB001E-8FF0-42DC-8A81-BAF6699EE28C} = 68.87.64.146,68.87.75.194
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\utility\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\utility\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\astragal\applic~1\mozilla\firefox\profiles\default.5ht\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\astragal\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\astragal\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\opera\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\opera\program\plugins\npmio.dll
FF - plugin: c:\program files\opera\program\plugins\npmusicn.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\utility\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\utility\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R1 SAVRT;SAVRT;c:\program files\norton systemworks\norton antivirus\savrt.sys [2005-4-5 305288]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton systemworks\norton antivirus\savrtpel.sys [2005-4-5 37000]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2003-8-14 255648]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2003-8-14 235168]
R2 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton systemworks\norton antivirus\navapsvc.exe [2003-8-17 158848]
R2 SAVScan;SAVScan;c:\program files\norton systemworks\norton antivirus\SAVSCAN.EXE [2003-8-9 194272]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2004-8-14 585728]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2005-11-21 33792]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090401.003\NAVENG.Sys [2009-4-1 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090401.003\NavEx15.Sys [2009-4-1 876144]
S1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2004-8-17 11264]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2003-6-24 66784]
S3 Aspmancs;Aspmancs; [x]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2003-8-14 87712]
S3 NProtectService;Norton Unerase Protection;c:\progra~1\norton~1\norton~2\NPROTECT.EXE [2003-9-10 81920]
S3 SASENUM;SASENUM;c:\utility\superantispyware\SASENUM.SYS [2009-3-23 7408]
S4 mrtRate;mrtRate; [x]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-5 24652]

=============== Created Last 30 ================

2009-03-29 20:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-29 20:43 <DIR> --d----- c:\docume~1\astragal\applic~1\SUPERAntiSpyware.com
2009-03-29 18:39 161,792 a------- c:\windows\SWREG.exe
2009-03-29 18:39 98,816 a------- c:\windows\sed.exe
2009-03-29 18:39 <DIR> --d----- C:\jrKomboFix
2009-03-29 17:55 <DIR> --dshr-- C:\cmdcons
2009-03-29 17:55 <DIR> --d----- c:\windows\setup.pss
2009-03-29 17:54 <DIR> --d----- c:\windows\setupupd
2009-03-28 00:23 18,240 a------- C:\move_after.xml
2009-03-28 00:23 18,156 a------- C:\move_before.xml
2009-03-25 03:37 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-03-25 02:23 <DIR> --d----- c:\windows\722C0D0B7ABD4995A43F82FDC15C7939.TMP
2009-03-24 12:43 <DIR> --d----- c:\program files\MSXML 6.0
2009-03-24 11:38 <DIR> --d----- c:\program files\Microsoft
2009-03-24 02:10 <DIR> --d----- c:\program files\MSXML 6(2).0
2009-03-24 02:02 <DIR> --d----- C:\xmlinst

==================== Find3M ====================

2009-03-30 15:05 32,192 a------- c:\docume~1\astragal\applic~1\GDIPFONTCACHEV1.DAT
2009-03-26 16:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 16:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-25 03:36 32,192 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-01-01 17:52 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-09-28 15:38 305,152 a------- c:\documents and settings\astragal\MB-Screenview.dat
2005-11-02 12:31 24 a------- c:\documents and settings\astragal\mylist.dat
2002-05-12 22:50 95,744 a------- c:\program files\metapad.exe
2005-02-22 18:01 56 ---shr-- c:\windows\system32\F1DC128362.sys
2005-10-20 00:04 8 ---shr-- c:\windows\system32\F5B51B3F6F.sys
2008-08-13 00:49 23 a--sh--- c:\windows\system32\fcdcaa_z.dll
2008-06-23 03:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008062320080624\index.dat

============= FINISH: 14:23:46.51 ===============


#5 PropagandaPanda

PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 06 April 2009 - 02:29 PM

ComboFix log.

ComboFix 09-03-29.02 - astragal 2009-03-29 18:50:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.565 [GMT -4:00]
Running from: c:\documents and settings\astragal\Desktop\Virus\jrKomboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\IE4 Error Log.txt
c:\windows\system32\ban_list.txt
c:\windows\system32\Cache
c:\windows\system32\dbbfdedf_z.dll
c:\windows\system32\drivers\UACusohvwia.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\MabryObj.dll
c:\windows\system32\MScsfn313.1.5.0.dll
c:\windows\system32\system
c:\windows\system32\system\msxml4.dll
c:\windows\system32\system\msxml4r.dll
c:\windows\system32\UACaiclnygl.dll
c:\windows\system32\UACaplvsnfn.dll
c:\windows\system32\UACdsmcuknh.log
c:\windows\system32\UACfqkmsvbr.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACoetfmexv.log
c:\windows\system32\UACqnoqeggi.dll
c:\windows\system32\UACrqoovemg.log
c:\windows\system32\UACuhritqks.dat
c:\windows\system32\UACwgedsdpc.dll
c:\windows\system32\wservice.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

2196-10-05 22:46 . 2196-10-05 22:46 3,120 --a------ c:\windows\MF_C421.lfa
2196-10-05 22:46 . 2196-10-05 22:46 3,120 --a------ c:\windows\MF_C420.lfa
2009-03-28 00:23 . 2009-03-28 00:23 18,240 --a------ C:\move_after.xml
2009-03-28 00:23 . 2009-03-28 00:23 18,156 --a------ C:\move_before.xml
2009-03-25 03:37 . 2009-01-09 15:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-03-25 02:23 . 2009-03-25 02:23 <DIR> d-------- c:\windows\722C0D0B7ABD4995A43F82FDC15C7939.TMP
2009-03-24 21:52 . 2009-03-24 21:52 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-24 21:52 . 2009-03-24 21:52 1,409 --a------ c:\windows\QTFont.for
2009-03-24 12:43 . 2009-03-24 12:43 <DIR> d-------- c:\program files\MSXML 6.0
2009-03-24 11:38 . 2009-03-24 11:38 <DIR> d-------- c:\program files\Microsoft
2009-03-24 02:10 . 2009-03-24 12:43 <DIR> d-------- c:\program files\MSXML 6(2).0
2009-03-24 02:02 . 2009-03-24 12:43 <DIR> d-------- C:\xmlinst
2009-03-23 23:19 . 2009-03-24 13:13 <DIR> d-------- c:\documents and settings\astragal\Application Data\Notepad++

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 05:40 --------- d-----w c:\program files\StartupRun
2009-03-27 21:05 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-25 06:34 --------- d-----w c:\program files\Common Files\Quest Shared
2009-03-25 05:36 --------- d-----w c:\documents and settings\astragal\Application Data\MySQL
2009-03-20 03:41 --------- d-----w c:\program files\Opera
2009-03-11 19:35 32,192 ----a-w c:\documents and settings\astragal\Application Data\GDIPFONTCACHEV1.DAT
2009-03-02 15:47 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-22 01:02 --------- d-----w c:\program files\Guitar Pro 5
2009-02-17 05:40 --------- d-----w c:\program files\Shareaza
2009-02-11 15:11 --------- d-----w c:\documents and settings\astragal\Application Data\Mozilla Embedded Browser
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-01-31 21:07 --------- d-----w c:\program files\Google
2008-01-01 21:52 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-09-28 19:38 305,152 ----a-w c:\documents and settings\astragal\MB-Screenview.dat
2005-11-02 16:31 24 ----a-w c:\documents and settings\astragal\mylist.dat
2002-05-13 02:50 95,744 ----a-w c:\program files\metapad.exe
2005-10-20 00:01 8 --sh--r c:\windows\system32\01FB7E5099.sys
2004-08-15 04:15 56 --sh--r c:\windows\system32\5A2617B1D5.sys
2004-08-15 04:38 56 --sh--r c:\windows\system32\89EDEEAB62.sys
2005-02-22 22:01 56 --sh--r c:\windows\system32\F1DC128362.sys
2005-10-20 04:04 8 --sh--r c:\windows\system32\F5B51B3F6F.sys
2008-08-13 04:49 23 --sha-w c:\windows\system32\fcdcaa_z.dll
2008-06-23 07:07 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008062320080624\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AcctMgr"="c:\program files\Norton SystemWorks\Password Manager\AcctMgr.exe" [2004-08-18 586896]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-08-16 100056]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]
"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2008-03-21 188416]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"RevertWebViewSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoExpandedNewMenu"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.i263"= i263_32.drv
"VIDC.MJPG"= Pvmjpg30.dll
"vidc.XVID"= :xvidvfw.dll
"msacm.enc"= ITIG726.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^astragal^Start Menu^Programs^Startup^Suitcase 11.0.lnk]
path=c:\documents and settings\astragal\Start Menu\Programs\Startup\Suitcase 11.0.lnk
backup=c:\windows\pss\Suitcase 11.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^astragal^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
backup=c:\windows\pss\WinMySQLadmin.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\program files\1&1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\program files\1&1\1&1 EasyLogin

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe]
1&1 EasyLogin HIDE [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 22:46 624248 c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 16:40 1884160 c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CapFax]
--------- 2001-12-10 17:34 20739 c:\program files\Classic PhoneTools\capFax.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-13 14:33 133104 c:\documents and settings\astragal\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 17:22 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
--a------ 2005-10-23 01:00 385024 c:\program files\Syncrosoft\POS\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--------- 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-09-17 01:07 8491008 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 c:\mm\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
--a------ 2002-06-26 17:36 90112 c:\program files\Analog Devices\SoundMAX\SMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-16 21:56 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-01 14:49 36352 c:\audio\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-02 23:38 64512 c:\windows\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Utility\\CuteFTP Pro\\cftppro.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"e:\\Games\\AOE2\\age2_x1\\age2_x1.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\QuoteTracker - small\\stocks.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Utility\\CuteFTP Pro\\TE\\ftpte.exe"=
"c:\\Utility\\eMule\\emule.exe"=
"e:\\Games\\AOE2\\age2_x1\\age2_x1.icd"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"e:\\Mirc\\NICE\\mirc.exe"=
"e:\\Mirc\\JONG\\mirc.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SoundSpectrum\\G-Force\\G-Force Standalone.exe"=
"c:\\Program Files\\SoundSpectrum\\G-Force\\G-Force V-Bar.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Adobe\\Adobe Contribute CS3\\Contribute.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Art\\LightWave\\Programs\\LightWav.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\WINDOWS\\system32\\dmremote.exe"=
"c:\\Program Files\\RedLightCenter\\RedlightCenter\\Redlightcenter.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Art\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"e:\\Mirc\\COBWEB\\mirc.exe"=
"c:\\Audio\\Winamp\\winamp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\Games\\Worms World Party\\wwp.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Code\\ZendStudio-5.5.1\\jre\\bin\\javaw.exe"=
"c:\\Code\\Toad for MySQL\\Toad.exe"=
"c:\\Code\\phped\\debugger\\DbgListener.exe"=
"c:\\Code\\phped\\Srv.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\astragal\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\astragal\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Code\\SQL Maestro for MySQL\\mymaestro.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6363:TCP"= 6363:TCP:shareaza
"3703:TCP"= 3703:TCP:*:Disabled:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:*:Disabled:Adobe Version Cue CS3 Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3306:TCP"= 3306:TCP:mySQL

R1 Asapi;Asapi; [x]
R3 Aspmancs;Aspmancs; [x]
R3 NProtectService;Norton Unerase Protection;c:\progra~1\NORTON~1\NORTON~2\NPROTECT.EXE [2003-09-10 81920]
R4 mrtRate;mrtRate; [x]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 CLEDX;Team H2O CLEDX service;c:\windows\system32\DRIVERS\cledx.sys [2005-10-23 33792]


--- Other Services/Drivers In Memory ---

*Deregistered* - 6to4
*Deregistered* - a347bus
*Deregistered* - a347scsi
*Deregistered* - AFD
*Deregistered* - Amfilter
*Deregistered* - atapi
*Deregistered* - AudioSrv
*Deregistered* - Automatic LiveUpdate Scheduler
*Deregistered* - Beep
*Deregistered* - ccEvtMgr
*Deregistered* - ccSetMgr
*Deregistered* - Cdfs
*Deregistered* - CLEDX
*Deregistered* - CryptSvc
*Deregistered* - ctsfm2k
*Deregistered* - DcomLaunch
*Deregistered* - DefragFS
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ElbyCDIO
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - IISADMIN
*Deregistered* - IntelIde
*Deregistered* - ip6fw
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LVUSBSta
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxSmb
*Deregistered* - MSDTC
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - navapsvc
*Deregistered* - NAVENG
*Deregistered* - NAVEX15
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - ossrv
*Deregistered* - PartMgr
*Deregistered* - PCIIde
*Deregistered* - PCLEPCI
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RpcLocator
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SAVRT
*Deregistered* - SAVRTPEL
*Deregistered* - SAVScan
*Deregistered* - SBService
*Deregistered* - Schedule
*Deregistered* - Secdrv
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - SiFilter
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - Symantec Core LC
*Deregistered* - SymEvent
*Deregistered* - symlcbrd
*Deregistered* - SYMTDI
*Deregistered* - SymWSC
*Deregistered* - Tcpip
*Deregistered* - Tcpip6
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - tunmp
*Deregistered* - Update
*Deregistered* - UPHClean
*Deregistered* - uphcleanhlp
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WIBUKEY
*Deregistered* - winmgmt
*Deregistered* - wuauserv
.
Contents of the 'Scheduled Tasks' folder

2009-03-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 13:01]

2009-03-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-2147205427-725345543-1003.job
- c:\documents and settings\astragal\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-13 14:33]

2007-04-22 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2003-12-04 18:22]

2007-09-18 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2003-09-10 04:48]

2007-04-22 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1124506028\ee\AOLHostManager.exe
MSConfigStartUp-LDM - c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
MSConfigStartUp-RunSpellCheckAnywhere - c:\program files\Spell Check Anywhere\sa.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
MSConfigStartUp-WService - WService.EXE


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uInternet Settings,ProxyOverride = actsvr.comcastonline.com;localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Add animation to IncrediMail Style Box - c:\progra~1\INCRED~1\bin\resources\WebMenuImg.htm
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: NuSphere PhpED :: Debug this page - c:\code\phped\NuSphereIEBar.dll/1000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
IE: Zend Studio - Debug current page - c:\code\ZendStudio-5.5.1\bin\ZendIEToolbar.dll/DebugCurrent.html
IE: Zend Studio - Debug next page - c:\code\ZendStudio-5.5.1\bin\ZendIEToolbar.dll/DebugNext.html
Trusted Zone: localhost
TCP: {ABBB001E-8FF0-42DC-8A81-BAF6699EE28C} = 68.87.64.146,68.87.75.194
FF - ProfilePath - c:\documents and settings\astragal\Application Data\Mozilla\Firefox\Profiles\default.5ht\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\astragal\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\astragal\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Opera\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\Opera\program\plugins\npmio.dll
FF - plugin: c:\program files\Opera\program\plugins\npmusicn.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 19:00:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1343024091-2147205427-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{68CA6530-C78E-1FB4-A4E9-EF6FFC9C43EC}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oapinclohemioobidpdlamjklkkpkp"=hex:6a,61,6d,6e,6f,64,6f,6e,65,64,67,6c,65,63,
6e,6b,67,6c,69,66,00,00
"najjdgmoomejgcimddlbmcbhhioc"=hex:6a,61,6d,6e,6f,64,6f,6e,65,64,67,6c,65,63,
6e,6b,67,6c,69,66,00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{057AFF8E-18BB-3F80-364CCC2831522BE6}\{99AD5AFA-2676-F639-545B2C570527D246}\{9515C81F-50C9-6ACD-17AF77618A15A8EB}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,99,f3,3e,
5a,2c,9e,f4,a3,4e,e2,85,ad,2b,f5,9b,29,5a,03,c0,c9,4f,ac,30,a1,b8,fa,0d,8a,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1036D5BA-CA0B-6EFB-A816166A3C4364C2}\{9AB25E74-55C5-EF48-A2C588CFA5A2438C}\{DC8259A3-8AE9-348D-2F7CC1007F2DBE93}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,99,f3,3e,
5a,2c,9e,f4,a3,4e,e2,85,ad,2b,f5,9b,29,5a,03,c0,c9,4f,ac,30,a1,b8,fa,0d,8a,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{18E09523-0BB1-0E75-6B141AE958ABE9E7}\{8E8BA3D9-389B-9F43-3B5B6490B54F898E}\{0E0922CC-9ECE-C3AB-5B05A5FA1997F2CA}*]
"VBOGEGOY1DKTBDELSVQBDYRDXB1"=hex:01,00,01,00,00,00,00,00,d4,b3,d7,da,ae,5a,86,
f1,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{207A1422-7CE2-3F0D-CB0619EAC3E5A348}\{36711064-4D57-673B-128E50084FEF4668}\{C13F5A8B-0B9D-FCC2-F6ECFF62882D3E51}*]
"VBOGEGOY1DKTBDELSVQBDYRDXB1"=hex:01,00,01,00,00,00,00,00,d4,b3,d7,da,ae,5a,86,
f1,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{25A785AE-3892-CA84-EA9A006458EDF41F}\{C494D2DB-9D8B-1943-CDB4B7EB0238E0C7}\{76739E62-5E8B-35F4-1BE90E5C477012C5}*]
"VBOGEGOY1DKTBDELSVQBDYRDXB1"=hex:01,00,01,00,00,00,00,00,d4,b3,d7,da,ae,5a,86,
f1,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{44034FD7-1AAB-56DE-05376226E3E18762}\{E5927D01-F17A-5508-2A74EFC6C5188D90}\{F4E471EB-CB8D-E257-550ABC7FEB789AD1}*]
"VBOGEGOY1DKTBDELSVQBDYRDXB1"=hex:01,00,01,00,00,00,00,00,d4,b3,d7,da,ae,5a,86,
f1,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,ce,31,8a,fd,95,
e4,5c,17,e2,63,26,f1,3f,c8,ff,68,41,78,54,6b,cb,25,73,5e,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5E0963E7-CF46-1B5D-310DACB8805375B2}\{86E3B77C-EAE1-9D87-4C70ABEC16202E62}\{393DA271-51DF-0FF7-C96F576EB71CB867}*]
"VBOGEGOY1DKTBDELSVQBDYRDXB1"=hex:01,00,01,00,00,00,00,00,d4,b3,d7,da,ae,5a,86,
f1,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,9b,59,c3,41,52,
4f,01,8c,6a,9c,d6,61,af,45,84,18,38,bb,d5,45,c2,68,70,5c,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:7a,45,05,fd,91,e8,6f,31,4f,11,7e,eb,b8,
2f,08,88,ff,7c,85,e0,43,d4,0e,fe,e7,38,ef,42,95,63,97,c3,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,77,a0,30,c6,97,
a3,3d,b4,86,8c,21,01,be,91,eb,e7,ba,33,a5,03,1a,41,48,16,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{79DD782F-DD9B-90C8-01AB82140B2B65EB}\{DE7D83BF-EB3B-F5D9-D52C430ACBAFB5F9}\{D743F1FE-35C6-E579-63E67F5CCF1E1FA7}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,99,f3,3e,
5a,2c,9e,f4,a3,4e,e2,85,ad,2b,f5,9b,29,5a,03,c0,c9,4f,ac,30,a1,b8,fa,0d,8a,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,0a,d3,3d,1f,ab,
4e,77,aa,f5,1d,4d,73,a8,13,5c,05,1d,83,69,e8,ac,fb,66,38,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8AC0FFDC-D68A-4D5F-75BF0D842EDCB137}\{3647E330-7B13-5DC9-623E15C2DE512604}\{FDA52484-33A0-4DF1-40A7FB2F70E68E7D}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,99,f3,3e,
5a,2c,9e,f4,a3,4e,e2,85,ad,2b,f5,9b,29,5a,03,c0,c9,4f,ac,30,a1,b8,fa,0d,8a,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{93E6CEFD-CA56-59D1-C6A1E22689695F47}\{E62B984B-3624-15D7-6BC3102B23FA8A76}\{D0F98AA7-EDD9-94A9-9F817DE029F1BE16}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,99,f3,3e,
5a,2c,9e,f4,a3,4e,e2,85,ad,2b,f5,9b,29,5a,03,c0,c9,4f,ac,30,a1,b8,fa,0d,8a,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,aa,33,c2,dc,08,
b0,f7,6b,df,20,58,62,78,6b,cf,c8,4e,9e,52,48,ec,c0,a7,1c,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{969D404C-EC53-A9AF-A02B8ED8C194B4B8}\{49CEC6C1-E90A-6C40-7DC9D5345834AD37}\{B3C560DA-C3C9-1298-A5CC78F93CD65657}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,99,f3,3e,
5a,2c,9e,f4,a3,4e,e2,85,ad,2b,f5,9b,29,5a,03,c0,c9,4f,ac,30,a1,b8,fa,0d,8a,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,a1,76,15,3f,16,
b6,dd,6c,fb,a7,78,e6,12,2f,9a,ea,e2,c6,0d,83,3a,45,f8,77,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AD7DA6D0-C8A5-2AB7-AFAFBAF6CCA2EFA4}\{BFF22B84-84BD-C376-CF902D4CFF2D2B8A}\{C30500AE-8022-F8A1-791309212C4775E7}*]
"VBOGEGOY1DKTBDELSVQBDYRDXB1"=hex:01,00,01,00,00,00,00,00,d4,b3,d7,da,ae,5a,86,
f1,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:0f,4d,96,3e,c0,7c,85,45,0e,5b,3c,81,b6,0c,25,15,c7,75,7b,e1,46,
d3,37,bd,a2,6d,11,61,88,6d,80,84,ee,cf,92,d4,45,9a,15,cb,d0,a5,b0,94,73,60,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C18DDE7F-B01D-EC05-6A16D6A2450CCC27}\{CFCDBF00-A36B-6669-7EDDA0E076477353}\{70254CBA-F98D-F660-E5E1D86F3471B9F7}*]
"VBOGEGOY1DKTBDELSVQBDYRDXB1"=hex:01,00,01,00,00,00,00,00,d4,b3,d7,da,ae,5a,86,
f1,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,5a,39,18,cc,e1,
94,a1,f6,01,3a,48,fc,e8,04,4a,f1,82,29,83,2f,7d,40,7b,d2,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,32,08,98,2a,15,
8c,c3,d7,f6,0f,4e,58,98,5b,89,c9,25,df,65,00,2e,63,32,b1,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,c6,b7,fc,83,a7,
37,e8,bc,3d,ce,ea,26,2d,45,aa,78,37,32,9f,41,5c,1f,78,77,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F64D8EBD-3DAE-BD3C-0991ACE292CAB5ED}\{17BB8CA8-D706-1AC7-CFA17C6657F849D4}\{8429EDDF-869B-0FCF-6695830B33322B0A}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,99,f3,3e,
5a,2c,9e,f4,a3,4e,e2,85,ad,2b,f5,9b,29,5a,03,c0,c9,4f,ac,30,a1,b8,fa,0d,8a,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,92,90,89,cd,fd,
48,eb,67,2a,b7,cc,b5,b9,7f,41,e7,8b,2c,6d,d9,31,77,a6,50,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:05,73,21,dd,54,d8,4a,c5,44,28,28,9b,94,
97,15,38,6c,43,2d,1e,aa,22,2f,9c,92,e1,1e,0f,d6,06,73,36,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:0f,4d,96,3e,c0,7c,85,45,0e,5b,3c,81,b6,0c,25,15,c7,75,7b,e1,46,
d3,37,bd,a2,6d,11,61,88,6d,80,84,ee,cf,92,d4,45,9a,15,cb,d0,a5,b0,94,73,60,\
.
Completion time: 2009-03-29 19:08:27
ComboFix-quarantined-files.txt 2009-03-29 23:06:55

Pre-Run: 21,878,374,400 bytes free
Post-Run: 22,068,129,792 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
558 --- E O F --- 2009-03-25 16:58:53

#6 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 06 April 2009 - 02:33 PM

Hello.

ComboFix had removed a nasty infection.

Backdoor Threat
I'm sorry to say that your computer was infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.


Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

With Regards,
The Panda

#7 Jongira
  • Topic Starter
  • Members
  • 19 posts

Posted 06 April 2009 - 08:26 PM

Hi Panda, and thanks for your help.

I have enclosed the GMER log. Do you have any thoughts on the two issues in my last post (that strange key, and about scripting)?

Thanks again for helping me with this. - J

Attached Files



#8 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 07 April 2009 - 07:17 AM

Hello.

The Userinit value was being modified by an infection.

I don't think the "script" problems are being caused by malware. DDS runs the same way regardless of how it is named.

Submit File Sample
  • Open the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/t/214756/unknown-redirectorrootkit-toseeka/
  • Under Browse to the file you want to submit, input:
    c:\windows\system32\F1DC128362.sys
  • Under the comments section, say that Panda asked for the submission.
Update Java to Version 6 Update 13
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer here. Choose "Windows".

Delete the installer after use.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

Also take a new DDS.txt log after please.

With Regards,
The Panda

#9 Jongira

  • Topic Starter

Posted 07 April 2009 - 05:10 PM

Hi Panda. This is weird, my last reply didn't post. Oh well.
Thanks for all your help to date!

I uploaded two files to the file scan link you provided.

I ran Kaspersky, and it found many infected files, but it appears that all the files it found were in Norton Quarantine (how do I empty Norton Quarantine, anyway?).

I ran DDS. Attaching the files.

In the DDS, there are entries in IE that say "no file". Can I safely delete these with HijackTHis?

In the DDS, there are entries for "incredimail" and "stumble upon". Those programs are long gone. Can I safely delete the entries shown for them?

I worry about this entry:
2008-08-13 00:49 23 a--sh--- c:\windows\system32\fcdcaa_z.dll
A Google search returns nothing for fcdaa or fdcaa_z.

Thanks again for your help. :thumbup2:

DDS (Ver_09-03-16.01) - NTFSx86
Run by astragal at 15:20:32.07 on Tue 04/07/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.527 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Utility\UPHClean\uphclean.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\OPScan.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcrobatInfo.exe
C:\Documents and Settings\astragal\Desktop\Virus\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uInternet Settings,ProxyOverride = actsvr.comcastonline.com;localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: &Google Notebook: {ccccccd3-666f-4f81-8b69-745de9f6d897} - c:\program files\google\google notebook\gnotes1.0.2.19--442460914.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
TB: Google Notebook: {ccccccdb-4ddb-4703-95d4-dd2c526397bf} - c:\program files\google\google notebook\gnotes1.0.2.19--442460914.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: Zend Studio: {95188727-288f-4581-a48d-eab3bd027314} - c:\code\zendst~1.1\bin\ZENDIE~1.DLL
TB: NuSphere ToolBar: {0f62d223-9206-4ea3-9ea8-d0f3c7c82aca} - c:\code\phped\NuSphereIEBar.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Google Notebook: {ccccccdb-4ddb-4703-95d4-dd2c526397bf} - c:\program files\google\google notebook\gnotes1.0.2.19--442460914.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [AcctMgr] "c:\program files\norton systemworks\password manager\AcctMgr.exe" /startup
mRun: [Symantec NetDriver Monitor] "c:\progra~1\symnet~1\SNDMon.exe" /Consumer
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [WheelMouse] c:\program files\a4tech\mouse\Amoumain.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [PPMemCheck] c:\progra~1\pestpa~1\PPMemCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: NoExpandedNewMenu = 1 (0x1)
mPolicies-explorer: RevertWebViewSecurity = 1 (0x1)
IE: &Add animation to IncrediMail Style Box - c:\progra~1\incred~1\bin\resources\WebMenuImg.htm
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: NuSphere PhpED :: Debug this page - c:\code\phped\NuSphereIEBar.dll/1000
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: Zend Studio - Debug current page - c:\code\zendstudio-5.5.1\bin\ZendIEToolbar.dll/DebugCurrent.html
IE: Zend Studio - Debug next page - c:\code\zendstudio-5.5.1\bin\ZendIEToolbar.dll/DebugNext.html
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {75C9223A-409A-4795-A3CA-08DE6B075B4B} - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
Trusted Zone: localhost
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152213961966
DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} - hxxp://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {ABBB001E-8FF0-42DC-8A81-BAF6699EE28C} = 68.87.64.146,68.87.75.194
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\utility\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\utility\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\astragal\applic~1\mozilla\firefox\profiles\default.5ht\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\astragal\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\astragal\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\opera\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\opera\program\plugins\npmio.dll
FF - plugin: c:\program files\opera\program\plugins\npmusicn.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\utility\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\utility\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R1 SAVRT;SAVRT;c:\program files\norton systemworks\norton antivirus\savrt.sys [2005-4-5 305288]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton systemworks\norton antivirus\savrtpel.sys [2005-4-5 37000]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2003-8-14 255648]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2003-8-14 235168]
R2 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton systemworks\norton antivirus\navapsvc.exe [2003-8-17 158848]
R2 SAVScan;SAVScan;c:\program files\norton systemworks\norton antivirus\SAVSCAN.EXE [2003-8-9 194272]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2004-8-14 585728]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2005-11-21 33792]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090401.003\NAVENG.Sys [2009-4-1 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090401.003\NavEx15.Sys [2009-4-1 876144]
S1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2004-8-17 11264]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2003-6-24 66784]
S3 Aspmancs;Aspmancs; [x]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2003-8-14 87712]
S3 NProtectService;Norton Unerase Protection;c:\progra~1\norton~1\norton~2\NPROTECT.EXE [2003-9-10 81920]
S3 SASENUM;SASENUM;c:\utility\superantispyware\SASENUM.SYS [2009-3-23 7408]
S4 mrtRate;mrtRate; [x]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-5 24652]

=============== Created Last 30 ================

2009-04-07 10:32 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-07 10:32 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-29 20:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-29 20:43 <DIR> --d----- c:\docume~1\astragal\applic~1\SUPERAntiSpyware.com
2009-03-29 18:39 161,792 a------- c:\windows\SWREG.exe
2009-03-29 18:39 98,816 a------- c:\windows\sed.exe
2009-03-29 18:39 <DIR> --d----- C:\jrKomboFix
2009-03-29 17:55 <DIR> --dshr-- C:\cmdcons
2009-03-29 17:55 <DIR> --d----- c:\windows\setup.pss
2009-03-29 17:54 <DIR> --d----- c:\windows\setupupd
2009-03-28 00:23 18,240 a------- C:\move_after.xml
2009-03-28 00:23 18,156 a------- C:\move_before.xml
2009-03-25 03:37 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-03-25 02:23 <DIR> --d----- c:\windows\722C0D0B7ABD4995A43F82FDC15C7939.TMP
2009-03-24 12:43 <DIR> --d----- c:\program files\MSXML 6.0
2009-03-24 11:38 <DIR> --d----- c:\program files\Microsoft
2009-03-24 02:10 <DIR> --d----- c:\program files\MSXML 6(2).0
2009-03-24 02:02 <DIR> --d----- C:\xmlinst

==================== Find3M ====================

2009-03-30 15:05 32,192 a------- c:\docume~1\astragal\applic~1\GDIPFONTCACHEV1.DAT
2009-03-26 16:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 16:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-25 03:36 32,192 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-01-01 17:52 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-09-28 15:38 305,152 a------- c:\documents and settings\astragal\MB-Screenview.dat
2005-11-02 12:31 24 a------- c:\documents and settings\astragal\mylist.dat
2002-05-12 22:50 95,744 a------- c:\program files\metapad.exe
2005-02-22 18:01 56 ---shr-- c:\windows\system32\F1DC128362.sys
2005-10-20 00:04 8 ---shr-- c:\windows\system32\F5B51B3F6F.sys
2008-08-13 00:49 23 a--sh--- c:\windows\system32\fcdcaa_z.dll
2008-06-23 03:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008062320080624\index.dat

============= FINISH: 15:21:22.79 ===============



Attached File  DDS3.txt   16.14KB   21 downloads
Attached File  kapersky_4_7_09.txt   16.88KB   21 downloads

Edited by PropagandaPanda, 08 April 2009 - 07:12 AM.


#10 PropagandaPanda

  • Malware Response Team

Posted 07 April 2009 - 05:48 PM

Hello.

To empty the quarantine, simply delete the files under this folder:
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\

The incredimail items are browser buttons. These can be safely removed.

Please point out where the "stumble upon" items are.

In the DDS, there are entries in IE that say "no file". Can I safely delete these with HijackTHis?

I am actually working on a script to remove these kinds of entries. Let's try using it, if you don't mind.

I worry about this entry:
2008-08-13 00:49 23 a--sh--- c:\windows\system32\fcdcaa_z.dll
A Google search returns nothing for fcdaa or fdcaa_z.

Though the file is suspicious in that it returns no results, it is too small (only 23 bytes) to contain a program, so there's no need to worry about it.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.

Do not use the NTREGOPT that comes with the installation package.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. If you are using Windows Vista, right click the icon and select "Run As Administrator." Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes only if you are using Windows XP. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished, you may remove ERUNT using Add/Remove Programs.

Please download the attachment to this post. Extract the file Remove Orphans.vbs. Double click the vbs file. Post back with the log created please.


With Regards,
The Panda
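
The two checks the Panda describes above (IE extensions registered against a DLL that no longer exists, and a hidden system32 file far too small to be a program) can be made mechanical. The script below is an added example, not the Remove Orphans.vbs from this thread and not part of DDS: it parses lines in the format DDS prints, flags "No File" BHO/toolbar/explorer-bar entries as orphans, and flags hidden+system files whose size is below the 64-byte IMAGE_DOS_HEADER, the smallest thing a PE image can be. The sample lines are copied from the DDS output posted above; nothing is read from a live system.

```python
"""Triage a DDS log offline: orphaned IE extensions and tiny hidden files.

Added example (assumed DDS line formats as seen in the thread); it does not
touch the registry or the file system, it only reads log text.
"""
import re

# IMAGE_DOS_HEADER is 64 bytes; a file shorter than that cannot be a PE image.
DOS_HEADER_SIZE = 64

# Pseudo-HJT section lines:  BHO: <name>: {CLSID} - <dll path | No File>
HJT_RE = re.compile(
    r"^(?P<kind>BHO|TB|EB): (?:(?P<name>.*?): )?"
    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$"
)
# Find3M / Created-last-30 lines:  <date> <time> <size> <attrs> <path>
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Constructed sample: lines taken from the DDS log quoted in this thread.
SAMPLE_DDS = r"""
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2005-02-22 18:01 56 ---shr-- c:\windows\system32\F1DC128362.sys
2005-10-20 00:04 8 ---shr-- c:\windows\system32\F5B51B3F6F.sys
2008-08-13 00:49 23 a--sh--- c:\windows\system32\fcdcaa_z.dll
"""
SAMPLE_LINES = SAMPLE_DDS.strip().splitlines()


def parse_hjt_entries(lines):
    """Yield one dict per BHO/TB/EB line (kind, name, clsid, target)."""
    for line in lines:
        m = HJT_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_orphans(lines):
    """Return (kind, CLSID) for IE extensions whose backing DLL is gone.

    These are the entries a cleanup script would delete from the registry;
    they cannot load anything, so they are leftovers rather than threats.
    """
    return [
        (e["kind"], e["clsid"].upper())
        for e in parse_hjt_entries(lines)
        if e["target"].strip().lower() == "no file"
    ]


def parse_file_entries(lines):
    """Yield one dict per file-listing line, with size as an int."""
    for line in lines:
        m = FILE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"].replace(",", ""))
            yield entry


def find_hidden_system_files(lines):
    """Flag files carrying both the hidden (h) and system (s) attributes.

    can_be_pe is False when the file is smaller than a DOS header, i.e. it
    cannot be loadable code no matter what its extension says.
    """
    hits = []
    for f in parse_file_entries(lines):
        attrs = f["attrs"]
        if "h" in attrs and "s" in attrs and "d" not in attrs:
            hits.append({
                "path": f["path"],
                "size": f["size"],
                "can_be_pe": f["size"] >= DOS_HEADER_SIZE,
            })
    return hits


if __name__ == "__main__":
    for kind, clsid in find_orphans(SAMPLE_LINES):
        print(f"orphan {kind}: {{{clsid}}}")
    for hit in find_hidden_system_files(SAMPLE_LINES):
        verdict = "could be a PE image" if hit["can_be_pe"] else "too small to be a PE image"
        print(f"hidden+system {hit['path']} ({hit['size']} bytes): {verdict}")
```

The size test is a quick filter, not a clean bill of health: a few-byte hidden file can still be a marker or configuration stub for something else, so the path and timestamp are worth keeping in the notes even when can_be_pe is False.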

#11 Jongira

  • Topic Starter

Posted 07 April 2009 - 08:56 PM

Hi Panda. It was a little scary to be a guinea pig for your script, but I went for it.

(of course it triggered a "malicious script" warning in Norton, you might want to warn and comfort people about that :thumbup2: )

Your script caught the "Stumble Upon" Error! (I'm posting the log below).

I'm glad it removed Bonjour (but the Bonjour service is still listed in Admin/Services, even though I uninstalled it... I set it to "disabled").

Please verify I don't need the Pcouffin thing, "low level driver" sounds important, but, as your script notes, there's no file. The Pcouffin didn't even show up in the DDS log (that I saw, anyway).

Pretty cool work, on that script. Gratz.

Thanks for your help again. What next?

////////Orphans\\\\\\\\
Microsoft Windows XP Professional 5.1.2600.3 (2009-4-7 21:48)

BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
mTB: (StumbleUpon Toolbar) - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll (file missing)
uTB: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
uTB: (no name) - ITBarLayout - (no file)
SRV: S4: Bonjour Service;Bonjour Service;"C:\Program Files\Extensis\Extensis Suitcase 11\Bonjour\mDNSResponder.exe" (*file not found)
DRV: S3: Pcouffin;Low level access layer for CD devices;C:\WINDOWS\system32\Drivers\Pcouffin.sys (*file not found)

Entries marked by '*' were not removed.

#12 PropagandaPanda

  • Malware Response Team

Posted 08 April 2009 - 07:22 AM

Hello.

Thank you for taking the time to help test it. Caught a small bug which is now fixed.

All the items listed will not cause a problem. Windows doesn't care about services whose files are missing. When programs are uninstalled, some leftovers often remain.

Looks good. Unless there are any issues, we can wrap up.

Download and Run OTCleanIt
This program will remove the tools we have used.
  • Download OTCleanIt by OldTimer to your desktop.
  • Double click OTCleanIt.exe to start the program.
  • Click the big CleanUp! button.
  • When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
Delete the file after use, if it did not delete itself.

Set New System Restore Point
Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Remove ERUNT Backups
You should remove all the backups that ERUNT has made. Those backups may contain old registry keys, possibly those created by malware.

Delete everything under:
C:\WINDOWS\erdnt\

ERUNT will automatically remove backups older than 30 days, so there is no need to clear that folder manually in the future.

It is a good idea to have ERUNT installed, even when you are not infected. Tasks like installing programs and changing settings, which involve working with the registry, can cause problems that can be quickly undone by reverting to a backup. However, if you wish to uninstall the program, do so using Add/Remove Programs

Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda

#13 Jongira

  • Topic Starter

Posted 08 April 2009 - 01:10 PM

Hello Panda (I think of you as "Protector Panda" more than "Propaganda Panda").

I ran the cleaner, made a sysrestore point called "after Panda", and am ready to rock.

I have some questions, if you have time.

In the DDS log there are references to UACd* in "Control Set 001" and "Control Set 002". There are new Control Sets 004 and 005. I think these were created by combo fix.
In Regedit, I cannot delete the keys in Control Sets 1 and 2 (right click to look at permissions, and there are no permissions listed at all).
Should I worry about this? If so, How do I fix it?

Second, when I run "netstat -a" I get an entry:
TCP woods:1067 network-209-62-190-11.doubleclick.net:http ESTABLISHED
I know it's not a virus, it's just an annoyance. But should it be there? How do I stop it?

Third, I have many drives. Can i just turn off/ turn on system restore as detailed here:
http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/
To clear out all the restore information, then set a new restore point? Or do i have to repeat that Cleanmgr command on each drive?
Cleanmgr takes forever when scanning a 500 Gig drive!

Finally, I have installed "SuperAntiSpyware" "Ad-aware" "CCcleaner" "MalwareBytes" "SpyBot" at various times.
Which of these (or similar programs) is best? How much do they overlap? Should I get rid of them now?
I do run an Updated Norton (I pay for it, so wtf did I get the virus in the first place? grr.) and automatically update the system from MS.

Thanks again, and again, John

#14 PropagandaPanda

  • Malware Response Team

Posted 08 April 2009 - 03:10 PM

Hello John.

Thanks for the kind words.

In the DDS log there are references to UACd* in "Control Set 001" and "Control Set 002". There are new Control Sets 004 and 005. I think these were created by combo fix.
In Regedit, I cannot delete the keys in Control Sets 1 and 2 (right click to look at permissions, and there are no permissions listed at all).

The items in ControlSets other than CurrentControlSet are not active. These are loaded when a critical system driver fails, or when you select the Last Known Configuration option during boot due to Windows not being bootable. You don't need to worry about these.

Second, when I run "netstat -a" I get an entry:
TCP woods:1067 network-209-62-190-11.doubleclick.net:http ESTABLISHED

Does the information here look familiar at all? If you don't mind me asking, could you tell me where you are located?

Third, I have many drives. Can i just turn off/ turn on system restore as detailed here:

That works fine as well.

We usually ask to use the cleanmgr because it removes files that may be left in the temporary folders.

Finally, I have installed "SuperAntiSpyware" "Ad-aware" "CCcleaner" "MalwareBytes" "SpyBot" at various times.
Which of these (or similar programs) is best? How much to they overlap? Should I get rid of them now?

All antimalware programs will have some overlap. SAS and AdAware are good general scanners, while SpyBot's TeaTimer provides realtime intrusion protection. Your protection looks solid.

The best protection is good habits in my opinion. Some of the links I provided in my previous post have some specifics.

One thing I would definitely suggest you add is the MVPS hosts file. This custom hosts file blocks out the domains of many malicious websites. You can install the hosts file referring to the directions given here.

With Regards,
The Panda
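
A hosts file only affects name resolution, and only for the exact hostnames listed in it, so it pays to check what an entry will and will not do before relying on it against something seen in netstat. The script below is an added example, not from this thread or from the MVPS project: it parses a hosts file in the MVPS style (0.0.0.0 sinkhole entries), parses netstat -a output, and reports for each foreign host whether an exact entry blocks it, whether only a parent domain is listed (which blocks nothing, since hosts entries do not cover subdomains), or whether it is unlisted. The hosts lines and the netstat lines are constructed for the example; the first netstat line is the one posted above.

```python
"""Check netstat foreign hosts against a hosts-file blocklist (offline).

Added example; the hosts entries below are illustrative, not the MVPS file.
"""
import re

# Addresses a hosts-file blocklist points names at to sink them.
SINKHOLES = {"0.0.0.0", "127.0.0.1"}

# Constructed sample hosts file, MVPS style.
SAMPLE_HOSTS = """
# comment line
127.0.0.1 localhost
0.0.0.0 doubleclick.net
0.0.0.0 ad.doubleclick.net  # inline comment
0.0.0.0 www.example-ads.test
"""

# Constructed netstat -a output; the first TCP line is from the thread.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    woods:1067             network-209-62-190-11.doubleclick.net:http  ESTABLISHED
  TCP    woods:1068             ad.doubleclick.net:http  ESTABLISHED
  TCP    woods:135              woods:0                LISTENING
"""

NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>\S+))?\s*$"
)


def parse_hosts(text):
    """Map each hostname in a hosts file to the address it resolves to."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:                     # one line may list several names
            mapping[name.lower()] = ip
    return mapping


def parse_netstat(text):
    """Return one dict per connection line of netstat -a output."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue                           # header or blank line
        host, _, port = m["remote"].rpartition(":")
        conns.append({
            "proto": m["proto"],
            "local": m["local"],
            "remote_host": host.lower(),
            "remote_port": port,
            "state": m["state"] or "",
        })
    return conns


def hosts_verdict(host, hosts):
    """'blocked' on an exact sinkhole entry, 'parent-only' when only a parent
    domain is listed (no effect on this name), else 'unlisted'."""
    host = host.lower()
    if host != "localhost" and hosts.get(host) in SINKHOLES:
        return "blocked"
    labels = host.split(".")
    for i in range(1, len(labels) - 1):
        parent = ".".join(labels[i:])
        if hosts.get(parent) in SINKHOLES:
            return "parent-only"
    return "unlisted"


def check_connections(netstat_text, hosts_text):
    """Pair every foreign host in the netstat output with its verdict."""
    hosts = parse_hosts(hosts_text)
    return [(c["remote_host"], hosts_verdict(c["remote_host"], hosts))
            for c in parse_netstat(netstat_text)]


if __name__ == "__main__":
    for host, verdict in check_connections(SAMPLE_NETSTAT, SAMPLE_HOSTS):
        print(f"{host:45} {verdict}")
```

Two caveats follow from the output. The name netstat -a shows is the reverse-DNS name of the peer's IP, not necessarily the name the browser resolved, so an entry for that rDNS name does nothing; netstat -an shows the raw address, and netstat -ano adds the owning PID, which tasklist /fi "PID eq <n>" turns into a process name. And because the match is exact, a blocklist has to carry every ad hostname individually, which is why the MVPS file is long.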

#15 Jongira

  • Topic Starter

Posted 09 April 2009 - 12:22 AM

Hi Panda, thanks again. I'm in New Jersey, near the coast.
I used the hosts file you suggested to block the double-click thing.

Have a great summer. I'll look you up if i ever get into a mess like this again. You're a lifesaver.
- J



