Erratic behavior. Win MCE 2005 hangs, Explorer.exe consumes 350+K when not running, google redirects, explorer hangs


  • This topic is locked
26 replies to this topic

#1 morty732

Posted 04 April 2009 - 08:01 PM

Hi All,

OK, first I am not sure if I am still infected, but the computer is still not acting right and considering everything I don't trust it :thumbup2:.

Running Win Xp / MCE Version 2002 SP 2

I run NIS 2008, last full scan was 3/31/09, and last update was 4/1/09. Run NIS religiously, always keep subscription/updates up to date.

Ran MBAM 4/2/2009 DB 1939 - now clean
SuperAntiSpyware 4/04/2009 7:10 AM Core 3829 - now clean

Here is the scenario.

On 4/1 Firefox began crashing erratically. I did the update for 3.0.8
When I restarted Firefox I could not get an Internet connection, even though IE7 connected fine.
I did a system reboot, at that time decided to go forward with Microsoft update to SP3 (I never reboot my computer, usually leave it running and just hibernate).
After that, system would load, prompt for user/pass but then just go to wallpaper, nothing else.
System would just hang there, did several reboot attempts.

System would give black screen on Safe Mode, would still hang with Wallpaper on "Last Known Configuration".
After that used MSCONFIG to get system running with wireless connection. At that point noticed several things:
*Google in Firefox and IE would redirect search results randomly to different pages
*Explorer.exe even though not technically running, was eating a LOT of memory, I am talking 350K+ and up,
Tried to run DDS.scr, just blipped the DOS prompt and disappeared. Would not run.
Uninstalled MS SP 3.


Got system up and running on Safe Mode with Networking.
Was able to get MBAM on system but not update it. Had to bring an update over on CD from a good computer.
Ran updated MBAM, got several hits, rebooted, and ran again clean.
Couldn't run Kaspersky, kept getting a pop up to update Java, but when I went to update Java I got an error message.
Got Java "offline" update(jre-6u13-windows-i586-p-s.exe), burned to a CD, brought it over to infected computer, tried to run and got an error message still.

Brought Super AntiSpyware and manual update over on CD, installed, ran & got several hits on stuff, rebooted, ran again got a few more, then ran clean.
Then ran NIS 2008, full scan, NOTHING came up.
Can now run DDS.scr (see attached).
Was able to update Java using offline download (jre-6u13-windows-i586-p-s.exe)
Kaspersky still will not run, gave me error "You need to install Java version 1.5 or later to use Kaspersky 7.0".
From what I can tell, I have Java 1.6.0_13 installed now.



System still takes forever to boot, I have it booting using MSCONFIG, with everything but "Startup" files.



Help!!!! (mucho thanks in advance!)

**oops*** EDIT***** forgot, ran sfc /scannow in hopes to repair any files, but had to cancel due to only having Dell reinstall CD and not correct full CD.

DDS.scr below



DDS (Ver_09-03-16.01) - NTFSx86
Run by JM at 11:40:03.15 on Sat 04/04/2009
Internet Explorer: 7.0.5730.13

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell
uInternet Settings,ProxyServer = http=192.168.0.1:83
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\snagit 7\SnagItBHO.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: &Google Notebook: {ccccccd3-666f-4f81-8b69-745de9f6d897} - c:\program files\google\google notebook\gnotes1.0.2.19-1683046411.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\snagit 7\SnagItIEAddin.dll
TB: Google Notebook: {ccccccdb-4ddb-4703-95d4-dd2c526397bf} - c:\program files\google\google notebook\gnotes1.0.2.19-1683046411.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: Microsoft CommBand: {4d5c8c2a-d075-11d0-b416-00c04fb90376} - %SystemRoot%\system32\browseui.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
EB: Google Notebook: {ccccccdb-4ddb-4703-95d4-dd2c526397bf} - c:\program files\google\google notebook\gnotes1.0.2.19-1683046411.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: turbotax.com
Trusted Zone: virusschlacht.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusschlacht.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} - hxxp://phx.vsmusic.com:81/XNC600NetCam.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://eservices.scottsdaleaz.gov/myneighborhood/downloads/mgaxctrl.cab
DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} - hxxps://accounting.quickbooks.com/c1/v19.108/qboax10.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://klinegroup.webex.com/client/T26L/webex/ieatgpc.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\eudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages =

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jm\applic~1\mozilla\firefox\profiles\m164swfz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\jm\application data\mozilla\firefox\profiles\m164swfz.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol305.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSVG3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-04-03 16:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-03 16:58 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-03 16:58 <DIR> --d----- c:\docume~1\jm\applic~1\SUPERAntiSpyware.com
2009-04-03 16:58 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-03 15:23 23,392 a------- c:\windows\system32\nscompat.tlb
2009-04-03 15:23 16,832 a------- c:\windows\system32\amcompat.tlb
2009-04-03 15:08 69,632 a------- c:\windows\system32\dllcache\ehresko.dll
2009-04-03 15:08 73,728 a------- c:\windows\system32\dllcache\ehresja.dll
2009-04-03 15:08 69,632 a------- c:\windows\system32\dllcache\ehresfr.dll
2009-04-03 15:08 69,632 a------- c:\windows\system32\dllcache\ehresde.dll
2009-04-03 15:08 61,440 a------- c:\windows\system32\dllcache\ehreschs.dll
2009-04-03 15:03 221,184 a------- c:\windows\system32\dllcache\wmpns.dll
2009-04-03 14:21 3,151 a------- c:\windows\system32\spupdsvc.inf
2009-04-03 12:43 <DIR> --d----- C:\I--386
2009-04-03 11:33 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll
2009-04-03 11:33 17,408 a------- c:\windows\system32\dllcache\xrxscnui.dll
2009-04-03 11:32 19,328 a------- c:\windows\system32\dllcache\wstcodec.sys
2009-04-03 11:32 8,192 a------- c:\windows\system32\dllcache\wshirda.dll
2009-04-03 11:32 8,832 a------- c:\windows\system32\dllcache\wmiacpi.sys
2009-04-03 11:31 31,744 a------- c:\windows\system32\dllcache\wceusbsh.sys
2009-04-03 11:31 53,760 a------- c:\windows\system32\dllcache\vfwwdm32.dll
2009-04-03 11:30 17,024 a------- c:\windows\system32\dllcache\usbohci.sys
2009-04-03 11:30 59,264 a------- c:\windows\system32\dllcache\usbaudio.sys
2009-04-03 11:29 82,432 a------- c:\windows\system32\dllcache\tp4mon.exe
2009-04-03 11:28 149,376 a------- c:\windows\system32\dllcache\tffsport.sys
2009-04-03 11:27 15,360 a------- c:\windows\system32\dllcache\streamip.sys
2009-04-03 11:27 7,552 a------- c:\windows\system32\dllcache\sonyait.sys
2009-04-03 11:26 6,912 a------- c:\windows\system32\dllcache\smbclass.sys
2009-04-03 11:26 16,128 a------- c:\windows\system32\dllcache\smbbatt.sys
2009-04-03 11:26 11,136 a------- c:\windows\system32\dllcache\slip.sys
2009-04-03 11:25 10,880 a------- c:\windows\system32\dllcache\scsiscan.sys
2009-04-03 11:24 43,264 a------- c:\windows\system32\dllcache\sbp2port.sys
2009-04-03 11:23 26,624 a------- c:\windows\system32\dllcache\rw450ext.dll
2009-04-03 11:23 24,576 a------- c:\windows\system32\dllcache\rw430ext.dll
2009-04-03 11:23 79,104 a------- c:\windows\system32\dllcache\rocket.sys
2009-04-03 11:23 6,016 a------- c:\windows\system32\dllcache\qic157.sys
2009-04-03 11:22 159,232 a------- c:\windows\system32\dllcache\ptpusd.dll
2009-04-03 11:22 17,664 a------- c:\windows\system32\dllcache\ppa3.sys
2009-04-03 11:22 8,832 a------- c:\windows\system32\dllcache\powerfil.sys
2009-04-03 11:22 259,328 a------- c:\windows\system32\dllcache\perm3dd.dll
2009-04-03 11:22 28,032 a------- c:\windows\system32\dllcache\perm3.sys
2009-04-03 11:22 211,712 a------- c:\windows\system32\dllcache\perm2dll.dll
2009-04-03 11:21 27,904 a------- c:\windows\system32\dllcache\perm2.sys
2009-04-03 11:20 28,672 a------- c:\windows\system32\dllcache\nscirda.sys
2009-04-03 11:19 10,880 a------- c:\windows\system32\dllcache\ndisip.sys
2009-04-03 11:19 85,376 a------- c:\windows\system32\dllcache\nabtsfec.sys
2009-04-03 11:18 49,024 a------- c:\windows\system32\dllcache\mstape.sys
2009-04-03 11:18 5,504 a------- c:\windows\system32\dllcache\mstee.sys
2009-04-03 11:18 22,016 a------- c:\windows\system32\dllcache\msircomm.sys
2009-04-03 11:18 51,328 a------- c:\windows\system32\dllcache\msdv.sys
2009-04-03 11:18 15,360 a------- c:\windows\system32\dllcache\mpe.sys
2009-04-03 11:18 26,112 a------- c:\windows\system32\dllcache\memstpci.sys
2009-04-03 11:17 7,040 a------- c:\windows\system32\dllcache\ltotape.sys
2009-04-03 11:17 34,688 a------- c:\windows\system32\dllcache\lbrtfdc.sys
2009-04-03 11:17 43,008 a------- c:\windows\system32\dllcache\ksxbar.ax
2009-04-03 11:17 90,624 a------- c:\windows\system32\dllcache\kswdmcap.ax
2009-04-03 11:17 61,952 a------- c:\windows\system32\dllcache\kstvtune.ax
2009-04-03 11:16 242,176 a------- c:\windows\system32\dllcache\kdsusd.dll
2009-04-03 11:16 45,568 a------- c:\windows\system32\dllcache\kdsui.dll
2009-04-03 11:16 6,144 a------- c:\windows\system32\dllcache\kbd106.dll
2009-04-03 11:16 27,136 a------- c:\windows\system32\dllcache\irmon.dll
2009-04-03 11:16 152,576 a------- c:\windows\system32\dllcache\irftp.exe
2009-04-03 11:16 87,424 a------- c:\windows\system32\dllcache\irda.sys
2009-04-03 11:16 16,384 a------- c:\windows\system32\dllcache\ipsink.ax
2009-04-03 11:15 702,845 a------- c:\windows\system32\dllcache\i81xdnt5.dll
2009-04-03 11:13 19,200 a------- c:\windows\system32\dllcache\hidbatt.sys
2009-04-03 11:13 28,288 a------- c:\windows\system32\dllcache\grserial.sys
2009-04-03 11:13 59,136 a------- c:\windows\system32\dllcache\gckernel.sys
2009-04-03 11:13 10,624 a------- c:\windows\system32\dllcache\gameenum.sys
2009-04-03 11:11 20,992 a------- c:\windows\system32\dllcache\dshowext.ax
2009-04-03 11:11 207,360 a------- c:\windows\system32\dllcache\dot4.sys
2009-04-03 11:11 8,320 a------- c:\windows\system32\dllcache\dlttape.sys
2009-04-03 11:10 249,856 a------- c:\windows\system32\dllcache\ctmasetp.dll
2009-04-03 11:09 8,192 a------- c:\windows\system32\dllcache\changer.sys
2009-04-03 11:09 17,024 a------- c:\windows\system32\dllcache\ccdecode.sys
2009-04-03 11:09 119,296 a------- c:\windows\system32\dllcache\camext30.dll
2009-04-03 11:08 18,432 a------- c:\windows\system32\dllcache\bdaplgin.ax
2009-04-03 11:08 11,776 a------- c:\windows\system32\dllcache\bdasup.sys
2009-04-03 11:08 13,696 a------- c:\windows\system32\dllcache\avcstrm.sys
2009-04-03 11:08 38,912 a------- c:\windows\system32\dllcache\avc.sys
2009-04-03 11:08 48,128 a------- c:\windows\system32\dllcache\61883.sys
2009-04-03 11:08 12,288 a------- c:\windows\system32\dllcache\4mmdat.sys
2009-04-02 18:26 <DIR> --d----- c:\docume~1\jm\applic~1\Malwarebytes
2009-04-02 18:26 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-02 18:26 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-02 18:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-02 18:26 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-02 18:16 2,906,216 a------- c:\temp\mbam-setup.exe
2009-04-01 16:30 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-01 16:30 1,409 a------- c:\windows\QTFont.for
2009-03-13 17:53 <DIR> --d----- c:\program files\common files\AnswerWorks 5.0
2009-03-13 17:39 <DIR> --d----- c:\temp\turbo tax setup

==================== Find3M ====================

2009-02-19 12:03 579,464 a------- c:\windows\system32\SymNeti.dll
2009-02-19 12:03 207,240 a------- c:\windows\system32\SymRedir.dll
2009-02-19 11:31 31,280 a------- c:\windows\system32\drivers\SymIM.sys
2009-02-19 11:31 9,844 a------- c:\windows\system32\drivers\SymRedir.cat
2009-02-19 11:31 1,611 a------- c:\windows\system32\drivers\SymRedir.inf
2009-02-19 11:31 41,008 a------- c:\windows\system32\drivers\symndisv.sys
2009-02-19 11:31 184,496 a------- c:\windows\system32\drivers\symtdi.sys
2009-02-19 11:31 96,560 a------- c:\windows\system32\drivers\symfw.sys
2009-02-19 11:31 38,576 a------- c:\windows\system32\drivers\symids.sys
2009-02-19 11:31 37,424 a------- c:\windows\system32\drivers\symndis.sys
2009-02-19 11:31 22,320 a------- c:\windows\system32\drivers\symredrv.sys
2009-02-19 11:31 13,616 a------- c:\windows\system32\drivers\symdns.sys
2009-02-03 08:38 88,467 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-08 20:48 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-08-20 10:58 60,744 a------- c:\documents and settings\jm\g2mdlhlpx.exe
2006-10-29 21:57 421,888 a------- c:\program files\putty.exe

============= FINISH: 11:41:18.73 ===============

Edited by morty732, 04 April 2009 - 08:17 PM.
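The "Pseudo HJT Report" in the DDS log above carries the entries a responder reads first on a machine whose searches redirect: the proxy forced into Internet Settings (`uInternet Settings,ProxyServer = http=192.168.0.1:83`), the long list of rogue-antivirus domains sitting in the IE Trusted Zone, and toolbar registrations pointing at a DLL that no longer exists ("No File"). The script below is an added example, not part of the original post and not code from the DDS tool; it parses those line formats and flags the three conditions. The sample input is a handful of lines copied from the log above, `EXPECTED_TRUSTED` is an assumed analyst-kept allowlist, and `refang` is a helper of my own for turning the defanged `hxxp://` URLs back into real ones.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example: parses the "key = value" and "Type: name: {clsid} - path" lines
that DDS emits and flags what a responder checks first on a machine whose
searches redirect: a proxy forced into Internet Settings, domains in the IE
Trusted Zone that are not on an analyst-kept allowlist, and toolbar/BHO
registrations whose DLL is gone ("No File").
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: a handful of lines copied from the DDS log above
# (the full log has many more entries and is not reproduced here).
SAMPLE_LOG = r"""
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyServer = http=192.168.0.1:83
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
Trusted Zone: trustedantivirus.com
Trusted Zone: turbotax.com
Trusted Zone: virusschlacht.com
Trusted Zone: trustedantivirus.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
"""

# Assumption: an analyst-maintained allowlist of Trusted Zone domains that are
# expected on this machine; everything else in the zone is flagged for review.
EXPECTED_TRUSTED = frozenset({"turbotax.com"})


@dataclass(frozen=True)
class Finding:
    category: str  # "proxy", "trusted_zone" or "missing_file"
    detail: str    # the fragment of the log line that triggered it


# DDS prefixes per-user (HKCU) entries with "u" and machine (HKLM) ones with "m".
_PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+?)\s*$")
_TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(\S+)\s*$")
_REG_RE = re.compile(r"^(?:BHO|TB|EB|SEH):\s*(.+?)\s*$")


def refang(url: str) -> str:
    """DDS writes URLs as hxxp:// so they are not clickable; restore http(s)://."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def triage(log_text: str) -> list[Finding]:
    """Return unique findings, in log order, for one Pseudo HJT Report."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _PROXY_RE.match(line)
        if m:
            # A proxy here routes every IE (WinINet) request through it, which
            # is enough to rewrite search results; confirm it is the one the
            # network actually expects before trusting the browser again.
            findings.append(Finding("proxy", m.group(1)))
            continue
        m = _TRUSTED_RE.match(line)
        if m:
            domain = m.group(1).lower()
            if domain not in EXPECTED_TRUSTED:
                findings.append(Finding("trusted_zone", domain))
            continue
        m = _REG_RE.match(line)
        if m and m.group(1).endswith("No File"):
            # Registered BHO/toolbar whose DLL is missing: orphaned by an
            # uninstall or a cleanup, so the registry entry should go too.
            findings.append(Finding("missing_file", m.group(1)))
    # DDS lists a Trusted Zone entry once per registry hive, so drop repeats.
    return list(dict.fromkeys(findings))


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group finding details by category for a quick report."""
    report: dict[str, list[str]] = {}
    for f in findings:
        report.setdefault(f.category, []).append(f.detail)
    return report


if __name__ == "__main__":
    for category, details in summarize(triage(SAMPLE_LOG)).items():
        print(f"{category}:")
        for d in details:
            print(f"  {d}")
```

Run against the sample it reports the proxy, the orphaned toolbar entry and the two Trusted Zone domains outside the allowlist; `turbotax.com` is skipped because it is on the list, and the repeated `trustedantivirus.com` line is reported once. The allowlist is the only policy in the script, which is deliberate: whether a given domain belongs in the Trusted Zone is a judgement the analyst makes per machine, not something a parser can infer from the domain name.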



#2 morty732

Posted 05 April 2009 - 09:55 PM

Was able to finally run Kaspersky. Here is the result:

Sunday, April 5, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, April 05, 2009 19:35:30
Records in database: 2015756
Scan settings
  Scan using the following database: extended
  Scan archives: yes
  Scan mail databases: yes
  Scan area: My Computer
    C:\
    D:\
Scan statistics
  Files scanned: 570864
  Threat name: 4
  Infected objects: 11
  Suspicious objects: 13
  Duration of the scan: 07:32:12

File name Threat name Threats count
C:\Documents and Settings\JM\Application Data\Mozilla\Firefox\Profiles\m164swfz.default\ScrapBook\data\20061102095541\popup.php Infected: Trojan-Clicker.HTML.Agent.a 1
C:\Documents and Settings\JM\Application Data\Mozilla\Firefox\Profiles\m164swfz.default\ScrapBook\data\20061102095541\popup_001.php Infected: Trojan-Clicker.HTML.Agent.a 1
C:\Documents and Settings\JM\My Documents\and\HERES1\intial download\backup-10.29.2006_10-02-03_heres1c.tar.gz Infected: Email-Worm.Win32.Mydoom.m 2
C:\Documents and Settings\JM\My Documents\and\HERES1\intial download\backup-10.29.2006_10-02-03_heres1c.tar.gz Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\JM\My Documents\and\HERES1\intial download\backup-heres1.com-10-29-2006.tar.gz Infected: Email-Worm.Win32.Mydoom.m 4
C:\Documents and Settings\JM\My Documents\and\HERES1\intial download\backup-heres1.com-10-29-2006.tar.gz Suspicious: Trojan-Spy.HTML.Fraud.gen 4
C:\Documents and Settings\JM\My Documents\and\HERES1\intial download\Janice\HomeDir\backup-heres1.com-10-26-2006.tar.gz Infected: Email-Worm.Win32.Mydoom.m 1
C:\Documents and Settings\JM\My Documents\and\HERES1\intial download\Janice\HomeDir\backup-heres1.com-10-26-2006.tar.gz Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\JM\My Documents\and\HERES1\intial download\mail\inbox Infected: Email-Worm.Win32.Mydoom.m 1
C:\Documents and Settings\JM\My Documents\and\HERES1\intial download\mail\inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\JM\My Documents\Eudora\AND\In.mbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\JM\My Documents\Eudora\AND\Norton AntiSpam Folder.mbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\JM\My Documents\Eudora\AND\Trash.mbx Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Documents and Settings\User2\Local Settings\Temporary Internet Files\Content.IE5\SHMNGXAR\stats[1].htm Infected: Trojan-Downloader.VBS.Agent.n 1
The selected area was scanned.

#3 KoanYorel

Posted 13 April 2009 - 01:04 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 morty732

Posted 13 April 2009 - 01:57 PM

Hi,
Here is what I have done since I posted.
Ran and updated NIS 2008 - still shows clean.

Reinstalled Win XP service pack 3

DDS report below:

DDS (Ver_09-03-16.01) - NTFSx86
Run by JM at 11:32:09.17 on Mon 04/13/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.374 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Nero\Ahead\data\Xtras\mssysmgr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\File-Ex 3\FileEx.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\QUICKB~1\COMPON~1\QBAgent\QBDAGE~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\QuickBooks\qbw32.exe
C:\PROGRA~1\QUICKB~1\AXLBRI~1.EXE
C:\Documents and Settings\JM\My Documents\dds1.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell
uInternet Settings,ProxyServer = http=192.168.0.1:83
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\snagit 7\SnagItBHO.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: &Google Notebook: {ccccccd3-666f-4f81-8b69-745de9f6d897} - c:\program files\google\google notebook\gnotes1.0.2.19-1683046411.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\snagit 7\SnagItIEAddin.dll
TB: Google Notebook: {ccccccdb-4ddb-4703-95d4-dd2c526397bf} - c:\program files\google\google notebook\gnotes1.0.2.19-1683046411.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: Microsoft CommBand: {4d5c8c2a-d075-11d0-b416-00c04fb90376} - %SystemRoot%\system32\browseui.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
EB: Google Notebook: {ccccccdb-4ddb-4703-95d4-dd2c526397bf} - c:\program files\google\google notebook\gnotes1.0.2.19-1683046411.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\ahead\data\xtras\mssysmgr.exe
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ShowLOMControl] 
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
StartupFolder: c:\docume~1\jm\startm~1\programs\startup\file-ex.lnk - c:\program files\file-ex 3\FileEx.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusschlacht.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} - hxxp://phx.vsmusic.com:81/XNC600NetCam.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://eservices.scottsdaleaz.gov/myneighborhood/downloads/mgaxctrl.cab
DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} - hxxps://accounting.quickbooks.com/c1/v19.108/qboax10.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://klinegroup.webex.com/client/T26L/webex/ieatgpc.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\eudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jm\applic~1\mozilla\firefox\profiles\m164swfz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\jm\application data\mozilla\firefox\profiles\m164swfz.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol305.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSVG3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2008-5-27 53752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090413.003\NAVENG.SYS [2009-4-13 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090413.003\NAVEX15.SYS [2009-4-13 876144]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-5-17 1245064]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 grmn0200;grmn0200.Sys Garmin USB DCP driver (install);c:\windows\system32\drivers\grmn0200.sys [2006-5-30 16777]
S3 grmn1200;grmn0200.Sys Garmin USB DCP driver;c:\windows\system32\drivers\grmn1200.sys [2006-5-30 12905]
S4 Innmbterns;Innmbterns;c:\windows\system32\drivers\processr.sys [2009-2-3 35840]

=============== Created Last 30 ================

2009-04-09 07:06 <DIR> --d----- c:\windows\ServicePackFiles
2009-04-08 18:03 <DIR> --d----- c:\program files\DellSupport
2009-04-06 07:33 <DIR> --d----- c:\program files\SpywareBlaster
2009-04-05 19:57 43,985,744 a------- c:\temp\kis8.0.0.506en.exe
2009-04-05 08:04 69,120 -------- c:\windows\system32\wlanapi.dll
2009-04-05 08:02 144,384 -------- c:\windows\system32\onex.dll
2009-04-05 08:01 37,376 -------- c:\windows\system32\l2gpstore.dll
2009-04-05 08:00 19,569 a------- c:\windows\003599_.tmp
2009-04-04 17:39 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-04 17:39 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-04 17:06 144,896 -------- c:\windows\system32\dllcache\schannel.dll
2009-04-03 16:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-03 16:58 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-03 16:58 <DIR> --d----- c:\docume~1\jm\applic~1\SUPERAntiSpyware.com
2009-04-03 16:58 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-03 15:23 23,392 a------- c:\windows\system32\nscompat.tlb
2009-04-03 15:23 16,832 a------- c:\windows\system32\amcompat.tlb
2009-04-03 15:08 69,632 a------- c:\windows\system32\dllcache\ehresko.dll
2009-04-03 15:08 73,728 a------- c:\windows\system32\dllcache\ehresja.dll
2009-04-03 15:08 69,632 a------- c:\windows\system32\dllcache\ehresfr.dll
2009-04-03 15:08 69,632 a------- c:\windows\system32\dllcache\ehresde.dll
2009-04-03 15:08 61,440 a------- c:\windows\system32\dllcache\ehreschs.dll
2009-04-03 15:03 221,184 a------- c:\windows\system32\dllcache\wmpns.dll
2009-04-03 12:43 <DIR> --d----- C:\I--386
2009-04-02 18:26 <DIR> --d----- c:\docume~1\jm\applic~1\Malwarebytes
2009-04-02 18:26 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-02 18:26 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-02 18:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-02 18:26 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-02 18:16 2,906,216 a------- c:\temp\mbam-setup.exe
2009-04-01 16:30 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-01 16:30 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-02-19 12:03 579,464 a------- c:\windows\system32\SymNeti.dll
2009-02-19 12:03 207,240 a------- c:\windows\system32\SymRedir.dll
2009-02-19 11:31 31,280 a------- c:\windows\system32\drivers\SymIM.sys
2009-02-19 11:31 9,844 a------- c:\windows\system32\drivers\SymRedir.cat
2009-02-19 11:31 1,611 a------- c:\windows\system32\drivers\SymRedir.inf
2009-02-19 11:31 41,008 a------- c:\windows\system32\drivers\symndisv.sys
2009-02-19 11:31 184,496 a------- c:\windows\system32\drivers\symtdi.sys
2009-02-19 11:31 96,560 a------- c:\windows\system32\drivers\symfw.sys
2009-02-19 11:31 38,576 a------- c:\windows\system32\drivers\symids.sys
2009-02-19 11:31 37,424 a------- c:\windows\system32\drivers\symndis.sys
2009-02-19 11:31 22,320 a------- c:\windows\system32\drivers\symredrv.sys
2009-02-19 11:31 13,616 a------- c:\windows\system32\drivers\symdns.sys
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 04:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-03 08:38 88,467 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-08-20 10:58 60,744 a------- c:\documents and settings\jm\g2mdlhlpx.exe
2006-10-29 21:57 421,888 a------- c:\program files\putty.exe

============= FINISH: 11:33:50.94 ===============

#5 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:06:27 PM

Posted 13 April 2009 - 03:32 PM

Hi

Please turn word wrap off in Notepad to make the logs appear in a more readable format and post the dds.txt contents again. Also attach the attach.txt file.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#6 morty732

morty732
  • Topic Starter

  • Members
  • 14 posts
  • Local time:08:27 AM

Posted 13 April 2009 - 03:58 PM

DDS (Ver_09-03-16.01) - NTFSx86
Run by JM at 11:32:09.17 on Mon 04/13/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.374 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Nero\Ahead\data\Xtras\mssysmgr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\File-Ex 3\FileEx.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\QUICKB~1\COMPON~1\QBAgent\QBDAGE~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\QuickBooks\qbw32.exe
C:\PROGRA~1\QUICKB~1\AXLBRI~1.EXE
C:\Documents and Settings\JM\My Documents\dds1.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell
uInternet Settings,ProxyServer = http=192.168.0.1:83
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\snagit 7\SnagItBHO.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: &Google Notebook: {ccccccd3-666f-4f81-8b69-745de9f6d897} - c:\program files\google\google notebook\gnotes1.0.2.19-1683046411.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\snagit 7\SnagItIEAddin.dll
TB: Google Notebook: {ccccccdb-4ddb-4703-95d4-dd2c526397bf} - c:\program files\google\google notebook\gnotes1.0.2.19-1683046411.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: Microsoft CommBand: {4d5c8c2a-d075-11d0-b416-00c04fb90376} - %SystemRoot%\system32\browseui.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
EB: Google Notebook: {ccccccdb-4ddb-4703-95d4-dd2c526397bf} - c:\program files\google\google notebook\gnotes1.0.2.19-1683046411.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\ahead\data\xtras\mssysmgr.exe
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ShowLOMControl] 
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
StartupFolder: c:\docume~1\jm\startm~1\programs\startup\file-ex.lnk - c:\program files\file-ex 3\FileEx.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusschlacht.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} - hxxp://phx.vsmusic.com:81/XNC600NetCam.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://eservices.scottsdaleaz.gov/myneighborhood/downloads/mgaxctrl.cab
DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} - hxxps://accounting.quickbooks.com/c1/v19.108/qboax10.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://klinegroup.webex.com/client/T26L/webex/ieatgpc.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\eudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jm\applic~1\mozilla\firefox\profiles\m164swfz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\jm\application data\mozilla\firefox\profiles\m164swfz.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol305.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSVG3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2008-5-27 53752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090413.003\NAVENG.SYS [2009-4-13 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090413.003\NAVEX15.SYS [2009-4-13 876144]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-5-17 1245064]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 grmn0200;grmn0200.Sys Garmin USB DCP driver (install);c:\windows\system32\drivers\grmn0200.sys [2006-5-30 16777]
S3 grmn1200;grmn0200.Sys Garmin USB DCP driver;c:\windows\system32\drivers\grmn1200.sys [2006-5-30 12905]
S4 Innmbterns;Innmbterns;c:\windows\system32\drivers\processr.sys [2009-2-3 35840]

=============== Created Last 30 ================

2009-04-09 07:06 <DIR> --d----- c:\windows\ServicePackFiles
2009-04-08 18:03 <DIR> --d----- c:\program files\DellSupport
2009-04-06 07:33 <DIR> --d----- c:\program files\SpywareBlaster
2009-04-05 19:57 43,985,744 a------- c:\temp\kis8.0.0.506en.exe
2009-04-05 08:04 69,120 -------- c:\windows\system32\wlanapi.dll
2009-04-05 08:02 144,384 -------- c:\windows\system32\onex.dll
2009-04-05 08:01 37,376 -------- c:\windows\system32\l2gpstore.dll
2009-04-05 08:00 19,569 a------- c:\windows\003599_.tmp
2009-04-04 17:39 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-04 17:39 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-04 17:06 144,896 -------- c:\windows\system32\dllcache\schannel.dll
2009-04-03 16:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-03 16:58 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-03 16:58 <DIR> --d----- c:\docume~1\jm\applic~1\SUPERAntiSpyware.com
2009-04-03 16:58 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-03 15:23 23,392 a------- c:\windows\system32\nscompat.tlb
2009-04-03 15:23 16,832 a------- c:\windows\system32\amcompat.tlb
2009-04-03 15:08 69,632 a------- c:\windows\system32\dllcache\ehresko.dll
2009-04-03 15:08 73,728 a------- c:\windows\system32\dllcache\ehresja.dll
2009-04-03 15:08 69,632 a------- c:\windows\system32\dllcache\ehresfr.dll
2009-04-03 15:08 69,632 a------- c:\windows\system32\dllcache\ehresde.dll
2009-04-03 15:08 61,440 a------- c:\windows\system32\dllcache\ehreschs.dll
2009-04-03 15:03 221,184 a------- c:\windows\system32\dllcache\wmpns.dll
2009-04-03 12:43 <DIR> --d----- C:\I--386
2009-04-02 18:26 <DIR> --d----- c:\docume~1\jm\applic~1\Malwarebytes
2009-04-02 18:26 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-02 18:26 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-02 18:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-02 18:26 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-02 18:16 2,906,216 a------- c:\temp\mbam-setup.exe
2009-04-01 16:30 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-01 16:30 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-02-19 12:03 579,464 a------- c:\windows\system32\SymNeti.dll
2009-02-19 12:03 207,240 a------- c:\windows\system32\SymRedir.dll
2009-02-19 11:31 31,280 a------- c:\windows\system32\drivers\SymIM.sys
2009-02-19 11:31 9,844 a------- c:\windows\system32\drivers\SymRedir.cat
2009-02-19 11:31 1,611 a------- c:\windows\system32\drivers\SymRedir.inf
2009-02-19 11:31 41,008 a------- c:\windows\system32\drivers\symndisv.sys
2009-02-19 11:31 184,496 a------- c:\windows\system32\drivers\symtdi.sys
2009-02-19 11:31 96,560 a------- c:\windows\system32\drivers\symfw.sys
2009-02-19 11:31 38,576 a------- c:\windows\system32\drivers\symids.sys
2009-02-19 11:31 37,424 a------- c:\windows\system32\drivers\symndis.sys
2009-02-19 11:31 22,320 a------- c:\windows\system32\drivers\symredrv.sys
2009-02-19 11:31 13,616 a------- c:\windows\system32\drivers\symdns.sys
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 04:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-03 08:38 88,467 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-08-20 10:58 60,744 a------- c:\documents and settings\jm\g2mdlhlpx.exe
2006-10-29 21:57 421,888 a------- c:\program files\putty.exe

============= FINISH: 11:33:50.94 ===============

Attached Files



#7 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:06:27 PM

Posted 13 April 2009 - 04:29 PM

Hi again,

Are you familiar with these proxy settings:
uInternet Settings,ProxyServer = http=192.168.0.1:83
uInternet Settings,ProxyOverride = 127.0.0.1;*.local


Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt). Note: Do not run Option #2 yet.


Please visit this webpage for download links and instructions for running the ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.


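One way to pull the items Blade81 asks about out of the "Pseudo HJT Report" section automatically (the ProxyServer setting, plus the Trusted Zone and "No File" entries that a helper reads next), as an added example that is not part of this thread and not code from the DDS tool. It assumes the machine's own subnet is handed in as a CIDR string (192.168.2.0/24 here, constructed from the 192.168.2.X network the poster describes in the next reply); the sample report is a constructed subset of the log above, with its GUIDs and paths copied from that log.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example; it is not part of this thread and not code from the DDS tool.
It picks out the three things a malware-response helper reads first in that
section: proxy settings that point somewhere the machine's own LAN cannot
reach, domains added to the IE Trusted Zone, and toolbar/BHO registrations
whose file is gone.
"""
import ipaddress
import re

# Constructed sample in the shape of the report posted above (subset of lines).
SAMPLE_REPORT = """\
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyServer = http=192.168.0.1:83
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\\program files\\snagit 7\\SnagItIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
Trusted Zone: avsystemcare.com
Trusted Zone: trustedantivirus.com
LSA: Notification Packages = scecli scecli
"""

# DDS prefixes: u = per-user (HKCU) setting, m = machine-wide (HKLM) setting.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(\S+)")
NO_FILE_RE = re.compile(r"^(TB|BHO|EB):\s*(.+?)\s+-\s+No File$")


def parse_proxy_value(value):
    """Split 'http=host:port;https=host:port' (or a bare 'host:port') into
    (scheme, host, port) tuples; scheme is '' for a bare entry."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":") if ":" in hostport else (hostport, "", "")
        entries.append((scheme, host, port))
    return entries


def proxy_reason(host, lan):
    """Return why a proxy host deserves a look, or None if it is unremarkable.
    `lan` is the machine's own subnet in CIDR form, e.g. '192.168.2.0/24'."""
    lan_net = ipaddress.ip_network(lan, strict=False)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "proxy is given as a hostname; confirm it is one you configured"
    if ip.is_loopback:
        return "loopback proxy; identify the local process listening on that port"
    if ip in lan_net:
        return None
    if ip.is_private:
        return (f"private address outside this machine's LAN ({lan_net}); "
                "nothing on the local network answers there, so the setting is stale or was not set by the user")
    return "public address; all browser traffic would be relayed through a remote host"


def triage(report, lan):
    """Scan report lines and return (kind, item, reason) findings in log order."""
    findings = []
    for line in report.splitlines():
        m = PROXY_RE.match(line)
        if m:
            for scheme, host, port in parse_proxy_value(m.group(1)):
                reason = proxy_reason(host, lan)
                if reason:
                    findings.append(("proxy", f"{scheme or 'all'}={host}:{port}", reason))
            continue
        m = TRUSTED_RE.match(line)
        if m:
            findings.append(("trusted_zone", m.group(1),
                             "domain added to the IE Trusted Zone; legitimate software rarely does this"))
            continue
        m = NO_FILE_RE.match(line)
        if m:
            findings.append((f"orphan_{m.group(1).lower()}", m.group(2),
                             "registered but its file is missing; leftover of a removed component"))
    return findings


if __name__ == "__main__":
    # LAN taken from the poster's reply (192.168.2.x); the /24 is an assumption.
    for kind, item, reason in triage(SAMPLE_REPORT, "192.168.2.0/24"):
        print(f"[{kind}] {item}: {reason}")
```

Run against the sample, the script reports the 192.168.0.1:83 proxy as lying outside the 192.168.2.0/24 LAN, which is the mismatch the helper is probing with the question above: nothing on the user's own network can be answering on that address. The Trusted Zone lines are listed because a domain in that zone runs under IE's relaxed security settings, and the two "No File" toolbars because a registration with no file behind it is what a half-removed component looks like. None of these is a verdict; they are the entries to look at before any fix is run.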

#8 morty732

morty732
  • Topic Starter

  • Members
  • 14 posts
  • Local time:08:27 AM

Posted 13 April 2009 - 09:28 PM

Hi Blade,
In regards to:
uInternet Settings,ProxyServer = http=192.168.0.1:83
uInternet Settings,ProxyOverride = 127.0.0.1;*.local

Not completely familiar with these. I have a 2-computer network on a wireless router; the local host, though, is 192.168.2.X

Here is the Goored Log:
GooredFix v1.92 by jpshortstuff
Log created at 14:56 on 13/04/2009 running Option #1 (JM)
Firefox version 3.0.8 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord"



The ComboFix Log (FYI, I got the following error when launching it: "Incompatible OS, ComboFix only works for workstations with Win2000 & XP". ComboFix still ran (I am on XP/MCE). However, after it ran and displayed the log it completely stalled. After 20 minutes, I rebooted the machine.)



ComboFix 09-04-13.A2 - JM 2009-04-13 16:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.740 [GMT -7:00]
Running from: c:\documents and settings\JM\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\azip32.dll
c:\windows\system32\dzgtactx.dll
c:\windows\system32\FTPx.dll
c:\windows\system32\MabryObj.dll
c:\windows\system32\mdm.exe
c:\windows\system32\skinboxer43.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.

2009-04-09 14:06 . 2009-04-09 14:17 -------- d-----w c:\windows\ServicePackFiles
2009-04-09 01:03 . 2009-04-09 01:03 -------- d-----w c:\program files\DellSupport
2009-04-06 14:34 . 2009-04-13 18:30 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-06 14:33 . 2009-04-06 14:34 -------- d-----w c:\program files\SpywareBlaster
2009-04-06 02:57 . 2009-04-06 02:58 43985744 ----a-w c:\temp\kis8.0.0.506en.exe
2009-04-05 15:04 . 2008-04-14 00:12 69120 ------w c:\windows\system32\wlanapi.dll
2009-04-05 15:02 . 2008-04-14 00:12 144384 ------w c:\windows\system32\onex.dll
2009-04-05 15:01 . 2008-04-14 00:11 37376 ------w c:\windows\system32\l2gpstore.dll
2009-04-05 15:00 . 2008-04-14 00:12 20992 ------w c:\windows\system32\faxpatch.exe
2009-04-05 00:39 . 2009-04-05 00:38 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-05 00:39 . 2009-04-05 00:38 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-05 00:06 . 2008-12-05 06:54 144896 ------w c:\windows\system32\dllcache\schannel.dll
2009-04-03 23:59 . 2009-04-03 23:59 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-03 23:58 . 2009-04-08 22:56 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-03 23:58 . 2009-04-03 23:58 -------- d-----w c:\documents and settings\JM\Application Data\SUPERAntiSpyware.com
2009-04-03 23:58 . 2009-04-03 23:58 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-03 22:23 . 2009-04-09 14:47 23392 ----a-w c:\windows\system32\nscompat.tlb
2009-04-03 22:23 . 2009-04-09 14:47 16832 ----a-w c:\windows\system32\amcompat.tlb
2009-04-03 22:08 . 2004-08-10 11:13 69632 ----a-w c:\windows\system32\dllcache\ehresko.dll
2009-04-03 22:08 . 2004-08-10 11:13 73728 ----a-w c:\windows\system32\dllcache\ehresja.dll
2009-04-03 22:08 . 2004-08-10 11:13 69632 ----a-w c:\windows\system32\dllcache\ehresfr.dll
2009-04-03 22:08 . 2004-08-10 11:13 69632 ----a-w c:\windows\system32\dllcache\ehresde.dll
2009-04-03 22:08 . 2004-08-10 11:13 61440 ----a-w c:\windows\system32\dllcache\ehreschs.dll
2009-04-03 22:03 . 2004-08-10 11:00 221184 ----a-w c:\windows\system32\dllcache\wmpns.dll
2009-04-03 19:43 . 2009-04-03 19:46 -------- d-----w C:\I--386
2009-04-03 02:45 . 2009-04-03 02:45 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-03 01:26 . 2009-04-03 01:26 -------- d-----w c:\documents and settings\JM\Application Data\Malwarebytes
2009-04-03 01:26 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 01:26 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-03 01:26 . 2009-04-03 01:26 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-03 01:26 . 2009-04-06 23:34 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-03 01:16 . 2009-04-03 01:16 2906216 ----a-w c:\temp\mbam-setup.exe
2009-04-01 23:30 . 2009-04-01 23:30 54156 ---ha-w c:\windows\QTFont.qfn
2009-04-01 23:30 . 2009-04-01 23:30 1409 ----a-w c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 22:09 . 2006-03-20 19:47 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-13 02:11 . 2006-03-21 02:05 -------- d-----w c:\program files\SnagIt 7
2009-04-13 01:52 . 2009-02-02 22:30 -------- d-----w c:\program files\PrimoPDF
2009-04-09 16:58 . 2006-11-15 15:52 -------- d-----w c:\program files\NetConceal Anonymizer
2009-04-09 16:57 . 2006-11-15 15:52 125 ----a-w C:\ioSpecial.ini
2009-04-09 16:56 . 2009-02-16 15:01 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-04-09 16:25 . 2006-03-20 18:55 -------- d-----w c:\program files\Yahoo!
2009-04-09 15:24 . 2006-03-20 19:40 42600 ----a-w c:\documents and settings\JM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-09 14:46 . 2009-04-09 14:46 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009040920090410\index.dat
2009-04-09 14:00 . 2005-08-16 10:18 250048 --sha-r C:\ntldr
2009-04-09 01:03 . 2007-06-14 18:26 -------- d--h--w c:\documents and settings\User2\Application Data\Gtek
2009-04-09 01:03 . 2006-05-03 13:43 -------- d--h--w c:\documents and settings\Marvella\Application Data\Gtek
2009-04-09 01:03 . 2006-03-20 18:07 -------- d--h--w c:\documents and settings\JM\Application Data\Gtek
2009-04-09 00:40 . 2008-05-18 02:55 -------- d-----w c:\program files\Norton Internet Security
2009-04-05 00:38 . 2006-03-14 22:00 -------- d-----w c:\program files\Java
2009-03-28 13:45 . 2006-03-20 19:47 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-23 18:41 . 2006-03-20 23:03 -------- d-----w c:\program files\QuickBooks
2009-03-14 01:12 . 2006-09-13 14:31 -------- d-----w c:\documents and settings\JM\Application Data\File-Ex
2009-03-14 00:53 . 2009-03-14 00:53 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-03-14 00:50 . 2008-03-09 00:02 -------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-03-14 00:50 . 2006-03-20 23:04 -------- d-----w c:\program files\Common Files\Intuit
2009-03-14 00:48 . 2008-03-09 00:00 -------- d-----w c:\program files\TurboTax
2009-03-09 03:17 . 2006-03-14 22:21 -------- d-----w c:\program files\Google
2009-03-07 19:03 . 2006-09-19 21:03 -------- d-----w c:\program files\CalorieKing
2009-02-24 15:02 . 2009-02-16 15:11 -------- d-----w c:\documents and settings\JM\Application Data\skypePM
2009-02-20 15:22 . 2006-11-05 12:49 -------- d-----w c:\program files\CallWave
2009-02-19 19:03 . 2009-02-19 19:03 579464 ----a-w c:\windows\system32\SymNeti.dll
2009-02-19 19:03 . 2009-02-19 19:03 207240 ----a-w c:\windows\system32\SymRedir.dll
2009-02-19 18:31 . 2009-02-19 18:31 9844 ----a-w c:\windows\system32\drivers\SymRedir.cat
2009-02-19 18:31 . 2009-02-19 18:31 31280 ----a-w c:\windows\system32\drivers\SymIM.sys
2009-02-19 18:31 . 2009-02-19 18:31 1611 ----a-w c:\windows\system32\drivers\SymRedir.inf
2009-02-19 18:31 . 2009-02-19 18:31 41008 ----a-w c:\windows\system32\drivers\symndisv.sys
2009-02-19 18:31 . 2009-02-19 18:31 96560 ----a-w c:\windows\system32\drivers\symfw.sys
2009-02-19 18:31 . 2009-02-19 18:31 38576 ----a-w c:\windows\system32\drivers\symids.sys
2009-02-19 18:31 . 2009-02-19 18:31 37424 ----a-w c:\windows\system32\drivers\symndis.sys
2009-02-19 18:31 . 2009-02-19 18:31 22320 ----a-w c:\windows\system32\drivers\symredrv.sys
2009-02-19 18:31 . 2009-02-19 18:31 184496 ----a-w c:\windows\system32\drivers\symtdi.sys
2009-02-19 18:31 . 2009-02-19 18:31 13616 ----a-w c:\windows\system32\drivers\symdns.sys
2009-02-14 10:02 . 2008-05-27 12:54 -------- d-----w c:\program files\MozyHome
2009-02-09 11:13 . 2009-02-03 15:14 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 . 2008-10-16 05:41 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-06 19:18 . 2009-02-06 19:18 102374 ----a-w c:\documents and settings\All Users\Application Data\tmp526.tmp
2009-02-03 15:38 . 2005-08-16 10:41 88467 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-01-17 04:35 . 2005-08-16 10:18 3594752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-08-20 17:58 . 2007-05-08 18:55 60744 ----a-w c:\documents and settings\JM\g2mdlhlpx.exe
2006-10-30 04:57 . 2006-10-30 04:57 421888 ----a-w c:\program files\putty.exe
2006-03-24 02:02 . 2006-03-20 18:07 125 ----a-w c:\documents and settings\JM\Local Settings\Application Data\fusioncache.dat
2005-08-17 02:52 . 2007-06-14 18:26 136 ----a-w c:\documents and settings\User2\Local Settings\Application Data\fusioncache.dat
2005-08-17 02:52 . 2006-05-03 13:43 136 ----a-w c:\documents and settings\Marvella\Local Settings\Application Data\fusioncache.dat
2005-08-17 02:52 . 2005-08-17 02:52 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2008-07-29 15:2007-03-08 15:30 00:03 . c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-07-29 15:2007-03-08 15:30 00:03 . c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-07-29 15:2008-07-29 15:00 00:19 . c:\program files\mozilla firefox\plugins\atmccli.dll
2008-07-29 15:2008-07-29 15:00 00:24 . c:\program files\mozilla firefox\plugins\ieatgpc.dll
2009-04-01 05:2008-05-18 02:59 47:26 . c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-01-30 14:05 2788152 --a------ c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-01-30 14:05 2788152 --a------ c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ShowLOMControl"="" [X]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-09 185896]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2008-02-06 718704]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-12 229952]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 c:\windows\stsystra.exe]

c:\documents and settings\JM\Start Menu\Programs\Startup\
File-Ex.lnk - c:\program files\File-Ex 3\FileEx.exe [2006-09-13 212992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2009-01-30 2737464]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XJPG"= camfc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"napagent"=3 (0x3)
"hkmsvc"=3 (0x3)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Harmony Remote\\HarmonyClient.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\IBP 9\\IBP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\CallWave\\IAM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 grmn0200;grmn0200.Sys Garmin USB DCP driver (install);c:\windows\system32\Drivers\grmn0200.sys [2003-02-14 16777]
R3 grmn1200;grmn0200.Sys Garmin USB DCP driver;c:\windows\system32\Drivers\grmn1200.sys [2002-09-10 12905]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
R4 Innmbterns;Innmbterns;c:\windows\system32\drivers\processr.sys [2008-04-13 35840]
S1 mozyFilter;mozyFilter;c:\windows\system32\DRIVERS\mozy.sys [2008-10-06 53752]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 101936]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-07 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - JM.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 06:05]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-OE_OEM - c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - c:\program files\Eudora\EuShlExt.dll
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell
uInternet Settings,ProxyServer = http=192.168.0.1:83
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: storageguardsoft.com
Trusted Zone: turbotax.com
Trusted Zone: virusschlacht.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusschlacht.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} - hxxp://phx.vsmusic.com:81/XNC600NetCam.cab
FF - ProfilePath - c:\documents and settings\JM\Application Data\Mozilla\Firefox\Profiles\m164swfz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - plugin: c:\documents and settings\JM\Application Data\Mozilla\Firefox\Profiles\m164swfz.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol305.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSVG3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 16:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1260)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2428)
c:\program files\MozyHome\mozyshell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MozyHome\mozybackup.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-13 16:32 - machine was rebooted [JM]
ComboFix-quarantined-files.txt 2009-04-13 23:31

Pre-Run: 11,194,007,552 bytes free
Post-Run: 16,177,967,104 bytes free

285 --- E O F --- 2009-04-11 23:39

#9 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:06:27 PM

Posted 14 April 2009 - 08:07 AM

Hi

Ok. Let's remove those proxy settings anyway. They can be reset if things are not working after removal.


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Upload the following file to http://www.virustotal.com and post back the results:
c:\windows\system32\drivers\processr.sys


Open notepad and copy/paste the text in the quotebox below into it:

DDS::
uInternet Settings,ProxyServer = http=192.168.0.1:83
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: storageguardsoft.com
Trusted Zone: turbotax.com
Trusted Zone: virusschlacht.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusschlacht.com

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.


Uninstall old Adobe Reader versions and get the latest one here, or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader!

Also uninstall Java versions below Java 6 Update 13.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run Kaspersky online scanner.

Post back its report, a fresh HJT log and the above-mentioned ComboFix resultant log. How's the system running?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.
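Both morty's question in #8 (why the ProxyServer line points at 192.168.0.1 when the LAN is 192.168.2.X) and Blade's fix in #9 (strip the proxy and Trusted Zone entries, restore Security Center monitoring, check the oddly named processr.sys service) come down to reading a few kinds of lines out of the ComboFix log. The script below is an added example, not part of this thread and not ComboFix's own code: it runs the same checks over constructed sample lines of the shape seen in the logs above. The local subnet 192.168.2.0/24 (taken from morty's description), the allowlist of Trusted Zone domains the operator recognises, and the "no 4-character run in common between service name and driver file name" heuristic are assumptions of the example; a hit from it means "look at this", not "this is malware" (processr.sys came back 0/38 on VirusTotal in the next post).

```python
"""Triage a ComboFix-style log for the indicators discussed in this thread.

Added example (not part of the thread, not ComboFix code). Assumptions:
the local LAN is 192.168.2.0/24, the Trusted Zone allowlist holds domains
the operator recognises, and a service whose name shares no 4-character
run with its driver's file name is worth a manual look.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of the ComboFix report posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
R4 Innmbterns;Innmbterns;c:\windows\system32\drivers\processr.sys [2008-04-13 35840]
S1 mozyFilter;mozyFilter;c:\windows\system32\DRIVERS\mozy.sys [2008-10-06 53752]

uInternet Settings,ProxyServer = http=192.168.0.1:83
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: turbotax.com
Trusted Zone: avsystemcare.com
"""

SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.+?)\s+\[", re.M)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?([\w.\-]+):(\d+)")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(\S+)", re.M)


def proxy_off_subnet(log, local_subnet="192.168.2.0/24"):
    """(host, port) for each ProxyServer whose IP lies outside the local LAN."""
    net = ipaddress.ip_network(local_subnet)
    hits = []
    for host, port in PROXY_RE.findall(log):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname rather than an IP literal: review by hand
        if addr not in net:
            hits.append((host, int(port)))
    return hits


def disabled_protections(log):
    """Registry keys where Security Center monitoring or the XP firewall is off."""
    findings, current_key = [], None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif re.match(r'"DisableMonitoring"\s*=\s*dword:0*1$', line):
            findings.append(current_key)
        elif re.match(r'"EnableFirewall"\s*=\s*0\b', line):
            findings.append(current_key)
    return findings


def _longest_common_run(a, b):
    """Length of the longest case-insensitive substring shared by a and b."""
    a, b = a.lower(), b.lower()
    best = 0
    for i in range(len(a)):
        for j in range(len(b)):
            k = 0
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            best = max(best, k)
    return best


def services_needing_review(log, min_overlap=4):
    """(service name, path) where the name and the file stem look unrelated."""
    flagged = []
    for name, _display, path in SERVICE_RE.findall(log):
        stem = path.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0]
        if _longest_common_run(name, stem) < min_overlap:
            flagged.append((name, path))
    return flagged


def trusted_zone_anomalies(log, allowlist=frozenset({"turbotax.com"})):
    """(domains not on the allowlist, domains listed more than once)."""
    counts = Counter(d.lower() for d in TRUSTED_RE.findall(log))
    unexpected = sorted(d for d in counts if d not in allowlist)
    duplicated = sorted(d for d, n in counts.items() if n > 1)
    return unexpected, duplicated


def triage(log, local_subnet="192.168.2.0/24"):
    """Collect every finding into one dict for reporting."""
    unexpected, duplicated = trusted_zone_anomalies(log)
    return {
        "proxy_off_subnet": proxy_off_subnet(log, local_subnet),
        "protections_disabled": disabled_protections(log),
        "services_to_review": services_needing_review(log),
        "trusted_zone_unexpected": unexpected,
        "trusted_zone_duplicated": duplicated,
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"{kind}: {items}")
```

Run against the sample it reports the 192.168.0.1:83 proxy (off the 192.168.2.0/24 LAN), the two keys with protection switched off, the Innmbterns service whose file is processr.sys, and the unexpected and duplicated Trusted Zone domains; SASENUM and mozyFilter pass the name check because their names overlap their file stems.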


#10 morty732

morty732
  • Topic Starter

  • Members
  • 14 posts
  • Local time:08:27 AM

Posted 14 April 2009 - 11:56 PM

Hi Blade,
Did all the stuff you asked, updated Adobe and removed older Java versions, ran ATF, etc.

When I ran ComboFix it took at least 30 minutes, maybe more. I looked at the task manager and did NOT see any of the processes you mentioned running. ComboFix did finally finish....

One point of note: when I do a normal reboot, after I log in to the OS, it takes about 30-40 minutes (I am not exaggerating) for the OS to fully load, as it stalls at various points. I have learned that if I leave it alone, it will come up and be running eventually. Any interaction within explorer.exe (which is the way I access most of my files) is painfully slow, with about a minute of lag... Painful is the best word to describe system performance.

Here's the info; please let me know if I left anything out (BTW, not sure if it matters, but it took Kaspersky about 10 hours to do a full scan, which is much longer than I remember the previous scan running).

BiG HUGE THANKS!!!
Morty

virustotal.com Results ##########################

File has already been analysed:
MD5: a32bebaf723557681bfc6bd93e98bd26
First received: -
Date: 01.06.2009 20:21:45 (CET) [>97D]
Results: 0/38
Permalink: http://www.virustotal.com/analisis/9329dae...c7c4ec11049e45b

################################################

ComboFix Log ##########################################
ComboFix 09-04-13.A2 - JM 2009-04-14 6:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.520 [GMT -7:00]
Running from: c:\documents and settings\JM\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\JM\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.

2009-04-14 13:49 . 2006-03-03 06:42 73728 ----a-w C:\pv.exe
2009-04-09 14:06 . 2009-04-09 14:17 -------- d-----w c:\windows\ServicePackFiles
2009-04-09 01:03 . 2009-04-09 01:03 -------- d-----w c:\program files\DellSupport
2009-04-06 14:34 . 2009-04-13 18:30 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-06 14:33 . 2009-04-06 14:34 -------- d-----w c:\program files\SpywareBlaster
2009-04-06 02:57 . 2009-04-06 02:58 43985744 ----a-w c:\temp\kis8.0.0.506en.exe
2009-04-05 15:04 . 2008-04-14 00:12 69120 ------w c:\windows\system32\wlanapi.dll
2009-04-05 15:02 . 2008-04-14 00:12 144384 ------w c:\windows\system32\onex.dll
2009-04-05 15:01 . 2008-04-14 00:11 37376 ------w c:\windows\system32\l2gpstore.dll
2009-04-05 15:00 . 2008-04-14 00:12 20992 ------w c:\windows\system32\faxpatch.exe
2009-04-05 00:39 . 2009-04-05 00:38 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-05 00:39 . 2009-04-05 00:38 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-05 00:06 . 2008-12-05 06:54 144896 ------w c:\windows\system32\dllcache\schannel.dll
2009-04-03 23:59 . 2009-04-03 23:59 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-03 23:58 . 2009-04-08 22:56 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-03 23:58 . 2009-04-03 23:58 -------- d-----w c:\documents and settings\JM\Application Data\SUPERAntiSpyware.com
2009-04-03 23:58 . 2009-04-03 23:58 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-03 22:23 . 2009-04-09 14:47 23392 ----a-w c:\windows\system32\nscompat.tlb
2009-04-03 22:23 . 2009-04-09 14:47 16832 ----a-w c:\windows\system32\amcompat.tlb
2009-04-03 22:08 . 2004-08-10 11:13 69632 ----a-w c:\windows\system32\dllcache\ehresko.dll
2009-04-03 22:08 . 2004-08-10 11:13 73728 ----a-w c:\windows\system32\dllcache\ehresja.dll
2009-04-03 22:08 . 2004-08-10 11:13 69632 ----a-w c:\windows\system32\dllcache\ehresfr.dll
2009-04-03 22:08 . 2004-08-10 11:13 69632 ----a-w c:\windows\system32\dllcache\ehresde.dll
2009-04-03 22:08 . 2004-08-10 11:13 61440 ----a-w c:\windows\system32\dllcache\ehreschs.dll
2009-04-03 22:03 . 2004-08-10 11:00 221184 ----a-w c:\windows\system32\dllcache\wmpns.dll
2009-04-03 19:43 . 2009-04-03 19:46 -------- d-----w C:\I--386
2009-04-03 02:45 . 2009-04-03 02:45 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-03 01:26 . 2009-04-03 01:26 -------- d-----w c:\documents and settings\JM\Application Data\Malwarebytes
2009-04-03 01:26 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 01:26 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-03 01:26 . 2009-04-03 01:26 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-03 01:26 . 2009-04-06 23:34 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-03 01:16 . 2009-04-03 01:16 2906216 ----a-w c:\temp\mbam-setup.exe
2009-04-01 23:30 . 2009-04-01 23:30 54156 ---ha-w c:\windows\QTFont.qfn
2009-04-01 23:30 . 2009-04-01 23:30 1409 ----a-w c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 13:50 . 2006-03-20 19:47 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-13 02:11 . 2006-03-21 02:05 -------- d-----w c:\program files\SnagIt 7
2009-04-13 01:52 . 2009-02-02 22:30 -------- d-----w c:\program files\PrimoPDF
2009-04-09 16:58 . 2006-11-15 15:52 -------- d-----w c:\program files\NetConceal Anonymizer
2009-04-09 16:57 . 2006-11-15 15:52 125 ----a-w C:\ioSpecial.ini
2009-04-09 16:56 . 2009-02-16 15:01 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-04-09 16:25 . 2006-03-20 18:55 -------- d-----w c:\program files\Yahoo!
2009-04-09 15:24 . 2006-03-20 19:40 42600 ----a-w c:\documents and settings\JM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-09 14:46 . 2009-04-09 14:46 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009040920090410\index.dat
2009-04-09 14:00 . 2005-08-16 10:18 250048 --sha-r C:\ntldr
2009-04-09 01:03 . 2007-06-14 18:26 -------- d--h--w c:\documents and settings\User2\Application Data\Gtek
2009-04-09 01:03 . 2006-05-03 13:43 -------- d--h--w c:\documents and settings\Marvella\Application Data\Gtek
2009-04-09 01:03 . 2006-03-20 18:07 -------- d--h--w c:\documents and settings\JM\Application Data\Gtek
2009-04-09 00:40 . 2008-05-18 02:55 -------- d-----w c:\program files\Norton Internet Security
2009-04-05 00:38 . 2006-03-14 22:00 -------- d-----w c:\program files\Java
2009-03-28 13:45 . 2006-03-20 19:47 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-23 18:41 . 2006-03-20 23:03 -------- d-----w c:\program files\QuickBooks
2009-03-14 01:12 . 2006-09-13 14:31 -------- d-----w c:\documents and settings\JM\Application Data\File-Ex
2009-03-14 00:53 . 2009-03-14 00:53 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-03-14 00:50 . 2008-03-09 00:02 -------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-03-14 00:50 . 2006-03-20 23:04 -------- d-----w c:\program files\Common Files\Intuit
2009-03-14 00:48 . 2008-03-09 00:00 -------- d-----w c:\program files\TurboTax
2009-03-09 03:17 . 2006-03-14 22:21 -------- d-----w c:\program files\Google
2009-03-07 19:03 . 2006-09-19 21:03 -------- d-----w c:\program files\CalorieKing
2009-02-24 15:02 . 2009-02-16 15:11 -------- d-----w c:\documents and settings\JM\Application Data\skypePM
2009-02-20 15:22 . 2006-11-05 12:49 -------- d-----w c:\program files\CallWave
2009-02-19 19:03 . 2009-02-19 19:03 579464 ----a-w c:\windows\system32\SymNeti.dll
2009-02-19 19:03 . 2009-02-19 19:03 207240 ----a-w c:\windows\system32\SymRedir.dll
2009-02-19 18:31 . 2009-02-19 18:31 9844 ----a-w c:\windows\system32\drivers\SymRedir.cat
2009-02-19 18:31 . 2009-02-19 18:31 31280 ----a-w c:\windows\system32\drivers\SymIM.sys
2009-02-19 18:31 . 2009-02-19 18:31 1611 ----a-w c:\windows\system32\drivers\SymRedir.inf
2009-02-19 18:31 . 2009-02-19 18:31 41008 ----a-w c:\windows\system32\drivers\symndisv.sys
2009-02-19 18:31 . 2009-02-19 18:31 96560 ----a-w c:\windows\system32\drivers\symfw.sys
2009-02-19 18:31 . 2009-02-19 18:31 38576 ----a-w c:\windows\system32\drivers\symids.sys
2009-02-19 18:31 . 2009-02-19 18:31 37424 ----a-w c:\windows\system32\drivers\symndis.sys
2009-02-19 18:31 . 2009-02-19 18:31 22320 ----a-w c:\windows\system32\drivers\symredrv.sys
2009-02-19 18:31 . 2009-02-19 18:31 184496 ----a-w c:\windows\system32\drivers\symtdi.sys
2009-02-19 18:31 . 2009-02-19 18:31 13616 ----a-w c:\windows\system32\drivers\symdns.sys
2009-02-14 10:02 . 2008-05-27 12:54 -------- d-----w c:\program files\MozyHome
2009-02-09 11:13 . 2009-02-03 15:14 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 . 2008-10-16 05:41 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-06 19:18 . 2009-02-06 19:18 102374 ----a-w c:\documents and settings\All Users\Application Data\tmp526.tmp
2009-02-03 15:38 . 2005-08-16 10:41 88467 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-01-17 04:35 . 2005-08-16 10:18 3594752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-08-20 17:58 . 2007-05-08 18:55 60744 ----a-w c:\documents and settings\JM\g2mdlhlpx.exe
2006-10-30 04:57 . 2006-10-30 04:57 421888 ----a-w c:\program files\putty.exe
2006-03-24 02:02 . 2006-03-20 18:07 125 ----a-w c:\documents and settings\JM\Local Settings\Application Data\fusioncache.dat
2005-08-17 02:52 . 2007-06-14 18:26 136 ----a-w c:\documents and settings\User2\Local Settings\Application Data\fusioncache.dat
2005-08-17 02:52 . 2006-05-03 13:43 136 ----a-w c:\documents and settings\Marvella\Local Settings\Application Data\fusioncache.dat
2005-08-17 02:52 . 2005-08-17 02:52 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2008-07-29 15:00:03 . 2007-03-08 15:30 . c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-07-29 15:00:03 . 2007-03-08 15:30 . c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-07-29 15:00:19 . 2008-07-29 15:00 . c:\program files\mozilla firefox\plugins\atmccli.dll
2008-07-29 15:00:24 . 2008-07-29 15:00 . c:\program files\mozilla firefox\plugins\ieatgpc.dll
2009-04-01 05:47:26 . 2008-05-18 02:59 . c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-13_16.27.47.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-13 23:50 . 2009-04-13 23:50 16384 c:\windows\Temp\Perflib_Perfdata_414.dat
+ 2009-04-13 23:50 . 2009-04-13 23:50 16384 c:\windows\Temp\Perflib_Perfdata_3dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-01-30 14:05 2788152 --a------ c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-01-30 14:05 2788152 --a------ c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="" [X]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-09 185896]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2008-02-06 718704]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-12 229952]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 c:\windows\stsystra.exe]

c:\documents and settings\JM\Start Menu\Programs\Startup\
File-Ex.lnk - c:\program files\File-Ex 3\FileEx.exe [2006-09-13 212992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2009-01-30 2737464]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XJPG"= camfc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"napagent"=3 (0x3)
"hkmsvc"=3 (0x3)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Harmony Remote\\HarmonyClient.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\IBP 9\\IBP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\CallWave\\IAM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 grmn0200;grmn0200.Sys Garmin USB DCP driver (install);c:\windows\system32\Drivers\grmn0200.sys [2003-02-14 16777]
R3 grmn1200;grmn0200.Sys Garmin USB DCP driver;c:\windows\system32\Drivers\grmn1200.sys [2002-09-10 12905]
R4 Innmbterns;Innmbterns;c:\windows\system32\drivers\processr.sys [2008-04-13 35840]
S1 mozyFilter;mozyFilter;c:\windows\system32\DRIVERS\mozy.sys [2008-10-06 53752]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 101936]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-14 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - JM.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 06:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} - hxxp://phx.vsmusic.com:81/XNC600NetCam.cab
FF - ProfilePath - c:\documents and settings\JM\Application Data\Mozilla\Firefox\Profiles\m164swfz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\JM\Application Data\Mozilla\Firefox\Profiles\m164swfz.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol305.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSVG3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 07:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1252)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2532)
c:\program files\File-Ex 3\FxHook.dll
c:\program files\MozyHome\mozyshell.dll
.
Completion time: 2009-04-14 7:23
ComboFix-quarantined-files.txt 2009-04-14 14:21
ComboFix2.txt 2009-04-13 23:32

Pre-Run: 15,674,052,608 bytes free
Post-Run: 15,764,480,000 bytes free

240 --- E O F --- 2009-04-11 23:39


###########################################################


Kaspersky Log (also uploaded HTML in case it is difficult to read this way) #################################################
File name Threat name Threats count
C:\Documents and Settings\JM\Application Data\Mozilla\Firefox\Profiles\m164swfz.default\ScrapBook\data\20061102095541\popup.php Infected: Trojan-Clicker.HTML.Agent.a 1

C:\Documents and Settings\JM\Application Data\Mozilla\Firefox\Profiles\m164swfz.default\ScrapBook\data\20061102095541\popup_001.php Infected: Trojan-Clicker.HTML.Agent.a 1

C:\Documents and Settings\JM\My Documents\and\HERES1\intial download\backup-10.29.2006_10-02-03_heres1c.tar.gz Infected: Email-Worm.Win32.Mydoom.m 2

C:\Documents and Settings\JM\My Documents\and\HERES1\intial download\backup-10.29.2006_10-02-03_heres1c.tar.gz Suspicious: Trojan-Spy.HTML.Fraud.gen 2

C:\Documents and Settings\JM\My Documents\and\HERES1\intial download\backup-heres1.com-10-29-2006.tar.gz Infected: Email-Worm.Win32.Mydoom.m 3

C:\Documents and Settings\JM\My Documents\and\HERES1\intial download\backup-heres1.com-10-29-2006.tar.gz Suspicious: Trojan-Spy.HTML.Fraud.gen 3

C:\Documents and Settings\JM\My Documents\and\HERES1\intial download\Janice\HomeDir\backup-heres1.com-10-26-2006.tar.gz Infected: Email-Worm.Win32.Mydoom.m 1

C:\Documents and Settings\JM\My Documents\and\HERES1\intial download\Janice\HomeDir\backup-heres1.com-10-26-2006.tar.gz Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\Documents and Settings\JM\My Documents\and\HERES1\intial download\mail\inbox Infected: Email-Worm.Win32.Mydoom.m 1

C:\Documents and Settings\JM\My Documents\and\HERES1\intial download\mail\inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\Documents and Settings\JM\My Documents\Eudora\AND\In.mbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\Documents and Settings\JM\My Documents\Eudora\AND\Norton AntiSpam Folder.mbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\Documents and Settings\JM\My Documents\Eudora\AND\Trash.mbx Suspicious: Trojan-Spy.HTML.Fraud.gen 3

C:\Documents and Settings\JM\My Documents\weichert backup\archive.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1

The selected area was scanned.

############################################


HJT Log ##########################################
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:28 PM, on 4/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Nero\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\File-Ex 3\FileEx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\SnagIt 7\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1683046411.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1683046411.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Startup: File-Ex.lnk = C:\Program Files\File-Ex 3\FileEx.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} (XNC600NetCam Control) - http://phx.vsmusic.com:81/XNC600NetCam.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://eservices.scottsdaleaz.gov/myneighb...ds/mgaxctrl.cab
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c1/v19.108/qboax10.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://klinegroup.webex.com/client/T26L/webex/ieatgpc.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11874 bytes
##########################################
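The HijackThis log above is the kind of thing a helper reads line by line: O4 entries are autostart Run values and Startup-folder links, O23 entries are services with the company name HijackThis read from the binary ("Unknown owner" when it could not), and O16 entries are Download Program Files, i.e. ActiveX controls fetched from a URL. The script below is an added example written for this page, not a HijackThis feature or anything the posters ran. It applies a few mechanical triage rules to a handful of lines copied from the log: a Run value with no command, a Run value that is a bare file name rather than a full path (so Windows resolves it through its search path), a service whose publisher could not be read, a service whose binary is gone, and an ActiveX control fetched over plain HTTP. None of these is a verdict; they are the entries a reviewer checks first. The sample lines are the page's own; the rules and thresholds are the example's assumptions.

```python
import re
import sys

# Constructed sample input: a few lines copied verbatim from the HijackThis log in this thread.
HJT_SAMPLE = r"""O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe
O16 - DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} (XNC600NetCam Control) - http://phx.vsmusic.com:81/XNC600NetCam.cab
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c1/v19.108/qboax10.cab
"""

# O4 registry Run values: "O4 - HKLM\..\Run: [name] command"
RUN_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# O23 services: "O23 - Service: name - owner - path"
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# O16 Download Program Files: "O16 - DPF: {clsid} (description) - source"
DPF_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\} \((?P<desc>[^)]+)\) - (?P<src>.+)$")


def triage(log_text):
    """Return (line number, entry, reason) tuples for log lines that deserve a second look."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.rstrip()
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").strip()
            if not cmd:
                findings.append((lineno, m.group("name"), "Run value has no command (stale or disabled entry)"))
            elif "\\" not in cmd:
                findings.append((lineno, m.group("name"),
                                 "bare file name, resolved through the search path rather than an absolute path"))
            continue
        m = SVC_RE.match(line)
        if m:
            if m.group("owner") == "Unknown owner":
                findings.append((lineno, m.group("name"), "HijackThis could not read a company name from the binary"))
            if m.group("path").endswith("(file missing)"):
                findings.append((lineno, m.group("name"), "service is registered but its binary is missing"))
            continue
        m = DPF_RE.match(line)
        if m and m.group("src").lower().startswith("http://"):
            findings.append((lineno, m.group("desc"), "ActiveX control fetched over plain HTTP from " + m.group("src")))
    return findings


if __name__ == "__main__":
    # Usage: python hjt_triage.py hijackthis.log   (falls back to the built-in sample)
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else HJT_SAMPLE
    for lineno, entry, reason in triage(text):
        print(f"line {lineno}: {entry}: {reason}")
```

Run against the sample it reports six items: the bare `stsystra.exe`, the empty `ShowLOMControl` value, the two "Unknown owner" services (with the iPod service also flagged as missing), and the netcam control pulled over HTTP from a non-standard port. Everything else in the sample passes. The ComboFix log earlier in the thread records one thing HijackThis does not list at all, the `mountpoints2` AutoRun command `E:\setup.exe`, which is Explorer's memory of an autorun.inf on a removable or optical drive; it is worth noting during a review like this even though it is not a HijackThis line.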


#11 Blade81 (Malware Response Team, Finland)

Posted 15 April 2009 - 05:16 AM

Hi

Did you let the scanners scan the c:\windows\system32\drivers\processr.sys file? The link at least leads to the old results. Please re-scan if you didn't.


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Delete these files:
C:\Documents and Settings\JM\Application Data\Mozilla\Firefox\Profiles\m164swfz.default\ScrapBook\data\20061102095541\popup.php
C:\Documents and Settings\JM\Application Data\Mozilla\Firefox\Profiles\m164swfz.default\ScrapBook\data\20061102095541\popup_001.php


Sorry to ask but are these somehow related to emails?
C:\Documents and Settings\JM\My Documents\and\HERES1\intial download\backup-10.29.2006_10-02-03_heres1c.tar.gz
C:\Documents and Settings\JM\My Documents\and\HERES1\intial download\backup-heres1.com-10-29-2006.tar.gz
C:\Documents and Settings\JM\My Documents\and\HERES1\intial download\Janice\HomeDir\backup-heres1.com-10-26-2006.tar.gz

Check email messages in these mail boxes/archives and delete suspicious looking messages:
C:\Documents and Settings\JM\My Documents\and\HERES1\intial download\mail\inbox
C:\Documents and Settings\JM\My Documents\Eudora\AND\In.mbx
C:\Documents and Settings\JM\My Documents\Eudora\AND\Norton AntiSpam Folder.mbx
C:\Documents and Settings\JM\My Documents\Eudora\AND\Trash.mbx
C:\Documents and Settings\JM\My Documents\weichert backup\archive.pst


Have you run disk error check & defragged hard drive lately? If not, it's recommended to do so.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.
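The Kaspersky hits Blade81 asks about are inside mail stores rather than on disk as programs: Email-Worm.Win32.Mydoom.m is a 2004 mass-mailer that arrived as an executable attachment, and Trojan-Spy.HTML.Fraud.gen is Kaspersky's generic name for phishing HTML, typically a login form posted to a server the attacker controls. Neither runs by sitting in an inbox, which is why the advice is to find and delete the messages rather than the mailbox. The script below is an added example, not something from this thread, showing the two checks a scanner applies to an mbox-format archive: executable attachment names and HTML parts containing a form with a password field. It builds its own three-message mailbox in a temporary directory so it runs offline; the messages, addresses and the 198.51.100.7 address are constructed. It assumes the archive is in mbox format (Python's `mailbox` module reads that; Eudora's .mbx files are mbox-like, though Eudora for Windows moves attachments out into its Attach folder, so for those only the HTML check applies, and an Outlook .pst is a different format that needs a different reader).

```python
import mailbox
import os
import sys
import tempfile
from email.message import EmailMessage

# Attachment extensions used by Mydoom-era mass-mailers; extend as needed (assumption of this example).
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".zip"}


def build_sample_mbox(path):
    """Write a constructed three-message mailbox: a clean note, a worm-style attachment, a phishing form."""
    box = mailbox.mbox(path)

    clean = EmailMessage()
    clean["From"] = "alice@example.com"
    clean["To"] = "jm@example.com"
    clean["Subject"] = "Lunch"
    clean.set_content("Noon at the usual place?")
    box.add(clean)

    worm = EmailMessage()
    worm["From"] = "bob@example.com"
    worm["To"] = "jm@example.com"
    worm["Subject"] = "photos"
    worm.set_content("see attached")
    worm.add_attachment(b"MZ\x90\x00 placeholder, not a real executable",
                        maintype="application", subtype="octet-stream", filename="photos.scr")
    box.add(worm)

    phish = EmailMessage()
    phish["From"] = "security@example.net"
    phish["To"] = "jm@example.com"
    phish["Subject"] = "Verify your account"
    phish.set_content(
        '<html><body><form action="http://198.51.100.7/login" method="post">\n'
        'User <input name="u"> Password <input type="password" name="p">\n'
        '<input type="submit" value="Verify"></form></body></html>\n',
        subtype="html")
    box.add(phish)
    box.close()  # flushes the file


def scan_mbox(path):
    """Return (subject, reason) pairs for messages with executable attachments or password forms."""
    findings = []
    box = mailbox.mbox(path)
    try:
        for msg in box:
            subject = msg.get("Subject", "(no subject)")
            for part in msg.walk():
                if part.is_multipart():
                    continue
                name = part.get_filename()
                if name and os.path.splitext(name)[1].lower() in RISKY_EXT:
                    findings.append((subject, "executable attachment: " + name))
                if part.get_content_type() == "text/html":
                    charset = part.get_content_charset() or "latin-1"
                    body = part.get_payload(decode=True).decode(charset, "replace").lower()
                    # Crude stand-in for the Fraud.gen heuristic: a form that collects a password.
                    if "<form" in body and 'type="password"' in body:
                        findings.append((subject, "HTML form that asks for a password"))
    finally:
        box.close()
    return findings


def demo():
    """Build the constructed mailbox in a temp directory and scan it."""
    path = os.path.join(tempfile.mkdtemp(), "In.mbx")
    build_sample_mbox(path)
    return scan_mbox(path)


if __name__ == "__main__":
    # Usage: python scan_mbox.py In.mbx   (falls back to the constructed sample)
    results = scan_mbox(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for subject, reason in results:
        print(f"{subject!r}: {reason}")
```

On the constructed mailbox it reports the `photos.scr` attachment and the password form and says nothing about the clean message. The password-form test is deliberately blunt; real phishing detection looks at where the form posts and whether that host matches the sender's claimed brand, but even the blunt version is enough to find the message to delete.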


#12 morty732 (Topic Starter)

Posted 15 April 2009 - 08:35 AM

Hi Blade,
I am not sure what you are asking.
I did everything in the order it was presented. So the virustotal.com scan of the processr.sys was done before the ComboFix and Kaspersky. Not sure if that matters. But the file was there for all the scans....

When you say rescan, which scan?

Thanks!

#13 Blade81 (Malware Response Team, Finland)

Posted 15 April 2009 - 11:36 AM

File has already been analysed:
MD5: a32bebaf723557681bfc6bd93e98bd26
First received: -
Date: 01.06.2009 20:21:45 (CET) [>97D]

I'd like to know how the scanners see the file now. That was the situation in the beginning of this year :thumbup2:



#14 morty732 (Topic Starter)

Posted 15 April 2009 - 11:54 AM

Here is the weird thing (very weird) , I don't think I have ever run that scan before. Never even heard of that Website before your post, so I have no idea where that 1/6/09 date came from. As far as I know, the first time I ever ran that scan was yesterday.

I went back, uploaded the file and this time hit re-analyze.
Here are the results.

File processr.sys received on 04.15.2009 18:46:37 (CET)
Current status: finished
Result: 0/40 (0.00%)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.15 -
AhnLab-V3 5.0.0.2 2009.04.15 -
AntiVir 7.9.0.143 2009.04.15 -
Antiy-AVL 2.0.3.1 2009.04.15 -
Authentium 5.1.2.4 2009.04.14 -
Avast 4.8.1335.0 2009.04.15 -
AVG 8.5.0.287 2009.04.15 -
BitDefender 7.2 2009.04.15 -
CAT-QuickHeal 10.00 2009.04.15 -
ClamAV 0.94.1 2009.04.15 -
Comodo 1115 2009.04.15 -
DrWeb 4.44.0.09170 2009.04.15 -
eSafe 7.0.17.0 2009.04.13 -
eTrust-Vet 31.6.6455 2009.04.14 -
F-Prot 4.4.4.56 2009.04.15 -
F-Secure 8.0.14470.0 2009.04.15 -
Fortinet 3.117.0.0 2009.04.15 -
GData 19 2009.04.15 -
Ikarus T3.1.1.49.0 2009.04.15 -
K7AntiVirus 7.10.704 2009.04.15 -
Kaspersky 7.0.0.125 2009.04.15 -
McAfee 5585 2009.04.15 -
McAfee+Artemis 5585 2009.04.15 -
McAfee-GW-Edition 6.7.6 2009.04.15 -
Microsoft 1.4502 2009.04.15 -
NOD32 4011 2009.04.15 -
Norman 6.00.06 2009.04.15 -
nProtect 2009.1.8.0 2009.04.15 -
Panda 10.0.0.14 2009.04.14 -
PCTools 4.4.2.0 2009.04.15 -
Prevx1 V2 2009.04.15 -
Rising 21.25.24.00 2009.04.15 -
Sophos 4.40.0 2009.04.15 -
Sunbelt 3.2.1858.2 2009.04.15 -
Symantec 1.4.4.12 2009.04.15 -
TheHacker 6.3.4.0.309 2009.04.15 -
TrendMicro 8.700.0.1004 2009.04.15 -
VBA32 3.12.10.2 2009.04.12 -
ViRobot 2009.4.15.1694 2009.04.15 -
VirusBuster 4.6.5.0 2009.04.15 -
Additional information
File size: 35840 bytes
MD5...: a32bebaf723557681bfc6bd93e98bd26
SHA1..: c3c96a042fac130553b92eb8f5c5d59a57a3cfd5
SHA256: 35039ba72a29f87b2ca37dcde4efdaabbdead8ce3eb8652acc665994118145a6
SHA512: ca50ab71e4e4068c50a9ec8911c835ed37c95ee02ed87b4dc7740a24cbe03868
9109a724a44e38a1ca1f97b406c071891b336766a3ffad41e46d2066c3809969
ssdeep: 768:VcbrjrFcZ7ZtL/4O+nfnJbA58ZLUbpPo8U6r3:abrjB2L/vUfx38Rr3
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5805
timedatestamp.....: 0x48025181 (Sun Apr 13 18:31:29 2008)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x211a 0x2180 6.36 ef66b19ecb3c6f6d70141003843973db
.rdata 0x2500 0x2ad 0x300 4.57 c9665a395d67ba38286243ff332f578e
.data 0x2800 0x50c 0x580 0.39 d44f07e687bf9e33bb2df8670adcbf0b
PAGE 0x2d80 0x242a 0x2480 6.29 151e0a2e67d4324b5388c8acfbd52eab
PAGELK 0x5200 0x5cc 0x600 5.89 11504394c3bcd5f4d9de32e36f51f484
INIT 0x5800 0xad8 0xb00 5.71 d85d8b773cf3a8cb6d7f545c01bb3904
.rsrc 0x6300 0x23d0 0x2400 7.21 91d8c3da156db73f0cfc8be186e56945
.reloc 0x8700 0x4f4 0x500 5.65 1f155f914c8e318bce2b1177adc97f90

( 3 imports )
> ntoskrnl.exe: ZwPowerInformation, IoBuildSynchronousFsdRequest, KeSetEvent, KeRevertToUserAffinityThread, KeSetSystemAffinityThread, KeQueryActiveProcessors, MmMapIoSpace, ZwClose, RtlEqualUnicodeString, ZwOpenKey, MmUnmapIoSpace, IoQueueWorkItem, IoAllocateWorkItem, _snwprintf, RtlAnsiStringToUnicodeString, RtlInitAnsiString, _alldiv, _allmul, READ_REGISTER_UCHAR, READ_REGISTER_USHORT, READ_REGISTER_ULONG, WRITE_REGISTER_UCHAR, WRITE_REGISTER_USHORT, WRITE_REGISTER_ULONG, IoDetachDevice, IoFreeWorkItem, IoAttachDeviceToDeviceStack, PoSetPowerState, KeInitializeSpinLock, IoCreateDevice, ExUnregisterCallback, IofCompleteRequest, KefAcquireSpinLockAtDpcLevel, IoReleaseCancelSpinLock, KeClearEvent, KeNumberProcessors, ExRegisterCallback, ExCreateCallback, RtlCopyUnicodeString, IoWMIRegistrationControl, swprintf, IoWriteErrorLogEntry, IoAllocateErrorLogEntry, PoCallDriver, PoStartNextPowerIrp, PoRequestPowerIrp, MmLockPagableDataSection, MmUnlockPagableImageSection, RtlIntegerToUnicodeString, wcslen, RtlWriteRegistryValue, RtlQueryRegistryValues, RtlInitUnicodeString, ZwQueryValueKey, strncpy, KeInitializeEvent, ExAllocatePoolWithTag, IoBuildDeviceIoControlRequest, IofCallDriver, KeWaitForSingleObject, KeBugCheckEx, KeTickCount, IoDeleteDevice, ExFreePoolWithTag
> HAL.dll: KfReleaseSpinLock, KeQueryPerformanceCounter, READ_PORT_UCHAR, HalSetBusDataByOffset, KeStallExecutionProcessor, KfAcquireSpinLock, WRITE_PORT_UCHAR, WRITE_PORT_ULONG, WRITE_PORT_USHORT, READ_PORT_ULONG, READ_PORT_USHORT
> WMILIB.SYS: WmiCompleteRequest, WmiSystemControl, WmiFireEvent

( 0 exports )
RDS...: NSRL Reference Data Set
-
packers (Kaspersky): PE_Patch
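The "file has already been analysed" puzzle in this exchange has a simple explanation: VirusTotal keys its reports on the file's hash, so an identical processr.sys submitted by anyone else in January 2009 produces the earlier report, and "Reanalyse" is what gets the file rescanned with current signatures. The things a reviewer actually checks in the output above are that the size and digests describe the file on this machine (the 35840-byte size and the 2008-04-13 link timestamp match the ComboFix entry for the same file, and the same 2008-04-13 stamp appears on other system files in that log), and what the per-section entropy column (`ntrpy`) means: bits per byte, 0 for constant data, 8 for uniformly random or compressed data, with a high `.rsrc` value being common for compressed resources and not a verdict on its own. The script below is an added example, not from this thread: it parses the VirusTotal summary lines quoted above, hashes a local file for comparison, and computes Shannon entropy. Its test uses an empty file, which is labelled as such and obviously does not match the report.

```python
import hashlib
import math
import re
import sys
from collections import Counter

# Sample input: the summary lines of the VirusTotal report quoted in the post above.
VT_REPORT = """\
File processr.sys received on 04.15.2009 18:46:37 (CET)
Current status: finished
Result: 0/40 (0.00%)
File size: 35840 bytes
MD5...: a32bebaf723557681bfc6bd93e98bd26
SHA1..: c3c96a042fac130553b92eb8f5c5d59a57a3cfd5
SHA256: 35039ba72a29f87b2ca37dcde4efdaabbdead8ce3eb8652acc665994118145a6
"""


def parse_vt_report(text):
    """Extract detections, engine count, size and the three digests from a VirusTotal text report."""
    report = {}
    m = re.search(r"Result:\s*(\d+)/(\d+)", text)
    report["detections"], report["engines"] = int(m.group(1)), int(m.group(2))
    m = re.search(r"File size:\s*(\d+)\s*bytes", text)
    report["size"] = int(m.group(1))
    for algo in ("md5", "sha1", "sha256"):
        # VirusTotal pads the label with dots to a fixed width: "MD5...:", "SHA1..:", "SHA256:"
        m = re.search(r"^%s\.*:\s*([0-9a-fA-F]+)" % algo, text, re.IGNORECASE | re.MULTILINE)
        report[algo] = m.group(1).lower()
    return report


def digests(data):
    """Size plus MD5/SHA-1/SHA-256 of the bytes, keyed the same way parse_vt_report keys them."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report(data, report):
    """True only when size and all three digests agree, i.e. the report describes exactly these bytes."""
    local = digests(data)
    return all(local[k] == report[k] for k in ("size", "md5", "sha1", "sha256"))


def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0; the figure VirusTotal prints per PE section as 'ntrpy'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    # Usage: python vt_check.py C:\WINDOWS\system32\drivers\processr.sys
    report = parse_vt_report(VT_REPORT)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        print("matches the VirusTotal report:", matches_report(blob, report))
        print("whole-file entropy: %.2f bits/byte" % shannon_entropy(blob))
    else:
        print(report)
```

Pointed at the driver on the affected machine it prints whether the local bytes are the ones VirusTotal scored 0/40; a mismatch means the report is about a different build and says nothing about this file. Whole-file entropy is a coarser number than the per-section values VirusTotal lists, but the same calculation.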

#15 Blade81 (Malware Response Team, Finland)

Posted 16 April 2009 - 08:02 AM

Hi

Seems like the file is ok. Did you run disk error check & hard drive defragmenter? Any help of those regarding slow startup?

Edited by Blade81, 16 April 2009 - 08:02 AM.





