
Unknown Infection


  • This topic is locked
23 replies to this topic

#1 Reepicheep

Reepicheep

  • Members
  • 12 posts

Posted 11 April 2009 - 02:41 PM

I am running Windows XP and have Symantec Endpoint Protection, which has been popping up with a generic trojan alert and quarantining it for the past ten days. Here is the latest one (all look alike): "00463c07.cor.dll Location: C:Windows/system32/.00463c07" The description at Symantec says: "Trojan-Spy.HTML.Smitfraud.c [Kaspersky], Phish-BankFraud.eml.a [McAfee], Trj/Citifraud.A [Panda Software], generic5 [AVG] Type: Trojan"

I have cleaned out cookies and temp internet files, switched to safe mode and tried the SmitfraudFix tool, which came up negative, and have run Malwarebytes and Spybot, which have cleaned out various things, but the trojan alert still pops up, always at startup and then at about half-hour intervals. Every once in a while a tracking cookie is also deleted.

Here is my DDS.txt log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Tina at 14:16:00.26 on Sat 04/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.794 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated)
FW: Symantec Endpoint Protection *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\sony\giga pocket\shwserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iGive_Toolbar\igvtt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\QTTask.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iGive_Toolbar\igvtp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Documents and Settings\Tina\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Windows Internet Explorer provided by Yahoo!
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: iGive Toolbar: {fa73ae1b-4ba9-4e8b-832b-54a287ff1b7f} - c:\program files\igive_toolbar\igvtb.dll
TB: {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~3.EXE -Update -1103470 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YComp 5.0.0.0; MathPlayer 2.0; YPC 3.2.0; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)" -"http://pbskids.org/zoom/fromyou/funny/?campaign=go_vndr"
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [igvtm] "c:\program files\igive_toolbar\igvtt.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: Append to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Open with WordPerfect - d:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot - search & destroy\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} - hxxp://www2.snapfish.com/SnapfishOutlookImport.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} - hxxp://agent.celebrateexpress.com/netagent/objects/custappx3.CAB
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} - hxxp://www.pestscan.com/scanner/axscanner.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://jran.uscourts.gov/whalecomec32b699752db7cbc29caf21a3355e519eb14ae3b56cad20/whalecom0/iNotes6W.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6D85864F-C902-4C4C-AECB-541E9B929DF6} - hxxp://www.icoachmath.com/MathPlayer/ICMMathPlayer.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://jran.uscourts.gov/InternalSite/WhlCompMgr.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_04-win.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - hxxp://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} - hxxp://cdn.digitalcity.com/_media/dalaillama/ampx.cab
Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tina\applic~1\mozilla\firefox\profiles\28p0vuon.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4E7FF8BB-0A5A-4AA3-B764-B39BA9A13E38", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDB24F189F-FB14-4EFD-8B9D-217EC6C84EA1", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID86ED3659-02F6-465D-8F19-A9334614CCC3", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID5D7F48C0-CB49-4ea6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDA43C6FC7-09F6-4E04-B8E3-683F3BDFEF7C", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexff15.js - pref("capability.policy.default.classid.cid4c8d6404-a9f6-4236-8488-6c5732cb3bfa", "allaccess");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-12-8 2440120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-4-5 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusdefs\20090410.040\NAVENG.SYS [2009-4-11 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusdefs\20090410.040\NAVEX15.SYS [2009-4-11 876144]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]
S3 DMService;Whale Component Manager;c:\windows\downlo~1\DMService.exe [2009-1-13 423576]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2008-12-20 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2008-12-20 3072]
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\system32\drivers\mr97310v.sys [2004-3-30 118106]
S4 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe [2007-8-27 53307]

=============== Created Last 30 ================

2009-04-11 11:38 3,182 a------- c:\windows\system32\tmp.reg
2009-04-10 18:40 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-10 18:40 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-09 19:12 <DIR> --d----- c:\program files\iPod
2009-04-09 19:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-09 19:03 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-04-08 17:18 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{E18C8A94-0667-4A02-B59B-9CB3A8F22628}
2009-04-08 17:18 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83FC5D7A-8875-4931-80D6-1E3AC725D336}
2009-04-08 15:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-06 17:43 110,872,640 a------- C:\SYM_REGISTRY_BACKUP.reg
2009-04-05 17:20 <DIR> --d----- c:\program files\Enigma Software Group
2009-04-05 14:30 92,488 a------- c:\windows\system32\drivers\SysPlant.sys
2009-04-05 14:29 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-05 14:29 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-04-05 14:29 10,563 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-05 14:29 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-04-03 14:35 <DIR> --dsh--- c:\documents and settings\tina\IECompatCache
2009-04-02 18:33 <DIR> --dsh--- c:\documents and settings\tina\PrivacIE
2009-04-02 17:17 <DIR> --dsh--- c:\documents and settings\tina\IETldCache
2009-04-02 17:06 <DIR> -cd-h--- c:\windows\ie8
2009-04-02 17:05 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-04-02 16:21 <DIR> --d----- C:\Intel
2009-04-02 16:19 31,048 a------- c:\windows\system32\drivers\point32.sys
2009-04-02 16:19 <DIR> --d----- c:\program files\Microsoft IntelliPoint
2009-04-02 16:06 520,192 -------- c:\windows\system32\ati2sgag.exe
2009-04-02 16:01 <DIR> --d----- C:\ATI
2009-04-02 15:55 1,904 -------- c:\windows\system32\SetupBD.din
2009-04-02 15:15 <DIR> --d----- c:\program files\Uniblue DriverScanner 2009
2009-04-02 14:19 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{DC840DBC-2CB0-4FEA-98ED-F4E3BD2970C7}
2009-04-02 14:18 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{F19A02B4-1684-448C-B152-43B554F2E722}
2009-04-02 14:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DriverScanner
2009-04-02 13:14 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-04-02 11:14 <DIR> --d----- c:\docume~1\tina\applic~1\Malwarebytes
2009-04-02 11:13 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-02 11:13 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-02 11:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-02 11:13 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-02 00:08 <DIR> --d----- c:\windows\SxsCaPendDel

==================== Find3M ====================

2009-03-26 15:23 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-13 18:01 149,768 a------- c:\windows\system32\drivers\WpsHelper.sys
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-02-09 06:13 1,846,784 -------- c:\windows\system32\win32k.sys
2004-04-20 23:15 330,752 ac------ c:\documents and settings\tina\aswclnr.exe
2008-05-11 15:27 848 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-20 15:48 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122020081221\index.dat

============= FINISH: 14:17:21.70 ===============

I am new at this. Thanks in advance for your help!

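The two DDS logs in this thread are read by hand by the helpers, but the lines that matter for triage have a regular shape: the "AV:"/"FW:" status lines at the top (the second log reports on-access scanning and the firewall disabled, which post #2 asks for while the scan runs), "TB:"/"EB:" entries whose CLSID resolves to "No File", "DPF:" ActiveX downloads with defanged hxxp:// URLs, and the 8-character attribute column in "Created Last 30" where an "h" marks a hidden item. The script below is an added example for this thread, not a tool from DDS, BleepingComputer or the poster; it parses those line formats and returns the items a helper would look at first. SAMPLE_LOG is a constructed excerpt in the same format, not copied from the poster's machine, and KNOWN_DOWNLOAD_HOSTS is an assumed allowlist used only for illustration.

```python
"""Triage helper for DDS-style logs (added example; assumes DDS line formats
seen in the thread: AV:/FW: lines, BHO:/TB:/EB: entries, DPF: entries and
the 'Created Last 30' attribute column)."""
import re
from urllib.parse import urlparse

# Constructed sample in DDS format; not a real machine's log.
SAMPLE_LOG = """\
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
FW: Symantec Endpoint Protection *disabled*

============== Pseudo HJT Report ===============

BHO: Example Helper: {11111111-2222-3333-4444-555555555555} - c:\\program files\\example\\helper.dll
TB: {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} - hxxp://www.pestscan.com/scanner/axscanner.cab
DPF: DirectAnimation Java Classes - file://c:\\windows\\java\\classes\\dajava.cab

=============== Created Last 30 ================

2009-04-08 17:18 <DIR> -cd-h--- c:\\docume~1\\alluse~1\\applic~1\\{E18C8A94-0667-4A02-B59B-9CB3A8F22628}
2009-04-02 11:13 15,504 a------- c:\\windows\\system32\\drivers\\mbam.sys
2009-04-11 11:38 3,182 a------- c:\\windows\\system32\\tmp.reg

============= FINISH: 14:17:21.70 ===============
"""

# Assumed allowlist of hosts ActiveX controls are legitimately fetched from.
KNOWN_DOWNLOAD_HOSTS = {
    "fpdownload.macromedia.com",
    "fpdownload2.macromedia.com",
    "java.sun.com",
    "download.microsoft.com",
}

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
ORPHAN_RE = re.compile(r"^(?:BHO|TB|EB):.*?(\{[0-9A-Fa-f-]{36}\})\s+-\s+No File$")
DPF_RE = re.compile(r"^DPF:\s*(.*?)\s+-\s+(\S+)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)\s+([a-z-]{8})\s+(.+)$")


def split_sections(log):
    """Group non-empty lines under the '===== Name =====' headers DDS emits."""
    sections, current = {"header": []}, "header"
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line:
            sections[current].append(line)
    return sections


def protection_status(log):
    """True = product reports itself enabled. DDS writes 'disabled' into
    both the AV on-access line and the FW line when they are off."""
    status = {}
    for line in split_sections(log)["header"]:
        if line.startswith(("AV:", "FW:")):
            status[line[:2]] = "disabled" not in line.lower()
    return status


def orphaned_entries(log):
    """CLSIDs of BHO/toolbar/explorer-bar entries still registered in IE
    although their DLL no longer exists ('No File')."""
    found = []
    for line in split_sections(log).get("Pseudo HJT Report", []):
        m = ORPHAN_RE.match(line)
        if m:
            found.append(m.group(1))
    return found


def unknown_download_hosts(log):
    """Network hosts that DPF (ActiveX) controls were fetched from, minus the
    allowlist. file:// and drive-letter targets have no host and are skipped."""
    hosts = []
    for line in split_sections(log).get("Pseudo HJT Report", []):
        m = DPF_RE.match(line)
        if not m:
            continue
        parsed = urlparse(m.group(2).replace("hxxp", "http", 1))  # undo defanging
        host = parsed.hostname if parsed.scheme in ("http", "https") else None
        if host and host not in KNOWN_DOWNLOAD_HOSTS and host not in hosts:
            hosts.append(host)
    return hosts


def hidden_recent_items(log):
    """Paths created in the last 30 days whose attribute column contains 'h'."""
    return [m.group(4) for m in map(CREATED_RE.match, split_sections(log).get("Created Last 30", []))
            if m and "h" in m.group(3)]


def triage(log):
    return {
        "protection": protection_status(log),
        "orphaned_ie_entries": orphaned_entries(log),
        "unknown_dpf_hosts": unknown_download_hosts(log),
        "hidden_recent_items": hidden_recent_items(log),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved DDS.txt by passing the file contents to triage(). The allowlist is deliberately small: anything it flags is a host to look up, not a verdict, and a "No File" entry is dead registry rather than malware, but both are the kind of leftover a cleanup pass usually removes.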

#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 25 April 2009 - 06:46 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 Reepicheep

Reepicheep
  • Topic Starter

  • Members
  • 12 posts

Posted 26 April 2009 - 04:34 PM

Thanks for your help. I'm still having the problem with the trojan being detected, removed, and then reappearing. Also, a box often pops up that says "IE is not currently set as your default browser, please click here..." and then it disappears after about 5-10 seconds. I did not know if that was related. Here is the new log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Tina at 16:25:01.35 on Sun 04/26/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.923 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
FW: Symantec Endpoint Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\sony\giga pocket\shwserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iGive_Toolbar\igvtt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\QTTask.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\iGive_Toolbar\igvtp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Tina\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Windows Internet Explorer provided by Yahoo!
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: iGive Toolbar: {fa73ae1b-4ba9-4e8b-832b-54a287ff1b7f} - c:\program files\igive_toolbar\igvtb.dll
TB: {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~3.EXE -Update -1103470 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; YComp 5.0.0.0; MathPlayer 2.0; YPC 3.2.0; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; yie8)" -"http://www.fisher-price.com/us/rescueheroes/fun/cdgames/meteor_pop.asp"
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [igvtm] "c:\program files\igive_toolbar\igvtt.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: Append to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Open with WordPerfect - d:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot - search & destroy\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} - hxxp://www2.snapfish.com/SnapfishOutlookImport.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} - hxxp://agent.celebrateexpress.com/netagent/objects/custappx3.CAB
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} - hxxp://www.pestscan.com/scanner/axscanner.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://jran.uscourts.gov/whalecomec32b699752db7cbc29caf21a3355e519eb14ae3b56cad20/whalecom0/iNotes6W.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6D85864F-C902-4C4C-AECB-541E9B929DF6} - hxxp://www.icoachmath.com/MathPlayer/ICMMathPlayer.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://jran.uscourts.gov/InternalSite/WhlCompMgr.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_04-win.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - hxxp://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} - hxxp://cdn.digitalcity.com/_media/dalaillama/ampx.cab
Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4E7FF8BB-0A5A-4AA3-B764-B39BA9A13E38", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDB24F189F-FB14-4EFD-8B9D-217EC6C84EA1", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID86ED3659-02F6-465D-8F19-A9334614CCC3", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID5D7F48C0-CB49-4ea6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDA43C6FC7-09F6-4E04-B8E3-683F3BDFEF7C", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexff15.js - pref("capability.policy.default.classid.cid4c8d6404-a9f6-4236-8488-6c5732cb3bfa", "allaccess");c:\program files\mozilla firefox\defaults\pref\firefox.js:pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-12-8 2440120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-4-5 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusdefs\20090425.020\NAVENG.SYS [2009-4-25 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusdefs\20090425.020\NAVEX15.SYS [2009-4-25 876144]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]
S3 DMService;Whale Component Manager;c:\windows\downlo~1\DMService.exe [2009-1-13 423576]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2008-12-20 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2008-12-20 3072]
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\system32\drivers\mr97310v.sys [2004-3-30 118106]
S4 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe [2007-8-27 53307]

=============== Created Last 30 ================

2009-04-16 17:43 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-16 17:43 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-16 17:43 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-16 17:43 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-16 17:43 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 17:43 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 17:43 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 17:43 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-16 17:43 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-16 17:41 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 17:41 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 17:41 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-14 11:02 <DIR> --d----- C:\Tlcwin
2009-04-11 11:38 3,182 a------- c:\windows\system32\tmp.reg
2009-04-10 18:40 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-10 18:40 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-09 19:12 <DIR> --d----- c:\program files\iPod
2009-04-09 19:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-09 19:03 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-04-08 17:18 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{E18C8A94-0667-4A02-B59B-9CB3A8F22628}
2009-04-08 17:18 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83FC5D7A-8875-4931-80D6-1E3AC725D336}
2009-04-08 15:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-06 17:43 110,872,640 a------- C:\SYM_REGISTRY_BACKUP.reg
2009-04-05 17:20 <DIR> --d----- c:\program files\Enigma Software Group
2009-04-05 14:30 92,488 a------- c:\windows\system32\drivers\SysPlant.sys
2009-04-05 14:29 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-05 14:29 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-04-05 14:29 10,563 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-05 14:29 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-04-03 14:35 <DIR> --dsh--- c:\documents and settings\tina\IECompatCache
2009-04-02 18:33 <DIR> --dsh--- c:\documents and settings\tina\PrivacIE
2009-04-02 17:17 <DIR> --dsh--- c:\documents and settings\tina\IETldCache
2009-04-02 17:06 <DIR> -cd-h--- c:\windows\ie8
2009-04-02 17:05 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-04-02 16:21 <DIR> --d----- C:\Intel
2009-04-02 16:19 31,048 a------- c:\windows\system32\drivers\point32.sys
2009-04-02 16:19 <DIR> --d----- c:\program files\Microsoft IntelliPoint
2009-04-02 16:06 520,192 -------- c:\windows\system32\ati2sgag.exe
2009-04-02 16:01 <DIR> --d----- C:\ATI
2009-04-02 15:55 1,904 -------- c:\windows\system32\SetupBD.din
2009-04-02 15:15 <DIR> --d----- c:\program files\Uniblue DriverScanner 2009
2009-04-02 14:19 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{DC840DBC-2CB0-4FEA-98ED-F4E3BD2970C7}
2009-04-02 14:18 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{F19A02B4-1684-448C-B152-43B554F2E722}
2009-04-02 14:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DriverScanner
2009-04-02 13:14 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-04-02 11:14 <DIR> --d----- c:\docume~1\tina\applic~1\Malwarebytes
2009-04-02 11:13 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-02 11:13 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-02 11:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-02 11:13 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-02 00:08 <DIR> --d----- c:\windows\SxsCaPendDel

==================== Find3M ====================

2009-03-26 15:23 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-13 18:01 149,768 a------- c:\windows\system32\drivers\WpsHelper.sys
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-09 07:10 729,088 -------- c:\windows\system32\lsasrv.dll
2009-02-09 07:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:10 714,752 -------- c:\windows\system32\ntdll.dll
2009-02-09 07:10 617,472 -------- c:\windows\system32\advapi32.dll
2009-02-09 06:13 1,846,784 -------- c:\windows\system32\win32k.sys
2009-02-06 06:11 110,592 -------- c:\windows\system32\services.exe
2009-02-06 06:06 2,145,280 -------- c:\windows\system32\ntoskrnl.exe
2009-02-06 05:39 35,328 -------- c:\windows\system32\sc.exe
2009-02-06 05:32 2,023,936 -------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 14:59 56,832 a------- c:\windows\system32\secur32.dll
2004-04-20 23:15 330,752 ac------ c:\documents and settings\tina\aswclnr.exe
2008-05-11 15:27 848 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-20 15:48 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122020081221\index.dat

============= FINISH: 16:26:17.84 ===============

#4 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 26 April 2009 - 07:34 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Please update Malwarebytes' Anti-Malware and do a full scan instead of a quick scan, and post the log.

Also, after Malwarebytes' Anti-Malware is done:

* Anyone other than the originator of this thread: you would be best advised to not run ComboFix without guidance from someone trained in its use. It is a very powerful tool that can cause damage to your computer if used wrong.

Run comboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Also please post up a log from Symantec that shows the location of the infection. Does the location ever change?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#5 Reepicheep

Reepicheep

  • Topic Starter
  • Members
  • 12 posts

Posted 26 April 2009 - 11:06 PM

Thanks for helping me out. Sorry it took awhile to get back to you.
Yes, it always shows up in the same place--C:\WINDOWS\system32\.00463c07

Here is the Malwarebytes' Anti-Malware Log:
Malwarebytes' Anti-Malware 1.36
Database version: 2046
Windows 5.1.2600 Service Pack 3

4/26/2009 10:04:03 PM
mbam-log-2009-04-26 (22-04-03).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 235221
Time elapsed: 43 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
+++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++
Here is the ComboFix Log:
ComboFix 09-04-25.A3 - Tina 04/26/2009 22:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.990 [GMT -5:00]
Running from: c:\documents and settings\Tina\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
FW: Symantec Endpoint Protection *disabled*
* Created a new restore point
.
Error: Cfiles.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tina\Local Settings\TempICMMathPlayer.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.

2009-04-16 22:43 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 22:43 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 22:43 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 22:43 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 22:43 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 22:43 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 22:43 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 22:43 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 22:43 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 22:41 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 22:41 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 22:41 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 16:02 . 2009-04-14 16:02 -------- d-----w C:\Tlcwin
2009-04-13 20:21 . 2009-04-13 20:21 -------- d-----w c:\documents and settings\Pearce\Application Data\NewSoft
2009-04-11 16:38 . 2009-04-11 16:38 3182 ----a-w c:\windows\system32\tmp.reg
2009-04-11 16:32 . 2008-12-12 06:57 78336 ----a-w c:\windows\system32\Agent.OMZ.Fix.exe
2009-04-11 16:32 . 2008-11-29 23:58 82944 ----a-w c:\windows\system32\IEDFix.C.exe
2009-04-11 16:32 . 2008-09-20 17:45 80384 ----a-w c:\windows\system32\o4Patch.exe
2009-04-11 16:32 . 2008-10-01 20:51 87552 ----a-w c:\windows\system32\VACFix.exe
2009-04-11 16:32 . 2008-08-18 17:19 82432 ----a-w c:\windows\system32\404Fix.exe
2009-04-11 16:32 . 2008-05-19 02:40 82944 ----a-w c:\windows\system32\IEDFix.exe
2009-04-11 16:32 . 2007-10-04 05:36 25600 ----a-w c:\windows\system32\WS2Fix.exe
2009-04-11 16:32 . 2007-09-06 05:22 289144 ----a-w c:\windows\system32\VCCLSID.exe
2009-04-11 16:32 . 2006-04-27 22:49 288417 ----a-w c:\windows\system32\SrchSTS.exe
2009-04-11 16:32 . 2004-07-31 23:50 51200 ----a-w c:\windows\system32\dumphive.exe
2009-04-11 16:32 . 2003-06-06 02:13 53248 ----a-w c:\windows\system32\Process.exe
2009-04-10 23:40 . 2009-04-10 23:40 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-10 23:40 . 2009-04-10 23:40 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-10 23:40 . 2009-04-10 23:40 -------- d-----w c:\program files\Java
2009-04-10 00:12 . 2009-04-10 00:12 -------- d-----w c:\program files\iPod
2009-04-10 00:12 . 2009-04-10 00:13 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-10 00:08 . 2009-04-10 00:09 -------- d-----w c:\program files\QuickTime
2009-04-10 00:03 . 2009-03-26 20:23 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-04-09 23:53 . 2009-04-09 23:54 -------- d-----w c:\program files\Safari
2009-04-09 04:56 . 2009-04-09 05:11 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-08 22:18 . 2009-04-08 22:18 -------- dc-h--w c:\documents and settings\All Users\Application Data\{E18C8A94-0667-4A02-B59B-9CB3A8F22628}
2009-04-08 22:18 . 2009-04-08 22:18 -------- dc-h--w c:\documents and settings\All Users\Application Data\{83FC5D7A-8875-4931-80D6-1E3AC725D336}
2009-04-08 20:20 . 2009-04-08 20:23 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-07 19:25 . 2009-04-07 19:44 -------- d-----w c:\documents and settings\Tina\Local Settings\Application Data\Canon Easy-PhotoPrint EX
2009-04-06 22:43 . 2009-04-06 22:43 110872640 ----a-w C:\SYM_REGISTRY_BACKUP.reg
2009-04-06 20:12 . 2009-04-06 20:12 -------- d-----w c:\documents and settings\Pearce\Local Settings\Application Data\ATI
2009-04-06 20:12 . 2009-04-06 20:12 -------- d-----w c:\documents and settings\Pearce\Application Data\ATI
2009-04-06 20:11 . 2009-04-06 20:11 -------- d-sh--w c:\documents and settings\Pearce\IETldCache
2009-04-05 22:20 . 2009-04-05 22:20 -------- d-----w c:\program files\Enigma Software Group
2009-04-05 19:30 . 2008-12-09 02:45 92488 ----a-w c:\windows\system32\drivers\SysPlant.sys
2009-04-05 19:29 . 2009-04-05 19:29 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-04-05 19:29 . 2009-04-05 19:29 60800 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-04-05 19:29 . 2009-04-05 19:29 123952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-05 19:29 . 2009-04-05 19:29 10563 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-03 19:35 . 2009-04-03 19:35 -------- d-sh--w c:\documents and settings\Tina\IECompatCache
2009-04-03 03:14 . 2009-04-03 03:14 -------- d-sh--w c:\documents and settings\NetworkService\PrivacIE
2009-04-03 03:04 . 2009-04-03 03:04 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-03 01:54 . 2009-04-10 13:24 1341496 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-02 23:33 . 2009-04-02 23:33 -------- d-sh--w c:\documents and settings\Tina\PrivacIE
2009-04-02 22:39 . 2009-04-02 22:39 -------- d-sh--w c:\documents and settings\LocalService\PrivacIE
2009-04-02 22:18 . 2009-04-02 22:18 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-02 22:17 . 2009-04-02 22:17 -------- d-sh--w c:\documents and settings\Tina\IETldCache
2009-04-02 22:06 . 2009-04-02 22:07 -------- dc-h--w c:\windows\ie8
2009-04-02 22:05 . 2009-04-02 22:11 -------- d--h--w c:\windows\msdownld.tmp
2009-04-02 21:32 . 2009-04-02 21:32 -------- d-----w c:\documents and settings\Tina\Local Settings\Application Data\ATI
2009-04-02 21:32 . 2009-04-02 21:32 -------- d-----w c:\documents and settings\Tina\Application Data\ATI
2009-04-02 21:21 . 2009-04-02 21:21 -------- d-----w C:\Intel
2009-04-02 21:19 . 2008-06-10 18:04 31048 ----a-w c:\windows\system32\drivers\point32.sys
2009-04-02 21:19 . 2009-04-02 21:19 -------- d-----w c:\program files\Microsoft IntelliPoint
2009-04-02 21:06 . 2006-05-03 16:57 520192 ------w c:\windows\system32\ati2sgag.exe
2009-04-02 21:01 . 2009-04-02 21:01 -------- d-----w C:\ATI
2009-04-02 20:55 . 2006-01-12 19:52 1904 ------w c:\windows\system32\SetupBD.din
2009-04-02 20:15 . 2009-04-08 22:17 -------- d-----w c:\program files\Uniblue DriverScanner 2009
2009-04-02 19:19 . 2009-04-02 19:19 -------- dc-h--w c:\documents and settings\All Users\Application Data\{DC840DBC-2CB0-4FEA-98ED-F4E3BD2970C7}
2009-04-02 19:18 . 2009-04-02 19:18 -------- dc-h--w c:\documents and settings\All Users\Application Data\{F19A02B4-1684-448C-B152-43B554F2E722}
2009-04-02 19:12 . 2009-04-08 22:21 -------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2009-04-02 18:14 . 2009-01-09 19:19 1089593 -c----w c:\windows\system32\dllcache\ntprint.cat
2009-04-02 16:14 . 2009-04-02 16:14 -------- d-----w c:\documents and settings\Tina\Application Data\Malwarebytes
2009-04-02 16:13 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 16:13 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-02 16:13 . 2009-04-02 16:13 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-02 16:13 . 2009-04-08 05:16 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-02 05:08 . 2009-04-02 05:40 -------- d-----w c:\windows\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 03:08 . 2008-12-14 14:19 -------- d-----w c:\documents and settings\Tina\Application Data\iGive_Toolbar
2009-04-26 22:32 . 2007-04-03 21:46 -------- d-----w c:\program files\JumpStart
2009-04-20 15:55 . 2008-03-19 01:21 -------- d-----w c:\program files\Typing Instructor for Kids 3
2009-04-16 22:54 . 2008-05-10 23:13 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-13 16:06 . 2009-03-03 20:18 -------- d-----w c:\documents and settings\Pearce\Application Data\iGive_Toolbar
2009-04-11 16:42 . 2009-04-11 16:38 2902 ----a-w C:\rapport.txt
2009-04-10 00:12 . 2008-12-21 01:31 -------- d-----w c:\program files\Common Files\Apple
2009-04-08 22:18 . 2008-04-03 20:57 -------- d-----w c:\program files\Uniblue
2009-04-07 23:03 . 2008-01-19 18:57 65131 ----a-w C:\logfile
2009-04-06 20:12 . 2009-03-10 20:59 113096 ----a-w c:\documents and settings\Pearce\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-05 19:34 . 2003-10-02 23:46 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-05 19:31 . 2003-10-02 23:46 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-05 19:29 . 2004-09-17 03:50 -------- d-----w c:\program files\Symantec
2009-04-05 19:22 . 2004-12-08 03:08 -------- d-----w c:\program files\Lavasoft Ad-Aware
2009-04-02 21:43 . 2004-01-08 17:18 113096 -c--a-w c:\documents and settings\Tina\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-02 21:08 . 2003-08-15 21:04 -------- d-----w c:\program files\ATI Technologies
2009-04-02 20:56 . 2003-08-14 21:50 -------- d-----w c:\program files\Intel
2009-04-02 19:32 . 2008-04-03 20:57 -------- d-----w c:\documents and settings\Tina\Application Data\Uniblue
2009-04-02 07:27 . 2008-06-14 23:29 -------- d-----w c:\program files\Microsoft SQL Server
2009-04-02 06:51 . 2003-08-14 21:50 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-31 23:20 . 2005-02-11 15:32 -------- d-----w c:\documents and settings\Pearce\Application Data\Yahoo!
2009-03-26 20:23 . 2008-12-21 01:32 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-22 16:32 . 2009-03-22 16:32 -------- d-----w c:\documents and settings\Rob\Application Data\iGive_Toolbar
2009-03-19 21:32 . 2008-12-21 01:36 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-13 23:01 . 2008-06-20 04:12 149768 ----a-w c:\windows\system32\drivers\WpsHelper.sys
2009-03-08 09:34 . 2005-06-18 05:49 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 09:34 . 2003-08-14 02:58 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 09:33 . 2003-08-14 02:57 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 09:33 . 2003-08-14 02:58 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 09:32 . 2003-08-14 02:57 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 09:32 . 2003-08-14 02:58 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 09:31 . 2003-08-14 02:58 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 09:31 . 2003-08-14 02:58 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 09:31 . 2003-08-14 02:58 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 09:22 . 2003-08-14 02:58 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 15:47 . 2009-03-06 15:47 -------- d-----w c:\documents and settings\Tina\Application Data\InstallShield
2009-03-06 14:22 . 2003-08-14 02:58 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-28 16:41 . 2008-12-14 14:19 -------- d-----w c:\program files\iGive_Toolbar
2009-02-26 16:13 . 2009-02-26 16:13 -------- d-----w c:\program files\Discovery Multimedia
2009-02-26 16:07 . 2009-02-26 16:07 -------- d-----w c:\program files\directx
2009-02-26 15:57 . 2009-02-26 15:56 -------- d-----w c:\documents and settings\Tina\Application Data\NewSoft
2009-02-26 15:21 . 2008-05-26 05:39 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-09 12:10 . 2003-08-14 02:58 729088 ------w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-07-26 04:31 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2003-08-14 02:58 714752 ------w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2003-08-14 02:57 617472 ------w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2003-08-14 02:58 1846784 ------w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2003-08-14 02:58 110592 ------w c:\windows\system32\services.exe
2009-02-06 11:06 . 2002-08-29 01:04 2145280 ------w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2003-08-14 02:58 35328 ------w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2002-08-29 01:04 2023936 ------w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2003-08-14 02:58 56832 ----a-w c:\windows\system32\secur32.dll
2006-01-09 23:15 . 2006-01-09 23:15 66224 -c--a-w c:\documents and settings\Rob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2004-04-21 04:15 . 2004-04-21 04:15 330752 -c--a-w c:\documents and settings\Tina\aswclnr.exe
2007-11-28 01:2007-11-28 01:05 05:48 . c:\program files\mozilla firefox\components\jar50.dll
2007-11-28 01:2007-11-28 01:05 05:49 . c:\program files\mozilla firefox\components\jsd3250.dll
2007-11-28 01:2007-11-28 01:05 05:48 . c:\program files\mozilla firefox\components\xpinstal.dll
2008-05-11 20:27 . 2008-05-11 20:27 848 -csha-w c:\windows\system32\KGyGaAvL.sys
2008-12-20 20:48 . 2008-12-20 20:48 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008122020081221\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-24 1409024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-06 335872]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"igvtm"="c:\program files\iGive_Toolbar\igvtt.exe" [2008-08-29 300328]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-10 148888]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-07-22 88361]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
backup=c:\windows\pss\AT&T Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Remocon Driver.lnk]
backup=c:\windows\pss\Remocon Driver.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WUSB54Gv42SVC"=2 (0x2)
"VAIOMediaPlatform-VideoServer-HTTP"=2 (0x2)
"VAIOMediaPlatform-VideoServer-AppServer"=2 (0x2)
"VAIOMediaPlatform-PhotoServer-UPnP"=2 (0x2)
"VAIOMediaPlatform-PhotoServer-HTTP"=2 (0x2)
"VAIOMediaPlatform-PhotoServer-AppServer"=2 (0x2)
"VAIOMediaPlatform-MusicServer-UPnP"=2 (0x2)
"VAIOMediaPlatform-MusicServer-HTTP"=2 (0x2)
"VAIOMediaPlatform-MusicServer-AppServer"=2 (0x2)
"Sony TV Tuner Manager"=3 (0x3)
"Sony TV Tuner Controller"=3 (0x3)
"MSSQL$SOSHOME22"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"c:\\Program Files\\Sony\\giga pocket\\gps.exe"=
"c:\\Program Files\\Yahoo!\\browser\\YBrowser.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\SBC Self Support Tool\\SmartBridge\\MotiveSB.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Yahoo!\\browser\\ycommon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=

R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-11-18 23888]
R3 DMService;Whale Component Manager;c:\windows\DOWNLO~1\DMService.exe [2009-01-14 423576]
R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2008-11-25 8704]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2008-11-25 3072]
R3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\system32\DRIVERS\mr97310v.sys [2004-03-30 118106]
R4 WUSB54Gv42SVC;WUSB54Gv42SVC; [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-16 101936]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-04-02 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 17:56]

2003-11-11 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-08-14 00:12]
.
- - - - ORPHANS REMOVED - - - -

HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~3.EXE -Update -1103470 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; YComp 5.0.0.0; MathPlayer 2.0; YPC 3.2.0; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Open with WordPerfect - d:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
DPF: {6D85864F-C902-4C4C-AECB-541E9B929DF6} - hxxp://www.icoachmath.com/MathPlayer/ICMMathPlayer.CAB
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4E7FF8BB-0A5A-4AA3-B764-B39BA9A13E38", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDB24F189F-FB14-4EFD-8B9D-217EC6C84EA1", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID86ED3659-02F6-465D-8F19-A9334614CCC3", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID5D7F48C0-CB49-4ea6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDA43C6FC7-09F6-4E04-B8E3-683F3BDFEF7C", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4C8D6404-A9F6-4236-8488-6C5732CB3BFA", "AllAccess");c:\program files\Mozilla Firefox\defaults\pref\firefox.js:pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 22:36
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

c:\windows\system32\.00463c07\00463c07.exe [1844] 0x88EACDA0

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\.00463c07

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\00463c07]
"ImagePath"="c:\windows\system32\.00463c07\00463c07.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-27 22:40
ComboFix-quarantined-files.txt 2009-04-27 03:39

Pre-Run: 17,118,629,888 bytes free
Post-Run: 17,269,526,528 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

313 --- E O F --- 2009-04-16 22:58
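The catchme block in the log above reports four patched NTDLL exports, one hidden process and one hidden directory. The following Python helper is an added example, not part of this thread and not code from ComboFix or catchme: it parses that section (using a constructed sample modelled on the log) and maps each hooked export to what it filters on the host, which is why a hooked ZwQueryDirectoryFile keeps `c:\windows\system32\.00463c07` out of Explorer's listing even with hidden files shown.

```python
import re

# Constructed sample modelled on the catchme section of the ComboFix log above.
SAMPLE = """\
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
detected NTDLL code modification:
ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation
scanning hidden processes ...
c:\\windows\\system32\\.00463c07\\00463c07.exe [1844] 0x88EACDA0
scanning hidden autostart entries ...
scanning hidden files ...

c:\\windows\\system32\\.00463c07

scan completed successfully
hidden files: 1
"""

# What a hook on each NTDLL export hides from ordinary tools on the host.
HOOK_EFFECT = {
    "ZwQueryDirectoryFile": "directory listings (Explorer, dir) are filtered",
    "ZwQuerySystemInformation": "process lists (Task Manager) are filtered",
    "ZwEnumerateKey": "registry key enumeration (regedit) is filtered",
    "ZwEnumerateValueKey": "registry value enumeration (regedit) is filtered",
}
SECTION_RE = re.compile(r"^scanning hidden (processes|autostart entries|files) \.\.\.$")
PROCESS_RE = re.compile(r"^(?P<path>.+?) \[(?P<pid>\d+)\] (?P<addr>0x[0-9A-Fa-f]+)$")

def parse_catchme(text):
    """Split catchme output into sections and collect every hooked/hidden item."""
    rep = {"hooked": [], "processes": [], "autostart entries": [], "files": [], "claimed": -1}
    section, lines = None, text.splitlines()
    for idx, raw in enumerate(lines):
        line = raw.strip()
        if not line:
            continue
        if line == "detected NTDLL code modification:":
            # the hooked exports are listed comma-separated on the following line
            rep["hooked"] = [n.strip() for n in lines[idx + 1].split(",") if n.strip()]
        elif (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif line.startswith("scan completed"):
            section = None
        elif (m := re.match(r"^hidden files: (\d+)$", line)):
            rep["claimed"] = int(m.group(1))
        elif section == "processes" and (m := PROCESS_RE.match(line)):
            rep["processes"].append((m["path"], int(m["pid"]), m["addr"]))
        elif section in ("autostart entries", "files"):
            rep[section].append(line)
    return rep

def findings(rep):
    """Conclusions a responder would draw: what is hooked, what is hidden."""
    out = [f"{fn} hooked: {HOOK_EFFECT.get(fn, 'unknown effect')}" for fn in rep["hooked"]]
    out += [f"hidden process {p} (pid {pid})" for p, pid, _ in rep["processes"]]
    out += [f"hidden file/dir {f}" for f in rep["files"]]
    if rep["claimed"] != len(rep["files"]):
        out.append("warning: 'hidden files:' count does not match the entries listed")
    return out
```

Run `findings(parse_catchme(SAMPLE))` to get the six findings for the sample; feed a real catchme section in place of `SAMPLE` to triage a log the same way.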

#6 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:05:45 AM

Posted 27 April 2009 - 02:43 AM

Also please post up a log from Symantec that shows the location of the infection. Does the location ever change?


Can you go to the file? C:\WINDOWS\system32\.00463c07
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#7 Reepicheep

Reepicheep
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 27 April 2009 - 09:28 AM

I haven't been able to find it. That was one of the first things I tried, but I can't find it in the system32 folder.

#8 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:05:45 AM

Posted 27 April 2009 - 09:38 AM

Do you have your computer set to display hidden and system folders and files?

#9 Reepicheep

Reepicheep
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 27 April 2009 - 11:52 AM

How do I do that?

#10 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:05:45 AM

Posted 27 April 2009 - 12:15 PM

1. Double-click on the My Computer icon.
2. Select the Tools menu and click Folder Options.
3. After the new window appears select the View tab.
4. Put a checkmark in the checkbox labeled Display the contents of system folders.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and close My Computer.
9. Now your computer is configured to show all hidden files.

#11 Reepicheep

Reepicheep
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 27 April 2009 - 10:03 PM

Done. But no luck on finding the file in the system32 folder.

#12 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:05:45 AM

Posted 28 April 2009 - 11:14 AM

Please perform a BitDefender Online Virus and Malware Scan here:
http://www.bitdefender.com/scan8/ie.html
* Click on I Agree.
* An ActiveX warning box will appear, click on Install.
* Under Select What You Want To Check For Viruses.
* Please Check My Computer and Click Ok
* Now Click On Click Here To Scan
* Next, Click on Click here to export the scan report
* Save it to your Desktop.
* In your next reply, please include the BitDefender log and a fresh HijackThis log.

#13 Reepicheep

Reepicheep
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 28 April 2009 - 08:38 PM

Both are attached


#14 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:05:45 AM

Posted 28 April 2009 - 09:49 PM

Do another scan with Symantec and see if it still finds the Trojan. If it does, Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click smitfraudfix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.


Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm

#15 Reepicheep

Reepicheep
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 29 April 2009 - 12:11 AM

SmitFraudFix v2.412

Scan done at 0:07:46.51, Wed 04/29/2009
Run from C:\Documents and Settings\Tina\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\sony\giga pocket\shwserv.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iGive_Toolbar\igvtt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\QTTask.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\iGive_Toolbar\igvtp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\Documents and Settings\Tina\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Tina


C:\DOCUME~1\Tina\LOCALS~1\Temp


C:\Documents and Settings\Tina\Application Data


Start Menu


C:\WINDOWS\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS

Description: Intel® PRO/100 VE Network Connection - Teefer2 Miniport
DNS Server Search Order: 192.168.1.254

Description: Intel® PRO/100 VE Network Connection - Teefer2 Miniport
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3DA15ACF-1254-4A74-A789-51ECABD51682}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6E704D84-2BB9-4139-83CB-FDE2D9C10551}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3DA15ACF-1254-4A74-A789-51ECABD51682}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6E704D84-2BB9-4139-83CB-FDE2D9C10551}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3DA15ACF-1254-4A74-A789-51ECABD51682}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6E704D84-2BB9-4139-83CB-FDE2D9C10551}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


Scanning for wininet.dll infection


End