
Pretty nasty infection; not sure what type? :\ Would love some help


  • This topic is locked
18 replies to this topic

#1 JethroTull

  • Members
  • 9 posts

Posted 02 May 2009 - 04:36 PM

Greetings, for the past couple days I've been having a number of problems. My Symantec software, though outdated, has been alerting me of numerous attacks that have been prevented, and apparently blocked a huge amount of spam e-mails that my computer was apparently trying to send on its own. I've also been having a number of adware pop-ups constantly. Ran Malwarebytes' Anti-Malware a few times, and apparently it cleared a number of infections (Trojan.Agent, Vundo, Wormkit.Koobface, Trojan.Downloader, Hijack.Regedit, and a number of others); I've attached the last successful anti-malware log after the latest successful scan, along with the DDS file. Sorry I don't know anything more specific. : / Any help I could get would be GREATLY appreciated.
EDIT: Also, forgot to say that whatever is causing the numerous windows from Symantec saying that an attack on my computer has been prevented and that a number of e-mails have been blocked is apparently bogging down my internet connection TERRIBLY. It may have also changed some settings for connecting to the internet, I'm not really sure. Just navigating to this page takes a good 5 minutes, and I can't manage to get any of my anti-malware/virus software to connect to the internet to update/renew subscriptions. Again, any help would be appreciated.

Anywho, here's the DDS:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Carpenter at 17:17:17.81 on Sat 05/02/2009
Internet Explorer: 8.0.6001.18241
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.735 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
FW: Norton AntiVirus *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Razer\Diamondback 3G\razerhid.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Razer\Diamondback 3G\razertra.exe
C:\Program Files\Razer\Diamondback 3G\razerofa.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft Reader\msreader.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\DOCUME~1\CARPEN~1\LOCALS~1\Temp\mozOpenDownload\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://start.warez.com/
mDefault_Page_URL = hxxp://www.defaulthomepage.info
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [\\BRIAN-1\EPSON Stylus CX8400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticea.exe /fu "c:\docume~1\carpen~1\locals~1\temp\E_S17C6.tmp" /EF "HKCU"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CurseClient] c:\program files\curse\CurseClient.exe -silent
uRun: [<NO NAME>] c:\docume~1\carpen~1\locals~1\temp\yu4qdpzczw.exe
uRun: [reader_s] c:\documents and settings\carpenter\reader_s.exe
uRun: [DL32] DL32
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Diamondback] c:\program files\razer\diamondback 3g\razerhid.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton antivirus\osCheck.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\client~1.lnk - c:\program files\buffalo\client manager3\cm3_tray.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203623500508
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: xcouqo.dll c:\windows\system32\topudimi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli c:\windows\system32\topudimi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\carpen~1\applic~1\mozilla\firefox\profiles\y374ps1y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT649865&SearchSource=3&q=
FF - prefs.js: browser.startup.homepage - chrome://fastdial/content/fastdial.html
FF - component: c:\documents and settings\carpenter\application data\mozilla\firefox\profiles\y374ps1y.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\documents and settings\carpenter\application data\mozilla\firefox\profiles\y374ps1y.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\documents and settings\carpenter\application data\mozilla\firefox\profiles\y374ps1y.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\carpenter\application data\mozilla\firefox\profiles\y374ps1y.default\extensions\npdyyno@dyyno.com\plugins\npDyyno.dll
FF - plugin: c:\documents and settings\carpenter\application data\mozilla\firefox\profiles\y374ps1y.default\extensions\solidstateion@solidstatenetworks.com\plugins\npssn.dll
FF - plugin: c:\documents and settings\carpenter\application data\mozilla\firefox\profiles\y374ps1y.default\extensions\yyginstantplay@yoyogames.com\plugins\NPYYGInstantPlay.dll
FF - plugin: c:\documents and settings\carpenter\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\carpenter\local settings\application data\octoshape\octoshape streaming services\octoprogram-l03-nms0808270_sua_900\npoctoshape.dll
FF - plugin: c:\documents and settings\carpenter\local settings\application data\octoshape\octoshape streaming services\octoprogram-l03-nms0810164_sua_000\npoctoshape.dll
FF - plugin: c:\program files\dyyno\dyyno player\npvlc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPStreamPlug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\octoshape streaming services\carpenter\octoprogram-l03-nms0806110_sua_900\npoctoshape.dll
FF - plugin: c:\program files\octoshape streaming services\carpenter\octoprogram-l03-nms0806260_sua_000\npoctoshape.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-3-14 105632]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-1-24 179856]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-23 24652]
R3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-3-14 105632]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-1 101936]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-1-24 15504]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-24 38496]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090313.007\NAVENG.SYS [2009-3-13 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090313.007\NAVEX15.SYS [2009-3-13 876144]
R3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [2008-3-1 13225]
R3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-3-14 1251720]
R3 WLIU2KG125S;BUFFALO WLI-U2-KG125S Wireless LAN Adapter Driver;c:\windows\system32\drivers\usb8023.sys [2004-8-4 12800]

=============== Created Last 30 ================

2009-05-02 14:37 <DIR> --d----- c:\documents and settings\carpenter\.housecall6.6
2009-05-02 12:15 61,440 a------- c:\windows\system32\drivers\jlegjpr.sys
2009-05-02 11:23 93,564 a------- c:\windows\system32\drivers\58fccd0c.sys
2009-05-02 11:23 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-05-02 11:23 2 a------- C:\-2067336768
2009-04-30 21:40 <DIR> --d----- c:\program files\World of Warcraft Public Test
2009-04-30 16:55 <DIR> --d----- c:\program files\MediaMonkey
2009-04-27 07:12 5,632 a------- c:\windows\system32\ptpusb.dll
2009-04-27 07:12 159,232 a------- c:\windows\system32\ptpusd.dll
2009-04-27 07:12 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-04-27 07:12 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-04-24 18:53 <DIR> --d----- c:\program files\iPod
2009-04-24 18:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-22 11:51 <DIR> --d----- c:\program files\common files\DivX Shared
2009-04-18 10:51 1,409,571 ---sh--- c:\windows\system32\isakayug.ini
2009-04-09 10:46 695 a------- c:\windows\ST6UNST.000
2009-04-09 10:46 0 a------- c:\windows\SETUP.LST
2009-04-08 15:04 258,352 a------- c:\windows\system32\unicows.dll
2009-04-07 19:41 <DIR> --d----- c:\docume~1\carpen~1\applic~1\GetRightToGo
2009-04-05 13:30 <DIR> --d----- c:\docume~1\carpen~1\applic~1\id Software
2009-04-05 13:26 138,944 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-04-05 13:26 22,328 a------- c:\docume~1\carpen~1\applic~1\PnkBstrK.sys
2009-04-05 13:26 189,784 a------- c:\windows\system32\PnkBstrB.exe
2009-04-05 13:26 2,246,144 a------- c:\windows\system32\pbsvc.exe
2009-04-05 13:26 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-04-05 13:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\id Software

==================== Find3M ====================

2009-05-02 11:23 578,560 a------- c:\windows\system32\user32.DLL
2009-05-02 11:23 63,488 a--sh--- c:\windows\system32\hipehuko.exe
2009-05-01 11:22 63,488 a--sh--- c:\windows\system32\kibarofa.exe
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-29 16:29 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-29 16:29 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-03-29 16:29 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-29 16:29 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-03-20 18:25 41,808 a------- c:\windows\system32\xfcodec.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-02 00:32 1,665,122 ---sh--- c:\windows\system32\upapudep.tmp
2009-02-20 16:30 94,208 a------- c:\windows\ScUnin.exe
2009-02-20 16:30 35,190 a------- c:\windows\scunin.dat
2009-02-17 00:17 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-07-02 13:57 0 a------- c:\documents and settings\carpenter\jagex_runescape_preferences.dat
2008-04-17 17:53 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-10-20 11:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102020081021\index.dat

============= FINISH: 17:18:28.07 ===============

Edited by JethroTull, 03 May 2009 - 11:33 AM.
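As an added example (not part of this thread, of DDS, or of BleepingComputer's tooling), the script below triages the Pseudo HJT Report section of a DDS log like the one above for the indicators a helper checks first: a ProxyServer pointed at localhost, a populated AppInit_DLLs value, a non-default LSA notification package, the DisableTaskMgr policy, and autoruns launched from temp or profile-root locations or without a full path. The rule names, the Finding structure and the embedded sample (a subset of the log's own lines) are this example's own.

```python
"""Triage the Pseudo HJT Report section of a DDS log for persistence and tampering indicators.
Added example: the line formats follow the DDS log in this thread; the rule names are this example's own."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: a subset of the Pseudo HJT Report lines from the DDS log posted above.
SAMPLE_DDS = r"""============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>] c:\docume~1\carpen~1\locals~1\temp\yu4qdpzczw.exe
uRun: [reader_s] c:\documents and settings\carpenter\reader_s.exe
uRun: [DL32] DL32
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
dPolicies-system: DisableTaskMgr = 1 (0x1)
AppInit_DLLs: xcouqo.dll c:\windows\system32\topudimi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\topudimi.dll
================= FIREFOX ===================
FF - prefs.js: browser.startup.homepage - chrome://fastdial/content/fastdial.html
"""

@dataclass
class Finding:
    rule: str
    line: str
    reason: str

RUN_LINE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", re.I)
# Temp folders in both long and 8.3 form, as DDS prints them.
TEMP_DIR = re.compile(r"\\(temp|local settings\\temp|locals~1\\temp)\\", re.I)
# An .exe sitting directly in the user profile root (c:\documents and settings\<user>\x.exe).
PROFILE_ROOT = re.compile(r"^[a-z]:\\(documents and settings|docume~1)\\[^\\]+\\[^\\]+\.exe$", re.I)

def pseudo_hjt_section(log: str) -> list[str]:
    """Return the non-empty lines between the Pseudo HJT banner and the next banner."""
    lines, inside = [], False
    for line in log.splitlines():
        if line.startswith("=") and "Pseudo HJT Report" in line:
            inside = True
        elif inside and line.startswith("="):
            break
        elif inside and line.strip():
            lines.append(line.rstrip())
    return lines

def image_path(cmd: str) -> str:
    """Path of what actually runs: the .exe, or the DLL when rundll32 is only the host."""
    cmd = cmd.strip().strip('"')
    host = re.match(r"rundll32(\.exe)?\s+(?P<dll>[^,]+)", cmd, re.I)
    if host:
        return host.group("dll").strip()
    exe = re.search(r"\.exe", cmd, re.I)
    return cmd[: exe.end()] if exe else cmd.split(" ", 1)[0]

def triage(log: str) -> list[Finding]:
    """Apply each rule to the Pseudo HJT lines and collect findings in log order."""
    findings: list[Finding] = []
    for line in pseudo_hjt_section(log):
        low = line.lower()
        if "proxyserver" in low and re.search(r"(localhost|127\.0\.0\.1):\d+", low):
            findings.append(Finding("local-proxy", line,
                "browser traffic forced through a proxy on this host; typical of traffic-hijacking malware"))
        elif low.startswith("appinit_dlls:") and line.split(":", 1)[1].strip():
            findings.append(Finding("appinit-dll", line,
                "DLLs injected into every process that loads user32; a classic persistence point"))
        elif low.startswith("lsa: notification packages"):
            extra = [p for p in line.split("=", 1)[1].split() if p.lower() != "scecli"]
            if extra:
                findings.append(Finding("lsa-package", line,
                    f"non-default LSA notification package {extra}; loaded by lsass at boot"))
        elif low.startswith("dpolicies-system:") and "disabletaskmgr = 1" in low:
            findings.append(Finding("taskmgr-disabled", line,
                "Task Manager disabled by policy; keeps the user from inspecting processes"))
        else:
            run = RUN_LINE.match(line)
            if not run:
                continue
            name, path = run.group("name"), image_path(run.group("cmd"))
            if name == "<NO NAME>" or TEMP_DIR.search(path) or PROFILE_ROOT.match(path):
                findings.append(Finding("suspicious-autorun", line,
                    f"autorun '{name}' starts {path} from a temp or user-profile location"))
            elif "\\" not in path:
                findings.append(Finding("pathless-autorun", line,
                    f"autorun '{name}' names '{path}' without a full path; resolved via PATH at logon"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.rule}] {f.line}\n    {f.reason}")
```

The ProxyOverride, ctfmon, ccApp and NvCplDaemon lines are deliberately included in the sample as entries the rules should leave alone; the FIREFOX banner shows where the section parser stops.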



#2 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 May 2009 - 01:07 PM

Hello JethroTull,

Please disable any running anti-virus program before running Kaspersky Online Scanner.
If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Close any open browsers

Please do a scan with Kaspersky Online Scanner

You can refer to this animation by sundavis.


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 JethroTull
  • Topic Starter

  • Members
  • 9 posts

Posted 04 May 2009 - 11:30 PM

Hey, and thanks for replying :D
I would have replied earlier but I've been kind of busy. Anyway, I ran the Kaspersky scan, but I did it in Safe Mode, as I've had my computer running in Safe Mode for a while as it's the only possible way to get things done lately. Would that have made a difference in the scan results? Anyway, here's the scan report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, May 5, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, May 05, 2009 03:57:46
Records in database: 2132665
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 129701
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:58:05


File name / Threat name / Threats count
C:\Documents and Settings\Carpenter\Local Settings\Temp\403.tmp Infected: Trojan-Downloader.Win32.Boltolog.bqa 1
C:\Documents and Settings\Carpenter\Local Settings\Temp\e.exe Infected: Trojan.Win32.Stuh.ipb 1
C:\Documents and Settings\Carpenter\My Documents\My Pictures\SRSOBAMA.jpg Infected: Exploit.HTML.DialogArg 1

The selected area was scanned.

#4 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 05 May 2009 - 12:26 PM

Hi JethroTull,

You have some suspicious files we need to check.

You will need to see hidden files, so follow these directions:
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Go to the next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'.
Click the browse button and browse to the next file:

c:\documents and settings\carpenter\reader_s.exe


Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for the next files:

c:\program files\adobe\reader 8.0\reader\Reader_sl.exe


Once scanned, copy and paste the results in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.

Edited by SifuMike, 05 May 2009 - 12:28 PM.


#5 JethroTull
  • Topic Starter

  • Members
  • 9 posts

Posted 05 May 2009 - 02:00 PM

Apparently, I don't have the reader_s file. Not in that folder anyway. Results for c:\program files\adobe\reader 8.0\reader\Reader_sl.exe (I'm assuming you want the additional information; for all the antivirus programs it has listed, it only shows a '-' under results):

Additional information
File size: 39792 bytes
MD5...: 8b9145d229d4e89d15acb820d4a3a90f
SHA1..: 7c247e92e43a6e57dca062b771f487476a4653e5
SHA256: f3831d9ae752b6afbd3380e0bc849e4b051d6e06a88c1f61293a6de4f66794e1
SHA512: c704fa61cdf6c6ddd55a6b83e8c88a96d09b9c9895a6197c677f5b2cde1c0b24fa1c8a9d3540e2da63293059efb5225adb3cecd52f81ca4633e30d73c87d5197
ssdeep: 768:kOnsr7SyE6SbAqbzTAmItEP/vycZiOL38DL4Ibc:WnfEpbBzTNItEP32OL38Dlc
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (72.0%)
Windows Screen Saver (11.0%)
Win32 Executable Generic (7.1%)
Win32 Dynamic Link Library (generic) (6.3%)
Generic Win/DOS Executable (1.6%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3d84
timedatestamp.....: 0x47885b3e (Sat Jan 12 06:16:30 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x350c 0x3600 6.23 3cc9b10cf211ccd8e6c50ea043e51a26
.rdata 0x5000 0x4086 0x4200 4.14 9bbb5a9e9c137d78c09696de435911fd
.data 0xa000 0x76c 0x400 4.00 14ef9c05686b6419f58d1fbc12d6dfb5
.rsrc 0xb000 0x508 0x600 4.48 5b70504f65574cf69914659ebe040f89

( 6 imports )
> KERNEL32.dll: CloseHandle, TerminateThread, CreateThread, InitializeCriticalSection, CreateEventA, GetSystemInfo, UnmapViewOfFile, CreateFileA, VirtualQueryEx, GetCurrentProcess, MapViewOfFile, CreateFileMappingA, GetFileAttributesA, FindClose, FindNextFileA, FindFirstFileA, ReadFile, DeleteCriticalSection, GetTempPathA, GetWindowsDirectoryA, GetSystemDirectoryA, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoA, InterlockedCompareExchange, Sleep, InterlockedExchange, GetSystemTimeAsFileTime, GetCurrentThread, GetModuleHandleA, GetModuleFileNameA, EnterCriticalSection, SetEvent, SetThreadPriority, LeaveCriticalSection, SetFilePointer, WaitForSingleObject
> USER32.dll: GetMessageA, SetTimer, DispatchMessageA, TranslateMessage, KillTimer, DestroyWindow, UnregisterClassA, LoadIconA, LoadCursorA, RegisterClassExA, CreateWindowExA, DefWindowProcA, PostQuitMessage, FindWindowA
> ADVAPI32.dll: OpenSCManagerA, QueryServiceStatus, CloseServiceHandle, RegOpenKeyA, RegQueryValueExA, RegCloseKey, RegQueryValueA, OpenServiceA
> SHELL32.dll: SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc
> MSVCP80.dll: _append@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@PBD@Z, __4_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV01@PBD@Z, _npos@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@2IB, _erase@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@II@Z, __0_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@PBDI@Z, _append@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@ABV12@@Z, __0_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@ABV01@@Z, __1_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@XZ, _c_str@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QBEPBDXZ, __$_MDU_$char_traits@D@std@@V_$allocator@D@1@@std@@YA_NABV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@0@0@Z, __0_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@XZ, __0_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@PBD@Z
> MSVCR80.dll: _onexit, _decode_pointer, _invoke_watson, _controlfp_s, _lock, __dllonexit, strrchr, memset, malloc, __CxxFrameHandler3, __1exception@std@@UAE@XZ, __3@YAXPAX@Z, __0exception@std@@QAE@XZ, _invalid_parameter_noinfo, __2@YAPAXI@Z, _CxxThrowException, __0exception@std@@QAE@ABV01@@Z, ___V@YAXPAX@Z, strchr, free, _terminate@@YAXXZ, _amsg_exit, __getmainargs, _cexit, _exit, _XcptFilter, _ismbblead, exit, _acmdln, _initterm, _initterm_e, _configthreadlocale, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, _encode_pointer, __set_app_type, _crt_debugger_hook, __type_info_dtor_internal_method@type_info@@QAEXXZ, _except_handler4_common, _unlock

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set

#6 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 05 May 2009 - 02:07 PM

The file log you posted is not correct. :thumbup2: I need to see the entire listing, not just the bottom of the listing.

Try this

Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste each of the following file paths into the "Suspicious files to scan" box at the top of the page (do them one at a time):
    • c:\documents and settings\carpenter\reader_s.exe
    • c:\program files\adobe\reader 8.0\reader\Reader_sl.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.

Edited by SifuMike, 05 May 2009 - 02:07 PM.


#7 JethroTull
  • Topic Starter

  • Members
  • 9 posts

Posted 05 May 2009 - 02:49 PM

Heh, sorry. Once again, c:\documents and settings\carpenter\reader_s.exe apparently doesn't exist on my system, unless I've become completely illiterate or something. I've browsed for it from both of those websites as well as Windows Explorer, can't seem to find it. : /
Anyway, scan result URL for c:\program files\adobe\reader 8.0\reader\Reader_sl.exe:
http://virscan.org/report/ef17d0f4c46b6a12...930e4b15f2.html
(Above the Copy to Clipboard button there was a notice stating: Note: this file has been scanned before. Therefore, this file's scan result will not be stored in the database. However, the URL still directed me to the scan results when I used it. Hope it does the same for you)

#8 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 05 May 2009 - 03:15 PM

Hi,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Symantec/Norton Antivirus before running ComboFix, as it will prevent it from running.

To disable Norton Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
  • right-click it -> choose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
  • click "Ok."
  • a popup will warn that protection will now be disabled and the sign will now look like this: Posted Image
You successfully disabled the Norton Antivirus Guard.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

#9 JethroTull
  • Topic Starter

  • Members
  • 9 posts

Posted 05 May 2009 - 04:03 PM

I ran ComboFix, and it seemed to work well. I mean, after it rebooted my computer, there wasn't a massive cascade of spam e-mails trying to be sent on their own accord, so that's probably a good sign, right? :thumbup2: Here's the log report:

ComboFix 09-05-05.02 - Carpenter 05/05/2009 16:32.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1184 [GMT -4:00]
Running from: c:\documents and settings\Carpenter\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
FW: Norton AntiVirus *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\58fccd0c.sys
c:\windows\system32\hipehuko.exe
c:\windows\system32\isakayug.ini
c:\windows\system32\kibarofa.exe
c:\windows\system32\uniq.tll

.
((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-05-05 19:36 . 2009-05-05 19:36 -------- d-----w c:\documents and settings\Carpenter\Application Data\Windows Search
2009-05-03 18:43 . 2009-05-05 02:00 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-03 16:45 . 2009-05-03 16:46 -------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan
2009-05-02 18:37 . 2009-05-02 18:39 -------- d-----w c:\documents and settings\Carpenter\.housecall6.6
2009-05-02 16:15 . 2009-05-02 16:15 61440 ----a-w c:\windows\system32\drivers\jlegjpr.sys
2009-05-02 15:23 . 2009-05-05 20:33 578560 -c--a-w c:\windows\system32\dllcache\user32.dll
2009-05-01 01:40 . 2009-05-01 19:15 -------- d-----w c:\program files\World of Warcraft Public Test
2009-04-30 20:55 . 2009-04-30 21:28 -------- d-----w c:\documents and settings\Carpenter\Local Settings\Application Data\MediaMonkey
2009-04-30 20:55 . 2009-04-30 20:55 -------- d-----w c:\program files\MediaMonkey
2009-04-27 11:12 . 2001-08-18 02:36 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-04-27 11:12 . 2008-04-14 09:42 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-04-27 11:12 . 2008-04-14 04:15 15104 -c--a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-27 11:12 . 2008-04-14 04:15 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-24 22:53 . 2009-04-24 22:53 -------- d-----w c:\program files\iPod
2009-04-24 22:53 . 2009-04-24 22:54 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-22 15:51 . 2009-04-22 15:51 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-09 17:55 . 2009-04-09 17:57 -------- d-----w c:\documents and settings\Carpenter\Local Settings\Application Data\Qtrax2
2009-04-09 17:45 . 2009-04-09 17:45 -------- d-----w c:\documents and settings\Carpenter\Local Settings\Application Data\Downloaded Installations
2009-04-08 19:04 . 2005-05-11 01:54 258352 ----a-w c:\windows\system32\unicows.dll
2009-04-07 23:41 . 2009-04-07 23:45 -------- d-----w c:\documents and settings\Carpenter\Application Data\GetRightToGo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 20:33 . 2004-08-04 10:00 578560 ----a-w c:\windows\system32\user32.dll
2009-05-05 19:43 . 2008-02-23 18:54 -------- d-----w c:\program files\Mozilla Thunderbird
2009-05-02 20:13 . 2008-04-29 20:58 -------- d-----w c:\program files\City of Heroes
2009-05-02 19:50 . 2009-01-25 03:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-02 18:35 . 2009-02-05 20:25 -------- d-----w c:\program files\PeerGuardian2
2009-05-01 02:17 . 2008-03-14 23:46 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-01 02:15 . 2008-02-23 19:09 -------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-04-30 21:41 . 2008-02-23 19:08 -------- d-----w c:\program files\World of Warcraft
2009-04-27 19:57 . 2008-12-17 16:15 -------- d-----w c:\program files\Curse
2009-04-24 22:54 . 2008-11-23 17:22 -------- d-----w c:\program files\iTunes
2009-04-24 22:53 . 2008-02-23 18:49 -------- d-----w c:\program files\Common Files\Apple
2009-04-22 15:52 . 2008-02-23 19:21 -------- d-----w c:\program files\DivX
2009-04-21 21:57 . 2009-02-20 20:27 -------- d-----w c:\program files\Starcraft
2009-04-06 19:32 . 2009-01-25 03:39 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-01-25 03:40 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 17:50 . 2009-04-05 17:26 138944 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-05 17:50 . 2009-04-05 17:26 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-04-05 17:50 . 2009-04-05 17:26 189784 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-05 17:26 . 2009-04-05 17:26 22328 ----a-w c:\documents and settings\Carpenter\Application Data\PnkBstrK.sys
2009-04-05 17:26 . 2009-04-05 17:26 2246144 ----a-w c:\windows\system32\pbsvc.exe
2009-04-04 13:21 . 2009-01-15 00:49 -------- d-----w c:\program files\Xfire
2009-03-31 00:05 . 2009-03-30 23:43 -------- d-----w c:\program files\Battle for Wesnoth 1.6
2009-03-29 21:05 . 2008-03-14 23:47 -------- d-----w c:\program files\Norton AntiVirus
2009-03-29 20:29 . 2008-03-14 23:46 -------- d-----w c:\program files\Symantec
2009-03-29 20:29 . 2008-03-15 00:09 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-03-29 20:29 . 2008-03-15 00:09 10635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-29 20:29 . 2008-03-14 23:46 60808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-03-29 20:29 . 2008-03-14 23:46 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-20 22:25 . 2009-03-20 22:25 41808 ----a-w c:\windows\system32\xfcodec.dll
2009-03-19 20:32 . 2008-01-29 16:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-17 02:57 . 2009-03-17 02:57 -------- d-----w c:\windows\Fonts\soulfur.by.somnign\VisualStyle\INSTALLFIRST!!!\Fonts
2009-03-17 02:57 . 2009-03-17 02:57 -------- d-----w c:\windows\Fonts\soulfur.by.somnign\VisualStyle\INSTALLFIRST!!!
2009-03-17 02:57 . 2009-03-17 02:57 -------- d-----w c:\windows\Fonts\soulfur.by.somnign\VisualStyle
2009-03-17 02:57 . 2009-03-17 02:57 -------- d-----w c:\windows\Fonts\soulfur.by.somnign
2009-03-15 01:38 . 2009-03-15 01:38 -------- d-----w c:\program files\WinSCP
2009-03-15 01:36 . 2009-03-15 01:35 -------- d-----w c:\program files\iPhone Tunnel Suite
2009-03-15 01:04 . 2008-02-21 19:48 38472 ----a-w c:\documents and settings\Carpenter\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-14 23:49 . 2008-04-05 21:58 -------- d-----w c:\program files\Bonjour
2009-03-14 23:48 . 2009-03-14 23:48 -------- d-----w c:\program files\QuickTime
2009-03-08 17:14 . 2009-02-04 20:08 -------- d-----w c:\program files\MagicISO
2009-03-08 17:09 . 2008-07-11 00:35 -------- d-----w c:\program files\NeoTheme
2009-03-08 17:08 . 2008-02-23 20:16 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-08 17:06 . 2008-07-18 00:35 -------- d-----w c:\program files\Billy 4.1
2009-03-08 17:05 . 2008-07-03 05:51 -------- d-----w c:\program files\Yahoo!
2009-03-07 16:51 . 2009-02-11 20:47 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-07 01:18 . 2009-03-07 01:18 -------- d-----w c:\program files\Bethesda Softworks
2009-03-06 03:59 . 2008-09-10 19:47 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2008-02-23 18:50 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-02 04:32 . 2009-03-02 04:32 1665122 --sh--w c:\windows\system32\upapudep.tmp
2009-02-20 20:30 . 2009-02-20 20:28 967 ----a-w c:\windows\ScUnin.pif
2009-02-20 20:30 . 2009-02-20 20:28 94208 ----a-w c:\windows\ScUnin.exe
2009-02-20 20:30 . 2009-02-20 20:28 35190 ----a-w c:\windows\scunin.dat
2009-02-17 04:17 . 2008-02-25 22:03 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-02-11 20:33 . 2009-02-11 20:33 132 ----a-w c:\documents and settings\Carpenter\Local Settings\Application Data\fusioncache.dat
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-02-01 03:22 . 2009-02-01 03:22 69120 --sha-w c:\windows\system32\kimejiru.dll.tmp
2009-02-01 03:22 . 2009-02-01 03:22 69120 --sha-w c:\windows\system32\vaveseyi.dll.tmp
2009-02-01 03:22 . 2009-02-01 03:22 69120 --sha-w c:\windows\system32\yibamaka.dll.tmp
.
Infected c:\windows\system32\user32.dll hex repaired


------- Sigcheck -------

[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-04 10:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-14 04:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-04-14 04:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
[-] 2008-12-07 16:27 361600 7EE936A57B5901D6B1C4AF9A9E6C500A c:\windows\system32\dllcache\TCPIP.SYS
[-] 2008-12-07 16:27 361600 7EE936A57B5901D6B1C4AF9A9E6C500A c:\windows\system32\drivers\TCPIP.SYS

[7] 2004-08-04 10:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[7] 2008-04-14 09:42 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2003-03-31 12:00 22016 E931E0A2B8BF0019DB902E98D03662CB c:\windows\system32\USERINIT.EXE
[7] 2008-04-14 09:42 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DL32"="DL32" [X]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"\\BRIAN-1\EPSON Stylus CX8400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE" [2007-02-15 179200]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-04-27 1836032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Diamondback"="c:\program files\Razer\Diamondback 3G\razerhid.exe" [2007-08-01 147456]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-03-14 84640]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2008-03-14 26248]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ClientManager3.lnk - c:\program files\BUFFALO\Client Manager3\cm3_tray.exe [2008-2-23 466944]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BUFFALO\\Client Manager3\\BWSVC\\bwsvc.exe"=
"c:\\Program Files\\BUFFALO\\Client Manager3\\AOSS\\aoss.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Documents and Settings\\Carpenter\\Application Data\\Mozilla\\Firefox\\Profiles\\y374ps1y.default\\extensions\\SolidStateION@solidstatenetworks.com\\plugins\\solidnm.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"34191:TCP"= 34191:TCP:SolidNetworkManager
"34191:UDP"= 34191:UDP:SolidNetworkManager

R2 mbamservice;mbamservice;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/24/2009 11:40 PM 179856]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/23/2008 2:42 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/1/2009 4:51 PM 101936]
R3 mbamprotector;mbamprotector;c:\windows\system32\drivers\mbam.sys [1/24/2009 11:40 PM 15504]
R3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [3/1/2008 3:55 PM 13225]
R3 WLIU2KG125S;BUFFALO WLI-U2-KG125S Wireless LAN Adapter Driver;c:\windows\system32\drivers\usb8023.sys [8/4/2004 6:00 AM 12800]
S1 58fccd0c;58fccd0c;c:\windows\system32\drivers\58fccd0c.sys --> c:\windows\system32\drivers\58fccd0c.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\Suppress_AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\Suppress_AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afbf1e20-e0e3-11dd-bc57-0016019b47bd}]
\Shell\AutoRun\command - L:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afbf1e31-e0e3-11dd-bc57-0016019b47bd}]
\Shell\AutoRun\command - M:\RunGame.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-03-02 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Carpenter.job
- c:\progra~1\NORTON~1\Navw32.exe [2008-03-14 23:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.warez.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
FF - ProfilePath - c:\documents and settings\Carpenter\Application Data\Mozilla\Firefox\Profiles\y374ps1y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT649865&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - chrome://fastdial/content/fastdial.html
FF - component: c:\documents and settings\Carpenter\Application Data\Mozilla\Firefox\Profiles\y374ps1y.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Carpenter\Application Data\Mozilla\Firefox\Profiles\y374ps1y.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\documents and settings\Carpenter\Application Data\Mozilla\Firefox\Profiles\y374ps1y.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Carpenter\Application Data\Mozilla\Firefox\Profiles\y374ps1y.default\extensions\NPDyyno@dyyno.com\plugins\npDyyno.dll
FF - plugin: c:\documents and settings\Carpenter\Application Data\Mozilla\Firefox\Profiles\y374ps1y.default\extensions\SolidStateION@solidstatenetworks.com\plugins\npssn.dll
FF - plugin: c:\documents and settings\Carpenter\Application Data\Mozilla\Firefox\Profiles\y374ps1y.default\extensions\yyginstantplay@yoyogames.com\plugins\NPYYGInstantPlay.dll
FF - plugin: c:\documents and settings\Carpenter\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\Carpenter\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\octoprogram-L03-NMS0810164_SUA_000\npoctoshape.dll
FF - plugin: c:\program files\Dyyno\Dyyno Player\npvlc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPStreamPlug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 16:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2268)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\BUFFALO\Client Manager3\bwsvc\Bwsvc.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\searchindexer.exe
c:\program files\Zune\ZuneNss.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\rundll32.exe
c:\program files\Razer\Diamondback 3G\razertra.exe
c:\program files\Razer\Diamondback 3G\razerofa.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\progra~1\COMMON~1\SYMANT~1\PIF\{B8E1D~1\pifCrawl.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-05-05 16:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-05 20:57

Pre-Run: 11,889,655,808 bytes free
Post-Run: 11,868,377,088 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

284 --- E O F --- 2008-05-16 07:01

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:27 PM

Posted 05 May 2009 - 04:28 PM

Hi JethroTull,


You need to disable your Symantec/Norton Antivirus before running ComboFix, as it will prevent it from running.

To disable Norton Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for the Norton AntiVirus icon.
  • right-click it -> choose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
  • click "Ok."
  • a popup will warn that protection will now be disabled and the icon will now look different.
You successfully disabled the Norton Antivirus Guard.

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\Documents and Settings\Carpenter\Local Settings\Temp\403.tmp 
C:\Documents and Settings\Carpenter\Local Settings\Temp\e.exe 
C:\Documents and Settings\Carpenter\My Documents\My Pictures\SRSOBAMA.jpg 
c:\windows\system32\drivers\jlegjpr.sys
c:\windows\system32\drivers\58fccd0c.sys

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001

Driver:: 
58fccd0c


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript.txt onto ComboFix.exe]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


BTW, is your Norton antivirus out of date or expired?

Edited by SifuMike, 05 May 2009 - 04:29 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
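Added example (not part of this thread, and not code from ComboFix or its author): the two registry changes in the CFScript above undo settings that show up in the first log, where Security Center monitoring had been switched off and the Windows Firewall standard profile disabled. The script below parses a few REGEDIT4-style lines in the format ComboFix prints under "Reg Loading Points" (the sample is copied from the log earlier in the thread), flags values that weaken protection, and renders the matching Registry:: section in the CFScript format used here. The function names, the RULES table and the rendering are my own choices; ComboFix itself does not expose any such API.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: REGEDIT4-style lines as ComboFix prints them in its
# "Reg Loading Points" section, copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"34191:TCP"= 34191:TCP:SolidNetworkManager
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# Hardened values for the two settings the thread's CFScript restores (my own table):
# (lower-case substring the key path must contain, value name, expected integer).
RULES: List[Tuple[str, str, int]] = [
    (r"security center\monitoring", "DisableMonitoring", 0),   # 1 = Security Center muted
    (r"firewallpolicy\standardprofile", "EnableFirewall", 1),  # 0 = Windows Firewall off
]


def parse_dword(raw: str) -> Optional[int]:
    """Turn 'dword:00000001' or ' 0 (0x0)' into an int; None if the value is not numeric."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def parse_regedit4(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REGEDIT4 text into {key_path: {value_name: raw_value}}, keeping key case."""
    entries: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            entries.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            entries[current][vm.group(1)] = vm.group(2)
    return entries


def audit(entries: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, int, int]]:
    """Return (key, value_name, current, expected) for every setting that weakens protection."""
    findings = []
    for key, values in entries.items():
        for needle, name, expected in RULES:
            if needle in key.lower() and name in values:
                current = parse_dword(values[name])
                if current is not None and current != expected:
                    findings.append((key, name, current, expected))
    return findings


def cfscript_registry_block(findings: List[Tuple[str, str, int, int]]) -> str:
    """Render findings as a CFScript 'Registry::' section that sets each value back."""
    lines = ["Registry::"]
    for key, name, _current, expected in findings:
        lines.append(f"[{key}]")
        lines.append(f'"{name}"=dword:{expected:08x}')
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(parse_regedit4(SAMPLE_LOG))
    for key, name, current, expected in found:
        print(f"{key}\\{name}: is {current}, should be {expected}")
    print(cfscript_registry_block(found))
```

Run against the sample it reports three weakened values (both DisableMonitoring keys and EnableFirewall); note that the SymantecAntiVirus subkey is flagged as well, whereas the script in the post only resets the parent Monitoring key, so a practitioner would still review the subkeys by hand.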

#11 JethroTull

JethroTull
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:27 AM

Posted 05 May 2009 - 05:24 PM

Yeah, sadly my Norton subscription ran out within a couple days of this incident, so I didn't really have a chance to renew it. Know of any free alternatives I could use in the meantime once all this is done with? :thumbup2:
Here's the new log report:

ComboFix 09-05-05.03 - Carpenter 05/05/2009 17:52.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.883 [GMT -4:00]
Running from: c:\documents and settings\Carpenter\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Carpenter\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
FW: Norton AntiVirus *enabled*

FILE ::
c:\documents and settings\Carpenter\Local Settings\Temp\403.tmp
c:\documents and settings\Carpenter\Local Settings\Temp\e.exe
c:\documents and settings\Carpenter\My Documents\My Pictures\SRSOBAMA.jpg
c:\windows\system32\drivers\58fccd0c.sys
c:\windows\system32\drivers\jlegjpr.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Carpenter\My Documents\My Pictures\SRSOBAMA.jpg
c:\windows\system32\drivers\jlegjpr.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_58fccd0c


((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-05-05 21:44 . 2009-05-05 21:44 -------- d-----w c:\documents and settings\All Users\Application Data\Digsby
2009-05-05 21:37 . 2009-05-05 21:46 -------- d-----w c:\documents and settings\Carpenter\Local Settings\Application Data\Digsby
2009-05-05 21:37 . 2009-05-05 21:44 -------- d-----w c:\documents and settings\Carpenter\Application Data\Digsby
2009-05-05 21:36 . 2009-05-05 21:39 -------- d-----w c:\program files\Digsby
2009-05-05 19:36 . 2009-05-05 19:36 -------- d-----w c:\documents and settings\Carpenter\Application Data\Windows Search
2009-05-03 18:43 . 2009-05-05 02:00 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-03 16:45 . 2009-05-03 16:46 -------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan
2009-05-02 18:37 . 2009-05-02 18:39 -------- d-----w c:\documents and settings\Carpenter\.housecall6.6
2009-05-02 15:23 . 2009-05-05 20:33 578560 -c--a-w c:\windows\system32\dllcache\user32.dll
2009-05-01 01:40 . 2009-05-01 19:15 -------- d-----w c:\program files\World of Warcraft Public Test
2009-04-30 20:55 . 2009-05-05 21:10 -------- d-----w c:\documents and settings\Carpenter\Local Settings\Application Data\MediaMonkey
2009-04-30 20:55 . 2009-05-05 21:10 -------- d-----w c:\program files\MediaMonkey
2009-04-27 11:12 . 2001-08-18 02:36 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-04-27 11:12 . 2008-04-14 09:42 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-04-27 11:12 . 2008-04-14 04:15 15104 -c--a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-27 11:12 . 2008-04-14 04:15 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-24 22:53 . 2009-04-24 22:53 -------- d-----w c:\program files\iPod
2009-04-24 22:53 . 2009-04-24 22:54 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-22 15:51 . 2009-04-22 15:51 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-09 17:55 . 2009-04-09 17:57 -------- d-----w c:\documents and settings\Carpenter\Local Settings\Application Data\Qtrax2
2009-04-09 17:45 . 2009-04-09 17:45 -------- d-----w c:\documents and settings\Carpenter\Local Settings\Application Data\Downloaded Installations
2009-04-08 19:04 . 2005-05-11 01:54 258352 ----a-w c:\windows\system32\unicows.dll
2009-04-07 23:41 . 2009-04-07 23:45 -------- d-----w c:\documents and settings\Carpenter\Application Data\GetRightToGo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 21:11 . 2008-02-23 20:16 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-05 20:33 . 2004-08-04 10:00 578560 ----a-w c:\windows\system32\user32.dll
2009-05-05 19:43 . 2008-02-23 18:54 -------- d-----w c:\program files\Mozilla Thunderbird
2009-05-02 20:13 . 2008-04-29 20:58 -------- d-----w c:\program files\City of Heroes
2009-05-02 19:50 . 2009-01-25 03:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-02 18:35 . 2009-02-05 20:25 -------- d-----w c:\program files\PeerGuardian2
2009-05-01 02:17 . 2008-03-14 23:46 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-01 02:15 . 2008-02-23 19:09 -------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-04-30 21:41 . 2008-02-23 19:08 -------- d-----w c:\program files\World of Warcraft
2009-04-27 19:57 . 2008-12-17 16:15 -------- d-----w c:\program files\Curse
2009-04-24 22:54 . 2008-11-23 17:22 -------- d-----w c:\program files\iTunes
2009-04-24 22:53 . 2008-02-23 18:49 -------- d-----w c:\program files\Common Files\Apple
2009-04-22 15:52 . 2008-02-23 19:21 -------- d-----w c:\program files\DivX
2009-04-21 21:57 . 2009-02-20 20:27 -------- d-----w c:\program files\Starcraft
2009-04-06 19:32 . 2009-01-25 03:39 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-01-25 03:40 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 17:50 . 2009-04-05 17:26 138944 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-05 17:50 . 2009-04-05 17:26 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-04-05 17:50 . 2009-04-05 17:26 189784 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-05 17:26 . 2009-04-05 17:26 22328 ----a-w c:\documents and settings\Carpenter\Application Data\PnkBstrK.sys
2009-04-05 17:26 . 2009-04-05 17:26 2246144 ----a-w c:\windows\system32\pbsvc.exe
2009-04-04 13:21 . 2009-01-15 00:49 -------- d-----w c:\program files\Xfire
2009-03-31 00:05 . 2009-03-30 23:43 -------- d-----w c:\program files\Battle for Wesnoth 1.6
2009-03-29 21:05 . 2008-03-14 23:47 -------- d-----w c:\program files\Norton AntiVirus
2009-03-29 20:29 . 2008-03-14 23:46 -------- d-----w c:\program files\Symantec
2009-03-29 20:29 . 2008-03-15 00:09 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-03-29 20:29 . 2008-03-15 00:09 10635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-29 20:29 . 2008-03-14 23:46 60808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-03-29 20:29 . 2008-03-14 23:46 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-20 22:25 . 2009-03-20 22:25 41808 ----a-w c:\windows\system32\xfcodec.dll
2009-03-19 20:32 . 2008-01-29 16:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-17 02:57 . 2009-03-17 02:57 -------- d-----w c:\windows\Fonts\soulfur.by.somnign\VisualStyle\INSTALLFIRST!!!\Fonts
2009-03-17 02:57 . 2009-03-17 02:57 -------- d-----w c:\windows\Fonts\soulfur.by.somnign\VisualStyle\INSTALLFIRST!!!
2009-03-17 02:57 . 2009-03-17 02:57 -------- d-----w c:\windows\Fonts\soulfur.by.somnign\VisualStyle
2009-03-17 02:57 . 2009-03-17 02:57 -------- d-----w c:\windows\Fonts\soulfur.by.somnign
2009-03-15 01:38 . 2009-03-15 01:38 -------- d-----w c:\program files\WinSCP
2009-03-15 01:36 . 2009-03-15 01:35 -------- d-----w c:\program files\iPhone Tunnel Suite
2009-03-15 01:04 . 2008-02-21 19:48 38472 ----a-w c:\documents and settings\Carpenter\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-14 23:49 . 2008-04-05 21:58 -------- d-----w c:\program files\Bonjour
2009-03-14 23:48 . 2009-03-14 23:48 -------- d-----w c:\program files\QuickTime
2009-03-08 17:14 . 2009-02-04 20:08 -------- d-----w c:\program files\MagicISO
2009-03-08 17:09 . 2008-07-11 00:35 -------- d-----w c:\program files\NeoTheme
2009-03-08 17:06 . 2008-07-18 00:35 -------- d-----w c:\program files\Billy 4.1
2009-03-08 17:05 . 2008-07-03 05:51 -------- d-----w c:\program files\Yahoo!
2009-03-07 16:51 . 2009-02-11 20:47 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-07 01:18 . 2009-03-07 01:18 -------- d-----w c:\program files\Bethesda Softworks
2009-03-06 03:59 . 2008-09-10 19:47 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2008-02-23 18:50 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-02 04:32 . 2009-03-02 04:32 1665122 --sh--w c:\windows\system32\upapudep.tmp
2009-02-20 20:30 . 2009-02-20 20:28 967 ----a-w c:\windows\ScUnin.pif
2009-02-20 20:30 . 2009-02-20 20:28 94208 ----a-w c:\windows\ScUnin.exe
2009-02-20 20:30 . 2009-02-20 20:28 35190 ----a-w c:\windows\scunin.dat
2009-02-17 04:17 . 2008-02-25 22:03 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-02-11 20:33 . 2009-02-11 20:33 132 ----a-w c:\documents and settings\Carpenter\Local Settings\Application Data\fusioncache.dat
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-02-01 03:22 . 2009-02-01 03:22 69120 --sha-w c:\windows\system32\kimejiru.dll.tmp
2009-02-01 03:22 . 2009-02-01 03:22 69120 --sha-w c:\windows\system32\vaveseyi.dll.tmp
2009-02-01 03:22 . 2009-02-01 03:22 69120 --sha-w c:\windows\system32\yibamaka.dll.tmp
.

------- Sigcheck -------

[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-04 10:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-14 04:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-04-14 04:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
[-] 2008-12-07 16:27 361600 7EE936A57B5901D6B1C4AF9A9E6C500A c:\windows\system32\dllcache\TCPIP.SYS
[-] 2008-12-07 16:27 361600 7EE936A57B5901D6B1C4AF9A9E6C500A c:\windows\system32\drivers\TCPIP.SYS

[7] 2004-08-04 10:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[7] 2008-04-14 09:42 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2003-03-31 12:00 22016 E931E0A2B8BF0019DB902E98D03662CB c:\windows\system32\USERINIT.EXE
[7] 2008-04-14 09:42 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DL32"="DL32" [X]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"\\BRIAN-1\EPSON Stylus CX8400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE" [2007-02-15 179200]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-04-27 1836032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Diamondback"="c:\program files\Razer\Diamondback 3G\razerhid.exe" [2007-08-01 147456]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-03-14 84640]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2008-03-14 26248]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ClientManager3.lnk - c:\program files\BUFFALO\Client Manager3\cm3_tray.exe [2008-2-23 466944]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BUFFALO\\Client Manager3\\BWSVC\\bwsvc.exe"=
"c:\\Program Files\\BUFFALO\\Client Manager3\\AOSS\\aoss.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Documents and Settings\\Carpenter\\Application Data\\Mozilla\\Firefox\\Profiles\\y374ps1y.default\\extensions\\SolidStateION@solidstatenetworks.com\\plugins\\solidnm.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"34191:TCP"= 34191:TCP:SolidNetworkManager
"34191:UDP"= 34191:UDP:SolidNetworkManager

R2 mbamservice;mbamservice;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/24/2009 11:40 PM 179856]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/23/2008 2:42 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/1/2009 4:51 PM 101936]
R3 mbamprotector;mbamprotector;c:\windows\system32\drivers\mbam.sys [1/24/2009 11:40 PM 15504]
R3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [3/1/2008 3:55 PM 13225]
R3 WLIU2KG125S;BUFFALO WLI-U2-KG125S Wireless LAN Adapter Driver;c:\windows\system32\drivers\usb8023.sys [8/4/2004 6:00 AM 12800]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\Suppress_AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\Suppress_AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afbf1e20-e0e3-11dd-bc57-0016019b47bd}]
\Shell\AutoRun\command - L:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afbf1e31-e0e3-11dd-bc57-0016019b47bd}]
\Shell\AutoRun\command - M:\RunGame.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-03-02 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Carpenter.job
- c:\progra~1\NORTON~1\Navw32.exe [2008-03-14 23:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.warez.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
FF - ProfilePath - c:\documents and settings\Carpenter\Application Data\Mozilla\Firefox\Profiles\y374ps1y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT649865&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - chrome://fastdial/content/fastdial.html
FF - component: c:\documents and settings\Carpenter\Application Data\Mozilla\Firefox\Profiles\y374ps1y.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Carpenter\Application Data\Mozilla\Firefox\Profiles\y374ps1y.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\documents and settings\Carpenter\Application Data\Mozilla\Firefox\Profiles\y374ps1y.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Carpenter\Application Data\Mozilla\Firefox\Profiles\y374ps1y.default\extensions\NPDyyno@dyyno.com\plugins\npDyyno.dll
FF - plugin: c:\documents and settings\Carpenter\Application Data\Mozilla\Firefox\Profiles\y374ps1y.default\extensions\SolidStateION@solidstatenetworks.com\plugins\npssn.dll
FF - plugin: c:\documents and settings\Carpenter\Application Data\Mozilla\Firefox\Profiles\y374ps1y.default\extensions\yyginstantplay@yoyogames.com\plugins\NPYYGInstantPlay.dll
FF - plugin: c:\documents and settings\Carpenter\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\Carpenter\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\octoprogram-L03-NMS0810164_SUA_000\npoctoshape.dll
FF - plugin: c:\program files\Dyyno\Dyyno Player\npvlc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPStreamPlug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 18:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2696)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\BUFFALO\Client Manager3\bwsvc\Bwsvc.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Zune\ZuneNss.exe
c:\windows\system32\searchprotocolhost.exe
c:\program files\Razer\Diamondback 3G\razertra.exe
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\program files\Razer\Diamondback 3G\razerofa.exe
c:\windows\system32\rundll32.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\searchfilterhost.exe
c:\progra~1\COMMON~1\SYMANT~1\PIF\{B8E1D~1\pifCrawl.exe
.
**************************************************************************
.
Completion time: 2009-05-05 18:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-05 22:20
ComboFix2.txt 2009-05-05 20:57

Pre-Run: 16,305,602,560 bytes free
Post-Run: 16,269,934,592 bytes free

283 --- E O F --- 2008-05-16 07:01

Edited by JethroTull, 05 May 2009 - 05:25 PM.


#12 SifuMike

SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 05 May 2009 - 06:05 PM

Hi JethroTull,

sadly my Norton subscription ran out within a couple days of this incident


That is probably why you got infected. :thumbup2:


Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus :!:

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Then we'll start from there, because it really makes no sense otherwise for us to clean this up manually if no antivirus is present that should be able to deal with most of it and prevent further reinfection.

Edited by SifuMike, 05 May 2009 - 06:08 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 JethroTull

JethroTull
  • Topic Starter

  • Members
  • 9 posts

Posted 05 May 2009 - 08:45 PM

Heh, by "within a few days" I meant after the initial incident. Needless to say, that didn't help things much...
But I have AntiVir installed and ran the scan; here's the report:



Avira AntiVir Personal
Report file date: Tuesday, May 05, 2009 19:30

Scanning for 1379404 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : CARPENTER-1

Version information:
BUILD.DAT : 9.0.0.394 17962 Bytes 4/17/2009 11:20:00
AVSCAN.EXE : 9.0.3.5 466689 Bytes 4/17/2009 13:57:30
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 01:33:26
ANTIVIR2.VDF : 7.1.3.137 1810944 Bytes 4/30/2009 23:29:28
ANTIVIR3.VDF : 7.1.3.157 99840 Bytes 5/5/2009 23:29:30
Engineversion : 8.2.0.160
AEVDF.DLL : 8.1.1.1 106868 Bytes 5/5/2009 23:29:57
AESCRIPT.DLL : 8.1.1.79 385403 Bytes 5/5/2009 23:29:54
AESCN.DLL : 8.1.1.10 127348 Bytes 5/5/2009 23:29:51
AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 23:24:41
AEPACK.DLL : 8.1.3.14 397685 Bytes 5/5/2009 23:29:49
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 01:01:56
AEHEUR.DLL : 8.1.0.122 1737080 Bytes 5/5/2009 23:29:46
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 01:01:56
AEGEN.DLL : 8.1.1.39 348532 Bytes 5/5/2009 23:29:38
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.6.9 176500 Bytes 5/5/2009 23:29:34
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 16:45:45
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Tuesday, May 05, 2009 19:30

Starting search for hidden objects.
'67388' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'searchfilterhost.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'aspell.exe' - '1' Module(s) have been scanned
Scan process 'digsby-app.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'LUCOMS~1.EXE' - '1' Module(s) have been scanned
Scan process 'cm3_tray.exe' - '1' Module(s) have been scanned
Scan process 'CurseClient.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'wmpnscfg.exe' - '1' Module(s) have been scanned
Scan process 'mbamgui.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'ccApp.exe' - '1' Module(s) have been scanned
Scan process 'razerofa.exe' - '1' Module(s) have been scanned
Scan process 'razertra.exe' - '1' Module(s) have been scanned
Scan process 'razerhid.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'searchprotocolhost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'ZuneNss.exe' - '1' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned
Scan process 'ZuneBusEnum.exe' - '1' Module(s) have been scanned
Scan process 'searchindexer.exe' - '1' Module(s) have been scanned
Scan process 'ViewpointService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'mbamservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'E_S40RP7.EXE' - '1' Module(s) have been scanned
Scan process 'Bwsvc.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AluSchedulerSvc.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'AppSvc32.exe' - '1' Module(s) have been scanned
Scan process 'ccSvcHst.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
54 processes with 54 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '55' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\58fccd0c.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan

Beginning disinfection:
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\58fccd0c.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4a66ea4e.qua'!


End of the scan: Tuesday, May 05, 2009 21:38
Used time: 1:51:01 Hour(s)

The scan has been done completely.

15276 Scanned directories
348674 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
348672 Files not concerned
2023 Archives were scanned
1 Warnings
2 Notes
67388 Objects were scanned with rootkit scan
0 Hidden objects were found



And the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:48 PM, on 5/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Razer\Diamondback 3G\razerhid.exe
C:\Program Files\Razer\Diamondback 3G\razertra.exe
C:\Program Files\Razer\Diamondback 3G\razerofa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\Program Files\Digsby\lib\aspell\bin\aspell.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.warez.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback 3G\razerhid.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [\\BRIAN-1\EPSON Stylus CX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE /FU "C:\DOCUME~1\CARPEN~1\LOCALS~1\Temp\E_S17C6.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [DL32] DL32
O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1203623500508
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: mbamservice - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9170 bytes

#14 SifuMike

SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 05 May 2009 - 09:37 PM

Hi JethroTull,

Running two antivirus programs will slow your computer, so you should get rid of Norton.

To fully remove Norton AntiVirus or other Symantec related products, select the product you want to uninstall from this list in order to download the removal tool.
Please read the instructions first before you use it.

For older versions of Norton (2000, 2001, 2002), choose this link.

Also read the next article in case you're having problems with uninstalling Norton, if the above instructions didn't work, or if you noticed problems after uninstalling Norton:  http://basconotw.mvps.org/SymRem.htm


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 13.
  • Click the "Download" button to the right.
  • At the "Select Platform and Language for your download" drop-down box,
    select Windows and Multi-Language.
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java™ 6 Update 3
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.

I see Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player





Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Vista only:
Try right-clicking the HijackThis icon and select "Run As Administrator".

Please run HijackThis and click "Scan." Place checks next to the following entries, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.warez.com/
O4 - HKCU\..\Run: [DL32] DL32


Close all browsers and other windows except for HijackThis, and click "Fix checked".


Reboot your computer, post a new Hijackthis log, and tell me how your computer is running.

#15 JethroTull

JethroTull
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:27 AM

Posted 07 May 2009 - 06:28 PM

Eh, would've replied earlier if I had the time. :thumbup2: Good news is that everything seems to check out from what I can tell; I haven't had any noticeable problems. But y'know, I'm no expert. HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:32 PM, on 5/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Razer\Diamondback 3G\razerhid.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\Razer\Diamondback 3G\razertra.exe
C:\Program Files\Razer\Diamondback 3G\razerofa.exe
C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPhone Tunnel Suite\iTunnel\iTunnel.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\Program Files\Digsby\lib\aspell\bin\aspell.exe
C:\Program Files\Pandora\Pandora.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback 3G\razerhid.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [\\BRIAN-1\EPSON Stylus CX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE /FU "C:\DOCUME~1\CARPEN~1\LOCALS~1\Temp\E_S17C6.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1203623500508
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mbamservice - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7284 bytes
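Added example, not code from the thread, from HijackThis or from BleepingComputer: a small Python triage helper that parses HijackThis entry lines like those in the log above, confirms that the two entries the helper asked to fix are no longer listed, and surfaces the kinds of entries a log reviewer would normally look at next (orphaned "(no file)" / "(file missing)" entries, and a proxy pointing at localhost, which may well belong to a legitimate local program). The sample lines are constructed from the log above; the fix list is taken from the helper's post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Entries the helper asked to have fixed in HijackThis (copied from the thread).
FIX_LIST = {
    r"HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.warez.com/",
    r"HKCU\..\Run: [DL32] DL32",
}

# Constructed sample: a few lines copied from the new log above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
"""

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split one HijackThis line into (section, body); non-entry lines give None."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def fix_applied(log_text: str, fix_list=FIX_LIST) -> bool:
    """True when none of the entries on the fix list is still present in the log."""
    bodies = {p[1] for p in map(parse_entry, log_text.splitlines()) if p}
    return not (bodies & set(fix_list))


def triage(log_text: str, fix_list=FIX_LIST) -> List[Dict[str, str]]:
    """Return the entries a reviewer should look at, with a short reason each."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, body = parsed
        reason = None
        if body in fix_list:
            reason = "still present after fix"
        elif body.endswith("(no file)") or body.endswith("(file missing)"):
            reason = "orphaned entry; the referenced file is gone"
        elif section == "R1" and "ProxyServer = " in body and ("localhost" in body or "127.0.0.1" in body):
            reason = "local proxy configured; confirm which installed program owns that port"
        if reason:
            findings.append({"section": section, "reason": reason, "entry": body})
    return findings
```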