
Infected with Trojan Metajuan


  • This topic is locked
23 replies to this topic

#1 Carol needs help

Carol needs help

  • Members
  • 11 posts

Posted 04 May 2009 - 09:25 PM

Hello,

When I boot my PC, Norton Internet Security 2009 tells me that I have Trojan Metajuan virus and it is located at global\systemroot\system32\uaceamuuanr.dll. If I select the Norton rescan option it still is unable to fix it. I have run Norton Live update and I am current on my Windows updates. I have wasted hours trying to find it myself and do not know what else to do. I would greatly appreciate any help or guidance you could give me. Here is my DDS log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Carol at 21:39:34.50 on Mon 05/04/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.107 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Norton SystemWorks Basic Edition\NswUiTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ltmsg.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\NO3347~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\NO3347~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Norton SystemWorks Basic Edition\Process Viewer\PrcView.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Carol\Local Settings\Temporary Internet Files\Content.IE5\PO02UWGC\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.dellnet.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\coIEPlg.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\coIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {9404901D-06DA-4B23-A0EE-3EA4F64EC9B3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NswUiTray] c:\program files\norton systemworks basic edition\NswUiTray.exe
mRun: [NSWosCheck] "c:\program files\norton systemworks basic edition\osCheck.exe"
mRun: [UpdReg] c:\windows\Updreg.exe
mRun: [AHQInit] c:\program files\creative\sblive\program\AHQInit.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [LTWinModem1] ltmsg.exe 9
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
uPolicies-explorer: <NO NAME> =
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238556156265
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\CoIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-4-15 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-4-15 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-4-15 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090501.001\IDSXpx86.sys [2009-5-1 276344]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-4-15 115560]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\no3347~1\norton~1\NPROTECT.EXE [2008-9-25 95600]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090504.023\NAVENG.SYS [2009-5-4 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090504.023\NAVEX15.SYS [2009-5-4 876144]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2003-11-14 15104]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-05-04 16:25 18,944 a------- C:\process viewer - Baseline.xls
2009-05-04 16:22 19,456 a------- C:\process viewer with trojan error open.xls
2009-05-04 11:12 <DIR> --d----- c:\docume~1\carol\applic~1\Symantec
2009-05-04 10:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonSystemWorks
2009-05-04 10:32 <DIR> --d----- c:\program files\Norton SystemWorks Basic Edition
2009-05-04 10:19 <DIR> --d----- c:\docume~1\carol\applic~1\Uniblue
2009-04-29 11:23 <DIR> --d----- c:\program files\Trend Micro
2009-04-29 11:22 812,344 a------- C:\HJTInstall.exe
2009-04-29 10:43 <DIR> a-dshr-- C:\cmdcons
2009-04-29 10:40 161,792 a------- c:\windows\SWREG.exe
2009-04-29 10:40 98,816 a------- c:\windows\sed.exe
2009-04-29 10:37 3,010,824 a----r-- C:\ComboFix.exe
2009-04-29 08:23 <DIR> --d--r-- c:\program files\Norton Support
2009-04-29 07:51 111,092,902 a------- C:\SYM_REGISTRY_BACKUP.reg
2009-04-20 23:15 <DIR> --d-h--- c:\program files\Zenographics
2009-04-15 22:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-04-15 20:04 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-04-15 16:04 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-15 16:04 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-04-15 16:04 <DIR> --d----- c:\program files\Symantec
2009-04-15 16:03 <DIR> --d----- c:\windows\system32\drivers\NIS
2009-04-15 16:03 <DIR> --d----- c:\program files\Norton Internet Security
2009-04-15 15:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCSettings
2009-04-15 15:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-04-15 15:42 <DIR> --d----- c:\program files\NortonInstaller
2009-04-15 15:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-04-15 03:06 118 a------- c:\windows\system32\MRT.INI
2009-04-15 00:33 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-15 00:33 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-15 00:33 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-04-15 00:33 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-15 00:33 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-15 00:33 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 00:33 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 00:33 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 00:33 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-15 00:33 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-15 00:32 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 00:32 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 00:32 215,552 -------- c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-05-04 10:32 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-05-04 10:32 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-04-20 17:42 66,864 a------- c:\docume~1\carol\applic~1\GDIPFONTCACHEV1.DAT
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2006-04-30 11:11 284 a------- c:\docume~1\carol\applic~1\ViewerApp.dat
2006-04-22 15:40 32 a----r-- c:\documents and settings\all users\hash.dat
2001-06-20 16:19 40,960 a------- c:\program files\ACMonitor_X83.exe
2009-01-08 10:04 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010820090109\index.dat

============= FINISH: 21:40:29.90 ===============


Thank you in advance for your help,
Carol


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 17 May 2009 - 04:47 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Carol needs help

Carol needs help
  • Topic Starter

  • Members
  • 11 posts

Posted 18 May 2009 - 08:34 AM

Hello,

I am still having the Trojan Metajuan errors on my computer and my Norton Internet Security 2009 is still unable to resolve the issue. Norton shows the virus to be located at globalroot\systemroot\system32\uaceamuuanr.dll

As requested, I ran the DDS log again and here it is:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Carol at 9:02:07.25 on Mon 05/18/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.137 [GMT -4:00]

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\PROGRA~1\NO3347~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\NO3347~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Norton SystemWorks Basic Edition\NswUiTray.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.dellnet.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\coIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {9404901D-06DA-4B23-A0EE-3EA4F64EC9B3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NswUiTray] c:\program files\norton systemworks basic edition\NswUiTray.exe
mRun: [NSWosCheck] "c:\program files\norton systemworks basic edition\osCheck.exe"
mRun: [UpdReg] c:\windows\Updreg.exe
mRun: [AHQInit] c:\program files\creative\sblive\program\AHQInit.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [LTWinModem1] ltmsg.exe 9
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
uPolicies-explorer: <NO NAME> =
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks basic edition\norton cleanup\WCQuick.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238556156265
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1241731305735&h=ab6c962ec5e610325c714d8207792e9c/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\CoIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-4-15 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-4-15 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-4-15 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090508.002\IDSXpx86.sys [2009-5-8 276344]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-4-15 115560]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\no3347~1\norton~1\NPROTECT.EXE [2008-9-25 95600]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-5-8 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090517.021\NAVENG.SYS [2009-5-17 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090517.021\NAVEX15.SYS [2009-5-17 876144]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2003-11-14 15104]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-05-18 08:58 359,883 a------- C:\dds.scr
2009-05-11 16:12 <DIR> --d----- c:\program files\iPod
2009-05-11 16:12 <DIR> --d----- c:\program files\iTunes
2009-05-11 16:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-11 16:02 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-05-11 16:02 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-07 17:24 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-07 16:21 <DIR> --d----- c:\docume~1\carol\applic~1\AdobeAUM
2009-05-04 16:25 18,944 a------- C:\process viewer - Baseline.xls
2009-05-04 16:22 19,456 a------- C:\process viewer with trojan error open.xls
2009-05-04 11:12 <DIR> --d----- c:\docume~1\carol\applic~1\Symantec
2009-05-04 10:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonSystemWorks
2009-05-04 10:32 <DIR> --d----- c:\program files\Norton SystemWorks Basic Edition
2009-05-04 10:19 <DIR> --d----- c:\docume~1\carol\applic~1\Uniblue
2009-04-29 11:23 <DIR> --d----- c:\program files\Trend Micro
2009-04-29 11:22 812,344 a------- C:\HJTInstall.exe
2009-04-29 10:43 <DIR> a-dshr-- C:\cmdcons
2009-04-29 10:40 161,792 a------- c:\windows\SWREG.exe
2009-04-29 10:40 98,816 a------- c:\windows\sed.exe
2009-04-29 10:37 3,010,824 a----r-- C:\ComboFix.exe
2009-04-29 08:23 <DIR> --d--r-- c:\program files\Norton Support
2009-04-29 07:51 111,092,902 a------- C:\SYM_REGISTRY_BACKUP.reg
2009-04-20 23:15 <DIR> --d-h--- c:\program files\Zenographics

==================== Find3M ====================

2009-05-07 17:23 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-04 10:32 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-04 10:32 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-05-04 10:32 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-05-04 10:32 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-04-20 17:42 66,864 a------- c:\docume~1\carol\applic~1\GDIPFONTCACHEV1.DAT
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2006-04-30 11:11 284 a------- c:\docume~1\carol\applic~1\ViewerApp.dat
2006-04-22 15:40 32 a----r-- c:\documents and settings\all users\hash.dat
2001-06-20 16:19 40,960 a------- c:\program files\ACMonitor_X83.exe
2009-01-08 10:04 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010820090109\index.dat

============= FINISH: 9:02:41.23 ===============

I'd appreciate any help you can give me!!
Carol
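As an added example (not code from this thread, from DDS, or from any BleepingComputer tool), the script below parses two DDS logs from the same machine and reports what changed between runs; the embedded sample logs are abbreviated excerpts constructed from the 4 May and 18 May logs posted above. Run on those two, the first thing it surfaces is that both the on-access AV and the firewall went from enabled to disabled between the runs, which is worth noticing before reading anything else in a follow-up log.

```python
"""Compare two DDS logs from the same machine and summarise what changed.

Added example for this thread; not part of DDS or any BleepingComputer tool.
It parses the '=== SECTION ===' layout DDS uses and reports:
  * AV / firewall state changes between the two runs (the AV:/FW: header lines),
  * services or drivers that appeared or disappeared, keyed by service name so
    that a definitions-version change in the path does not count as a change,
  * BHO / toolbar / autostart entries whose file is missing ('- No File'),
  * processes present in the second log but not the first.
The sample logs are abbreviated excerpts constructed from the two logs in this
thread (not the full logs).
"""
import re
from typing import Dict, List, Set

SECTION_RE = re.compile(r"^=+\s*([^=]+?)\s*=+$")
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);")
PROTECTION_RE = re.compile(r"^(AV|FW):.*?\*([^*]+)\*")

OLD_LOG = r"""
DDS (Ver_09-03-16.01) - NTFSx86
AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
============== Pseudo HJT Report ===============
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
============= SERVICES / DRIVERS ===============
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-4-15 310320]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\definitions\ipsdefs\20090501.001\IDSXpx86.sys [2009-5-1 276344]
============= FINISH: 21:40:29.90 ===============
"""

NEW_LOG = r"""
DDS (Ver_09-05-14.01) - NTFSx86
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *disabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\dds.scr
============== Pseudo HJT Report ===============
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\IPSBHO.DLL
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
============= SERVICES / DRIVERS ===============
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-4-15 310320]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\definitions\ipsdefs\20090508.002\IDSXpx86.sys [2009-5-8 276344]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-5-8 101936]
============= FINISH: 9:02:41.23 ===============
"""


def parse_dds(text: str) -> Dict[str, List[str]]:
    """Split a DDS log into {section name: [non-blank lines]}; lines before the
    first '=== ... ===' banner (tool version, AV:/FW: state) go under HEADER."""
    sections: Dict[str, List[str]] = {"HEADER": []}
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1).split(":")[0].strip()  # "FINISH: 9:02" -> FINISH
            sections.setdefault(current, [])
        elif line:
            sections[current].append(line)
    return sections


def protection_status(sections: Dict[str, List[str]]) -> Dict[str, str]:
    """Map AV/FW to 'enabled' or 'disabled' from the starred header text."""
    status: Dict[str, str] = {}
    for line in sections["HEADER"]:
        m = PROTECTION_RE.match(line)
        if m:
            status[m.group(1)] = "disabled" if "disabled" in m.group(2) else "enabled"
    return status


def service_names(sections: Dict[str, List[str]]) -> Set[str]:
    """Service/driver names from 'R0 Name;Description;path [...]' lines."""
    names: Set[str] = set()
    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def compare_logs(old_text: str, new_text: str) -> Dict[str, object]:
    """Summarise what changed between an earlier and a later DDS run."""
    old, new = parse_dds(old_text), parse_dds(new_text)
    before, after = protection_status(old), protection_status(new)
    return {
        "protection_changes": {k: (before.get(k), after.get(k))
                               for k in sorted(set(before) | set(after))
                               if before.get(k) != after.get(k)},
        "services_added": sorted(service_names(new) - service_names(old)),
        "services_removed": sorted(service_names(old) - service_names(new)),
        "processes_added": sorted(set(new.get("Running Processes", []))
                                  - set(old.get("Running Processes", []))),
        # orphaned CLSIDs: the registry entry survives but its file is gone
        "orphans": [l for l in new.get("Pseudo HJT Report", []) if l.endswith("- No File")],
    }


if __name__ == "__main__":
    for key, value in compare_logs(OLD_LOG, NEW_LOG).items():
        print(f"{key}: {value}")
```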


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 20 May 2009 - 04:07 PM

Hi Carol needs help,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Please download Malwarebytes' Anti-Malware from MajorGeeks
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.


#5 Carol needs help

Carol needs help
  • Topic Starter

  • Members
  • 11 posts

Posted 23 May 2009 - 09:29 AM

Hey farbar,

Thanks for taking my case! I followed your instructions and Malwarebytes' Anti-Malware found 2 bad registry entries and cleaned those up but the trojan.metajuan virus survived!

Per your instructions, I ran the Malwarebytes' Quick Scan, it found those problems and fixed them. I rebooted and the Norton message about trojan.metajuan virus came up again. I then ran a Malwarebytes' Full Scan hoping it scanned deeper than the Quick scan but the full scan found nothing. (Both scan text files are below) I then rebooted just to make sure and the Norton message came up again.

These are the details of that message:

Trojan.Metajuan - remove failed
Affected Area - 1 File
- 1 Browser cache

Details - globalroot\systemroot\system32\uaceamuuanr.dll

*******************************************************************************
Malwarebytes' Anti-Malware 1.36
Database version: 2164
Windows 5.1.2600 Service Pack 3

5/21/2009 6:56:43 PM
mbam-log-2009-05-21 (18-56-43).txt

Scan type: Quick Scan
Objects scanned: 134240
Time elapsed: 53 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{450b9e4d-4014-4de3-b34e-014a81468293} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c7f00a9a-f1bc-436e-82c7-e8cae6fd67f7} (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

*************************************************************************
Malwarebytes' Anti-Malware 1.36
Database version: 2164
Windows 5.1.2600 Service Pack 3

5/22/2009 11:33:00 AM
mbam-log-2009-05-22 (11-33-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 223416
Time elapsed: 3 hour(s), 23 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

**********************************************************************

Any other tricks up your sleeves we could try?

Thanks again for your help!
Carol

P.S. My Norton is set up to run Live Update - do you want me to turn that off?

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 May 2009 - 05:23 PM

Hi Carol,

Thanks for the feedback.

Any other tricks up your sleeves we could try?

You may count on it.

P.S. My Norton is set up to run Live Update - do you want me to turn that off?


When you run Combofix make sure the Norton auto-protection is temporarily turned off until ComboFix reboots. Other times we need Norton up and running to protect the system.

If you have already installed the Recovery Console ComboFix will skip that part, otherwise let it download and install the Recovery console.
  • I see you have already run ComboFix. I need to see its log.

    Please go to start -> Run.
    • Copy and paste the bold line in the run-box and click OK: C:\ComboFix.txt
    • A text file opens up, copy and paste the content to your reply.
  • Please delete your copy of ComboFix if you still have it and download the latest copy of ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [image]


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


#7 Carol needs help (Topic Starter, Members, 11 posts)

Posted 23 May 2009 - 09:57 PM

Here is a copy of my old\first ComboFix.txt
************************************
ComboFix 09-04-28.05 - Carol 04/29/2009 10:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.252 [GMT -4:00]
Running from: C:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Carol\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\screensavers.com
c:\program files\screensavers.com\Wallpaper\Chihuahua with Glasses.jpg
c:\program files\screensavers.com\Wallpaper\Dolphins.jpg
c:\program files\screensavers.com\Wallpaper\Sea Turtle Baby.jpg
c:\program files\screensavers.com\Wallpaper\swpstart.exe
c:\program files\screensavers.com\Wallpaper\Tiger in Water - Jim Crotty.jpg
c:\program files\screensavers.com\Wallpaper\Tiny Emperor Penguin.jpg
c:\windows\IE4 Error Log.txt
c:\windows\system32\kazaabackupfiles
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\UACpfujdapk.dat
c:\windows\system32\UACwimpulgu.log

----- BITS: Possible infected sites -----

hxxp://sunmicro.ht.rd.llnw.net
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-29 14:37 . 2009-04-29 14:37 3010824 ----a-r C:\ComboFix.exe
2009-04-29 12:23 . 2009-04-29 12:24 -------- d-----r c:\program files\Norton Support
2009-04-29 11:51 . 2009-04-29 11:52 111092902 ----a-w C:\SYM_REGISTRY_BACKUP.reg
2009-04-21 03:15 . 2006-01-30 09:00 143360 ----a-r c:\windows\apptune1020.exe
2009-04-21 03:15 . 2006-01-30 09:00 86016 ----a-r c:\windows\system32\ZSPOOL.DLL
2009-04-21 03:15 . 2006-01-30 09:00 24576 ----a-r c:\windows\system32\ZTAG32.DLL
2009-04-21 03:15 . 2006-01-30 09:00 28672 ----a-r c:\windows\system32\IMF32.DLL
2009-04-21 03:15 . 2006-01-30 09:00 102400 ----a-r c:\windows\system32\ZLhp1020.dll
2009-04-21 03:15 . 2006-01-30 09:00 28672 ----a-r c:\windows\system32\zlm.dll
2009-04-21 03:15 . 2006-01-30 09:00 106496 ----a-r c:\windows\system32\vshp1020.dll
2009-04-21 03:15 . 2006-01-30 09:00 442368 ----a-r c:\windows\system32\zshp1020.exe
2009-04-21 03:15 . 2009-04-22 18:55 -------- d-----w c:\program files\Hewlett-Packard
2009-04-21 03:15 . 2009-04-21 03:15 -------- d--h--w c:\program files\Zenographics
2009-04-16 02:06 . 2009-04-16 02:06 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-16 00:04 . 2009-03-12 08:42 36400 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-04-15 20:18 . 2009-04-15 20:18 -------- d-----w c:\documents and settings\Carol\Local Settings\Application Data\Symantec
2009-04-15 20:04 . 2009-04-15 23:11 60808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-04-15 20:04 . 2009-04-15 23:11 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-15 20:04 . 2009-04-29 12:25 -------- d-----w c:\program files\Symantec
2009-04-15 20:03 . 2009-04-17 13:28 -------- d-----w c:\windows\system32\drivers\NIS
2009-04-15 20:03 . 2009-04-15 20:03 -------- d-----w c:\program files\Norton Internet Security
2009-04-15 20:03 . 2009-04-15 20:03 -------- d-----w c:\program files\Windows Sidebar
2009-04-15 19:44 . 2009-04-15 19:44 -------- d-----w c:\documents and settings\All Users\Application Data\PCSettings
2009-04-15 19:44 . 2009-04-15 20:03 -------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-04-15 19:42 . 2009-04-15 20:03 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-04-15 19:42 . 2009-04-15 19:42 -------- d-----w c:\program files\NortonInstaller
2009-04-15 04:33 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 04:33 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 04:33 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 04:33 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 04:33 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 04:33 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 04:33 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 04:33 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 04:33 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 04:33 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 04:32 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 04:32 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-01 07:14 . 2008-10-16 18:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-01 03:56 . 2009-04-01 03:56 -------- d-----w c:\windows\system32\XPSViewer
2009-04-01 03:55 . 2009-04-01 03:55 -------- d-----w c:\program files\MSBuild
2009-04-01 03:55 . 2009-04-01 03:55 -------- d-----w c:\program files\Reference Assemblies
2009-04-01 03:54 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-01 03:54 . 2008-07-06 12:06 89088 ------w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-01 03:54 . 2008-07-06 10:50 597504 ------w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-01 03:54 . 2008-07-06 12:06 575488 ------w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-01 03:54 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-01 03:54 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-01 03:54 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-01 03:54 . 2009-04-01 03:54 -------- d-----w C:\c48de38c5284ff5fe9da7c7f2b

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 15:27 . 2003-09-23 12:44 66864 ----a-w c:\documents and settings\Mitchell\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-21 01:25 . 2004-05-12 23:51 66864 ----a-w c:\documents and settings\Mitchell\Application Data\GDIPFONTCACHEV1.DAT
2009-04-20 21:42 . 2003-02-13 02:11 66864 ----a-w c:\documents and settings\Carol\Application Data\GDIPFONTCACHEV1.DAT
2009-04-15 23:11 . 2007-03-02 19:06 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-04-15 23:11 . 2007-03-02 19:06 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-15 20:29 . 2002-07-31 12:51 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-01 14:46 . 2003-09-10 01:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-29 15:27 . 2008-09-25 12:45 -------- d-----w c:\program files\Java
2009-03-28 15:07 . 2009-03-28 15:07 -------- d-----w c:\program files\THQ
2009-03-28 15:07 . 2002-07-31 12:43 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-28 15:06 . 2003-01-25 00:41 -------- d-----w c:\program files\Microsoft Games
2009-03-06 14:22 . 2001-08-18 10:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 02:16 . 2009-03-05 02:15 -------- d-----w c:\program files\iTunes
2009-03-05 02:15 . 2009-03-05 02:15 -------- d-----w c:\program files\iPod
2009-03-05 02:15 . 2008-03-13 22:18 -------- d-----w c:\program files\Common Files\Apple
2009-03-05 02:14 . 2007-06-29 14:49 -------- d-----w c:\program files\QuickTime
2009-03-05 01:22 . 2008-03-13 22:18 -------- d-----w c:\program files\Apple Software Update
2009-03-05 01:03 . 2009-03-05 01:03 -------- d-----w c:\program files\Bonjour
2009-03-03 00:18 . 2004-01-08 19:23 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2001-08-18 10:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-04-19 01:57 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2001-08-18 10:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2001-08-18 10:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2002-02-20 23:46 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 1980-01-01 05:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2001-08-18 10:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 1980-01-01 05:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-08-18 10:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2001-08-18 10:00 56832 ----a-w c:\windows\system32\secur32.dll
2001-06-20 20:19 . 2001-06-19 20:34 40960 ----a-w c:\program files\ACMonitor_X83.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-07 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-03-28 102400]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"Dell|Alert"="c:\program files\Dell\Support\Alert\bin\DAMon.exe" [2002-07-11 270336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-10-06 49152]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"LTWinModem1"="ltmsg.exe" - c:\windows\SYSTEM32\ltmsg.exe [2001-04-03 38912]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2003-10-06 741376]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave2"= serwvdrv.dll
"aux1"= ctwdm32.dll
"aux2"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\Drivers\usbscan.sys [2008-04-13 15104]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1005000.087\SYMEFA.SYS [2009-03-12 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NIS\1005000.087\BHDrvx86.sys [2009-03-12 258608]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NIS\1005000.087\ccHPx86.sys [2009-04-15 482352]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090420.001\IDSxpx86.sys [2009-01-29 276344]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [2009-03-12 115560]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-04-15 101936]

.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Command - c:\windows\SYSTEM32\gotit.gnu
HKCU-RunServices-Command - c:\windows\SYSTEM32\gotit.gnu
HKLM-Run-PrinTray - c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe
HKLM-Run-MSConfig - VUQDXBSKOV.EXE
HKLM-Run-Print Spooler - spoolsvc32.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.dellnet.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {68B632F6-FB2C-11D2-9AEA-DC27E1000000} - hxxp://p2kmovie.warnerbros.com/game/downloads/P2K4AD9.exe
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 11:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Dell|Alert = c:\program files\Dell\Support\Alert\bin\DAMon.exe?p?o?r?t?\?A?l?e?r?t?\?b?i?n?\?D?A?M?o?n?.?e?x?e???????????x:??????x??? ???X??? ??????? ???P????(?w'(?w????????????(???u??????w????????????0????$?w7(?w?o?wS??w???w????????????X*@?????????X????????%@?e?????
MSConfig = VUQDXBSKOV.EXE?fear?#fear#?r0x??????MSConfig????????lala1ala?woot woot??????????woot woot????pA??pA?????????????rpA?????ipA?dpA
Print Spooler = spoolsvc32.exe?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3825228898-1850456698-4159782051-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-04-29 11:04
ComboFix-quarantined-files.txt 2009-04-29 15:03

Pre-Run: 48,297,598,976 bytes free
Post-Run: 51,254,677,504 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

229 --- E O F --- 2009-04-15 07:08
Here is the ComboFix.txt from tonight:
********************************

ComboFix 09-05-23.04 - Carol 05/23/2009 21:55.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.152 [GMT -4:00]
Running from: C:\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\NPROTECT\NPROTECT.LOG . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-04-24 to 2009-05-24 )))))))))))))))))))))))))))))))
.

2009-05-24 01:46 . 2009-05-24 01:46 2979632 ----a-r C:\ComboFix.exe
2009-05-23 23:03 . 2009-04-15 08:00 89104 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090523.020\NAVENG.SYS
2009-05-23 23:03 . 2009-04-15 08:00 876144 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090523.020\NAVEX15.SYS
2009-05-23 23:03 . 2009-04-15 08:00 177520 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090523.020\NAVENG32.DLL
2009-05-23 23:03 . 2009-04-15 08:00 1181040 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090523.020\NAVEX32A.DLL
2009-05-23 23:03 . 2009-04-15 08:00 371248 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090523.020\EECTRL.SYS
2009-05-23 23:03 . 2009-04-15 08:00 259368 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090523.020\ECMSVR32.DLL
2009-05-23 23:03 . 2009-04-15 08:00 2414128 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090523.020\CCERASER.DLL
2009-05-23 23:03 . 2009-04-15 08:00 101936 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090523.020\ERASER.SYS
2009-05-21 21:05 . 2009-05-21 21:05 -------- d-----w c:\documents and settings\Carol\Application Data\Malwarebytes
2009-05-21 21:04 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-21 21:04 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-21 21:04 . 2009-05-21 21:04 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-21 21:04 . 2009-05-21 21:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-21 21:03 . 2009-05-21 21:03 2967800 ----a-w C:\mbam-setup.exe
2009-05-19 18:55 . 2009-03-16 20:03 533880 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\Scxpx86.dll
2009-05-19 18:55 . 2009-01-29 21:50 276344 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSXpx86.sys
2009-05-19 18:55 . 2009-01-29 21:50 292912 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSvix86.sys
2009-05-19 18:55 . 2009-01-29 21:50 447864 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSxpx86.dll
2009-05-19 18:55 . 2009-01-29 21:50 396848 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSviA64.sys
2009-05-18 12:58 . 2009-05-18 12:58 359883 ----a-w C:\dds.scr
2009-05-11 20:12 . 2009-05-11 20:12 -------- d-----w c:\program files\iPod
2009-05-11 20:12 . 2009-05-11 20:14 -------- d-----w c:\program files\iTunes
2009-05-11 20:12 . 2009-05-11 20:14 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-11 20:10 . 2009-05-11 20:10 -------- d-----w c:\documents and settings\TEMP\Application Data\Apple Computer
2009-05-11 20:06 . 2009-05-11 20:10 -------- d-----w c:\documents and settings\TEMP\Local Settings\Application Data\Apple Computer
2009-05-11 20:02 . 2009-03-26 19:23 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-05-11 20:02 . 2009-03-26 19:23 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-05-11 19:57 . 2009-05-11 19:57 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-05-09 11:48 . 2009-05-09 11:48 57344 ----a-w c:\documents and settings\TEMP\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-340f348d-n\Decora-SSE.dll
2009-05-09 11:48 . 2009-05-09 11:48 24064 ----a-w c:\documents and settings\TEMP\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-56114598-n\Decora-D3D.dll
2009-05-09 11:48 . 2009-05-09 11:48 315392 ----a-w c:\documents and settings\TEMP\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-1da0871b-n\jogl.dll
2009-05-09 11:48 . 2009-05-09 11:48 20480 ----a-w c:\documents and settings\TEMP\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-1da0871b-n\jogl_awt.dll
2009-05-09 11:48 . 2009-05-09 11:48 114688 ----a-w c:\documents and settings\TEMP\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-1da0871b-n\jogl_cg.dll
2009-05-09 11:48 . 2009-05-09 11:48 499712 ----a-w c:\documents and settings\TEMP\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-67b43ba5-n\msvcp71.dll
2009-05-09 11:48 . 2009-05-09 11:48 499712 ----a-w c:\documents and settings\TEMP\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-67b43ba5-n\jmc.dll
2009-05-09 11:48 . 2009-05-09 11:48 348160 ----a-w c:\documents and settings\TEMP\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-67b43ba5-n\msvcr71.dll
2009-05-09 11:48 . 2009-05-09 11:48 20480 ----a-w c:\documents and settings\TEMP\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-31bdcd5e-n\gluegen-rt.dll
2009-05-09 01:32 . 2009-05-09 01:33 66864 ----a-w c:\documents and settings\TEMP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-08 22:10 . 2009-03-16 20:03 533880 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\Scxpx86.dll
2009-05-08 22:10 . 2009-01-29 21:50 276344 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\IDSXpx86.sys
2009-05-08 22:10 . 2009-01-29 21:50 292912 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\IDSvix86.sys
2009-05-08 22:10 . 2009-01-29 21:50 447864 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\IDSxpx86.dll
2009-05-08 22:10 . 2009-01-29 21:50 396848 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\IDSviA64.sys
2009-05-07 21:26 . 2009-05-07 21:26 57344 ----a-w c:\documents and settings\Carol\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-6cb76b7e-n\Decora-SSE.dll
2009-05-07 21:26 . 2009-05-07 21:26 24064 ----a-w c:\documents and settings\Carol\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-54c0e09b-n\Decora-D3D.dll
2009-05-07 21:26 . 2009-05-07 21:26 315392 ----a-w c:\documents and settings\Carol\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-3a742d2d-n\jogl.dll
2009-05-07 21:26 . 2009-05-07 21:26 20480 ----a-w c:\documents and settings\Carol\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-3a742d2d-n\jogl_awt.dll
2009-05-07 21:26 . 2009-05-07 21:26 114688 ----a-w c:\documents and settings\Carol\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-3a742d2d-n\jogl_cg.dll
2009-05-07 21:26 . 2009-05-07 21:26 20480 ----a-w c:\documents and settings\Carol\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-2eabab4c-n\gluegen-rt.dll
2009-05-07 21:26 . 2009-05-07 21:26 499712 ----a-w c:\documents and settings\Carol\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-27e0326d-n\msvcp71.dll
2009-05-07 21:26 . 2009-05-07 21:26 499712 ----a-w c:\documents and settings\Carol\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-27e0326d-n\jmc.dll
2009-05-07 21:26 . 2009-05-07 21:26 348160 ----a-w c:\documents and settings\Carol\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-27e0326d-n\msvcr71.dll
2009-05-07 21:20 . 2009-05-07 21:20 152576 ----a-w c:\documents and settings\Carol\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-07 20:21 . 2009-05-07 20:21 -------- d-----w c:\documents and settings\Carol\Application Data\AdobeAUM
2009-05-07 20:21 . 2009-05-07 20:21 -------- d-----w c:\documents and settings\Carol\Application Data\Leadertech
2009-05-04 20:51 . 2009-05-04 20:51 -------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-05-04 15:12 . 2009-05-04 15:19 -------- d-----w c:\documents and settings\Carol\Application Data\Symantec
2009-05-04 14:34 . 2009-05-04 14:34 -------- d-----w c:\documents and settings\All Users\Application Data\NortonSystemWorks
2009-05-04 14:32 . 2009-05-19 01:14 -------- d-----w c:\program files\Norton SystemWorks Basic Edition
2009-05-04 14:19 . 2009-05-04 14:19 -------- d-----w c:\documents and settings\Carol\Application Data\Uniblue
2009-04-29 15:23 . 2009-04-29 15:23 -------- d-----w c:\program files\Trend Micro
2009-04-29 15:22 . 2009-04-29 15:22 812344 ----a-w C:\HJTInstall.exe
2009-04-29 12:23 . 2009-04-29 12:24 -------- d-----r c:\program files\Norton Support
2009-04-29 11:51 . 2009-04-29 11:52 111092902 ----a-w C:\SYM_REGISTRY_BACKUP.reg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 16:32 . 2008-09-24 01:43 -------- d-----w c:\documents and settings\Carol\Application Data\Image Zone Express
2009-05-11 20:12 . 2008-03-13 22:18 -------- d-----w c:\program files\Common Files\Apple
2009-05-07 21:23 . 2009-01-07 23:21 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-04 15:11 . 2009-04-16 02:06 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-05-04 14:48 . 2005-03-09 13:16 -------- d-----w c:\program files\Google
2009-05-04 14:36 . 2003-10-02 00:38 66864 ----a-w c:\documents and settings\Carol\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-04 14:34 . 2002-07-31 12:51 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-04 14:32 . 2009-04-15 20:04 -------- d-----w c:\program files\Symantec
2009-05-04 14:32 . 2009-04-15 20:04 60808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-05-04 14:32 . 2009-04-15 20:04 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-04 14:32 . 2007-03-02 19:06 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-05-04 14:32 . 2007-03-02 19:06 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-26 15:27 . 2003-09-23 12:44 66864 ----a-w c:\documents and settings\Mitchell\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-22 18:55 . 2009-04-21 03:15 -------- d-----w c:\program files\Hewlett-Packard
2009-04-21 03:15 . 2009-04-21 03:15 -------- d--h--w c:\program files\Zenographics
2009-04-15 20:04 . 2009-04-15 20:04 1294680 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2009-04-15 20:04 . 2009-04-15 20:04 136840 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2009-04-15 20:04 . 2009-04-15 20:04 796016 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2009-04-15 20:03 . 2009-04-15 20:03 -------- d-----w c:\program files\Windows Sidebar
2009-04-15 20:03 . 2009-04-15 20:03 -------- d-----w c:\program files\Norton Internet Security
2009-04-15 20:03 . 2009-04-15 19:44 -------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-04-15 20:03 . 2009-04-15 19:42 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-04-15 19:44 . 2009-04-15 19:44 -------- d-----w c:\documents and settings\All Users\Application Data\PCSettings
2009-04-15 19:42 . 2009-04-15 19:42 -------- d-----w c:\program files\NortonInstaller
2009-04-12 16:05 . 2003-09-10 01:42 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-01 14:46 . 2003-09-10 01:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-01 03:55 . 2009-04-01 03:55 -------- d-----w c:\program files\MSBuild
2009-04-01 03:55 . 2009-04-01 03:55 -------- d-----w c:\program files\Reference Assemblies
2009-03-29 15:27 . 2008-09-25 12:45 -------- d-----w c:\program files\Java
2009-03-28 15:07 . 2009-03-28 15:07 -------- d-----w c:\program files\THQ
2009-03-28 15:07 . 2002-07-31 12:43 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-28 15:06 . 2003-01-25 00:41 -------- d-----w c:\program files\Microsoft Games
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 20:32 . 2009-03-05 02:17 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-16 20:03 . 2009-03-16 20:03 533880 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-03-12 08:42 . 2009-04-16 00:04 36400 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-03-06 14:22 . 2001-08-18 10:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-01-08 19:23 826368 ----a-w c:\windows\system32\wininet.dll
2001-06-20 20:19 . 2001-06-19 20:34 40960 ----a-w c:\program files\ACMonitor_X83.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-04-29_15.00.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-02 04:46 . 2006-12-02 04:46 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
+ 2006-12-02 04:08 . 2006-12-02 04:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-02 04:08 . 2006-12-02 04:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-02 04:08 . 2006-12-02 04:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 04:08 . 2006-12-02 04:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 04:08 . 2006-12-02 04:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 04:08 . 2006-12-02 04:08 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-02 04:08 . 2006-12-02 04:08 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 04:08 . 2006-12-02 04:08 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 04:08 . 2006-12-02 04:08 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 04:26 . 2006-12-02 04:26 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-02 04:25 . 2006-12-02 04:25 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-02 02:56 . 2006-12-02 02:56 96256 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2009-05-22 15:38 . 2009-05-22 15:38 16384 c:\windows\Temp\Perflib_Perfdata_408.dat
+ 2009-05-24 02:14 . 2009-05-24 02:14 16384 c:\windows\Temp\Perflib_Perfdata_3c8.dat
+ 2009-05-24 02:12 . 2009-05-24 02:12 16384 c:\windows\Temp\Perflib_Perfdata_3a0.dat
+ 2009-05-11 20:02 . 2009-03-26 19:23 36864 c:\windows\SYSTEM32\DRVSTORE\usbaapl_AF109929C2381E41FEF454F3FEDAA257A9E85F92\usbaapl.sys
+ 2009-05-11 20:14 . 2009-03-19 20:32 23400 c:\windows\SYSTEM32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspiWDM.sys
+ 2008-09-25 18:53 . 2008-09-25 18:53 95760 c:\windows\SYSTEM32\DRIVERS\SdDriver.SYS
+ 2008-09-25 18:53 . 2008-09-25 18:53 87272 c:\windows\SYSTEM32\DRIVERS\NPDRIVER.SYS
+ 2009-05-04 14:34 . 2009-05-04 14:34 40960 c:\windows\Installer\{6A7867BA-B7CA-4CC9-ACAB-85BA46865EE5}\IconD950CF9C.exe
+ 2009-05-04 14:34 . 2009-05-04 14:34 11776 c:\windows\Installer\{6A7867BA-B7CA-4CC9-ACAB-85BA46865EE5}\Icon6A7867BA1.exe
+ 2009-05-04 14:32 . 2009-05-04 14:32 7406 c:\windows\Installer\{E80F62FF-5D3C-4A19-8409-9721F2928206}\IconE80F62FF.exe
+ 2009-05-07 21:24 . 2009-05-07 21:23 148888 c:\windows\SYSTEM32\javaws.exe
+ 2009-05-07 21:24 . 2009-05-07 21:23 144792 c:\windows\SYSTEM32\javaw.exe
+ 2009-05-07 21:24 . 2009-05-07 21:23 144792 c:\windows\SYSTEM32\java.exe
- 2009-03-05 02:17 . 2008-04-17 18:12 107368 c:\windows\SYSTEM32\GEARAspi.dll
+ 2009-03-05 02:17 . 2008-04-17 16:12 107368 c:\windows\SYSTEM32\GEARAspi.dll
+ 2009-05-11 20:14 . 2008-04-17 16:12 107368 c:\windows\SYSTEM32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspi.dll
+ 2007-04-11 18:11 . 2007-04-11 18:11 511328 c:\windows\SYSTEM32\capicom.dll
+ 2009-05-11 20:17 . 2009-05-11 20:17 102400 c:\windows\Installer\{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}\iTunesIco.exe
+ 2006-12-02 04:25 . 2006-12-02 04:25 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 04:25 . 2006-12-02 04:25 1101824 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2009-05-11 20:02 . 2009-03-26 19:23 1900544 c:\windows\SYSTEM32\DRVSTORE\usbaapl_AF109929C2381E41FEF454F3FEDAA257A9E85F92\usbaaplrc.dll
+ 2005-05-13 13:05 . 2009-05-07 07:16 24699336 c:\windows\SYSTEM32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-10-06 49152]
"NswUiTray"="c:\program files\Norton SystemWorks Basic Edition\NswUiTray.exe" [2008-09-25 85360]
"NSWosCheck"="c:\program files\Norton SystemWorks Basic Edition\osCheck.exe" [2008-09-25 160112]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-03-28 102400]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-07 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"LTWinModem1"="ltmsg.exe" - c:\windows\SYSTEM32\ltmsg.exe [2001-04-03 38912]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2003-10-06 741376]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave2"= serwvdrv.dll
"aux1"= ctwdm32.dll
"aux2"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\NIS\1005000.087\SymEFA.sys [4/15/2009 7:10 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\SYSTEM32\DRIVERS\NIS\1005000.087\BHDrvx86.sys [4/15/2009 7:10 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\NIS\1005000.087\cchpx86.sys [4/15/2009 7:07 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSXpx86.sys [5/19/2009 2:55 PM 276344]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [4/15/2009 7:08 PM 115560]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\NO3347~1\NORTON~1\NPROTECT.EXE [9/25/2008 2:53 PM 95600]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/8/2009 11:16 AM 101936]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\SYSTEM32\DRIVERS\usbscan.sys [11/14/2003 10:34 PM 15104]
.
Contents of the 'Scheduled Tasks' folder

2009-05-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-05-19 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks Basic Edition\OBC.exe [2008-09-25 18:52]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.dellnet.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-23 22:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Carol\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3825228898-1850456698-4159782051-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2692)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\HPZipm12.exe
c:\progra~1\NO3347~1\NORTON~1\SPEEDD~1\NOPDB.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\rundll32.exe
c:\windows\SYSTEM32\devldr32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-24 22:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-24 02:25

Pre-Run: 47,861,579,776 bytes free
Post-Run: 48,259,379,200 bytes free

289 --- E O F --- 2009-05-13 07:03



Hey - it is a holiday weekend and I understand that you do this in your free time, so I understand if you want to slide me into next week. Again - your help is appreciated! - Carol

#8 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:38 AM

Posted 24 May 2009 - 06:12 AM

Thanks for the understanding. It is Sunday and the holiday weekend looks over already. :thumbup2:
The file Norton is mentioning should be a rootkit not yet detected by CF. Let's see if there is something protecting it from being removed.

Download RootRepeal.zip and save it to your desktop:
  • Unzip the zip archive.
  • Double-click RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Press the Scan button.
  • Check all six boxes:
    • drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services.
  • Click Ok.
  • Check the box for your main system drive (Usually C:) and click Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, press the Save Report button. Save the log to your desktop as RootRepeal.txt and post it in your reply.


#9 Carol needs help
  • Topic Starter
  • Members
  • 11 posts
  • Local time:09:38 PM

Posted 24 May 2009 - 10:52 AM

Hey - I am unable to run RootRepeal.exe. I get a crash report:

ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x00406e46
Attempt to read from address: 0x25cd0240


What am I doing wrong?

Thanks,
Carol

#10 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:38 AM

Posted 24 May 2009 - 11:38 AM

Let's try this one:

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Disconnect from the Internet and close all running programs.
  • Double-click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan... click on NO.
  • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
    • Sections
    • IAT/EAT
    • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
  • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete.)
  • When the scan is finished, you will see the Scan button appear again. Click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.


#11 Carol needs help
  • Topic Starter
  • Members
  • 11 posts
  • Local time:09:38 PM

Posted 24 May 2009 - 01:22 PM

Hey Farbar,

I noticed AFTER I ran the scan that the Show All box was not checked - Do I need to run it again? Otherwise, I did follow your instructions and unchecked Sections and IAT/EAT.

Log file attached also.

Scan results:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-24 14:14:10
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 82AA4F48 ZwAlertResumeThread
SSDT 82AA5AA8 ZwAlertThread
SSDT 82AA6B50 ZwAllocateVirtualMemory
SSDT 82AA3DC0 ZwAssignProcessToJobObject
SSDT 82E1B3C8 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF6077040]
SSDT 82AA4CF8 ZwCreateMutant
SSDT 82AA3C20 ZwCreateSymbolicLinkObject
SSDT 82AB4F70 ZwCreateThread
SSDT 82AA3E80 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF60772C0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF6077820]
SSDT 82AA6CA8 ZwDuplicateObject
SSDT 82AA5F38 ZwFreeVirtualMemory
SSDT 82AA4DC8 ZwImpersonateAnonymousToken
SSDT 82AA4E88 ZwImpersonateThread
SSDT 82D9C090 ZwLoadDriver
SSDT 82AA5E58 ZwMapViewOfSection
SSDT 82AA4C38 ZwOpenEvent
SSDT 82AA7AF0 ZwOpenProcess
SSDT 82B7FA78 ZwOpenProcessToken
SSDT 82AA4AB8 ZwOpenSection
SSDT 82AA6D78 ZwOpenThread
SSDT 82AA3CF0 ZwProtectVirtualMemory
SSDT 82B90A78 ZwResumeThread
SSDT 82AB1A78 ZwSetContextThread
SSDT 82AA5D00 ZwSetInformationProcess
SSDT 82AA3F40 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF6077A70]
SSDT 82AA4B78 ZwSuspendProcess
SSDT 82AAFA78 ZwSuspendThread
SSDT 82B81A78 ZwTerminateProcess
SSDT 82AB0A78 ZwTerminateThread
SSDT 82AB3A78 ZwUnmapViewOfSection
SSDT 82AA6A80 ZwWriteVirtualMemory

Code \??\C:\DOCUME~1\Carol\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{68006435-5F14-4E7B-4674-C5DAA4811732}\InprocServer32@ C:\WINDOWS\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{68006435-5F14-4E7B-4674-C5DAA4811732}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{AB59D433-6594-C4AC-E6CE-D27460041AAB}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{AB59D433-6594-C4AC-E6CE-D27460041AAB}\LocalServer32@ C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
Reg HKLM\SOFTWARE\Classes\CLSID\{AB59D433-6594-C4AC-E6CE-D27460041AAB}\LocalServer32@LocalServer32 *r=^Vn-}f(YR]eAR6.jiOUTLOOKFiles>'K2Qps't@=3LoeW%lTmK?
Reg HKLM\SOFTWARE\Classes\CLSID\{ABE3FDD0-A25C-1E63-6FE9-B705347DD117}\InProcServer32@ %SystemRoot%\System32\browseui.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{ABE3FDD0-A25C-1E63-6FE9-B705347DD117}\InProcServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{CE8EC9FD-1451-F211-1F56-707BB8F1CB5A}\Verb@
Reg HKLM\SOFTWARE\Classes\CLSID\{CE8EC9FD-1451-F211-1F56-707BB8F1CB5A}\Verb\0
Reg HKLM\SOFTWARE\Classes\CLSID\{CE8EC9FD-1451-F211-1F56-707BB8F1CB5A}\Verb\0@ &Edit,0,2
Reg HKLM\SOFTWARE\Classes\CLSID\{CE8EC9FD-1451-F211-1F56-707BB8F1CB5A}\Verb\1
Reg HKLM\SOFTWARE\Classes\CLSID\{CE8EC9FD-1451-F211-1F56-707BB8F1CB5A}\Verb\1@ &Open,0,2

---- EOF - GMER 1.0.15 ----


Thanks,
Carol
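A small parser for GMER log lines of the shape posted above, added here as an example; it is not part of the original thread and not code from the GMER tool, and its sample log is constructed from a few lines of the same shape. It groups the SSDT entries by the driver GMER attributes them to and lists separately the entries GMER prints only as an address, which the log does not tie to a module and which a reviewer attributes by hand against the loaded driver list.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the GMER log above: two SSDT entries that
# GMER attributes to a named driver, two that it prints only as an address,
# one Code entry and two AttachedDevice lines (one without a device object).
SAMPLE_LOG = r"""---- System - GMER 1.0.15 ----

SSDT 82AA4F48 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF6077040]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF60772C0]
SSDT 82D9C090 ZwLoadDriver

Code \??\C:\DOCUME~1\Carol\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
"""

# Line shapes as GMER 1.0.15 prints them in the log above.
SSDT_MODULE = re.compile(r"^SSDT (\S+) \((.+?)\) (\w+)(?: \[0x([0-9A-Fa-f]+)\])?$")
SSDT_ADDR = re.compile(r"^SSDT ([0-9A-Fa-f]{8}) (\w+)$")
CODE_HOOK = re.compile(r"^Code (\S+) (\w+)$")
ATTACHED = re.compile(r"^AttachedDevice (?:(\S+) (\S+) )?(\S+) \((.+?)\)$")


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_gmer(text):
    """Parse the SSDT, Code and AttachedDevice lines of a GMER log."""
    result = {"ssdt": [], "code": [], "attached": []}
    for line in text.splitlines():
        line = line.strip()
        m = SSDT_MODULE.match(line)
        if m:
            path, vendor, func, hook = m.groups()
            result["ssdt"].append({"function": func, "module": _basename(path),
                                   "path": path, "vendor": vendor, "hook": hook})
            continue
        m = SSDT_ADDR.match(line)
        if m:
            addr, func = m.groups()
            result["ssdt"].append({"function": func, "module": None,
                                   "path": None, "vendor": None, "hook": addr})
            continue
        m = CODE_HOOK.match(line)
        if m:
            path, symbol = m.groups()
            result["code"].append({"path": path, "module": _basename(path), "symbol": symbol})
            continue
        m = ATTACHED.match(line)
        if m:
            _driver_obj, device, driver, vendor = m.groups()
            result["attached"].append({"device": device, "driver": driver, "vendor": vendor})
    return result


def hooks_by_module(parsed):
    """SSDT hook functions grouped by the module GMER attributed them to.
    Address-only entries are collected under '<unattributed>'."""
    groups = defaultdict(list)
    for h in parsed["ssdt"]:
        groups[h["module"] or "<unattributed>"].append(h["function"])
    return dict(groups)


def unattributed_hooks(parsed):
    """(address, function) pairs GMER printed without a module path; these are
    the entries a reviewer still has to attribute against the loaded driver list."""
    return [(h["hook"], h["function"]) for h in parsed["ssdt"] if h["module"] is None]


if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_LOG)
    for module, funcs in hooks_by_module(parsed).items():
        print(f"{module}: {', '.join(funcs)}")
    for dev in parsed["attached"]:
        print(f"attached {dev['driver']} on {dev['device'] or '(no device named)'} ({dev['vendor']})")
```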


#12 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:38 AM

Posted 24 May 2009 - 02:33 PM

Well done. You did it as it was needed. But the log looks good, no rootkit.

Let's see if the file you mentioned that Norton couldn't remove is there.

Go to Start > Run, copy and paste or type the next command in the field, then hit Enter:

cmd /c vfind -ltf "%systemdrive%\uaceamuuanr.*" > log.txt&log.txt& del log.txt

The command window opens and, after a while, a text file opens. Post its content in your reply.

#13 Carol needs help
  • Topic Starter
  • Members
  • 11 posts
  • Local time:09:38 PM

Posted 24 May 2009 - 09:42 PM

OK, so I did Start > Run and copied and pasted exactly:

cmd /c vfind -ltf "%systemdrive%\uaceamuuanr.*" > log.txt&log.txt& del log.txt

and got:

'vfind' is not recognized as an internal or external command, operable program or batch file.

The log notepad is completely blank, and I am assuming that this did not run properly.

Just tell me what I did wrong and I will correct it.

Just for giggles - it is raining cats and dogs right now so I am glad to be safely home working on this Bleeping Computer!

#14 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:38 AM

Posted 25 May 2009 - 12:56 AM

It has indeed not worked; the only probability I can think of is that the small application is not there.

You may download vfind.exe and save it in the C:\Windows folder. Then run the command again.

#15 Carol needs help
  • Topic Starter
  • Members
  • 11 posts
  • Local time:09:38 PM

Posted 25 May 2009 - 06:16 AM

This virus has hidden itself well...

Results:

Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0



