Possible Malware preventing IP name resolution


10 replies to this topic

#1 boratt1599

Posted 08 May 2009 - 01:56 PM

Referred here from: http://www.bleepingcomputer.com/forums/t/218054/ie-wont-open-web-pages/ ~ OB

I was instructed to post here with the DDS logs below. I can ping IPs but not names, and IE won't open pages. The following is the details from the previous posts, followed by the DDS logs:

I am running Win XP Home Service Pack 2, and I am connected to the internet via an external USB wireless adapter (2wire 802.11g). In my task panel, I am connected fine and I can even ping IP addresses from the command line. But I did notice that I can NOT ping domain names. For example, I can ping 68.180.206.184 fine (yahoo), but not www.yahoo.com or http://www.yahoo.com

When I bring up IE 7, it will say that it can't display the web page, or when I manually type in a web address it will say that the address is invalid. I have also uninstalled and reinstalled the drivers for the 2wire wireless adapter, and reset all values/defaults (and cleared cookies, etc.) in IE 7.

Thanks,

Bo



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 4/19/2003 8:20:07 PM
System Uptime: 5/8/2009 2:42:23 PM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | P4B-LX
Processor: Intel® Pentium® 4 CPU 1700MHz | mPGA 478 | 1693/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 16 GiB total, 2.87 GiB free.
D: is FIXED (NTFS) - 59 GiB total, 41.057 GiB free.
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\F79A5B8004603
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\F79A5B8004603
Service: NIC1394

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

2WIRE Wireless LAN - USB Driver
Active Disk
Adobe Acrobat 5.0
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Photoshop Elements
Adobe Reader 7.1.0
AnswerWorks Runtime
ArcSoft PhotoBase
ArcSoft PhotoStudio 2000
CA eTrust PestPatrol
Camera Window
Canon Camera Window for ZoomBrowser EX
Canon i470D
Canon PhotoRecord
Canon Utilities Easy-PhotoPrint
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
CardRd81
CCScore
CheckIt Diagnostics
CheckIt Diagnostics
Cobian Backup 9
Corel Applications
CR2
Creative Jukebox Driver
Creative MediaSource
Creative System Information
Creative Zen Touch
CyberView X - SF v1.01
DigitalPrint 1.0
DVC5.1 Driver
DVDExpress
DVgate
Easy-WebPrint
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
ESSvpaht
ESSvpot
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
HLPIndex
HLPPDOCK
HLPSFO
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
HP Memories Disc
HP Photo and Imaging 2.2 - Scanjet 3970 Series
Java 2 SDK, SE v1.4.2_04
Kodak EasyShare software
KSU
Lyra Personal Audio Player (RD1021/1071/1075)
Malwarebytes' Anti-Malware
Media Bar 3.2.11
Memory Card Utility
Memory Stick Formatter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Data Access Components KB870669
Microsoft IntelliPoint 5.0
Microsoft IntelliType Pro 5.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Sounds
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
Motion JPEG Software Decoder
MovieShaker 3.2
Mozilla Firefox (3.0.8)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Music Visualizer Library 1.4.00
Notifier
NVIDIA Windows 2000/XP Display Drivers
Office Animation Runtime
OfotoXMI
OmniPage Pro 9.0
OpenMG Limited Patch 4.0-04-11-28-01
OpenMG Secure Module 4.0.05
OTtBP
OTtBPSDK
Palm Desktop
PhotoPrinter 2000 Pro
PhotoStitch
PicoPlayer
PictureGear 5.1
PKZIP Command Line for Windows 8.10.0047
PKZIP for Windows 8.00.0018
Presto! ImageFolio 4.2
Presto! Mr. Photo
Print Server
QuickTime
RD1021/1071 Lyra Personal Audio Player Applications
RealJukebox
RealPlayer Basic
RealProducer Basic 8.5
Remove Hidden Data Tool
Retrospect 6.5
Samsung DVC Media 5.1
Scan Manager 5.2
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
SFR
SFR2
ShareIns
SHASTA
SKIN0001
SKINXSDK
Smart Capture
Sonic MyDVD SlideShow
Sonic Update Manager
SonicStage 2.3.00
Sony Certificate PCH
Sony DV Shared Library
Sony on Yahoo!
SUPERAntiSpyware Free Edition
Support Actions Win2K,WinXP
Sustaining Release Candidate
Ulead Photo Express 4.0 SE
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VAIO Action Setup
VAIO Grid Wallpaper
VAIO Help & Support
VAIO Registration
VAIO Support
VAIOWorld
VisualFlow 2.1
VPRINTOL
WebFldrs XP
Window Washer 5
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 3
WIRELESS

==== Event Viewer Messages From Past Week ========

5/7/2009 4:27:27 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 480 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
5/7/2009 12:27:09 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 240 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
5/6/2009 8:39:17 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
5/6/2009 8:09:16 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
5/6/2009 10:27:00 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
5/2/2009 6:27:51 PM, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
5/1/2009 3:01:57 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

==== End Of File ===========================





DDS (Ver_09-03-16.01) - FAT32x86
Run by Helen D. Pratt at 14:45:28.17 on Fri 05/08/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1024.693 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Helen D. Pratt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.msn.com
uStart Page = hxxp://www.cnn.com/
uInternet Settings,ProxyServer = 168.94.74.68:8080
uInternet Settings,ProxyOverride =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9
mRun: [WD Button Manager] "c:\windows\system32\WDBtnMgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [Norton SystemWorks] "c:\program files\norton systemworks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} - hxxp://www.hpphoto.com/downloads/DownloadPhotos.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37730.7341203704
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\helend~1.pra\applic~1\mozilla\firefox\profiles\5xf4thbb.default\
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R1 SonyFanC;FAN Control Device Service;c:\windows\system32\drivers\SonyFanC.sys [2001-9-9 68116]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2005-1-17 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2005-1-17 3904]
R2 V7;V7;c:\windows\system32\drivers\V7.SYS [2003-4-19 7196]
S3 BCM42XX;Broadcom iLine10™ Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [2001-9-8 54271]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 SDVC05;USB SDVC05;c:\windows\system32\drivers\SDVC05.sys [2005-6-30 18088]
S3 thmsn21r;Thomson Inc. RD1021/1071 Lyra Personal Audio Player Control Driver;c:\windows\system32\drivers\thmsn21r.sys [2004-2-4 30617]

=============== Created Last 30 ================

2009-05-06 19:57 --d----- c:\program files\Cobian Backup 9

==================== Find3M ====================

2009-04-06 15:32 38,496 -------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 -------- c:\windows\system32\drivers\mbam.sys
2005-09-25 17:43 63,896 -------- c:\docume~1\helend~1.pra\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 14:46:06.40 ===============

Edited by Orange Blossom, 08 May 2009 - 07:47 PM.




#2 Grinler

Lawrence Abrams (Admin)

Posted 11 May 2009 - 12:03 PM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log as a reply to this

#3 boratt1599

(Topic Starter)

Posted 12 May 2009 - 09:58 AM

Cool, just ran ComboFix. The first time it said that it ran without the Windows recovery console installed, so I ran it again with it installed as per the instructions. I am posting both logs...


Here is the one WITHOUT Windows recovery console:


ComboFix 09-05-11.01 - Helen D. Pratt 05/12/2009 9:43.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1024.694 [GMT -4:00]
Running from: c:\documents and settings\Helen D. Pratt\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\patch.exe
c:\windows\system32\_003563_.tmp.dll
c:\windows\system32\_003564_.tmp.dll
c:\windows\system32\_003565_.tmp.dll
c:\windows\system32\_003566_.tmp.dll
c:\windows\system32\_003572_.tmp.dll
c:\windows\system32\_003573_.tmp.dll
c:\windows\system32\_003574_.tmp.dll
c:\windows\system32\_003575_.tmp.dll
c:\windows\system32\_003576_.tmp.dll
c:\windows\system32\_003577_.tmp.dll
c:\windows\system32\_003578_.tmp.dll
c:\windows\system32\_003579_.tmp.dll
c:\windows\system32\_003580_.tmp.dll
c:\windows\system32\_003581_.tmp.dll
c:\windows\system32\_003582_.tmp.dll
c:\windows\system32\_003584_.tmp.dll
c:\windows\system32\_003585_.tmp.dll
c:\windows\system32\_003586_.tmp.dll
c:\windows\system32\_003588_.tmp.dll
c:\windows\system32\_003591_.tmp.dll
c:\windows\system32\_003592_.tmp.dll
c:\windows\system32\_003595_.tmp.dll
c:\windows\system32\_003596_.tmp.dll
c:\windows\system32\_003597_.tmp.dll
c:\windows\system32\_003598_.tmp.dll
c:\windows\system32\_003599_.tmp.dll
c:\windows\system32\_003600_.tmp.dll
c:\windows\system32\_003602_.tmp.dll
c:\windows\system32\_003603_.tmp.dll
c:\windows\system32\_003604_.tmp.dll
c:\windows\system32\_003605_.tmp.dll
c:\windows\system32\_003606_.tmp.dll
c:\windows\system32\_003607_.tmp.dll
c:\windows\system32\_003608_.tmp.dll
c:\windows\system32\_003610_.tmp.dll
c:\windows\system32\_003611_.tmp.dll
c:\windows\system32\_003612_.tmp.dll
c:\windows\system32\_003613_.tmp.dll
c:\windows\system32\_003614_.tmp.dll
c:\windows\system32\_003616_.tmp.dll
c:\windows\system32\_003617_.tmp.dll
c:\windows\system32\_003619_.tmp.dll
c:\windows\system32\_003620_.tmp.dll
c:\windows\system32\_003621_.tmp.dll
c:\windows\system32\_003622_.tmp.dll
c:\windows\system32\_003623_.tmp.dll
c:\windows\system32\_003625_.tmp.dll
c:\windows\system32\_003628_.tmp.dll
c:\windows\system32\_003629_.tmp.dll
c:\windows\system32\_003633_.tmp.dll
c:\windows\system32\_003634_.tmp.dll
c:\windows\system32\_003636_.tmp.dll
c:\windows\system32\_003639_.tmp.dll
c:\windows\system32\_003641_.tmp.dll
c:\windows\system32\_003642_.tmp.dll
c:\windows\system32\_003643_.tmp.dll
c:\windows\system32\_003644_.tmp.dll
c:\windows\system32\_003647_.tmp.dll
c:\windows\system32\_003648_.tmp.dll
c:\windows\system32\_003649_.tmp.dll
c:\windows\system32\_003650_.tmp.dll
c:\windows\system32\_003651_.tmp.dll
c:\windows\system32\_003656_.tmp.dll
c:\windows\system32\_003658_.tmp.dll
c:\windows\system32\_006221_.tmp.dll
c:\windows\system32\_006222_.tmp.dll
c:\windows\system32\_006223_.tmp.dll
c:\windows\system32\_006224_.tmp.dll
c:\windows\system32\_006231_.tmp.dll
c:\windows\system32\_006232_.tmp.dll
c:\windows\system32\_006233_.tmp.dll
c:\windows\system32\_006234_.tmp.dll
c:\windows\system32\_006236_.tmp.dll
c:\windows\system32\_006237_.tmp.dll
c:\windows\system32\_006240_.tmp.dll
c:\windows\system32\_006241_.tmp.dll
c:\windows\system32\_006243_.tmp.dll
c:\windows\system32\_006244_.tmp.dll
c:\windows\system32\_006245_.tmp.dll
c:\windows\system32\_006247_.tmp.dll
c:\windows\system32\_006250_.tmp.dll
c:\windows\system32\_006251_.tmp.dll
c:\windows\system32\_006255_.tmp.dll
c:\windows\system32\_006256_.tmp.dll
c:\windows\system32\_006258_.tmp.dll
c:\windows\system32\_006261_.tmp.dll
c:\windows\system32\_006263_.tmp.dll
c:\windows\system32\_006264_.tmp.dll
c:\windows\system32\_006265_.tmp.dll
c:\windows\system32\_006266_.tmp.dll
c:\windows\system32\_006267_.tmp.dll
c:\windows\system32\_006270_.tmp.dll
c:\windows\system32\_006271_.tmp.dll
c:\windows\system32\_006272_.tmp.dll
c:\windows\system32\_006273_.tmp.dll
c:\windows\system32\_006274_.tmp.dll
c:\windows\system32\_006279_.tmp.dll
c:\windows\system32\_006281_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 )))))))))))))))))))))))))))))))
.

2009-05-06 23:57 . 2009-05-06 23:57 -------- d-----w c:\program files\Cobian Backup 9
2009-04-16 14:01 . 2009-04-16 14:01 0 ------w c:\windows\nsreg.dat
2009-04-16 14:01 . 2009-04-16 14:01 -------- d-----w c:\documents and settings\Helen D. Pratt\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-08 14:24 . 2009-04-08 14:24 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-08 14:24 . 2009-04-08 14:24 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-08 14:24 . 2009-04-08 14:24 -------- d-----w c:\documents and settings\Helen D. Pratt\Application Data\SUPERAntiSpyware.com
2009-04-08 14:17 . 2009-04-08 14:17 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-07 14:28 . 2009-04-07 14:28 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:32 . 2009-04-07 14:28 38496 ------w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-04-07 14:28 15504 ------w c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WD Button Manager"="c:\windows\system32\WDBtnMgr.exe" [2005-11-08 331776]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-01 77824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-1 176128]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ------w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton GoBack.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Norton GoBack.lnk
backup=c:\windows\pss\Norton GoBack.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PKZIP Attachments Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PKZIP Attachments Status.lnk
backup=c:\windows\pss\PKZIP Attachments Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk
backup=c:\windows\pss\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VAIO Action Setup (Server).lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VAIO Action Setup (Server).lnk
backup=c:\windows\pss\VAIO Action Setup (Server).lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 72944]
R1 SonyFanC;FAN Control Device Service;c:\windows\system32\drivers\SonyFanC.sys [9/9/2001 1:57 PM 68116]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [1/17/2005 5:34 PM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [1/17/2005 5:34 PM 3904]
R2 V7;V7;c:\windows\system32\drivers\V7.SYS [4/19/2003 8:23 PM 7196]
S3 BCM42XX;Broadcom iLine10™ Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [9/8/2001 2:22 PM 54271]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]
S3 SDVC05;USB SDVC05;c:\windows\system32\drivers\SDVC05.sys [6/30/2005 10:30 PM 18088]
S3 thmsn21r;Thomson Inc. RD1021/1071 Lyra Personal Audio Player Control Driver;c:\windows\system32\drivers\thmsn21r.sys [2/4/2004 4:45 PM 30617]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Norton SystemWorks - c:\program files\Norton SystemWorks\cfgwiz.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} - hxxp://www.hpphoto.com/downloads/DownloadPhotos.cab
FF - ProfilePath - c:\documents and settings\Helen D. Pratt\Application Data\Mozilla\Firefox\Profiles\5xf4thbb.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-12 09:49
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CANON\BJCARD\BJMCMNG.EXE
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\IOMEGA\SYSTEM32\APPSERVICES.EXE
c:\windows\SYSTEM32\NVSVC32.EXE
c:\program files\DANTZ\RETROSPECT\WDSVC.EXE
c:\windows\SYSTEM32\WDFMGR.EXE
c:\program files\IOMEGA\AUTODISK\ADSERVICE.EXE
c:\windows\SYSTEM32\WSCNTFY.EXE
.
**************************************************************************
.
Completion time: 2009-05-12 9:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-12 13:52

Pre-Run: 3,043,463,168 bytes free
Post-Run: 3,081,076,736 bytes free

241 --- E O F --- 2009-03-11 17:50

...and here is WITH the recovery console:

ComboFix 09-05-11.01 - Helen D. Pratt 05/12/2009 10:01.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1024.692 [GMT -4:00]
Running from: c:\documents and settings\Helen D. Pratt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Helen D. Pratt\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 )))))))))))))))))))))))))))))))
.

2009-05-06 23:57 . 2009-05-06 23:57 -------- d-----w c:\program files\Cobian Backup 9
2009-04-16 14:01 . 2009-04-16 14:01 0 ------w c:\windows\nsreg.dat
2009-04-16 14:01 . 2009-04-16 14:01 -------- d-----w c:\documents and settings\Helen D. Pratt\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-08 14:24 . 2009-04-08 14:24 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-08 14:24 . 2009-04-08 14:24 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-08 14:24 . 2009-04-08 14:24 -------- d-----w c:\documents and settings\Helen D. Pratt\Application Data\SUPERAntiSpyware.com
2009-04-08 14:17 . 2009-04-08 14:17 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-07 14:28 . 2009-04-07 14:28 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:32 . 2009-04-07 14:28 38496 ------w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-04-07 14:28 15504 ------w c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WD Button Manager"="c:\windows\system32\WDBtnMgr.exe" [2005-11-08 331776]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-01 77824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-1 176128]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ------w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton GoBack.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Norton GoBack.lnk
backup=c:\windows\pss\Norton GoBack.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PKZIP Attachments Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PKZIP Attachments Status.lnk
backup=c:\windows\pss\PKZIP Attachments Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk
backup=c:\windows\pss\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VAIO Action Setup (Server).lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VAIO Action Setup (Server).lnk
backup=c:\windows\pss\VAIO Action Setup (Server).lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 72944]
R1 SonyFanC;FAN Control Device Service;c:\windows\system32\drivers\SonyFanC.sys [9/9/2001 1:57 PM 68116]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [1/17/2005 5:34 PM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [1/17/2005 5:34 PM 3904]
R2 V7;V7;c:\windows\system32\drivers\V7.SYS [4/19/2003 8:23 PM 7196]
S3 BCM42XX;Broadcom iLine10™ Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [9/8/2001 2:22 PM 54271]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]
S3 SDVC05;USB SDVC05;c:\windows\system32\drivers\SDVC05.sys [6/30/2005 10:30 PM 18088]
S3 thmsn21r;Thomson Inc. RD1021/1071 Lyra Personal Audio Player Control Driver;c:\windows\system32\drivers\thmsn21r.sys [2/4/2004 4:45 PM 30617]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} - hxxp://www.hpphoto.com/downloads/DownloadPhotos.cab
FF - ProfilePath - c:\documents and settings\Helen D. Pratt\Application Data\Mozilla\Firefox\Profiles\5xf4thbb.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-12 10:03
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-05-12 10:05
ComboFix-quarantined-files.txt 2009-05-12 14:05
ComboFix2.txt 2009-05-12 13:52

Pre-Run: 3,077,414,912 bytes free
Post-Run: 3,063,017,472 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

132 --- E O F --- 2009-03-11 17:50

#4 Grinler (Lawrence Abrams)
  • Admin
  • 43,640 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:01:56 AM

Posted 12 May 2009 - 10:16 AM

Any change in IE?

#5 boratt1599
  • Topic Starter
  • Members
  • 60 posts
  • OFFLINE
  • Local time:01:56 AM

Posted 12 May 2009 - 11:41 AM

Nothing yet, in both IE and Firefox :-(

#6 Grinler (Lawrence Abrams)
  • Admin
  • 43,640 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:01:56 AM

Posted 12 May 2009 - 04:35 PM

From a command prompt can you ping www.google.com?

#7 boratt1599
  • Topic Starter
  • Members
  • 60 posts
  • OFFLINE
  • Local time:01:56 AM

Posted 12 May 2009 - 06:05 PM

Nothing yet... tried www.google.com and www.yahoo.com

#8 Grinler (Lawrence Abrams)
  • Admin
  • 43,640 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:01:56 AM

Posted 13 May 2009 - 05:47 PM

Download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop. Then open the log file and post it as a reply to this topic.


#9 boratt1599
  • Topic Starter
  • Members
  • 60 posts
  • OFFLINE
  • Local time:01:56 AM

Posted 13 May 2009 - 05:52 PM

OK, I'm out of town until the weekend, but I'll respond as soon as I get back. Thanks :-)

Bo

#10 boratt1599
  • Topic Starter
  • Members
  • 60 posts
  • OFFLINE
  • Local time:01:56 AM

Posted 16 May 2009 - 05:02 PM

I ran the scan and after a few minutes it popped up a message saying "the scan was stopped", with an 'OK' button. Not sure if that meant something stopped it or it actually completed, so I ran it again in safe mode. Below are logs from both runs:

1st run:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-16 17:36:31
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:8] 806A12FA
Thread System [4:104] F76B2B85
Thread System [4:112] F78F4090
Thread System [4:116] F78F4090
Thread System [4:132] F7A8B654
Thread System [4:136] F7A8B654
Thread System [4:140] F793E92D
Thread System [4:144] F793F133
Thread System [4:244] F745A086
Thread System [4:272] F745A086
Thread System [4:276] F745A086
Thread System [4:280] F745A086
Thread System [4:304] F7CCF038
Thread System [4:308] F3E43517
Thread System [4:316] F3E43517
Thread System [4:320] F3E2C8B1
Thread System [4:456] F3C741E0

---- EOF - GMER 1.0.15 ----
2nd run:


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-16 17:54:33
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#11 Grinler (Lawrence Abrams)
  • Admin
  • 43,640 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:01:56 AM

Posted 18 May 2009 - 10:05 AM

Not seeing anything here. Going to close this topic.

First do this:

Let's uninstall ComboFix

Please navigate to and delete the following:
  • Click on : Start >> Run...
  • Type: Combofix /u and hit Enter
See you back in the other topic.
