
Symantec Email Proxy Pop-ups


16 replies to this topic

#1 kevinroche (Members, 27 posts)

Posted 27 May 2009 - 10:56 PM

A few days ago, Symantec Antivirus alerted me to three threats. It said quarantine failed but the files were deleted successfully. From the Threat History, I can see the three threats were Infostealer.Banker.C, W32.Koobface.A and Trojan.Brisv.A and all have a status of deleted.

Since then, more often than not, my PC hangs at the Windows XP login screen. Once I do successfully start-up and login, I occasionally get pop-ups with the title "Symantec Email Proxy" that contain messages something like:
Your email message to bbildman@hiwaay.net
with the subject of
Blue pill !!!
was unable to be sent because the connection to your mail
server was interrupted. Please open your email client and
re-send the message from the Sent Messages folder.


Then there's a link that says "Click here to go to Symantec Technical Support Knowledge Base..." (which I have not clicked on).

I'm concerned my PC is being used to send spam now. I only use webmail (gmail). Outlook is installed but not setup with any accounts.

Below is the DDS log:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Kevin at 23:36:52.62 on Wed 05/27/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1249 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Kevin\Local Settings\Apps\F.lux\flux.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Documents and Settings\Kevin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.pandora.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_12\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: IE Developer Toolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: IE Developer Toolbar: {a202b231-ef71-4a08-bdb9-4ce5ae8bde0a} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Google Update] "c:\documents and settings\kevin\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [F.lux] "c:\documents and settings\kevin\local settings\apps\f.lux\flux.exe" /noshow
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Wireless Console 2] c:\program files\wireless console 2\wcourier.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ACMON] c:\program files\asus\splendid\ACMON.exe
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [EOUApp] "c:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\\vptray.exe
mRun: [nwiz] nwiz.exe /install
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [MediaFace Integration] c:\program files\fellowes\mediaface 4.0\SetHook.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_12\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\google~1.lnk - c:\program files\google\google updater\GoogleUpdater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: &Save Flash In This Page by Flash Saver - c:\progra~1\flashs~1\save.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09EA1F80-F40A-11D1-B792-444553540001} - c:\progra~1\flashs~1\save.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_12\bin\ssv.dll
IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.winkflash.com/photo/loaders/ImageUploader5.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.winkflash.com/photo/loaders/ImageUploader4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kevin\applic~1\mozilla\firefox\profiles\o1qijkz9.default\
FF - prefs.js: browser.search.selectedEngine - Merriam-Webster Dictionary
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com
FF - plugin: c:\documents and settings\kevin\application data\mozilla\firefox\profiles\o1qijkz9.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\documents and settings\kevin\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJPI150_12.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npLegitCheckPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppl3260.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nprjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvlc.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-7-11 301200]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-7-11 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-7-11 242808]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-7-11 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-7-11 1258712]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2006-12-26 24521]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090527.003\naveng.sys [2009-5-27 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090527.003\navex15.sys [2009-5-27 876144]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-7-11 87160]
S3 IKFileFlt;File Filter Driver;c:\windows\system32\drivers\ikfileflt.sys --> c:\windows\system32\drivers\ikfileflt.sys [?]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-4-10 42376]
S3 IkSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-4-10 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-4-10 81288]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2006-12-26 155184]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2003-4-4 30336]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-7-11 169192]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-3-24 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-3-24 1073544]
S3 Tomcat6;Apache Tomcat;c:\program files\apache software foundation\tomcat 6.0\bin\tomcat6.exe [2008-7-21 57344]
UnknownUnknown gptdhrunachveo;gptdhrunachveo; [x]

=============== Created Last 30 ================

2009-05-27 21:39 <DIR> --d----- c:\program files\Trend Micro
2009-05-27 21:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-27 21:33 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-27 21:33 <DIR> --d----- c:\docume~1\kevin\applic~1\SUPERAntiSpyware.com
2009-05-27 21:32 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-26 07:54 213,024 a------- c:\windows\system32\drivers\str.sys
2009-05-18 22:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Digsby
2009-05-18 22:23 <DIR> --d----- c:\docume~1\kevin\applic~1\Digsby
2009-05-18 22:22 <DIR> --d----- c:\program files\Digsby
2009-05-03 23:59 <DIR> --d----- c:\docume~1\kevin\applic~1\.purple
2009-05-03 23:57 <DIR> --d----- c:\program files\common files\GTK

==================== Find3M ====================

2009-05-25 21:12 0 ac------ c:\windows\system32\drivers\lvuvc.hs
2009-05-25 21:11 0 ac------ c:\windows\system32\drivers\logiflt.iad
2009-05-21 22:43 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-04-30 01:11 256 a------- c:\documents and settings\kevin\pool.bin
2009-04-08 22:04 106,496 a------- c:\windows\system32\ATL71.DLL
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2008-02-27 22:16 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-12-10 00:38 12,132,024 ac------ c:\program files\Install_AIM.exe
2007-04-12 23:28 86,016 a------- c:\documents and settings\kevin\IDHWTSS1.dll
2007-04-12 23:28 81,920 a------- c:\documents and settings\kevin\hobjni.dll
2006-12-26 16:39 36,868 a------- c:\documents and settings\kevin\PrtDLL.dll
2008-08-24 20:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082420080825\index.dat

============= FINISH: 23:37:29.40 ===============
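As an added triage example (not code from this thread, from DDS or from any of the tools named in it), the script below parses the SERVICES / DRIVERS and "Created Last 30" sections of a DDS log and flags the entries an analyst would check first: service entries with an unrecognised start/state code, no image path, no file date/size on disk, or a random-looking name, and new kernel drivers that no service entry references. The heuristic rules are my own assumptions, and the sample lines are copied from the log posted above.

```python
"""Triage of two DDS log sections: SERVICES / DRIVERS and "Created Last 30"."""
import re
from typing import Dict, List, Tuple

# Sample input, constructed from lines of the DDS log posted above.
SERVICES_SAMPLE = r"""
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-7-11 301200]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-7-11 255096]
S3 IKFileFlt;File Filter Driver;c:\windows\system32\drivers\ikfileflt.sys --> c:\windows\system32\drivers\ikfileflt.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2003-4-4 30336]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
UnknownUnknown gptdhrunachveo;gptdhrunachveo; [x]
"""
CREATED_SAMPLE = r"""
2009-05-27 21:39 <DIR> --d----- c:\program files\Trend Micro
2009-05-26 07:54 213,024 a------- c:\windows\system32\drivers\str.sys
2009-05-18 22:22 <DIR> --d----- c:\program files\Digsby
"""

# <code> <name>;<display name>;<image path> [<date size> | ? | x]
SERVICE_RE = re.compile(r"^(\S+)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$")
# <date> <time> <size or <DIR>> <attributes> <path>
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.*)$")
# DDS start/state codes: R = running, S = stopped, digit = start type 0-4 (assumption).
VALID_CODES = {f"{k}{n}" for k in "RS" for n in range(5)}
VOWELS = set("aeiouy")


def looks_random(name: str) -> bool:
    """Heuristic (mine) for generated names like gptdhrunachveo: long, all
    lowercase letters, with a run of 4+ consonants or a vowel share below 30%."""
    if len(name) < 10 or not name.isalpha() or not name.islower():
        return False
    runs = re.findall(r"[^aeiouy]+", name)
    longest = max((len(r) for r in runs), default=0)
    vowel_share = sum(c in VOWELS for c in name) / len(name)
    return longest >= 4 or vowel_share < 0.3


def parse_services(text: str) -> List[Dict[str, str]]:
    """Parse SERVICES / DRIVERS lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            code, name, display, path, info = m.groups()
            entries.append({"code": code, "name": name, "display": display,
                            "path": path.strip(), "info": info})
    return entries


def flag_services(entries: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (service name, reasons) for suspicious entries, most reasons first."""
    findings = []
    for e in entries:
        reasons = []
        if e["code"] not in VALID_CODES:
            reasons.append(f"unrecognised start/state code {e['code']!r}")
        if not e["path"]:
            reasons.append("no image path recorded")
        if e["info"] in ("x", "?"):
            reasons.append(f"no file date/size on disk ([{e['info']}])")
        if looks_random(e["name"]):
            reasons.append("random-looking service name")
        if reasons:
            findings.append((e["name"], reasons))
    findings.sort(key=lambda f: -len(f[1]))
    return findings


def parse_created(text: str) -> List[Dict[str, str]]:
    """Parse "Created Last 30" lines into dicts with date, size, attrs and path."""
    items = []
    for line in text.strip().splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            day, _time, size, attrs, path = m.groups()
            items.append({"date": day, "size": size, "attrs": attrs, "path": path})
    return items


def flag_new_drivers(created, services) -> List[Tuple[str, str]]:
    """Newly created .sys files in system32\\drivers that no service entry references.
    Compared on file name only, because DDS prints 8.3 short paths in places."""
    referenced = {e["path"].split("-->")[0].strip().lower().rsplit("\\", 1)[-1]
                  for e in services if e["path"]}
    findings = []
    for c in created:
        low = c["path"].lower()
        if "\\system32\\drivers\\" in low and low.endswith(".sys"):
            if low.rsplit("\\", 1)[-1] not in referenced:
                findings.append((c["path"], c["date"]))
    return findings


if __name__ == "__main__":
    services = parse_services(SERVICES_SAMPLE)
    for name, reasons in flag_services(services):
        print(f"{name}: " + "; ".join(reasons))
    for path, day in flag_new_drivers(parse_created(CREATED_SAMPLE), services):
        print(f"new driver with no service entry: {path} (created {day})")
```

Both items the script ranks first, the gptdhrunachveo service and str.sys, are the ones MBAM later in the thread identifies as Rootkit.Rustock and Rootkit.Agent; the IKFileFlt hit is a lower-priority candidate that still needs an analyst's look.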


#2 shelf life (Malware Response Team, 2,679 posts)

Posted 03 June 2009 - 05:52 PM

hi,

sorry for delay, no shortage of posters. If you still need help, reply to my post and we will see what we can do.

How Can I Reduce My Risk to Malware?


#3 kevinroche (Topic Starter, Members, 27 posts)

Posted 03 June 2009 - 06:02 PM

Yes, my PC is still exhibiting the behavior described above. In addition, yesterday Symantec Antivirus found a new threat in a file called "f.exe" that it has labelled a Trojan Horse. I'm not sure if this was really a new threat or a result of it updating its Virus Definitions File. It succeeded in quarantining the file, then I proceeded to have it deleted.

Thanks for the help.

#4 shelf life (Malware Response Team, 2,679 posts)

Posted 03 June 2009 - 09:01 PM

hi kevinroche,

ok we will get a download to get a closer look for any on board malware. You have Superantispyware and Spyware Doctor, are they updated and coming up clean after a scan?

did you install this yourself? You know what it is?

C:\Documents and Settings\Kevin\Local Settings\Apps\F.lux\flux.exe

We will use combofix. there is a guide to read first. read the guide, download combofix to your desktop. disable any AV etc as explained in the guide, double click the combofix icon and follow the prompts. post the log in your reply.

the guide:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#5 kevinroche (Topic Starter, Members, 27 posts)

Posted 09 June 2009 - 08:03 AM

Yes, my spyware scans are clean now and flux.exe was installed by me, I trust it. At this point I am unable to start my PC in normal mode -- it freezes at the login screen. I can only use Safe Mode. Should I run combofix in Safe Mode?

#6 shelf life (Malware Response Team, 2,679 posts)

Posted 09 June 2009 - 04:39 PM

no hold off on running combofix for now. We will get another download to use instead. link and directions below, if you have to run it in safe mode;

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:


http://www.malwarebytes.org/mbam.php

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click **Remove Selected.**

**A restart of your computer most likely will be required to remove some items.**

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt



#7 kevinroche (Topic Starter, Members, 27 posts)

Posted 09 June 2009 - 07:28 PM

Thanks! Running MBAM found several infections which I removed. Now I am able to start in Normal Mode without a problem. I've pasted the log below. Should I run the combofix to be safe, now that I can start in normal mode?

Malwarebytes' Anti-Malware 1.37
Database version: 2256
Windows 5.1.2600 Service Pack 3

6/9/2009 8:01:59 PM
mbam-log-2009-06-09 (20-01-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 316320
Time elapsed: 1 hour(s), 4 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gptdhrunachveo (Rootkit.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gptdhrunachveo (Rootkit.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gptdhrunachveo (Rootkit.Rustock) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\drivers\eyuvjdabkjp.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

#8 shelf life (Malware Response Team, 2,679 posts)

Posted 10 June 2009 - 07:32 PM

ok good. go ahead and run combofix. Remember to disable any running AV and anti-malware first. double click the icon and follow the prompts. Post the combofix log in reply.



#9 kevinroche (Topic Starter, Members, 27 posts)

Posted 13 June 2009 - 06:15 PM

I seem to be unable to disable Symantec (I didn't have success following the guide in the link from the combofix instructions). Its icon is not in my system tray, and when I open it from the Start menu, it doesn't appear to be loaded (I see the option "Load Service" in the File menu). However, when I try to run combofix I get a warning that "Symantec Antivirus Corporate Edition" is still active and that proceeding may cause damage to my machine.

#10 shelf life (Malware Response Team, 2,679 posts)

Posted 13 June 2009 - 06:28 PM

ok, you can do one of two things:
forget the combofix warning and run it anyway.
at the most it may interfere with combofix or detect one of its processes as a threat.
or we can attempt to disable the norton service using the services.msc panel, then re-enable it after combofix is finished running.
up to you



#11 kevinroche (Topic Starter, Members, 27 posts)

Posted 13 June 2009 - 07:04 PM

Let's do the second option, disable it. Please let me know how.

#12 shelf life (Malware Response Team, 2,679 posts)

Posted 14 June 2009 - 07:03 PM

hi,

ok we will attempt to disable the service in services.msc
to bring it up you can go to start>run and type in:
services.msc
click ok or enter

The windows service panel will open up.
under the name column look for:
Symantec
right click on it and select>properties
under the properties tab, make a note of what the options are:
startup type and service status.

We will change those two;
in the startup type: change it to manual
the service status: click the stop button
reboot computer
see if that works.



#13 kevinroche (Topic Starter, Members, 27 posts)

Posted 15 June 2009 - 12:16 AM

I disabled all Symantec services and combofix still gave me the warning. I proceeded to run it anyways. Below is the log:

ComboFix 09-06-14.02 - Kevin 06/14/2009 20:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1449 [GMT -4:00]
Running from: c:\program files\Install Files\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\INSTALL.LOG
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 )))))))))))))))))))))))))))))))
.

2009-06-10 02:54 . 2009-06-10 02:54 -------- d-----w- c:\program files\iPod
2009-06-10 00:36 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-10 00:36 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-10 00:36 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-10 00:36 . 2009-06-10 00:36 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-10 00:36 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-09 22:38 . 2009-06-09 22:38 -------- d-----w- c:\documents and settings\Kevin\Application Data\Malwarebytes
2009-06-09 22:38 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 22:38 . 2009-06-09 22:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 22:38 . 2009-06-09 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-09 22:38 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-05 17:57 . 2009-06-05 17:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-04 07:05 . 2009-06-04 07:05 -------- d-----r- c:\program files\Skype
2009-05-28 01:39 . 2009-05-28 01:39 -------- d-----w- c:\program files\Trend Micro
2009-05-28 01:33 . 2009-06-15 00:31 117760 ----a-w- c:\documents and settings\Kevin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-28 01:33 . 2009-05-28 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-28 01:33 . 2009-06-08 12:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-28 01:33 . 2009-05-28 01:33 -------- d-----w- c:\documents and settings\Kevin\Application Data\SUPERAntiSpyware.com
2009-05-28 01:32 . 2009-05-28 01:32 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-27 02:47 . 2009-05-27 02:47 -------- d-----w- c:\documents and settings\Kevin\Application Data\InstallShield
2009-05-19 02:44 . 2009-05-19 02:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Digsby
2009-05-19 02:23 . 2009-05-19 02:44 -------- d-----w- c:\documents and settings\Kevin\Local Settings\Application Data\Digsby
2009-05-19 02:23 . 2009-05-19 02:44 -------- d-----w- c:\documents and settings\Kevin\Application Data\Digsby
2009-05-19 02:22 . 2009-05-19 02:38 -------- d-----w- c:\program files\Digsby

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-15 00:33 . 2007-09-03 06:05 -------- d-----w- c:\documents and settings\Kevin\Application Data\Skype
2009-06-15 00:30 . 2007-11-02 02:50 0 -c--a-w- c:\windows\system32\drivers\lvuvc.hs
2009-06-15 00:30 . 2007-11-02 02:50 0 -c--a-w- c:\windows\system32\drivers\logiflt.iad
2009-06-15 00:15 . 2006-09-28 17:45 -------- d-----w- c:\program files\Install Files
2009-06-14 04:41 . 2006-10-07 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-10 07:14 . 2007-04-10 16:22 -------- d-----w- c:\program files\Spyware Doctor
2009-06-10 04:27 . 2007-07-17 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-10 04:20 . 2009-04-09 02:05 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-06-10 02:54 . 2006-10-07 19:01 -------- d-----w- c:\program files\iTunes
2009-06-10 02:54 . 2007-07-20 12:24 -------- d-----w- c:\program files\Common Files\Apple
2009-06-10 02:51 . 2006-11-10 02:50 -------- d-----w- c:\program files\QuickTime
2009-06-10 00:53 . 2007-04-10 16:22 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-09 13:24 . 2007-04-10 16:22 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-06-09 13:24 . 2007-04-10 16:22 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-06-09 13:24 . 2007-04-10 16:22 40840 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-06-09 02:20 . 2006-09-27 15:18 -------- d-----w- c:\program files\Symantec AntiVirus
2009-06-05 15:42 . 2008-09-10 01:10 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 15:42 . 2007-11-08 00:17 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-04 07:05 . 2007-09-03 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-05-27 04:18 . 2008-02-28 02:16 -------- d-----w- c:\documents and settings\Kevin\Application Data\skypePM
2009-05-26 12:52 . 2006-10-07 19:23 -------- d-----w- c:\documents and settings\Kevin\Application Data\Azureus
2009-05-26 00:34 . 2007-11-17 04:40 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-19 02:58 . 2009-05-04 03:59 -------- d-----w- c:\documents and settings\Kevin\Application Data\.purple
2009-05-09 19:47 . 2009-05-09 19:47 1065 ----a-w- c:\documents and settings\Kevin\Application Data\.purple\certificates\x509\tls_peers\gmail.com
2009-05-07 15:32 . 2004-08-20 19:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-04 04:06 . 2006-09-29 05:36 -------- d-----w- c:\program files\AIM
2009-05-04 04:04 . 2007-01-05 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-05-04 04:04 . 2007-01-05 00:26 -------- d-----w- c:\program files\Common Files\AOL
2009-05-04 03:59 . 2009-05-04 03:58 -------- d-----w- c:\program files\Aspell
2009-05-04 03:57 . 2009-05-04 03:57 -------- d-----w- c:\program files\Common Files\GTK
2009-05-02 23:45 . 2007-12-15 19:06 -------- d-----w- c:\program files\Minefield
2009-04-30 12:49 . 2008-02-27 02:31 256 ----a-w- c:\windows\system32\pool.bin
2009-04-30 05:11 . 2008-05-05 23:44 256 ----a-w- c:\documents and settings\Kevin\pool.bin
2009-04-29 04:56 . 2004-08-20 19:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-20 19:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-20 19:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-17 02:14 . 2009-04-09 02:12 -------- d-----w- c:\documents and settings\Kevin\Application Data\Nikon
2009-04-17 02:14 . 2009-04-09 02:06 -------- d-----w- c:\program files\Common Files\Nikon
2009-04-15 14:51 . 2004-08-20 19:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-09 02:07 . 2009-04-09 02:07 49152 ----a-r- c:\documents and settings\Kevin\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
2009-04-09 02:04 . 2003-03-18 17:05 106496 ----a-w- c:\windows\system32\ATL71.DLL
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 20:32 . 2008-01-29 16:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2007-12-10 04:38 . 2007-12-10 04:37 12132024 -c--a-w- c:\program files\Install_AIM.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-11 24095528]
"Google Update"="c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-16 133104]
"F.lux"="c:\documents and settings\Kevin\Local Settings\Apps\F.lux\flux.exe" [2009-02-25 962560]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-02-23 106496]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-08 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-08 86016]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2005-10-17 987136]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-21 761945]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2005-12-07 17920]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-06 86016]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 602182]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 569413]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-07-11 66680]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe" [2002-09-17 53248]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 75520]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-20 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-07-08 1519616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-6-16 49152]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-7-3 479232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Google Updater.lnk - c:\program files\Google\Google Updater\GoogleUpdater.exe [2006-10-7 161776]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Kevin\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\myTunes Redux\\mDNSResponder.exe"=
"c:\\Program Files\\IDM Computer Solutions\\UltraEdit-32\\uedit32.exe"=
"c:\\Program Files\\Nortel Networks\\Extranet.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"44495:UDP"= 44495:UDP:Azureus Decentralised Tracking
"44495:TCP"= 44495:TCP:Azureus

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/9/2009 8:36 PM 130936]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 8:43 PM 24652]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [12/26/2006 3:54 PM 24521]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [12/26/2006 3:54 PM 155184]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [7/11/2005 9:18 AM 169192]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [3/24/2008 6:18 AM 348752]
S3 Tomcat6;Apache Tomcat;c:\program files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe [7/21/2008 8:01 PM 57344]
.
Contents of the 'Scheduled Tasks' folder

2009-06-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-02 08:13]

2009-06-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3942346628-564513671-3625800817-1004.job
- c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-16 01:01]

2009-06-14 c:\windows\Tasks\User_Feed_Synchronization-{F0F1807C-E7C7-4C45-B4CA-A28BAB7BA4FF}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 23:36]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pandora.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Save Flash In This Page by Flash Saver - c:\progra~1\FLASHS~1\save.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-14 20:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(352)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(6824)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\nview.dll
c:\program files\Fellowes\MediaFACE 4.0\MFHookManager.dll
c:\program files\Fellowes\MediaFACE 4.0\MFSimpleCDHook.dll
c:\program files\Fellowes\MediaFACE 4.0\MFExtRes.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\CF5250.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\ACEngSvr.exe
c:\windows\system32\rundll32.exe
c:\windows\ATK0100\ATKOSD.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
.
**************************************************************************
.
Completion time: 2009-06-15 20:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-15 00:38

Pre-Run: 12,695,622,656 bytes free
Post-Run: 14,681,424,896 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

323 --- E O F --- 2009-06-10 07:04

#14 shelf life

  • Malware Response Team
  • 2,679 posts
  • Gender:Male
  • Location:@localhost

Posted 15 June 2009 - 05:23 PM

hi,

thanks for all the info. looks ok to me. you can remove combofix like this:
start>run and type in:
combofix /u
click ok or enter
Note: a space after the / and before the u

keep malwarebytes and always check for updates before a scan.

RE: Azureus, there is plenty of malware distributed via p2p networks that one can download and install to a machine.

You had a rootkit, which can hide from traditional antivirus; hopefully it was just sending out spam. You should, as a precaution, change all your passwords and monitor any financial transactions you may have done on the computer.
If all is good we can do a clean out system restore and finish it up.

How Can I Reduce My Risk to Malware?


#15 kevinroche

  • Topic Starter
  • Members
  • 27 posts

Posted 15 June 2009 - 10:15 PM

I am ready for the next step. Can you explain the "clean out system restore"?



