AhnRpta.exe and olhrwef.exe


  • This topic is locked
17 replies to this topic

#1 jwdell

jwdell

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:29 PM

Posted 17 June 2009 - 09:31 PM

Hi, I've been reading around these forums for a while and I hope that you can help me. I've recently noticed a rogue process (AhnRpta.exe) on my computer and after careful research this led me to olhrwef.exe, c.exe, and ahnsbsb.exe. There hasn't been any discernible damage done to the computer, just that hidden files can't be shown (every time I change the setting to show hidden files it changes back - same thing as if I try it in regedit). I've managed to isolate the exe files by replacing them with empty, read-only copies that share their name, but I think my portable hard drive is infected also (I recently reformatted and got the virus again after I plugged in my portable HD to restore some data). Please help, thanks!

Here is my DDS log:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Jerry W at 22:25:30.21 on Wed 06/17/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1520 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
svchost.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jerry W\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: IEHlprObj Class: {af4da69b-e1d6-469a-855b-6445294857d4} - c:\windows\system32\ahnxsds1.dll
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
SEH: {BB4C402F-882A-4526-8C08-51278EA437C1} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jerryw~1\applic~1\mozilla\firefox\profiles\o56k17ek.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-6-17 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-6-17 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-6-17 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090610.006\IDSXpx86.sys [2009-6-17 276344]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2005-10-18 61440]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-6-17 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-17 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090617.025\NAVENG.SYS [2009-6-17 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090617.025\NAVEX15.SYS [2009-6-17 876144]
S0 cerc6;cerc6; [x]
S3 AVPsys;AVPsys;c:\windows\system32\drivers\cdaudio.sys [2001-8-17 18688]

=============== Created Last 30 ================

2009-06-17 22:01 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2009-06-17 22:01 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-17 22:00 <DIR> --d----- c:\program files\DellTPad
2009-06-17 22:00 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-06-17 22:00 1,419,232 a------- c:\windows\system32\WdfCoInstaller01005.dll
2009-06-17 22:00 155,136 a------- c:\windows\system32\drivers\Apfiltr.sys
2009-06-17 22:00 100,418 a------- c:\windows\system32\Vxdif.dll
2009-06-17 21:25 0 a----r-- c:\windows\system32\c.exe
2009-06-17 21:14 <DIR> --d-h--- c:\windows\PIF
2009-06-17 20:56 0 a----r-- c:\windows\AhnRpta.exe
2009-06-17 20:47 <DIR> --d----- c:\windows\pss
2009-06-17 20:36 61 ---shr-- C:\autorun.inf
2009-06-17 20:30 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-06-17 20:30 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-17 20:30 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-06-17 20:30 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-17 20:30 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-17 20:30 <DIR> --d----- c:\program files\Symantec
2009-06-17 20:30 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-06-17 20:29 <DIR> --d----- c:\windows\system32\drivers\NAV
2009-06-17 20:29 <DIR> --d----- c:\program files\Norton AntiVirus
2009-06-17 20:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-06-17 20:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-06-17 20:29 <DIR> --d----- c:\program files\NortonInstaller
2009-06-17 20:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-06-17 20:29 97,280 ---shr-- c:\windows\system32\nmdfgds1.dll
2009-06-17 20:29 0 ---shr-- C:\gbm6n.exe
2009-06-17 20:28 0 a----r-- c:\windows\system32\olhrwef.exe
2009-06-17 20:28 97,280 ---shr-- c:\windows\system32\nmdfgds0.dll
2009-06-17 20:28 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files
2009-06-17 20:23 101,120 ac------ c:\windows\system32\dllcache\bthpan.sys
2009-06-17 20:23 101,120 a------- c:\windows\system32\drivers\bthpan.sys
2009-06-17 20:17 4,952,064 a------- c:\windows\system32\stacgui.cpl
2009-06-17 20:17 <DIR> --d----- c:\program files\SigmaTel
2009-06-17 20:15 28,029 a------- c:\windows\system32\nvModes.001
2009-06-17 20:15 28,029 a------- c:\windows\system32\nvModes.dat
2009-06-17 20:15 134,756 a------- c:\windows\system32\nvapps.xml
2009-06-17 20:15 18,019 a------- c:\windows\system32\nvwsapps.xml
2009-06-17 20:15 356,352 a------- c:\windows\system32\nvudisp.exe
2009-06-17 20:15 17,527 a------- c:\windows\system32\nvdisp.nvu
2009-06-17 20:15 <DIR> --d----- c:\windows\nview
2009-06-17 20:09 <DIR> --d----- c:\docume~1\jerryw~1\applic~1\Intel
2009-06-17 20:08 3,632,384 a------- c:\windows\system32\drivers\NETw5x32.sys
2009-06-17 20:08 2,756,608 a------- c:\windows\system32\NETw5r32.dll
2009-06-17 20:08 663,552 a------- c:\windows\system32\NETw5c32.dll
2009-06-17 20:08 <DIR> --d----- c:\program files\common files\Intel
2009-06-17 20:07 <DIR> --d----- c:\program files\Dell
2009-06-17 20:06 <DIR> --d----- c:\windows\Downloaded Installations
2009-06-17 20:06 0 ---shr-- C:\dbss3nk.exe
2009-06-17 20:06 <DIR> --d----- c:\program files\Broadcom
2009-06-17 20:05 0 a----r-- c:\windows\system32\ahnsbsb.exe
2009-06-17 20:05 103,424 ---shr-- c:\windows\system32\ahnfgss0.dll
2009-06-17 20:05 26,368 ac------ c:\windows\system32\dllcache\usbstor.sys
2009-06-17 20:03 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-06-17 20:02 <DIR> --d----- c:\documents and settings\Jerry W
2009-06-17 20:01 <DIR> --ds---- c:\windows\system32\Microsoft
2009-06-17 20:01 8,192 a------- c:\windows\REGLOCS.OLD
2009-06-17 19:59 482,304 ac------ c:\windows\system32\dllcache\pintlgnt.ime
2009-06-17 19:58 1,677,824 ac------ c:\windows\system32\dllcache\chsbrkr.dll
2009-06-17 19:57 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-06-17 19:57 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-06-17 19:57 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-06-17 19:57 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-06-17 19:57 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-06-17 19:57 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-06-17 19:57 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-06-17 19:57 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-06-17 19:57 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-06-17 19:57 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-06-17 19:57 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-06-17 19:57 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-06-17 19:56 <DIR> --d----- c:\program files\common files\MSSoap
2009-06-17 19:54 <DIR> --d----- c:\program files\Online Services
2009-06-17 19:54 <DIR> --d----- c:\program files\Messenger
2009-06-17 19:54 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-06-17 19:53 <DIR> --d----- c:\program files\Windows NT
2009-06-17 15:49 <DIR> --d----- c:\program files\common files\ODBC
2009-06-17 15:49 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-06-17 15:48 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-06-17 20:07 103,424 ---shr-- c:\windows\system32\ahnfgss1.dll
2009-06-17 19:57 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-17 19:55 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 22:25:45.18 ===============


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,502 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:29 PM

Posted 23 June 2009 - 03:53 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 jwdell

jwdell
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:29 PM

Posted 23 June 2009 - 11:11 PM

Hi, I'm not exactly sure whether or not the issue has been resolved, I don't seem to be suffering from any known problems as of right now but I haven't been able to get rid of the virus, sort of just lock it up. I was hoping someone could take a look and possibly clean out the virus altogether so that there aren't any nasty surprises later on (such as something that opens a backdoor for other trojans, a keylogger I haven't noticed yet).

I think that my portable hard drive is infected with this, which is why the virus showed up again after I reformatted my pc.

Here is my DDS log and attachment:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Jerry W at 0:10:17.04 on Wed 06/24/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1435 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jerry W\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: IEHlprObj Class: {af4da69b-e1d6-469a-855b-6445294857d4} - c:\windows\system32\ahnxsds1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
SEH: {BB4C402F-882A-4526-8C08-51278EA437C1} - No File
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jerryw~1\applic~1\mozilla\firefox\profiles\o56k17ek.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-6-17 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-6-17 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-6-17 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090623.001\IDSXpx86.sys [2009-6-23 276344]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2005-10-18 61440]
R2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe [2007-1-15 73728]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-6-17 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-17 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090623.025\NAVENG.SYS [2009-6-23 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090623.025\NAVEX15.SYS [2009-6-23 876144]
S0 cerc6;cerc6; [x]
S3 AVPsys;AVPsys;c:\windows\system32\drivers\cdaudio.sys [2001-8-17 18688]

=============== Created Last 30 ================

2009-06-24 00:05 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-06-24 00:05 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-06-24 00:05 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-06-24 00:05 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-06-21 02:00 <DIR> --d----- c:\docume~1\jerryw~1\applic~1\LimeWire
2009-06-21 01:59 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-21 01:59 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-21 01:59 <DIR> --d----- c:\program files\LimeWire
2009-06-21 01:58 <DIR> --d----- c:\program files\VideoLAN
2009-06-21 01:57 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-21 01:57 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-21 01:57 <DIR> --d----- c:\program files\iPod
2009-06-21 01:57 <DIR> --d----- c:\program files\iTunes
2009-06-21 01:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-21 01:57 <DIR> --d----- c:\program files\Bonjour
2009-06-21 01:56 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-21 01:56 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-06-21 01:35 <DIR> --d----- c:\docume~1\jerryw~1\applic~1\Windows Search
2009-06-21 01:21 <DIR> --d----- c:\windows\system32\XPSViewer
2009-06-21 01:21 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-21 01:21 117,760 -------- c:\windows\system32\prntvpt.dll
2009-06-21 01:21 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-06-21 01:21 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-21 01:21 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-21 01:21 <DIR> --d----- C:\39057309124d8213f5fd
2009-06-21 01:21 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-06-21 01:21 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-06-21 01:18 <DIR> --d----- c:\docume~1\jerryw~1\applic~1\Windows Desktop Search
2009-06-21 01:17 <DIR> --d----- c:\program files\Windows Desktop Search
2009-06-21 01:15 <DIR> --d----- c:\windows\system32\URTTemp
2009-06-21 01:13 <DIR> --ds---- c:\documents and settings\jerry w\UserData
2009-06-17 22:01 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2009-06-17 22:01 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-17 22:00 <DIR> --d----- c:\program files\DellTPad
2009-06-17 22:00 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-06-17 22:00 1,419,232 a------- c:\windows\system32\WdfCoInstaller01005.dll
2009-06-17 22:00 155,136 a------- c:\windows\system32\drivers\Apfiltr.sys
2009-06-17 22:00 100,418 a------- c:\windows\system32\Vxdif.dll
2009-06-17 21:25 0 a----r-- c:\windows\system32\c.exe
2009-06-17 21:14 <DIR> --d-h--- c:\windows\PIF
2009-06-17 20:56 0 a----r-- c:\windows\AhnRpta.exe
2009-06-17 20:47 <DIR> --d----- c:\windows\pss
2009-06-17 20:36 61 ---shr-- C:\autorun.inf
2009-06-17 20:30 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-06-17 20:30 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-17 20:30 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-06-17 20:30 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-17 20:30 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-17 20:30 <DIR> --d----- c:\program files\Symantec
2009-06-17 20:30 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-06-17 20:29 <DIR> --d----- c:\windows\system32\drivers\NAV
2009-06-17 20:29 <DIR> --d----- c:\program files\Norton AntiVirus
2009-06-17 20:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-06-17 20:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-06-17 20:29 <DIR> --d----- c:\program files\NortonInstaller
2009-06-17 20:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-06-17 20:29 97,280 ---shr-- c:\windows\system32\nmdfgds1.dll
2009-06-17 20:29 0 ---shr-- C:\gbm6n.exe
2009-06-17 20:28 0 a----r-- c:\windows\system32\olhrwef.exe
2009-06-17 20:28 97,280 ---shr-- c:\windows\system32\nmdfgds0.dll
2009-06-17 20:28 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files
2009-06-17 20:23 101,120 ac------ c:\windows\system32\dllcache\bthpan.sys
2009-06-17 20:23 101,120 a------- c:\windows\system32\drivers\bthpan.sys
2009-06-17 20:21 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-06-17 20:17 4,952,064 a------- c:\windows\system32\stacgui.cpl
2009-06-17 20:17 <DIR> --d----- c:\program files\SigmaTel
2009-06-17 20:15 28,029 a------- c:\windows\system32\nvModes.001
2009-06-17 20:15 28,029 a------- c:\windows\system32\nvModes.dat
2009-06-17 20:15 134,756 a------- c:\windows\system32\nvapps.xml
2009-06-17 20:15 18,019 a------- c:\windows\system32\nvwsapps.xml
2009-06-17 20:15 356,352 a------- c:\windows\system32\nvudisp.exe
2009-06-17 20:15 17,527 a------- c:\windows\system32\nvdisp.nvu
2009-06-17 20:15 <DIR> --d----- c:\windows\nview
2009-06-17 20:09 <DIR> --d----- c:\docume~1\jerryw~1\applic~1\Intel
2009-06-17 20:08 3,632,384 a------- c:\windows\system32\drivers\NETw5x32.sys
2009-06-17 20:08 2,756,608 a------- c:\windows\system32\NETw5r32.dll
2009-06-17 20:08 663,552 a------- c:\windows\system32\NETw5c32.dll
2009-06-17 20:08 <DIR> --d----- c:\program files\common files\Intel
2009-06-17 20:07 <DIR> --d----- c:\program files\Dell
2009-06-17 20:06 <DIR> --d----- c:\windows\Downloaded Installations
2009-06-17 20:06 0 ---shr-- C:\dbss3nk.exe
2009-06-17 20:06 <DIR> --d----- c:\program files\Broadcom
2009-06-17 20:05 0 a----r-- c:\windows\system32\ahnsbsb.exe
2009-06-17 20:05 103,424 ---shr-- c:\windows\system32\ahnfgss0.dll
2009-06-17 20:05 26,368 ac------ c:\windows\system32\dllcache\usbstor.sys
2009-06-17 20:03 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-06-17 20:02 <DIR> --d----- c:\documents and settings\Jerry W
2009-06-17 20:01 <DIR> --ds---- c:\windows\system32\Microsoft
2009-06-17 20:01 8,192 a------- c:\windows\REGLOCS.OLD
2009-06-17 19:59 482,304 ac------ c:\windows\system32\dllcache\pintlgnt.ime
2009-06-17 19:58 1,677,824 ac------ c:\windows\system32\dllcache\chsbrkr.dll
2009-06-17 19:57 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-06-17 19:57 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-06-17 19:57 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-06-17 19:57 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-06-17 19:57 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-06-17 19:57 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-06-17 19:57 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-06-17 19:57 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-06-17 19:57 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-06-17 19:57 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-06-17 19:57 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-06-17 19:57 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-06-17 19:56 <DIR> --d----- c:\program files\common files\MSSoap
2009-06-17 19:54 <DIR> --d----- c:\program files\Online Services
2009-06-17 19:54 <DIR> --d----- c:\program files\Messenger
2009-06-17 19:54 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-06-17 19:53 <DIR> --d----- c:\program files\Windows NT
2009-06-17 15:49 <DIR> --d----- c:\program files\common files\ODBC
2009-06-17 15:49 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-06-17 15:48 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-06-21 02:38 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-17 20:07 103,424 ---shr-- c:\windows\system32\ahnfgss1.dll
2009-06-17 19:55 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-05-25 00:24 350,208 a------- c:\windows\system32\mssph.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-29 00:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 0:10:33.93 ===============

I understand you guys are very busy and I want to thank you for taking the time to look this over and advise me on a suitable course of action. Thanks again!
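Both DDS logs above (the one in the first post and the one in this reply) contain the same cluster of suspicious entries in the "Created Last 30" section: an autorun.inf in the root of C:, zero-byte .exe files in system32 (the poster's own read-only placeholders), executables in the drive root with system+hidden+read-only attributes, and DLLs in system32 carrying the same attribute set. The following is an added example, not code from the thread or from the DDS tool, showing how a responder can parse those lines and flag such entries automatically. The sample lines are copied from the logs above; the reading of the attribute letters (s = system, h = hidden, r = read-only, d = directory) and the four heuristics are this example's own assumptions, and a flag means "review this file", not "this file is malware".

```python
"""Triage the 'Created Last 30' section of a DDS log for entries worth a closer look."""
import re
from typing import Dict, List, Optional

# Constructed sample: lines copied from the DDS logs in this thread, plus a few
# benign entries from the same section for contrast.
SAMPLE_DDS_LINES = r"""
2009-06-17 22:00 1,419,232 a------- c:\windows\system32\WdfCoInstaller01005.dll
2009-06-17 21:25 0 a----r-- c:\windows\system32\c.exe
2009-06-17 20:56 0 a----r-- c:\windows\AhnRpta.exe
2009-06-17 20:36 61 ---shr-- C:\autorun.inf
2009-06-17 20:30 <DIR> --d----- c:\program files\Symantec
2009-06-17 20:29 97,280 ---shr-- c:\windows\system32\nmdfgds1.dll
2009-06-17 20:29 0 ---shr-- C:\gbm6n.exe
2009-06-17 20:28 0 a----r-- c:\windows\system32\olhrwef.exe
2009-06-17 20:06 0 ---shr-- C:\dbss3nk.exe
2009-06-17 20:05 103,424 ---shr-- c:\windows\system32\ahnfgss0.dll
2009-06-17 19:57 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
"""

# One DDS entry: date, time, size (or <DIR>), eight attribute flags, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
# Extensions treated as executable for the root-of-drive heuristic (assumption).
EXE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")
# A path with exactly one component after "X:\" sits in the drive root.
ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)


def parse_line(line: str) -> Optional[dict]:
    """Return a dict for a well-formed DDS file line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size_field = m.group("size")
    return {
        "is_dir": size_field == "<DIR>",
        "size": None if size_field == "<DIR>" else int(size_field.replace(",", "")),
        # Attribute letters present in the flag field (assumed: s=system, h=hidden, r=read-only).
        "attrs": set(m.group("attrs")) - {"-"},
        "path": m.group("path"),
    }


def triage_entry(entry: Optional[dict]) -> List[str]:
    """Apply the review heuristics to one parsed entry; return the reasons it was flagged."""
    if entry is None or entry["is_dir"]:
        return []
    path = entry["path"]
    lower = path.lower()
    name = lower.rsplit("\\", 1)[-1]
    attrs = entry["attrs"]
    in_root = bool(ROOT_RE.match(path))
    sys_hidden = {"s", "h"} <= attrs
    reasons = []
    if in_root and name == "autorun.inf":
        reasons.append("autorun.inf in drive root (removable-media autostart)")
    if in_root and name.endswith(EXE_EXTS) and sys_hidden:
        reasons.append("system+hidden executable in drive root")
    if entry["size"] == 0 and name.endswith(EXE_EXTS):
        reasons.append("zero-byte executable (stub or neutralised placeholder)")
    if "\\windows\\system32\\" in lower and name.endswith(".dll") and sys_hidden:
        reasons.append("system+hidden DLL dropped in system32")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged path in a block of DDS lines to its list of reasons."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_line(line)
        reasons = triage_entry(entry)
        if reasons:
            findings[entry["path"]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_DDS_LINES).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the script flags eight of the eleven lines and leaves the Symantec directory, the WDF co-installer and the .cpl manifest alone. Note that the zero-byte rule fires on the poster's own placeholder files as well as on the dropper stubs in the drive root, which is the right behaviour for a triage pass: the responder still has to confirm which is which before cleaning.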




#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:29 PM

Posted 24 June 2009 - 06:28 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 jwdell

jwdell
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:29 PM

Posted 24 June 2009 - 07:57 PM

Hi, here are the logs from combofix and GMER. Since I believe that I was infected with a keydrive program before, I have had my portable HD plugged in as I ran combofix and asked GMER to also look in that portable drive. It doesn't seem like combofix deleted anything off of it except for the autorun configuration, and it didn't seem like GMER found anything in there either. If you would like for me to rerun the scans without the portable plugged in, please tell me.

Anyways, here are the logs, please advise on future action. Thanks.

combofix log:

ComboFix 09-06-23.01 - Jerry W 06/24/2009 20:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1385 [GMT -4:00]
Running from: c:\documents and settings\Jerry W\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\dbss3nk.exe
C:\gbm6n.exe
c:\windows\AhnRpta.exe
c:\windows\system32\ahnfgss0.dll
c:\windows\system32\ahnsbsb.exe
c:\windows\system32\c.exe
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\nmdfgds1.dll
c:\windows\system32\olhrwef.exe
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_AVPsys


((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-06-25 )))))))))))))))))))))))))))))))
.

2009-06-25 00:38 . 2009-06-18 00:30 165240 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-06-24 18:49 . 2009-06-18 00:30 89104 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.003\NAVENG.SYS
2009-06-24 18:49 . 2009-06-18 00:30 876144 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.003\NAVEX15.SYS
2009-06-24 18:49 . 2009-06-18 00:30 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.003\EECTRL.SYS
2009-06-24 18:49 . 2009-06-18 00:30 101936 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.003\ERASER.SYS
2009-06-24 18:49 . 2009-06-18 00:30 259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.003\ECMSVR32.DLL
2009-06-24 18:49 . 2009-06-18 00:30 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.003\NAVENG32.DLL
2009-06-24 18:49 . 2009-06-18 00:30 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.003\NAVEX32A.DLL
2009-06-24 18:49 . 2009-06-18 00:30 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.003\CCERASER.DLL
2009-06-24 04:05 . 2001-08-17 17:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-06-24 04:05 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-06-24 04:05 . 2008-04-14 04:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-06-24 04:05 . 2008-04-14 04:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-06-24 01:40 . 2009-06-18 00:30 396848 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090623.001\IDSviA64.sys
2009-06-24 01:40 . 2009-06-18 00:30 292912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090623.001\IDSvix86.sys
2009-06-24 01:40 . 2009-06-18 00:30 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090623.001\IDSXpx86.sys
2009-06-24 01:40 . 2009-06-18 00:30 447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090623.001\IDSxpx86.dll
2009-06-24 01:40 . 2009-03-16 20:03 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090623.001\Scxpx86.dll
2009-06-21 17:20 . 2009-06-21 17:20 -------- d-----w- c:\documents and settings\Jerry W\Local Settings\Application Data\ApplicationHistory
2009-06-21 17:19 . 2009-06-21 17:19 12328 ----a-w- c:\documents and settings\Jerry W\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-21 06:00 . 2009-06-21 06:10 -------- d-----w- c:\documents and settings\Jerry W\Application Data\LimeWire
2009-06-21 05:59 . 2009-06-21 05:59 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-21 05:59 . 2009-06-21 05:59 -------- d-----w- c:\program files\Java
2009-06-21 05:59 . 2009-06-21 05:59 152576 ----a-w- c:\documents and settings\Jerry W\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-06-21 05:59 . 2009-06-21 05:59 -------- d-----w- c:\program files\LimeWire
2009-06-21 05:58 . 2009-06-21 05:58 -------- d-----w- c:\program files\VideoLAN
2009-06-21 05:57 . 2009-06-21 17:18 -------- d-----w- c:\documents and settings\Jerry W\Application Data\Apple Computer
2009-06-21 05:57 . 2009-03-19 20:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-21 05:57 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-06-21 05:57 . 2009-06-21 05:57 -------- d-----w- c:\program files\iPod
2009-06-21 05:57 . 2009-06-21 05:57 -------- d-----w- c:\program files\iTunes
2009-06-21 05:57 . 2009-06-21 05:57 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-21 05:57 . 2009-06-21 05:57 -------- d-----w- c:\program files\Bonjour
2009-06-21 05:56 . 2009-06-05 15:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-21 05:56 . 2009-06-05 15:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-21 05:56 . 2009-06-21 05:57 -------- d-----w- c:\program files\Common Files\Apple
2009-06-21 05:35 . 2009-06-21 05:35 -------- d-----w- c:\documents and settings\Jerry W\Application Data\Windows Search
2009-06-21 05:21 . 2009-06-21 05:21 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-21 05:21 . 2009-06-21 05:21 -------- d-----w- c:\program files\MSBuild
2009-06-21 05:21 . 2009-06-21 05:21 -------- d-----w- c:\program files\Reference Assemblies
2009-06-21 05:21 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-21 05:21 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-06-21 05:21 . 2009-06-21 05:21 -------- d-----w- C:\39057309124d8213f5fd
2009-06-21 05:21 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-21 05:21 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-06-21 05:21 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-06-21 05:21 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-06-21 05:21 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-21 05:18 . 2009-06-21 05:18 -------- d-----w- c:\documents and settings\Jerry W\Local Settings\Application Data\Identities
2009-06-21 05:18 . 2009-06-21 05:18 -------- d-----w- c:\documents and settings\Jerry W\Application Data\Windows Desktop Search
2009-06-21 05:17 . 2009-06-21 17:32 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-21 05:15 . 2009-06-21 05:16 -------- d-----w- c:\windows\system32\URTTemp
2009-06-21 05:13 . 2009-06-21 05:13 -------- d-s---w- c:\documents and settings\Jerry W\UserData
2009-06-18 04:26 . 2009-06-18 04:26 -------- d-----w- c:\program files\QuickTime
2009-06-18 04:26 . 2009-06-21 05:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-18 04:25 . 2009-06-18 04:25 -------- d-----w- c:\documents and settings\Jerry W\Local Settings\Application Data\Apple
2009-06-18 04:25 . 2009-06-21 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-18 04:25 . 2009-06-18 04:25 -------- d-----w- c:\program files\Apple Software Update
2009-06-18 04:25 . 2009-06-21 05:57 -------- d-----w- c:\documents and settings\Jerry W\Local Settings\Application Data\Apple Computer
2009-06-18 02:00 . 2009-06-18 02:00 -------- d-----w- c:\program files\DellTPad
2009-06-18 02:00 . 2007-06-25 23:51 100418 ----a-w- c:\windows\system32\Vxdif.dll
2009-06-18 02:00 . 2007-06-25 22:53 155136 ----a-w- c:\windows\system32\drivers\Apfiltr.sys
2009-06-18 02:00 . 2006-11-02 12:09 1419232 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll
2009-06-18 01:14 . 2009-06-18 01:14 -------- d--h--w- c:\windows\PIF
2009-06-18 00:30 . 2009-06-18 00:30 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-06-18 00:30 . 2009-06-18 00:35 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-18 00:29 . 2009-06-18 00:29 -------- d-----w- c:\program files\Windows Sidebar
2009-06-18 00:29 . 2009-06-18 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-06-18 00:29 . 2009-06-18 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-18 00:29 . 2009-06-18 00:29 -------- d-----w- c:\program files\NortonInstaller
2009-06-18 00:28 . 2009-06-18 00:28 -------- d-----w- c:\documents and settings\All Users\Symantec Temporary Files
2009-06-18 00:23 . 2008-04-14 04:21 101120 -c--a-w- c:\windows\system32\dllcache\bthpan.sys
2009-06-18 00:23 . 2008-04-14 04:21 101120 ----a-w- c:\windows\system32\drivers\bthpan.sys
2009-06-18 00:21 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-18 00:17 . 2007-05-10 14:22 405504 ----a-w- c:\windows\stsystra.exe
2009-06-18 00:17 . 2007-04-10 21:02 1601536 ----a-w- c:\windows\system32\stlang.dll
2009-06-18 00:17 . 2008-04-14 09:41 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2009-06-18 00:17 . 2008-04-14 09:41 4096 ----a-w- c:\windows\system32\ksuser.dll
2009-06-18 00:17 . 2008-04-14 04:49 146048 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2009-06-18 00:17 . 2008-04-14 04:49 146048 ----a-w- c:\windows\system32\drivers\portcls.sys
2009-06-18 00:17 . 2008-04-14 04:15 60160 -c--a-w- c:\windows\system32\dllcache\drmk.sys
2009-06-18 00:17 . 2008-04-14 04:15 60160 ----a-w- c:\windows\system32\drivers\drmk.sys
2009-06-18 00:17 . 2009-06-18 00:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-18 00:17 . 2009-06-18 00:17 -------- d-----w- c:\program files\SigmaTel
2009-06-18 00:17 . 2007-08-21 13:58 146944 ----a-w- c:\windows\system32\st325602.dll
2009-06-18 00:17 . 2007-05-10 14:24 1222840 ----a-w- c:\windows\system32\drivers\sthda.sys
2009-06-18 00:17 . 2007-05-10 14:23 270336 ----a-w- c:\windows\system32\stacapi.dll
2009-06-18 00:15 . 2009-06-18 00:15 28029 ----a-w- c:\windows\system32\nvModes.dat
2009-06-18 00:15 . 2009-06-18 00:15 -------- d-----w- c:\windows\nview
2009-06-18 00:15 . 2007-11-17 07:03 356352 ----a-w- c:\windows\system32\nvudisp.exe
2009-06-18 00:09 . 2009-06-18 00:09 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2009-06-18 00:09 . 2009-06-18 00:09 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2009-06-18 00:09 . 2009-06-18 00:09 -------- d-----w- c:\documents and settings\Jerry W\Application Data\Intel
2009-06-18 00:09 . 2009-06-18 00:09 -------- d-----w- c:\documents and settings\Default User\Application Data\Intel
2009-06-18 00:08 . 2009-06-21 05:57 -------- dc----w- c:\windows\system32\DRVSTORE
2009-06-18 00:08 . 2008-08-29 03:34 3632384 ----a-w- c:\windows\system32\drivers\NETw5x32.sys
2009-06-18 00:08 . 2008-06-20 14:33 2756608 ----a-w- c:\windows\system32\NETw5r32.dll
2009-06-18 00:08 . 2008-06-20 14:32 663552 ----a-w- c:\windows\system32\NETw5c32.dll
2009-06-18 00:08 . 2009-06-18 00:08 -------- d-----w- c:\program files\Intel
2009-06-18 00:08 . 2009-06-18 00:08 -------- d-----w- c:\program files\Common Files\Intel
2009-06-18 00:08 . 2009-06-18 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2009-06-18 00:06 . 2009-06-18 00:06 -------- d-----w- c:\windows\Downloaded Installations
2009-06-18 00:06 . 2009-06-18 00:06 -------- d-----w- c:\program files\Broadcom
2009-06-18 00:05 . 2008-04-14 04:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-06-18 00:03 . 2009-06-18 00:03 -------- d--h--w- c:\windows\system32\GroupPolicy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 06:38 . 2009-06-17 23:57 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-18 23:46 . 2009-06-18 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-18 02:01 . 2009-06-18 02:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2009-06-18 02:01 . 2009-06-18 02:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-18 00:14 . 2009-06-18 00:14 0 ----a-w- c:\windows\nsreg.dat
2009-06-18 00:07 . 2009-06-18 00:07 -------- d-----w- c:\program files\Dell
2009-06-18 00:07 . 2009-06-18 00:07 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-18 00:07 . 2009-06-18 00:07 103424 --sh--r- c:\windows\system32\ahnfgss1.dll
2009-06-17 23:58 . 2009-06-17 23:58 -------- d-----w- c:\program files\microsoft frontpage
2009-06-17 23:55 . 2009-06-17 23:55 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-05 17:57 . 2009-06-05 17:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-25 04:24 . 2008-05-27 02:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-12 19:12 . 2009-06-18 00:18 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-07 15:32 . 2008-04-13 23:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2008-04-13 23:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2008-04-13 23:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2008-04-13 23:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-04-13 23:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-21 136600]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-11-17 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-11-17 86016]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-13 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [6/17/2009 8:30 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [6/17/2009 8:30 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [6/17/2009 8:30 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090623.001\IDSXpx86.sys [6/23/2009 9:40 PM 276344]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [10/18/2005 5:11 PM 61440]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [6/17/2009 8:30 PM 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/17/2009 8:31 PM 101936]
S0 cerc6;cerc6; [x]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 20:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1268)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(2104)
c:\windows\system32\netprovcredman.dll
c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\DellTPad\ApntEx.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Intel\WiFi\bin\WLKEEPER.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-06-25 20:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-25 00:39

Pre-Run: 92,484,247,552 bytes free
Post-Run: 92,460,986,368 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

259 --- E O F --- 2009-06-23 03:32

____________________________________________________________________________

GMER log:


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-24 20:54:36
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 89C22528 ZwAlertResumeThread
SSDT 89C1BE50 ZwAlertThread
SSDT 89BF3A48 ZwAllocateVirtualMemory
SSDT 89B7E3D0 ZwAssignProcessToJobObject
SSDT 89C52A90 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB7630040]
SSDT 883E7008 ZwCreateMutant
SSDT 884017F8 ZwCreateSymbolicLinkObject
SSDT 89A16278 ZwCreateThread
SSDT 89B87E50 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB76302C0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB7630820]
SSDT 89B96478 ZwDuplicateObject
SSDT 89C40520 ZwFreeVirtualMemory
SSDT 89C02468 ZwImpersonateAnonymousToken
SSDT 89C21A90 ZwImpersonateThread
SSDT 88423CC8 ZwLoadDriver
SSDT 88336288 ZwMapViewOfSection
SSDT 89BA01E8 ZwOpenEvent
SSDT 89B59490 ZwOpenProcess
SSDT 89C17198 ZwOpenProcessToken
SSDT 89BE4750 ZwOpenSection
SSDT 89B965C0 ZwOpenThread
SSDT 882D51D8 ZwProtectVirtualMemory
SSDT 89AF95E8 ZwResumeThread
SSDT 89B64558 ZwSetContextThread
SSDT 89B615E0 ZwSetInformationProcess
SSDT 89B782F8 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB7630A70]
SSDT 89BE2C90 ZwSuspendProcess
SSDT 89C2A8E8 ZwSuspendThread
SSDT 89B566C8 ZwTerminateProcess
SSDT 89C155A8 ZwTerminateThread
SSDT 89B65AB0 ZwUnmapViewOfSection
SSDT 89B8A818 ZwWriteVirtualMemory

Code \??\C:\DOCUME~1\JERRYW~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2D8C 80504628 4 Bytes CALL DCDA002E
.text ntkrnlpa.exe!ZwCallbackReturn + 2EFC 80504798 4 Bytes CALL E4D9F732
? SYMEFA.SYS The system cannot find the file specified. !
? Combo-Fix.sys The system cannot find the file specified. !
? C:\DOCUME~1\JERRYW~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2472] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3944] kernel32.dll!VirtualProtect + 1C 7C801AF0 7 Bytes JMP 01170034

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00164196149c
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00164196149c

---- EOF - GMER 1.0.15 ----

Hope to be hearing from you soon, thanks Panda!
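As an added example (not part of this thread, ComboFix or GMER), a small parser for the per-file lines of a ComboFix log like the one above, with coarse defender heuristics: autorun.inf entries, executables dropped directly in a drive root, and system+hidden attributes on a plain file, which is what makes ahnfgss1.dll stand out in the Find3M report. The sample lines are copied from the log posted above; the attribute-letter meanings and the heuristics themselves are assumptions, not ComboFix's own logic.

```python
"""Triage helper for ComboFix log file records (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Per-file record as ComboFix prints it in the "Files Created" and "Find3M" sections:
#   <created> . <modified> <size or --------> <8-char attribute field> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) "
    r"(?P<attrs>[-a-z]{8}) "
    r"(?P<path>.+)$"
)
# Bare paths, as listed under "Other Deletions" (no metadata, just the file).
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
# Executable sitting directly in a drive root (C:\foo.exe), a typical autorun.inf companion.
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.(exe|com|scr|pif|bat|cmd)$", re.IGNORECASE)


@dataclass
class FileRecord:
    path: str
    attrs: str = ""              # e.g. "--sh--r-"; empty for bare "Other Deletions" paths
    size: Optional[int] = None
    created: str = ""
    modified: str = ""

    def has(self, flag: str) -> bool:
        # Assumed letter meanings: d=directory, s=system, h=hidden, a=archive,
        # r=read-only, w=writable, c=compressed. A dash means the flag is clear.
        return flag in self.attrs


def parse_combofix(text: str) -> List[FileRecord]:
    """Pull every file record (with or without metadata) out of a ComboFix log."""
    records: List[FileRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            records.append(FileRecord(m["path"], m["attrs"], size, m["created"], m["modified"]))
        elif BARE_PATH_RE.match(line):
            records.append(FileRecord(line))
    return records


def reasons(rec: FileRecord) -> List[str]:
    """Coarse heuristics (assumptions, not ComboFix logic) for why a record deserves a look."""
    why: List[str] = []
    name = rec.path.rsplit("\\", 1)[-1].lower()
    if name == "autorun.inf":
        why.append("autorun.inf: removable-media autostart hook")
    if ROOT_EXE_RE.match(rec.path):
        why.append("executable placed directly in a drive root")
    if rec.attrs and not rec.has("d") and rec.has("s") and rec.has("h"):
        why.append("system+hidden attributes on a plain file")
    return why


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every record that trips at least one heuristic."""
    flagged: List[Tuple[str, List[str]]] = []
    for rec in parse_combofix(text):
        why = reasons(rec)
        if why:
            flagged.append((rec.path, why))
    return flagged


# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
C:\autorun.inf
C:\dbss3nk.exe
c:\windows\system32\olhrwef.exe
E:\Autorun.inf
2009-06-18 02:01 . 2009-06-18 02:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2009-06-18 00:07 . 2009-06-18 00:07 103424 --sh--r- c:\windows\system32\ahnfgss1.dll
2009-06-18 00:03 . 2009-06-18 00:03 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-06-18 00:17 . 2007-05-10 14:22 405504 ----a-w- c:\windows\stsystra.exe
"""

if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG):
        print(f"{path}\n    " + "\n    ".join(why))
```

The heuristics deliberately say nothing about olhrwef.exe: a plain system32 path carries no signal on its own, which is why the helper's judgement, not a script, decided what ComboFix removed.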

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:29 PM

Posted 24 June 2009 - 09:05 PM

Hello jwdell.

Looks like the active infection has been disabled.

However, some malicious files may have been dropped in place of program uninstallers. Please do not attempt to uninstall any programs until I ask otherwise, as it may cause reinfection.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/234732/ahnrptaexe-and-olhrwefexe/
    
    Collect::[59]
    c:\windows\system32\ahnfgss1.dll
    
    DirLook::
    c:\program files\Common Files\InstallShield
    c:\program files\Dell
    
    FileLook::
    c:\program files\Common Files\InstallShield\pc.exe
    c:\program files\Common Files\InstallShield\agent.exe
    c:\program files\Common Files\InstallShield\uninstall.exe
    c:\program files\Dell\pc.exe
    c:\program files\Dell\agent.exe
    c:\program files\Dell\uninstall.exe
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    (image: dragging CFScript.txt onto ComboFix.exe)
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log. There is a chance that the log will be quite large this time. If it does not fit into the post, attach it.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

The script above included a directive to upload file samples. Usually, ComboFix can upload the file without any user input. However, if this does not happen, you will be prompted to manually upload files.

With Regards,
The Panda

#7 jwdell

jwdell
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:29 PM

Posted 24 June 2009 - 11:32 PM

Hey Panda, here is the combofix log using that script. I'm not sure if it worked, since combofix looked like it reacted the same way it did before, but I dragged and dropped the .txt onto combofix like it said in the picture, and the CFScript.txt file was gone afterwards, so I think it worked. Anyways, here's the log, thanks.

Also, at the end it said it needed to upload malware for inspection...was it supposed to do that?

Combofix Log:

ComboFix 09-06-23.01 - Jerry W 06/25/2009 0:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1521 [GMT -4:00]
Running from: c:\documents and settings\Jerry W\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jerry W\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

file zipped: c:\windows\system32\ahnfgss1.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ahnfgss1.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-06-25 )))))))))))))))))))))))))))))))
.

2009-06-25 00:39 . 2009-06-25 00:39 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-25 00:38 . 2009-06-18 00:30 165240 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-06-24 18:49 . 2009-06-18 00:30 89104 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.003\NAVENG.SYS
2009-06-24 18:49 . 2009-06-18 00:30 876144 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.003\NAVEX15.SYS
2009-06-24 18:49 . 2009-06-18 00:30 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.003\EECTRL.SYS
2009-06-24 18:49 . 2009-06-18 00:30 101936 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.003\ERASER.SYS
2009-06-24 18:49 . 2009-06-18 00:30 259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.003\ECMSVR32.DLL
2009-06-24 18:49 . 2009-06-18 00:30 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.003\NAVENG32.DLL
2009-06-24 18:49 . 2009-06-18 00:30 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.003\NAVEX32A.DLL
2009-06-24 18:49 . 2009-06-18 00:30 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.003\CCERASER.DLL
2009-06-24 04:05 . 2001-08-17 17:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-06-24 04:05 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-06-24 04:05 . 2008-04-14 04:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-06-24 04:05 . 2008-04-14 04:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-06-24 01:40 . 2009-06-18 00:30 396848 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090623.001\IDSviA64.sys
2009-06-24 01:40 . 2009-06-18 00:30 292912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090623.001\IDSvix86.sys
2009-06-24 01:40 . 2009-06-18 00:30 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090623.001\IDSXpx86.sys
2009-06-24 01:40 . 2009-06-18 00:30 447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090623.001\IDSxpx86.dll
2009-06-24 01:40 . 2009-03-16 20:03 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090623.001\Scxpx86.dll
2009-06-21 17:20 . 2009-06-21 17:20 -------- d-----w- c:\documents and settings\Jerry W\Local Settings\Application Data\ApplicationHistory
2009-06-21 17:19 . 2009-06-21 17:19 12328 ----a-w- c:\documents and settings\Jerry W\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-21 06:00 . 2009-06-21 06:10 -------- d-----w- c:\documents and settings\Jerry W\Application Data\LimeWire
2009-06-21 05:59 . 2009-06-21 05:59 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-21 05:59 . 2009-06-21 05:59 -------- d-----w- c:\program files\Java
2009-06-21 05:59 . 2009-06-21 05:59 152576 ----a-w- c:\documents and settings\Jerry W\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-06-21 05:59 . 2009-06-21 05:59 -------- d-----w- c:\program files\LimeWire
2009-06-21 05:58 . 2009-06-21 05:58 -------- d-----w- c:\program files\VideoLAN
2009-06-21 05:57 . 2009-06-21 17:18 -------- d-----w- c:\documents and settings\Jerry W\Application Data\Apple Computer
2009-06-21 05:57 . 2009-03-19 20:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-21 05:57 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-06-21 05:57 . 2009-06-21 05:57 -------- d-----w- c:\program files\iPod
2009-06-21 05:57 . 2009-06-21 05:57 -------- d-----w- c:\program files\iTunes
2009-06-21 05:57 . 2009-06-21 05:57 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-21 05:57 . 2009-06-21 05:57 -------- d-----w- c:\program files\Bonjour
2009-06-21 05:56 . 2009-06-05 15:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-21 05:56 . 2009-06-05 15:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-21 05:56 . 2009-06-21 05:57 -------- d-----w- c:\program files\Common Files\Apple
2009-06-21 05:35 . 2009-06-21 05:35 -------- d-----w- c:\documents and settings\Jerry W\Application Data\Windows Search
2009-06-21 05:21 . 2009-06-21 05:21 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-21 05:21 . 2009-06-21 05:21 -------- d-----w- c:\program files\MSBuild
2009-06-21 05:21 . 2009-06-21 05:21 -------- d-----w- c:\program files\Reference Assemblies
2009-06-21 05:21 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-21 05:21 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-06-21 05:21 . 2009-06-21 05:21 -------- d-----w- C:\39057309124d8213f5fd
2009-06-21 05:21 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-21 05:21 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-06-21 05:21 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-06-21 05:21 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-06-21 05:21 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-21 05:18 . 2009-06-21 05:18 -------- d-----w- c:\documents and settings\Jerry W\Local Settings\Application Data\Identities
2009-06-21 05:18 . 2009-06-21 05:18 -------- d-----w- c:\documents and settings\Jerry W\Application Data\Windows Desktop Search
2009-06-21 05:17 . 2009-06-21 17:32 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-21 05:15 . 2009-06-21 05:16 -------- d-----w- c:\windows\system32\URTTemp
2009-06-21 05:13 . 2009-06-21 05:13 -------- d-s---w- c:\documents and settings\Jerry W\UserData
2009-06-18 04:26 . 2009-06-18 04:26 -------- d-----w- c:\program files\QuickTime
2009-06-18 04:26 . 2009-06-21 05:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-18 04:25 . 2009-06-18 04:25 -------- d-----w- c:\documents and settings\Jerry W\Local Settings\Application Data\Apple
2009-06-18 04:25 . 2009-06-21 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-18 04:25 . 2009-06-18 04:25 -------- d-----w- c:\program files\Apple Software Update
2009-06-18 04:25 . 2009-06-21 05:57 -------- d-----w- c:\documents and settings\Jerry W\Local Settings\Application Data\Apple Computer
2009-06-18 02:00 . 2009-06-18 02:00 -------- d-----w- c:\program files\DellTPad
2009-06-18 02:00 . 2007-06-25 23:51 100418 ----a-w- c:\windows\system32\Vxdif.dll
2009-06-18 02:00 . 2007-06-25 22:53 155136 ----a-w- c:\windows\system32\drivers\Apfiltr.sys
2009-06-18 02:00 . 2006-11-02 12:09 1419232 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll
2009-06-18 01:14 . 2009-06-18 01:14 -------- d--h--w- c:\windows\PIF
2009-06-18 00:30 . 2009-06-18 00:30 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-06-18 00:30 . 2009-06-18 00:35 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-18 00:29 . 2009-06-18 00:29 -------- d-----w- c:\program files\Windows Sidebar
2009-06-18 00:29 . 2009-06-18 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-06-18 00:29 . 2009-06-18 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-18 00:29 . 2009-06-18 00:29 -------- d-----w- c:\program files\NortonInstaller
2009-06-18 00:28 . 2009-06-18 00:28 -------- d-----w- c:\documents and settings\All Users\Symantec Temporary Files
2009-06-18 00:23 . 2008-04-14 04:21 101120 -c--a-w- c:\windows\system32\dllcache\bthpan.sys
2009-06-18 00:23 . 2008-04-14 04:21 101120 ----a-w- c:\windows\system32\drivers\bthpan.sys
2009-06-18 00:21 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-18 00:17 . 2007-05-10 14:22 405504 ----a-w- c:\windows\stsystra.exe
2009-06-18 00:17 . 2007-04-10 21:02 1601536 ----a-w- c:\windows\system32\stlang.dll
2009-06-18 00:17 . 2008-04-14 09:41 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2009-06-18 00:17 . 2008-04-14 09:41 4096 ----a-w- c:\windows\system32\ksuser.dll
2009-06-18 00:17 . 2008-04-14 04:49 146048 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2009-06-18 00:17 . 2008-04-14 04:49 146048 ----a-w- c:\windows\system32\drivers\portcls.sys
2009-06-18 00:17 . 2008-04-14 04:15 60160 -c--a-w- c:\windows\system32\dllcache\drmk.sys
2009-06-18 00:17 . 2008-04-14 04:15 60160 ----a-w- c:\windows\system32\drivers\drmk.sys
2009-06-18 00:17 . 2009-06-18 00:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-18 00:17 . 2009-06-18 00:17 -------- d-----w- c:\program files\SigmaTel
2009-06-18 00:17 . 2007-08-21 13:58 146944 ----a-w- c:\windows\system32\st325602.dll
2009-06-18 00:17 . 2007-05-10 14:24 1222840 ----a-w- c:\windows\system32\drivers\sthda.sys
2009-06-18 00:17 . 2007-05-10 14:23 270336 ----a-w- c:\windows\system32\stacapi.dll
2009-06-18 00:15 . 2009-06-18 00:15 28029 ----a-w- c:\windows\system32\nvModes.dat
2009-06-18 00:15 . 2009-06-18 00:15 -------- d-----w- c:\windows\nview
2009-06-18 00:15 . 2007-11-17 07:03 356352 ----a-w- c:\windows\system32\nvudisp.exe
2009-06-18 00:09 . 2009-06-18 00:09 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2009-06-18 00:09 . 2009-06-18 00:09 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2009-06-18 00:09 . 2009-06-18 00:09 -------- d-----w- c:\documents and settings\Jerry W\Application Data\Intel
2009-06-18 00:09 . 2009-06-18 00:09 -------- d-----w- c:\documents and settings\Default User\Application Data\Intel
2009-06-18 00:08 . 2009-06-21 05:57 -------- dc----w- c:\windows\system32\DRVSTORE
2009-06-18 00:08 . 2008-08-29 03:34 3632384 ----a-w- c:\windows\system32\drivers\NETw5x32.sys
2009-06-18 00:08 . 2008-06-20 14:33 2756608 ----a-w- c:\windows\system32\NETw5r32.dll
2009-06-18 00:08 . 2008-06-20 14:32 663552 ----a-w- c:\windows\system32\NETw5c32.dll
2009-06-18 00:08 . 2009-06-18 00:08 -------- d-----w- c:\program files\Intel
2009-06-18 00:08 . 2009-06-18 00:08 -------- d-----w- c:\program files\Common Files\Intel
2009-06-18 00:08 . 2009-06-18 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2009-06-18 00:06 . 2009-06-18 00:06 -------- d-----w- c:\windows\Downloaded Installations
2009-06-18 00:06 . 2009-06-18 00:06 -------- d-----w- c:\program files\Broadcom
2009-06-18 00:05 . 2008-04-14 04:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-06-18 00:03 . 2009-06-18 00:03 -------- d--h--w- c:\windows\system32\GroupPolicy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 06:38 . 2009-06-17 23:57 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-18 23:46 . 2009-06-18 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-18 02:01 . 2009-06-18 02:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2009-06-18 02:01 . 2009-06-18 02:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-18 00:14 . 2009-06-18 00:14 0 ----a-w- c:\windows\nsreg.dat
2009-06-18 00:07 . 2009-06-18 00:07 -------- d-----w- c:\program files\Dell
2009-06-18 00:07 . 2009-06-18 00:07 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-17 23:58 . 2009-06-17 23:58 -------- d-----w- c:\program files\microsoft frontpage
2009-06-17 23:55 . 2009-06-17 23:55 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-05 17:57 . 2009-06-05 17:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-25 04:24 . 2008-05-27 02:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-12 19:12 . 2009-06-18 00:18 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-07 15:32 . 2008-04-13 23:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2008-04-13 23:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2008-04-13 23:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2008-04-13 23:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-04-13 23:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\Common Files\InstallShield ----

2009-06-18 00:14 . 2003-11-10 22:12 192512 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll
2009-06-18 00:14 . 2003-11-10 22:12 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll
2009-06-18 00:14 . 2003-11-10 22:13 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll
2009-06-18 00:14 . 2003-11-10 22:11 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe
2009-06-18 00:14 . 2003-11-10 22:14 729088 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll
2009-06-18 00:14 . 2009-06-18 00:14 188548 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll
2009-06-18 00:14 . 2009-06-18 00:14 311428 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll
2009-06-18 00:07 . 2001-09-05 08:18 225280 ----a-w- c:\program files\Common Files\InstallShield\IScript\iscript.dll
2009-06-18 00:07 . 2001-09-05 08:14 176128 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2009-06-18 00:07 . 2001-09-05 08:13 32768 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2009-06-18 00:07 . 2001-09-05 08:18 77824 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2009-06-18 00:07 . 2003-05-07 19:09 28529 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\corecomp.ini
2009-06-18 00:07 . 2007-03-16 22:10 610436 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
2009-06-18 00:07 . 2004-10-22 06:13 32768 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\Objectps.dll
2009-06-18 00:07 . 2003-11-10 22:11 29762 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\iKernel.rgs
2009-06-18 00:07 . 2004-10-22 06:15 113420 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\IsProBE.tlb
2009-06-18 00:07 . 2004-10-22 06:16 180224 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iuser.dll
2009-06-18 00:07 . 2004-10-22 06:17 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iscript.dll
2009-06-18 00:07 . 2004-10-22 06:17 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\ctor.dll
2009-06-18 00:07 . 2004-10-22 06:16 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\DotNetInstaller.exe
2009-06-18 00:07 . 2004-10-22 06:18 749568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iKernel.dll
2009-06-18 00:07 . 2009-06-18 00:07 192644 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iGdi.dll
2009-06-18 00:07 . 2009-06-18 00:07 323716 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\setup.dll

---- Directory of c:\program files\Dell ----

2009-06-18 00:07 . 2007-03-16 22:10 174084 ----a-w- c:\program files\Dell\Dell Wireless WLAN Card\bcmwls.ini
2009-06-18 00:07 . 2007-03-16 22:10 131072 ----a-w- c:\program files\Dell\Dell Wireless WLAN Card\bcmwls32.exe
2009-06-18 00:07 . 2007-03-16 22:10 253952 ----a-w- c:\program files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe
2009-06-18 00:07 . 2007-03-20 14:18 143998 ----a-w- c:\program files\Dell\Dell Wireless WLAN Card\Readme.rtf
2009-06-18 00:07 . 2007-03-16 22:10 655670 ----a-w- c:\program files\Dell\Dell Wireless WLAN Card\Driver\bcmwl5.inf
2009-06-18 00:07 . 2007-03-16 22:10 604928 ----a-w- c:\program files\Dell\Dell Wireless WLAN Card\Driver\BCMWL5.SYS
2009-06-18 00:07 . 2007-03-16 22:10 10636 ----a-w- c:\program files\Dell\Dell Wireless WLAN Card\Driver\BCM43XX64.CAT
2009-06-18 00:07 . 2007-03-16 22:10 10636 ----a-w- c:\program files\Dell\Dell Wireless WLAN Card\Driver\BCM43XX.CAT
2009-06-18 00:07 . 2009-06-18 00:07 3257 ----a-w- c:\program files\Dell\Dell Wireless WLAN Card\uninstall.log


((((((((((((((((((((((((((((( SnapShot@2009-06-25_00.38.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-25 00:39 . 2008-10-16 18:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-25 00:39 . 2008-04-13 23:00 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-25 00:39 . 2008-04-13 23:00 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-25 00:39 . 2008-04-13 23:00 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-25 00:39 . 2008-04-13 23:00 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-25 00:39 . 2008-04-13 23:00 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-25 00:39 . 2008-04-13 23:00 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-25 00:39 . 2008-04-13 23:00 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-25 00:39 . 2008-04-13 23:00 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-25 00:39 . 2008-04-13 23:00 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2009-06-25 00:39 . 2008-04-13 23:00 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-25 00:39 . 2009-04-29 04:46 666624 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-25 00:39 . 2008-04-13 23:00 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-25 00:39 . 2008-04-13 23:00 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-25 00:39 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-25 00:39 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-25 00:39 . 2008-04-13 23:00 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-25 00:39 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-25 00:39 . 2008-04-13 23:00 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-25 00:39 . 2008-04-13 23:00 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2009-06-25 00:39 . 2008-04-13 23:00 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-25 00:39 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-25 00:39 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-25 00:39 . 2008-04-13 23:00 1033728 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-21 136600]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-11-17 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-11-17 86016]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-13 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [6/17/2009 8:30 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [6/17/2009 8:30 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [6/17/2009 8:30 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090623.001\IDSXpx86.sys [6/23/2009 9:40 PM 276344]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [10/18/2005 5:11 PM 61440]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [6/17/2009 8:30 PM 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/17/2009 8:31 PM 101936]
S0 cerc6;cerc6; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AUJASNKJ
*Deregistered* - aujasnkj
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-25 00:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1268)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\netprovcredman.dll
.
Completion time: 2009-06-25 0:27
ComboFix-quarantined-files.txt 2009-06-25 04:27
ComboFix2.txt 2009-06-25 00:40

Pre-Run: 92,509,306,880 bytes free
Post-Run: 92,499,464,192 bytes free

277 --- E O F --- 2009-06-23 03:32
Upload was successful

#8 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 25 June 2009 - 07:26 AM

Hello.

Just want to take a closer look at several files. They are suspicious because they were modified at the same time as a piece of malware was.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/234732/ahnrptaexe-and-olhrwefexe/
    
    Suspect::[59]
    c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll
    c:\program files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
    c:\program files\Dell\Dell Wireless WLAN Card\bcmwls32.exe
    c:\program files\Dell\Dell Wireless WLAN Card\Driver\BCMWL5.SYS
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

With Regards,
The Panda

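The "modified at the same time as a piece of malware" heuristic used in the post above can be checked mechanically against a ComboFix listing. The following is an added example, not ComboFix's or BleepingComputer's code: it parses the `<created> . <modified> <size> <attrs> <path>` line format used in the "Files Created", "Find3M" and "Look" sections, skips section headers and directory entries, and reports every other file that shares a suspect file's modified timestamp. The sample lines are copied from the log above; the function names (`parse_entries`, `group_by_modified`, `co_modified`) are this example's own.

```python
import re
from collections import defaultdict

# One ComboFix file-listing line: "<created> . <modified> <size> <attrs> <path>".
# Directories carry "--------" as size and a leading "d" in the attribute field.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S{8}) (?P<path>.+?)\s*$"
)

# Sample input: lines copied from the "Look" and "Find3M" sections of the log above,
# plus a section header and a directory entry to show that both are skipped.
SAMPLE_LOG = r"""
---- Directory of c:\program files\Dell ----

2009-06-18 00:07 . 2009-06-18 00:07 -------- d-----w- c:\program files\Dell
2009-06-18 00:07 . 2007-03-16 22:10 131072 ----a-w- c:\program files\Dell\Dell Wireless WLAN Card\bcmwls32.exe
2009-06-18 00:07 . 2007-03-16 22:10 604928 ----a-w- c:\program files\Dell\Dell Wireless WLAN Card\Driver\BCMWL5.SYS
2009-06-18 00:07 . 2007-03-20 14:18 143998 ----a-w- c:\program files\Dell\Dell Wireless WLAN Card\Readme.rtf
2009-06-18 00:07 . 2007-03-16 22:10 610436 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
2009-06-18 00:14 . 2009-06-18 00:14 311428 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll
2009-06-21 05:59 . 2009-06-21 05:59 410984 ----a-w- c:\windows\system32\deploytk.dll
"""


def parse_entries(text):
    """Return one dict per file line; section headers, blanks and directories are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("attrs").startswith("d") or not m.group("size").isdigit():
            continue
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        entries.append(entry)
    return entries


def group_by_modified(entries):
    """Map each modified timestamp to the sorted list of paths that carry it."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["modified"]].append(e["path"])
    return {stamp: sorted(paths) for stamp, paths in groups.items()}


def co_modified(entries, suspect_path):
    """Files whose modified timestamp equals that of suspect_path, excluding the suspect.

    Paths are compared case-insensitively, as they are on an NTFS volume.
    Returns [] when suspect_path does not appear in the listing.
    """
    target = suspect_path.lower()
    stamp = next((e["modified"] for e in entries if e["path"].lower() == target), None)
    if stamp is None:
        return []
    return [e["path"] for e in entries
            if e["modified"] == stamp and e["path"].lower() != target]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    suspect = r"c:\program files\Dell\Dell Wireless WLAN Card\bcmwls32.exe"
    for path in co_modified(parsed, suspect):
        print("same modified time as suspect:", path)
```

Run against the sample, the Dell WLAN executable shares its 2007-03-16 22:10 modified time with the WLAN driver and with the InstallShield engine in a different directory, which is the kind of cross-directory coincidence the post flags for a closer look; a shared timestamp alone is not proof of infection (driver bundles often ship files stamped together), which is why the post submits the files for analysis rather than deleting them.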
#9 jwdell
  • Topic Starter
  • Members
  • 9 posts

Posted 25 June 2009 - 07:44 AM

Hi Panda, here's the log you requested, thanks.

ComboFix Log:

ComboFix 09-06-23.01 - Jerry W 06/25/2009 8:40.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1515 [GMT -4:00]
Running from: c:\documents and settings\Jerry W\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jerry W\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

file zipped: c:\program files\Common Files\InstallShield\Engine\6\Intel 32\Suspect_IKernel.exe.vir
file zipped: c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\Suspect_setup.dll.vir
file zipped: c:\program files\Dell\Dell Wireless WLAN Card\Suspect_bcmwls32.exe.vir
file zipped: c:\program files\Dell\Dell Wireless WLAN Card\Driver\Suspect_BCMWL5.SYS.vir
.

((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-06-25 )))))))))))))))))))))))))))))))
.

2009-06-25 12:37 . 2009-06-18 00:30 89104 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.037\NAVENG.SYS
2009-06-25 12:37 . 2009-06-18 00:30 876144 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.037\NAVEX15.SYS
2009-06-25 12:37 . 2009-06-18 00:30 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.037\NAVENG32.DLL
2009-06-25 12:37 . 2009-06-18 00:30 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.037\NAVEX32A.DLL
2009-06-25 12:37 . 2009-06-18 00:30 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.037\EECTRL.SYS
2009-06-25 12:37 . 2009-06-18 00:30 101936 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.037\ERASER.SYS
2009-06-25 12:37 . 2009-06-18 00:30 259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.037\ECMSVR32.DLL
2009-06-25 12:37 . 2009-06-18 00:30 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090624.037\CCERASER.DLL
2009-06-25 12:34 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-06-25 12:34 . 2008-04-14 09:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-06-25 12:34 . 2008-04-14 04:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-06-25 12:34 . 2008-04-14 04:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-06-25 12:27 . 2009-06-18 00:30 165240 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-06-25 00:39 . 2009-06-25 00:39 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-24 04:05 . 2001-08-17 17:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-06-24 04:05 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-06-24 04:05 . 2008-04-14 04:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-06-24 04:05 . 2008-04-14 04:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-06-24 01:40 . 2009-06-18 00:30 396848 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090623.001\IDSviA64.sys
2009-06-24 01:40 . 2009-06-18 00:30 292912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090623.001\IDSvix86.sys
2009-06-24 01:40 . 2009-06-18 00:30 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090623.001\IDSXpx86.sys
2009-06-24 01:40 . 2009-06-18 00:30 447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090623.001\IDSxpx86.dll
2009-06-24 01:40 . 2009-03-16 20:03 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090623.001\Scxpx86.dll
2009-06-21 17:20 . 2009-06-21 17:20 -------- d-----w- c:\documents and settings\Jerry W\Local Settings\Application Data\ApplicationHistory
2009-06-21 17:19 . 2009-06-21 17:19 12328 ----a-w- c:\documents and settings\Jerry W\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-21 06:00 . 2009-06-21 06:10 -------- d-----w- c:\documents and settings\Jerry W\Application Data\LimeWire
2009-06-21 05:59 . 2009-06-21 05:59 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-21 05:59 . 2009-06-21 05:59 -------- d-----w- c:\program files\Java
2009-06-21 05:59 . 2009-06-21 05:59 152576 ----a-w- c:\documents and settings\Jerry W\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-06-21 05:59 . 2009-06-21 05:59 -------- d-----w- c:\program files\LimeWire
2009-06-21 05:58 . 2009-06-21 05:58 -------- d-----w- c:\program files\VideoLAN
2009-06-21 05:57 . 2009-06-21 17:18 -------- d-----w- c:\documents and settings\Jerry W\Application Data\Apple Computer
2009-06-21 05:57 . 2009-03-19 20:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-21 05:57 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-06-21 05:57 . 2009-06-21 05:57 -------- d-----w- c:\program files\iPod
2009-06-21 05:57 . 2009-06-21 05:57 -------- d-----w- c:\program files\iTunes
2009-06-21 05:57 . 2009-06-21 05:57 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-21 05:57 . 2009-06-21 05:57 -------- d-----w- c:\program files\Bonjour
2009-06-21 05:56 . 2009-06-05 15:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-21 05:56 . 2009-06-05 15:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-21 05:56 . 2009-06-21 05:57 -------- d-----w- c:\program files\Common Files\Apple
2009-06-21 05:35 . 2009-06-21 05:35 -------- d-----w- c:\documents and settings\Jerry W\Application Data\Windows Search
2009-06-21 05:21 . 2009-06-21 05:21 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-21 05:21 . 2009-06-21 05:21 -------- d-----w- c:\program files\MSBuild
2009-06-21 05:21 . 2009-06-21 05:21 -------- d-----w- c:\program files\Reference Assemblies
2009-06-21 05:21 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-21 05:21 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-06-21 05:21 . 2009-06-21 05:21 -------- d-----w- C:\39057309124d8213f5fd
2009-06-21 05:21 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-21 05:21 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-06-21 05:21 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-06-21 05:21 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-06-21 05:21 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-21 05:18 . 2009-06-21 05:18 -------- d-----w- c:\documents and settings\Jerry W\Local Settings\Application Data\Identities
2009-06-21 05:18 . 2009-06-21 05:18 -------- d-----w- c:\documents and settings\Jerry W\Application Data\Windows Desktop Search
2009-06-21 05:17 . 2009-06-21 17:32 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-21 05:15 . 2009-06-21 05:16 -------- d-----w- c:\windows\system32\URTTemp
2009-06-21 05:13 . 2009-06-21 05:13 -------- d-s---w- c:\documents and settings\Jerry W\UserData
2009-06-18 04:26 . 2009-06-18 04:26 -------- d-----w- c:\program files\QuickTime
2009-06-18 04:26 . 2009-06-21 05:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-18 04:25 . 2009-06-18 04:25 -------- d-----w- c:\documents and settings\Jerry W\Local Settings\Application Data\Apple
2009-06-18 04:25 . 2009-06-21 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-18 04:25 . 2009-06-18 04:25 -------- d-----w- c:\program files\Apple Software Update
2009-06-18 04:25 . 2009-06-21 05:57 -------- d-----w- c:\documents and settings\Jerry W\Local Settings\Application Data\Apple Computer
2009-06-18 02:00 . 2009-06-18 02:00 -------- d-----w- c:\program files\DellTPad
2009-06-18 02:00 . 2007-06-25 23:51 100418 ----a-w- c:\windows\system32\Vxdif.dll
2009-06-18 02:00 . 2007-06-25 22:53 155136 ----a-w- c:\windows\system32\drivers\Apfiltr.sys
2009-06-18 02:00 . 2006-11-02 12:09 1419232 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll
2009-06-18 01:14 . 2009-06-18 01:14 -------- d--h--w- c:\windows\PIF
2009-06-18 00:30 . 2009-06-18 00:30 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-06-18 00:30 . 2009-06-18 00:35 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-18 00:29 . 2009-06-18 00:29 -------- d-----w- c:\program files\Windows Sidebar
2009-06-18 00:29 . 2009-06-18 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-06-18 00:29 . 2009-06-18 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-18 00:29 . 2009-06-18 00:29 -------- d-----w- c:\program files\NortonInstaller
2009-06-18 00:28 . 2009-06-18 00:28 -------- d-----w- c:\documents and settings\All Users\Symantec Temporary Files
2009-06-18 00:23 . 2008-04-14 04:21 101120 -c--a-w- c:\windows\system32\dllcache\bthpan.sys
2009-06-18 00:23 . 2008-04-14 04:21 101120 ----a-w- c:\windows\system32\drivers\bthpan.sys
2009-06-18 00:21 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-18 00:17 . 2007-05-10 14:22 405504 ----a-w- c:\windows\stsystra.exe
2009-06-18 00:17 . 2007-04-10 21:02 1601536 ----a-w- c:\windows\system32\stlang.dll
2009-06-18 00:17 . 2008-04-14 09:41 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2009-06-18 00:17 . 2008-04-14 09:41 4096 ----a-w- c:\windows\system32\ksuser.dll
2009-06-18 00:17 . 2008-04-14 04:49 146048 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2009-06-18 00:17 . 2008-04-14 04:49 146048 ----a-w- c:\windows\system32\drivers\portcls.sys
2009-06-18 00:17 . 2008-04-14 04:15 60160 -c--a-w- c:\windows\system32\dllcache\drmk.sys
2009-06-18 00:17 . 2008-04-14 04:15 60160 ----a-w- c:\windows\system32\drivers\drmk.sys
2009-06-18 00:17 . 2009-06-18 00:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-18 00:17 . 2009-06-18 00:17 -------- d-----w- c:\program files\SigmaTel
2009-06-18 00:17 . 2007-08-21 13:58 146944 ----a-w- c:\windows\system32\st325602.dll
2009-06-18 00:17 . 2007-05-10 14:24 1222840 ----a-w- c:\windows\system32\drivers\sthda.sys
2009-06-18 00:17 . 2007-05-10 14:23 270336 ----a-w- c:\windows\system32\stacapi.dll
2009-06-18 00:15 . 2009-06-18 00:15 28029 ----a-w- c:\windows\system32\nvModes.dat
2009-06-18 00:15 . 2009-06-18 00:15 -------- d-----w- c:\windows\nview
2009-06-18 00:15 . 2007-11-17 07:03 356352 ----a-w- c:\windows\system32\nvudisp.exe
2009-06-18 00:09 . 2009-06-18 00:09 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2009-06-18 00:09 . 2009-06-18 00:09 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2009-06-18 00:09 . 2009-06-18 00:09 -------- d-----w- c:\documents and settings\Jerry W\Application Data\Intel
2009-06-18 00:09 . 2009-06-18 00:09 -------- d-----w- c:\documents and settings\Default User\Application Data\Intel
2009-06-18 00:08 . 2009-06-21 05:57 -------- dc----w- c:\windows\system32\DRVSTORE
2009-06-18 00:08 . 2008-08-29 03:34 3632384 ----a-w- c:\windows\system32\drivers\NETw5x32.sys
2009-06-18 00:08 . 2008-06-20 14:33 2756608 ----a-w- c:\windows\system32\NETw5r32.dll
2009-06-18 00:08 . 2008-06-20 14:32 663552 ----a-w- c:\windows\system32\NETw5c32.dll
2009-06-18 00:08 . 2009-06-18 00:08 -------- d-----w- c:\program files\Intel
2009-06-18 00:08 . 2009-06-18 00:08 -------- d-----w- c:\program files\Common Files\Intel
2009-06-18 00:08 . 2009-06-18 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2009-06-18 00:06 . 2009-06-18 00:06 -------- d-----w- c:\windows\Downloaded Installations
2009-06-18 00:06 . 2009-06-18 00:06 -------- d-----w- c:\program files\Broadcom
2009-06-18 00:05 . 2008-04-14 04:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-06-18 00:03 . 2009-06-18 00:03 -------- d--h--w- c:\windows\system32\GroupPolicy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 06:38 . 2009-06-17 23:57 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-18 23:46 . 2009-06-18 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-18 02:01 . 2009-06-18 02:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2009-06-18 02:01 . 2009-06-18 02:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-18 00:14 . 2009-06-18 00:14 0 ----a-w- c:\windows\nsreg.dat
2009-06-18 00:07 . 2009-06-18 00:07 -------- d-----w- c:\program files\Dell
2009-06-18 00:07 . 2009-06-18 00:07 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-17 23:58 . 2009-06-17 23:58 -------- d-----w- c:\program files\microsoft frontpage
2009-06-17 23:55 . 2009-06-17 23:55 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-05 17:57 . 2009-06-05 17:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-25 04:24 . 2008-05-27 02:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-12 19:12 . 2009-06-18 00:18 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-07 15:32 . 2008-04-13 23:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2008-04-13 23:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2008-04-13 23:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2008-04-13 23:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-04-13 23:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-25_00.38.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-25 12:27 . 2009-06-25 12:27 16384 c:\windows\Temp\Perflib_Perfdata_b8.dat
+ 2009-06-25 12:27 . 2009-06-25 12:27 16384 c:\windows\Temp\Perflib_Perfdata_720.dat
+ 2009-06-25 00:39 . 2008-10-16 18:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-25 00:39 . 2008-04-13 23:00 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-25 00:39 . 2008-04-13 23:00 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-25 00:39 . 2008-04-13 23:00 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-25 00:39 . 2008-04-13 23:00 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-25 00:39 . 2008-04-13 23:00 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-25 00:39 . 2008-04-13 23:00 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-25 00:39 . 2008-04-13 23:00 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-25 00:39 . 2008-04-13 23:00 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-25 00:39 . 2008-04-13 23:00 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2009-06-25 00:39 . 2008-04-13 23:00 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-25 00:39 . 2009-04-29 04:46 666624 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-25 00:39 . 2008-04-13 23:00 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-25 00:39 . 2008-04-13 23:00 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-25 00:39 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-25 00:39 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-25 00:39 . 2008-04-13 23:00 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-25 00:39 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-25 00:39 . 2008-04-13 23:00 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-25 00:39 . 2008-04-13 23:00 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2009-06-25 00:39 . 2008-04-13 23:00 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-25 00:39 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-25 00:39 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-25 00:39 . 2008-04-13 23:00 1033728 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-21 136600]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-11-17 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-11-17 86016]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-13 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [6/17/2009 8:30 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [6/17/2009 8:30 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [6/17/2009 8:30 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090623.001\IDSXpx86.sys [6/23/2009 9:40 PM 276344]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [10/18/2005 5:11 PM 61440]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [6/17/2009 8:30 PM 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/17/2009 8:31 PM 101936]
S0 cerc6;cerc6; [x]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-25 08:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1268)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\netprovcredman.dll
.
Completion time: 2009-06-25 8:42
ComboFix-quarantined-files.txt 2009-06-25 12:42
ComboFix2.txt 2009-06-25 04:27
ComboFix3.txt 2009-06-25 00:40

Pre-Run: 92,486,942,720 bytes free
Post-Run: 92,474,204,160 bytes free

244 --- E O F --- 2009-06-23 03:32

#10 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 25 June 2009 - 07:51 AM

Hello jwdell.

Luckily, those files are clean.

Let's run an online scan to find anything we've missed.

Update Java to Version 6 Update 14
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer here. Choose "Windows".

Delete the installer after use.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Take a new DDS.txt log after.

With Regards,
The Panda

#11 jwdell
  • Topic Starter
  • Members
  • 9 posts

Posted 25 June 2009 - 03:06 PM

If I don't use IE, do I have to run the last scan? Thanks.

#12 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 25 June 2009 - 04:24 PM

Hello.

The scan is optional.

Please still update your Java though.

Take a new DDS.txt log after.

With Regards,
The Panda

#13 jwdell
  • Topic Starter
  • Members
  • 9 posts

Posted 25 June 2009 - 06:39 PM

Hi Panda, here's the DDS log and attach you requested.

Log:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Jerry W at 19:37:29.35 on Thu 06/25/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1509 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jerry W\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jerryw~1\applic~1\mozilla\firefox\profiles\o56k17ek.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-6-17 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-6-17 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-6-17 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090623.001\IDSXpx86.sys [2009-6-23 276344]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2005-10-18 61440]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-6-17 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-17 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090625.007\NAVENG.SYS [2009-6-25 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090625.007\NAVEX15.SYS [2009-6-25 876144]
S0 cerc6;cerc6; [x]

=============== Created Last 30 ================

2009-06-25 19:35 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-25 19:30 <DIR> --d----- c:\windows\system32\appmgmt
2009-06-25 08:34 5,632 a------- c:\windows\system32\ptpusb.dll
2009-06-25 08:34 159,232 a------- c:\windows\system32\ptpusd.dll
2009-06-25 08:34 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-06-25 08:34 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-06-24 20:39 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-06-24 20:34 <DIR> a-dshr-- C:\cmdcons
2009-06-24 20:33 161,792 a------- c:\windows\SWREG.exe
2009-06-24 20:33 155,136 a------- c:\windows\PEV.exe
2009-06-24 20:33 98,816 a------- c:\windows\sed.exe
2009-06-24 00:05 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-06-24 00:05 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-06-24 00:05 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-06-24 00:05 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-06-21 02:00 <DIR> --d----- c:\docume~1\jerryw~1\applic~1\LimeWire
2009-06-21 01:59 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-21 01:59 <DIR> --d----- c:\program files\LimeWire
2009-06-21 01:58 <DIR> --d----- c:\program files\VideoLAN
2009-06-21 01:57 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-21 01:57 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-21 01:57 <DIR> --d----- c:\program files\iPod
2009-06-21 01:57 <DIR> --d----- c:\program files\iTunes
2009-06-21 01:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-21 01:57 <DIR> --d----- c:\program files\Bonjour
2009-06-21 01:56 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-21 01:56 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-06-21 01:35 <DIR> --d----- c:\docume~1\jerryw~1\applic~1\Windows Search
2009-06-21 01:21 <DIR> --d----- c:\windows\system32\XPSViewer
2009-06-21 01:21 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-21 01:21 117,760 -------- c:\windows\system32\prntvpt.dll
2009-06-21 01:21 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-06-21 01:21 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-21 01:21 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-21 01:21 <DIR> --d----- C:\39057309124d8213f5fd
2009-06-21 01:21 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-06-21 01:21 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-06-21 01:18 <DIR> --d----- c:\docume~1\jerryw~1\applic~1\Windows Desktop Search
2009-06-21 01:17 <DIR> --d----- c:\program files\Windows Desktop Search
2009-06-21 01:15 <DIR> --d----- c:\windows\system32\URTTemp
2009-06-21 01:13 <DIR> --ds---- c:\documents and settings\jerry w\UserData
2009-06-17 22:01 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2009-06-17 22:01 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-17 22:00 <DIR> --d----- c:\program files\DellTPad
2009-06-17 22:00 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-06-17 22:00 1,419,232 a------- c:\windows\system32\WdfCoInstaller01005.dll
2009-06-17 22:00 155,136 a------- c:\windows\system32\drivers\Apfiltr.sys
2009-06-17 22:00 100,418 a------- c:\windows\system32\Vxdif.dll
2009-06-17 21:14 <DIR> --d-h--- c:\windows\PIF
2009-06-17 20:47 <DIR> --d----- c:\windows\pss
2009-06-17 20:30 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-06-17 20:30 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-17 20:30 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-06-17 20:30 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-17 20:30 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-17 20:30 <DIR> --d----- c:\program files\Symantec
2009-06-17 20:30 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-06-17 20:29 <DIR> --d----- c:\windows\system32\drivers\NAV
2009-06-17 20:29 <DIR> --d----- c:\program files\Norton AntiVirus
2009-06-17 20:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-06-17 20:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-06-17 20:29 <DIR> --d----- c:\program files\NortonInstaller
2009-06-17 20:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-06-17 20:28 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files
2009-06-17 20:23 101,120 ac------ c:\windows\system32\dllcache\bthpan.sys
2009-06-17 20:23 101,120 a------- c:\windows\system32\drivers\bthpan.sys
2009-06-17 20:21 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-06-17 20:17 4,952,064 a------- c:\windows\system32\stacgui.cpl
2009-06-17 20:17 <DIR> --d----- c:\program files\SigmaTel
2009-06-17 20:15 28,029 a------- c:\windows\system32\nvModes.001
2009-06-17 20:15 28,029 a------- c:\windows\system32\nvModes.dat
2009-06-17 20:15 134,756 a------- c:\windows\system32\nvapps.xml
2009-06-17 20:15 18,019 a------- c:\windows\system32\nvwsapps.xml
2009-06-17 20:15 356,352 a------- c:\windows\system32\nvudisp.exe
2009-06-17 20:15 17,527 a------- c:\windows\system32\nvdisp.nvu
2009-06-17 20:15 <DIR> --d----- c:\windows\nview
2009-06-17 20:09 <DIR> --d----- c:\docume~1\jerryw~1\applic~1\Intel
2009-06-17 20:08 3,632,384 a------- c:\windows\system32\drivers\NETw5x32.sys
2009-06-17 20:08 2,756,608 a------- c:\windows\system32\NETw5r32.dll
2009-06-17 20:08 663,552 a------- c:\windows\system32\NETw5c32.dll
2009-06-17 20:08 <DIR> --d----- c:\program files\common files\Intel
2009-06-17 20:07 <DIR> --d----- c:\program files\Dell
2009-06-17 20:06 <DIR> --d----- c:\windows\Downloaded Installations
2009-06-17 20:06 <DIR> --d----- c:\program files\Broadcom
2009-06-17 20:05 26,368 ac------ c:\windows\system32\dllcache\usbstor.sys
2009-06-17 20:03 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-06-17 20:02 <DIR> --d----- c:\documents and settings\Jerry W
2009-06-17 20:01 <DIR> --ds---- c:\windows\system32\Microsoft
2009-06-17 20:01 8,192 a------- c:\windows\REGLOCS.OLD
2009-06-17 19:59 482,304 ac------ c:\windows\system32\dllcache\pintlgnt.ime
2009-06-17 19:58 1,677,824 ac------ c:\windows\system32\dllcache\chsbrkr.dll
2009-06-17 19:57 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-06-17 19:57 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-06-17 19:57 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-06-17 19:57 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-06-17 19:57 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-06-17 19:57 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-06-17 19:57 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-06-17 19:57 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-06-17 19:57 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-06-17 19:57 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-06-17 19:57 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-06-17 19:57 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-06-17 19:56 <DIR> --d----- c:\program files\common files\MSSoap
2009-06-17 19:54 <DIR> --d----- c:\program files\Online Services
2009-06-17 19:54 <DIR> --d----- c:\program files\Messenger
2009-06-17 19:54 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-06-17 19:53 <DIR> --d----- c:\program files\Windows NT
2009-06-17 15:49 <DIR> --d----- c:\program files\common files\ODBC
2009-06-17 15:49 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-06-17 15:48 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-06-21 02:38 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-17 19:55 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-05-25 00:24 350,208 a------- c:\windows\system32\mssph.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-29 00:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 19:37:54.39 ===============


Please see attached for attach.txt

Thanks!

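The DDS log above lists every file created in the last 30 days as date, time, size, an eight-character attribute field and a path, and its header records the browser Java version the helper asked to be updated. As an added illustration (editor's code, not a BleepingComputer tool and not part of DDS), the script below parses those lines and applies a few review heuristics: hidden+system attributes, binaries dropped under %windir% with no same-sized dllcache twin (the pattern a Windows hotfix leaves), and random-looking hex-named directories at a drive root. The sample input is a subset of lines copied from the log above; the heuristics, the helper names and the 6u14 threshold are assumptions, and a hit is a review item, not a verdict.

```python
"""Triage helper for DDS.txt logs of the kind posted in this thread (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
DDS (Ver_09-05-14.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
=============== Created Last 30 ================
2009-06-25 19:35 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-25 19:30 <DIR> --d----- c:\windows\system32\appmgmt
2009-06-25 08:34 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-06-25 08:34 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-06-24 20:34 <DIR> a-dshr-- C:\cmdcons
2009-06-24 20:33 161,792 a------- c:\windows\SWREG.exe
2009-06-21 01:21 <DIR> --d----- C:\39057309124d8213f5fd
2009-06-17 20:30 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-06-17 19:57 <DIR> --dsh--- c:\documents and settings\all users\DRM
==================== Find3M ====================
"""

# "YYYY-MM-DD HH:MM  size-or-<DIR>  8 attribute flags  path"; flag letters seen in
# DDS output are a(rchive) c(ompressed) d(irectory) s(ystem) h(idden) r(ead-only).
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+?)\s*$"
)
JAVA_RE = re.compile(r"BrowserJavaVersion: (\d+)\.(\d+)\.(\d+)_(\d+)")
JINSTALL_RE = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)")
BINARY_EXT = (".exe", ".dll", ".sys", ".cpl", ".scr", ".ocx", ".drv")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{16,}$")


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for directories
    attrs: set           # flag letters present in the attribute field
    path: str


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one 'Created Last 30' line; None for anything else in the log."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
    attrs = {ch for ch in m["attrs"] if ch != "-"}
    return Entry(m["date"], m["time"], size, attrs, m["path"])


def review_reasons(e: Entry, dllcache: dict) -> list:
    """Heuristic reasons to look at an entry (editor's assumptions, not verdicts)."""
    reasons = []
    low = e.path.lower()
    name = low.rsplit("\\", 1)[-1]
    is_dir = "d" in e.attrs or e.size is None
    if "h" in e.attrs and "s" in e.attrs:
        reasons.append("hidden+system attributes")
    if (not is_dir and low.endswith(BINARY_EXT)
            and "\\windows\\" in low and "\\dllcache\\" not in low):
        # A hotfix or driver install leaves a same-sized copy in dllcache;
        # a binary without such a twin needs a vendor/signature check by hand.
        twin = dllcache.get(name)
        if twin is None or twin.size != e.size:
            reasons.append("binary under %windir% without matching dllcache copy")
    if is_dir and HEX_NAME_RE.match(name) and low.count("\\") == 1:
        reasons.append("random-looking directory in a drive root")
    return reasons


def triage(log_text: str) -> dict:
    """Map path -> list of reasons for every entry that trips a heuristic."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    dllcache = {e.path.lower().rsplit("\\", 1)[-1]: e
                for e in entries if "\\dllcache\\" in e.path.lower()}
    hits = {}
    for e in entries:
        reasons = review_reasons(e, dllcache)
        if reasons:
            hits[e.path] = reasons
    return hits


def java_versions(log_text: str) -> set:
    """Every JRE version the log mentions (header and DPF lines), as tuples."""
    found = set()
    for rx in (JAVA_RE, JINSTALL_RE):
        for m in rx.finditer(log_text):
            found.add(tuple(int(x) for x in m.groups()))
    return found


def java_outdated(log_text: str, minimum=(1, 6, 0, 14)) -> bool:
    """True if any JRE seen is older than `minimum` (6u14 is what the helper asked for)."""
    return any(v < minimum for v in java_versions(log_text))


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_DDS).items():
        print(f"{path}: {', '.join(reasons)}")
    print("Java outdated:", java_outdated(SAMPLE_DDS))
```

Run against the sample, the script leaves the usbscan.sys driver alone (its dllcache twin has the same size) but queues javacpl.cpl, SWREG.exe and SymIM.sys for a manual vendor check, flags the hex-named root directory and the hidden+system directories, and reports Java 1.6.0_13 as below 6u14. Feed it a full DDS.txt instead of the sample to triage a real log.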

#14 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 25 June 2009 - 06:52 PM

Hello jwdell.

That looks good. Unless there are any issues at the moment, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type the following into the runbox and click OK. Notice the space between the "x" and "/".
    ComboFix /u
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Resets clock settings to standard format.
  • Hides file extensions and hidden/system files.
  • Clears System Restore cache and creates new restore point.

Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections. For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda

#15 jwdell
  • Topic Starter
  • Members
  • 9 posts

Posted 25 June 2009 - 08:15 PM

Thanks for all your help Panda. I however do have a question, is it possible for me to use combofix later on by myself if I happen to run into more problems? What are some programs that I may use on my own in order to fix some malware problems that my current antivirus maybe doesn't address? Thanks!



