Bustok-N Trojan XP Home Edition SP3


  • This topic is locked
13 replies to this topic

#1 RTMallon

RTMallon

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:42 PM

Posted 05 July 2009 - 08:38 PM

Good afternoon,
I picked up the Bustok-N trojan by downloading what was supposed to be an updated version of Flash video player. Norton 360 has been no help and Norton's support site didn't show any entries for this trojan. After the trojan was identified Norton started malfunctioning. I tried a comprehensive scan and got nothing but tracking cookies. The "SONAR Advanced Protection" has been disabled and Norton won't automatically update. I'm getting redirects when I click on links in Google, Bing, Ask, Yahoo, etc. and the web searches return no entries when I search for information on this trojan. I have backed up and removed all non-essential programs and files from the computer in preparation for having to wipe the computer and start over. This is my last hope of not having to reload everything. Please help.

DDS (Ver_09-06-26.01) - NTFSx86
Run by Choo at 17:32:00.65 on Sun 07/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2014.1553 [GMT -7:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\PROGRA~1\IOMEGA~1\RETROS~1\retrorun.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton 360\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Iomega StorCenter\sohoclient.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Choo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\norton 360\engine\3.0.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\norton 360\engine\3.0.0.135\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\norton 360\engine\3.0.0.135\coIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\iomega~1.lnk - c:\program files\iomega storcenter\sohoclient.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: NameServer = 85.255.112.99,85.255.112.228
TCP: {5609A6DB-83CA-4158-A949-4C36EF41270C} = 85.255.112.99
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\norton 360\engine\3.0.0.135\CoIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
LSA: Notification Packages = scecli scecli

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0300000.087\SymEFA.sys [2009-7-4 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0300000.087\BHDrvx86.sys [2009-7-4 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0300000.087\cchpx86.sys [2009-7-4 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090625.003\IDSXpx86.sys [2009-7-4 276344]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 N360;Norton 360;c:\program files\norton 360\norton 360\engine\3.0.0.135\ccSvcHst.exe [2009-7-4 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-27 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090705.020\NAVENG.SYS [2009-7-5 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090705.020\NAVEX15.SYS [2009-7-5 876144]
S2 EraserSvc10910;Symantec Eraser Service;c:\program files\norton 360\engine\3.0.0.135\ccSvcHst.exe [2009-6-27 115560]
S3 actccid;ActivCard USB Reader V2;c:\windows\system32\drivers\actccid.sys --> c:\windows\system32\drivers\actccid.sys [?]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [2007-10-17 56448]

=============== Created Last 30 ================

2009-07-05 17:04 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-04 17:45 <DIR> --d--r-- c:\program files\Norton Support
2009-07-04 17:27 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-07-04 17:27 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-07-04 17:27 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-07-04 17:27 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-07-04 17:27 <DIR> --d----- c:\program files\Symantec
2009-07-04 17:26 <DIR> --d----- c:\windows\system32\drivers\N360
2009-07-04 15:55 <DIR> --d----- c:\program files\PlayMYDVD
2009-07-02 20:38 <DIR> --d-h--- c:\windows\PIF
2009-06-28 16:37 <DIR> --d----- c:\docume~1\choo\applic~1\Windows Search
2009-06-28 16:21 <DIR> --d----- c:\windows\system32\GroupPolicy
2009-06-28 16:21 <DIR> --d----- c:\program files\Windows Desktop Search
2009-06-28 16:21 192,000 -c------ c:\windows\system32\dllcache\offfilt.dll
2009-06-28 16:21 98,304 -c------ c:\windows\system32\dllcache\nlhtml.dll
2009-06-28 16:21 29,696 -c------ c:\windows\system32\dllcache\mimefilt.dll
2009-06-27 17:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-06-27 17:23 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-06-27 17:23 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-06-27 17:22 <DIR> --d----- c:\program files\Norton 360
2009-06-27 17:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCSettings
2009-06-27 17:11 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files

==================== Find3M ====================

2009-07-05 17:04 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 21:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-11 20:48 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

============= FINISH: 17:32:26.90 ===============


#2 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:10:42 PM

Posted 12 July 2009 - 10:53 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 RTMallon

RTMallon
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:42 PM

Posted 12 July 2009 - 01:43 PM

As requested here is an updated DDS log.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Choo at 11:38:38.32 on Sun 07/12/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2014.1600 [GMT -7:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\PROGRA~1\IOMEGA~1\RETROS~1\retrorun.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Iomega StorCenter\sohoclient.exe
C:\Documents and Settings\Choo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\norton 360\engine\3.0.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\norton 360\engine\3.0.0.135\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\norton 360\engine\3.0.0.135\coIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\iomega~1.lnk - c:\program files\iomega storcenter\sohoclient.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: NameServer = 85.255.112.99,85.255.112.228
TCP: {5609A6DB-83CA-4158-A949-4C36EF41270C} = 85.255.112.99
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\norton 360\engine\3.0.0.135\CoIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
LSA: Notification Packages = scecli scecli

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0300000.087\SymEFA.sys [2009-7-4 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0300000.087\BHDrvx86.sys [2009-7-4 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0300000.087\cchpx86.sys [2009-7-4 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090709.001\IDSXpx86.sys [2009-7-10 276344]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 N360;Norton 360;c:\program files\norton 360\norton 360\engine\3.0.0.135\ccSvcHst.exe [2009-7-4 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-27 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090712.003\NAVENG.SYS [2009-7-12 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090712.003\NAVEX15.SYS [2009-7-12 876144]
S2 EraserSvc10910;Symantec Eraser Service;c:\program files\norton 360\engine\3.0.0.135\ccSvcHst.exe [2009-6-27 115560]
S3 actccid;ActivCard USB Reader V2;c:\windows\system32\drivers\actccid.sys --> c:\windows\system32\drivers\actccid.sys [?]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [2007-10-17 56448]

=============== Created Last 30 ================

2009-07-05 17:04 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-04 17:45 <DIR> --d--r-- c:\program files\Norton Support
2009-07-04 17:27 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-07-04 17:27 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-07-04 17:27 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-07-04 17:27 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-07-04 17:27 <DIR> --d----- c:\program files\Symantec
2009-07-04 17:26 <DIR> --d----- c:\windows\system32\drivers\N360
2009-07-04 15:55 <DIR> --d----- c:\program files\PlayMYDVD
2009-07-02 20:38 <DIR> --d-h--- c:\windows\PIF
2009-06-28 16:37 <DIR> --d----- c:\docume~1\choo\applic~1\Windows Search
2009-06-28 16:21 <DIR> --d----- c:\windows\system32\GroupPolicy
2009-06-28 16:21 <DIR> --d----- c:\program files\Windows Desktop Search
2009-06-28 16:21 192,000 -c------ c:\windows\system32\dllcache\offfilt.dll
2009-06-28 16:21 98,304 -c------ c:\windows\system32\dllcache\nlhtml.dll
2009-06-28 16:21 29,696 -c------ c:\windows\system32\dllcache\mimefilt.dll
2009-06-27 17:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-06-27 17:23 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-06-27 17:23 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-06-27 17:22 <DIR> --d----- c:\program files\Norton 360
2009-06-27 17:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCSettings
2009-06-27 17:11 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files

==================== Find3M ====================

2009-07-05 17:04 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 21:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 11:39:02.18 ===============


#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:42 PM

Posted 12 July 2009 - 09:13 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    [screenshot: ComboFix prompt offering to install the Windows Recovery Console]

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    [screenshot: ComboFix prompt shown after the Recovery Console is installed]
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 RTMallon

RTMallon
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:42 PM

Posted 13 July 2009 - 10:48 PM

Good evening,
Combofix doesn't load. The "are you sure you want to run this software?" notification box pops up and I click run and nothing happens. I let it sit for 20 minutes after I clicked run (I had nothing going besides combofix) and still nothing. I went as far as uninstalling Norton 360 (it has been malfunctioning since my computer picked up this trojan) and still couldn't get this to work. What do I do next? Thanks for the help and have a good night.

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:42 PM

Posted 14 July 2009 - 08:24 AM

Hello.

Delete your current copy of ComboFix. Download a new copy. In the Save as window, save it as ComboFix123.exe and try running it again.

With Regards,
The Panda

#7 RTMallon

RTMallon
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:42 PM

Posted 15 July 2009 - 07:47 AM

Good morning,
Combofix and GMER ran last night. The logs are below. The only change I have made to my computer since I started this thread is uninstalling and reinstalling Norton 360. Thanks for your help and have a good day.


ComboFix 09-07-14.07 - Choo 07/14/2009 21:03.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2014.1586 [GMT -7:00]
Running from: c:\documents and settings\Choo\Desktop\ComboFix123.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2009-06-15 to 2009-07-15 )))))))))))))))))))))))))))))))
.

2009-07-15 03:28 . 2009-07-14 03:50 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090714.039\NAVENG32.DLL
2009-07-15 03:28 . 2009-07-14 03:50 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090714.039\NAVEX32A.DLL
2009-07-15 03:28 . 2009-07-13 08:00 87888 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090714.039\NAVENG.SYS
2009-07-15 03:28 . 2009-07-13 08:00 875728 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090714.039\NAVEX15.SYS
2009-07-15 03:28 . 2009-07-14 03:50 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090714.039\EECTRL.SYS
2009-07-15 03:28 . 2009-07-14 03:50 101936 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090714.039\ERASER.SYS
2009-07-15 03:28 . 2009-07-14 03:50 259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090714.039\ECMSVR32.DLL
2009-07-15 03:28 . 2009-07-14 03:50 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090714.039\CCERASER.DLL
2009-07-15 03:28 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090712.001\IDSXpx86.sys
2009-07-15 03:28 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090712.001\IDSvix86.sys
2009-07-15 03:28 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090712.001\Scxpx86.dll
2009-07-15 03:28 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090712.001\IDSxpx86.dll
2009-07-15 03:28 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090712.001\IDSviA64.sys
2009-07-14 03:54 . 2009-07-14 03:50 396848 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\IDSviA64.sys
2009-07-14 03:54 . 2009-07-14 03:50 292912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\IDSvix86.sys
2009-07-14 03:54 . 2009-07-14 03:50 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\IDSXpx86.sys
2009-07-14 03:54 . 2009-07-14 03:50 447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\IDSxpx86.dll
2009-07-14 03:54 . 2009-06-22 22:51 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\Scxpx86.dll
2009-07-14 03:51 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-07-14 03:50 . 2009-07-14 03:50 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-07-14 03:50 . 2009-07-14 03:50 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-07-14 03:50 . 2009-07-14 03:50 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-07-14 03:50 . 2009-07-14 03:50 -------- d-----w- c:\program files\Symantec
2009-07-14 03:50 . 2009-07-14 03:50 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-14 03:50 . 2009-07-14 03:50 1290592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2009-07-14 03:50 . 2009-07-14 03:50 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2009-07-14 03:50 . 2009-07-14 03:50 796016 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2009-07-14 03:50 . 2009-07-14 03:50 -------- d-----w- c:\windows\system32\drivers\N360
2009-07-14 03:50 . 2009-07-14 03:50 -------- d-----w- c:\program files\Windows Sidebar
2009-07-14 03:49 . 2009-07-14 03:49 -------- d-----w- c:\program files\NortonInstaller
2009-07-11 19:34 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-07-11 19:34 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-07-11 19:34 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-07-11 19:34 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-07-11 19:34 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys
2009-07-05 00:45 . 2009-07-05 00:45 -------- d-----w- c:\documents and settings\Choo\Local Settings\Application Data\Symantec
2009-07-03 03:38 . 2009-07-03 03:38 -------- d--h--w- c:\windows\PIF
2009-06-28 23:37 . 2009-06-28 23:37 -------- d-----w- c:\documents and settings\Choo\Application Data\Windows Search
2009-06-28 23:23 . 2009-06-29 00:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-06-28 23:21 . 2009-07-04 23:56 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-28 23:21 . 2009-06-28 23:21 -------- d-----w- c:\windows\system32\GroupPolicy
2009-06-28 23:21 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-06-28 23:21 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-06-28 23:21 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-06-28 00:23 . 2009-07-14 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-06-28 00:23 . 2009-06-28 00:23 -------- d-----w- c:\documents and settings\Choo\Local Settings\Application Data\Downloaded Installations
2009-06-28 00:22 . 2009-07-14 03:50 -------- d-----w- c:\program files\Norton 360
2009-06-28 00:19 . 2009-06-28 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-06-28 00:11 . 2009-06-28 00:11 -------- d-----w- c:\documents and settings\All Users\Symantec Temporary Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-14 03:50 . 2009-07-14 03:50 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-07-14 03:50 . 2009-07-14 03:50 7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-07-14 03:50 . 2009-02-22 03:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-14 03:50 . 2009-02-22 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-07-14 03:49 . 2009-02-22 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-06 00:04 . 2009-02-22 05:52 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-06 00:04 . 2009-02-22 02:23 -------- d-----w- c:\program files\Java
2009-07-05 20:38 . 2009-02-22 02:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-05 20:37 . 2009-02-24 05:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-05 20:28 . 2009-02-22 06:31 -------- d-----w- c:\program files\DivX
2009-07-05 20:24 . 2009-02-22 18:06 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0
2009-07-05 20:14 . 2009-02-22 16:51 -------- d-----w- c:\program files\ACE Mega CoDecS Pack
2009-06-28 00:52 . 2009-02-22 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\RetroExp
2009-05-12 22:12 . 2009-02-22 02:35 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-07 15:32 . 2009-02-22 05:25 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-22 01:48 . 2009-04-22 01:48 152576 ----a-w- c:\documents and settings\Choo\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 12:26 . 2009-02-22 05:25 1847168 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-07-15_03.51.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-15 04:01 . 2009-07-15 04:01 16384 c:\windows\Temp\Perflib_Perfdata_2c8.dat
+ 2009-07-15 04:00 . 2009-07-15 04:00 16384 c:\windows\Temp\Perflib_Perfdata_298.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-27 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-06-17 118784]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-06 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Iomega StorCenter.lnk - c:\program files\Iomega StorCenter\sohoclient.exe [2009-2-21 902480]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Iomega StorCenter\\retrospect\\Retrospect.exe"=
"c:\\Program Files\\Iomega StorCenter\\retrospect\\retrorun.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Iomega StorCenter\\sohoclient.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys [7/13/2009 8:50 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.087\BHDrvx86.sys [7/13/2009 8:50 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.087\cchpx86.sys [7/13/2009 8:50 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090712.001\IDSXpx86.sys [7/14/2009 8:28 PM 276344]
R2 N360;Norton 360;c:\program files\Norton 360\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [7/13/2009 8:50 PM 115560]
S2 EraserSvc10910;Symantec Eraser Service;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [6/27/2009 5:23 PM 115560]
S3 actccid;ActivCard USB Reader V2;c:\windows\system32\DRIVERS\actccid.sys --> c:\windows\system32\DRIVERS\actccid.sys [?]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [10/17/2007 11:11 PM 56448]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-14 21:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Norton 360\Engine\3.0.0.135\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Norton 360\Engine\3.0.0.135\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4048)
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\mshtml.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
.
Completion time: 2009-07-15 21:09
ComboFix-quarantined-files.txt 2009-07-15 04:09
ComboFix2.txt 2009-07-15 03:55

Pre-Run: 146,661,711,872 bytes free
Post-Run: 146,643,886,080 bytes free

151 --- E O F --- 2009-06-30 22:02


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-15 05:42:20
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\Choo\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)

---- EOF - GMER 1.0.15 ----

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:42 PM

Posted 15 July 2009 - 08:21 AM

Hello.

Are you still getting the redirects?

Download and Run Scan with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop:
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop. If you are using Windows Vista, right click RootRepeal.exe and select Run As Administrator.
  • Click the Report tab.
  • Click the Scan button.
  • Check all six boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

With Regards,
The Panda

#9 RTMallon

RTMallon
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:42 PM

Posted 15 July 2009 - 11:10 PM

Good evening,
I ran the RootRepeal scan and the log is below. I didn't notice any redirects today but yesterday after I ran combofix and gmer I did have a couple, but they might have been self-induced as the touch pad on this laptop is rather touchy sometimes. I'll keep watching for more redirects but I tried google and it worked fine.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/15 20:44
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB0B4A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79D7000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAFAC0000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF7421000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8a2312d0

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8a429f20

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a222440

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8a34a178

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8a3c22b0

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb0ee0040

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x8a4f7de0

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x8a267300

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8a449260

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x8a49e170

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb0ee02c0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb0ee0820

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x8a2216c8

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a30a1d0

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8a4f4cb0

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8a103880

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x8a440e48

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a56e820

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x8a5cb7d0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x8a22e180

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8a3b3f88

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x8a4f0c80

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x8a32ad30

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a240160

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8a31b128

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8a4c4170

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8a30f8b8

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x8a5b2170

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb0ee0a70

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8a574548

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8a4df1b0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8a4e5d18

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8a4e7f88

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a4dc178

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a5caaf0

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x8a504ae8

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x8a4cf4f0

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x8a22c180

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x8a2672c8

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x897a1508

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x897590d0

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x898250d0

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x898620d0

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x897513c0

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x898621c8

==EOF==

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:42 PM

Posted 16 July 2009 - 09:18 AM

Hello.

That is strange. Looked like an infection tried to stop ComboFix from running, but there is nothing there.

Perhaps just a random occurrence.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select Critical Areas.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

Take a new DDS log after.

Any problems at the moment?

With Regards,
The Panda

#11 RTMallon

RTMallon
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:42 PM

Posted 18 July 2009 - 05:33 PM

The Kaspersky and DDS logs are below. Haven't had any problems lately. Seems when combofix did finally run it took care of the problem.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, July 18, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, July 18, 2009 16:45:25
Records in database: 2489134
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
Y:\
Z:\

Scan statistics:
Files scanned: 171344
Threat name: 22
Infected objects: 44
Suspicious objects: 0
Duration of the scan: 06:34:24


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Program Files\PlayMYDVD\Uninstall.exe.vir Infected: Trojan.Win32.TDSS.aioq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\MSIVXrakaerdbqperkqsnmlmgwwkolksoqiyv.sys.vir Infected: Rootkit.Win32.Agent.mig 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\MSIVXdcjttptphfdnnwlgcxrqupifpxqwyoim.dll.vir Infected: Packed.Win32.Tdss.w 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\MSIVXfcxxfqyhnnchsupmqxlweegxslmrmqbh.dll.vir Infected: Packed.Win32.Tdss.w 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\059C0ADF.exe Infected: not-a-virus:AdWare.Win32.180Solutions.am 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\603F2D5A.wmf Infected: Exploit.Win32.IMG-WMF.u 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1A192AD4.wmf Infected: Exploit.Win32.IMG-WMF.u 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7A49333A.wmf Infected: Exploit.Win32.IMG-WMF.u 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\63E526A4.exe Infected: not-a-virus:Porn-Dialer.Win32.Intexdial 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3A96747F.htm Infected: Trojan-Downloader.HTML.Agent.aa 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\F3PSSAVR.SCR Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\MWSBAR.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bc 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\F3WPHOOK.DLL Infected: not-a-virus:Monitor.Win32.Agent.c 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\F3RESTUB.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\M3PLUGIN.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.as 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\M3HTML.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bc 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\M3OUTLCN.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\F3BROVLY.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.at 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\F3HTMLMU.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.l 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\F3SHLLVW.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.aq 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\NPMYWEBS.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\MWSOESTB.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\M3MSG.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bc 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\F3SCHMON.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.a 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\F3IMSTUB.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\F3POPSWT.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\MWSOEPLG.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\M3SLSRCH.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\F3SCRCTR.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\F3DTACTL.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bc 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\F3REPROX.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\M3IDLE.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ax 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\MWSOEMON.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\F3HTTPCT.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.af 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\4.bin\F3HISTSW.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\3.bin\MWSBAR.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bd 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\3.bin\F3BROVLY.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.at 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\3.bin\F3HTMLMU.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\3.bin\MWSOESTB.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWay\bar\3.bin\MWSOEMON.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.as 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.as 1
Z:\Retrospect Copies\Babykins (C) on SASSYKINS\Program Files\Internet Explorer\msimg32.dll Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1
Z:\Retrospect Copies\Choodalums (F) on CHOOSCOMP\My Documents\Shareaza Downloads\beach boys dance do wanna you 320k bitrate quality.snd Infected: Trojan-Downloader.WMA.GetCodec.s 1

The selected area was scanned.




DDS (Ver_09-06-26.01) - NTFSx86
Run by Choo at 15:28:29.98 on Sat 07/18/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2014.1472 [GMT -7:00]

AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\PROGRA~1\IOMEGA~1\RETROS~1\retrorun.exe
C:\Program Files\Norton 360\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Iomega StorCenter\sohoclient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Choo\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\norton 360\engine\3.0.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\norton 360\engine\3.0.0.135\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\norton 360\engine\3.0.0.135\coIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\iomega~1.lnk - c:\program files\iomega storcenter\sohoclient.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\norton 360\engine\3.0.0.135\CoIEPlg.dll
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0300000.087\SymEFA.sys [2009-7-13 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0300000.087\BHDrvx86.sys [2009-7-13 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0300000.087\cchpx86.sys [2009-7-13 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090715.003\IDSXpx86.sys [2009-7-17 276344]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 N360;Norton 360;c:\program files\norton 360\norton 360\engine\3.0.0.135\ccSvcHst.exe [2009-7-13 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-7-14 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090718.003\NAVENG.SYS [2009-7-18 87888]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090718.003\NAVEX15.SYS [2009-7-18 875728]
S3 actccid;ActivCard USB Reader V2;c:\windows\system32\drivers\actccid.sys --> c:\windows\system32\drivers\actccid.sys [?]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [2007-10-17 56448]

=============== Created Last 30 ================

2009-07-14 20:53 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-14 20:33 <DIR> a-dshr-- C:\cmdcons
2009-07-14 20:31 219,648 a------- c:\windows\PEV.exe
2009-07-14 20:31 161,792 a------- c:\windows\SWREG.exe
2009-07-14 20:31 98,816 a------- c:\windows\sed.exe
2009-07-13 20:51 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-07-13 20:50 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-07-13 20:50 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-07-13 20:50 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-07-13 20:50 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-07-13 20:50 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-07-13 20:50 <DIR> --d----- c:\program files\Symantec
2009-07-13 20:50 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-07-13 20:50 <DIR> --d----- c:\windows\system32\drivers\N360
2009-07-13 20:49 <DIR> --d----- c:\program files\NortonInstaller
2009-07-05 17:04 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-02 20:38 <DIR> --d-h--- c:\windows\PIF
2009-06-28 16:37 <DIR> --d----- c:\docume~1\choo\applic~1\Windows Search
2009-06-28 16:21 <DIR> --d----- c:\windows\system32\GroupPolicy
2009-06-28 16:21 <DIR> --d----- c:\program files\Windows Desktop Search
2009-06-28 16:21 192,000 -c------ c:\windows\system32\dllcache\offfilt.dll
2009-06-28 16:21 98,304 -c------ c:\windows\system32\dllcache\nlhtml.dll
2009-06-28 16:21 29,696 -c------ c:\windows\system32\dllcache\mimefilt.dll
2009-06-27 17:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-06-27 17:22 <DIR> --d----- c:\program files\Norton 360
2009-06-27 17:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCSettings
2009-06-27 17:11 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files

==================== Find3M ====================

2009-07-05 17:04 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 21:55 78,336 a------- c:\windows\system32\ieencode.dll

============= FINISH: 15:28:45.90 ===============

Attached Files
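The Kaspersky report above lists every detection as one line of the form `<path> Infected: <threat name> <count>`, and the next reply judges the machine clean because the hits sit in ComboFix's `C:\Qoobox\Quarantine` folder, in an old Norton quarantine on the Z: backup share, or are `not-a-virus:` toolbar components rather than anything running on the system drive. As an added example, not part of this thread and not code from Kaspersky, ComboFix or any other tool mentioned here, the Python script below parses lines in that format and sorts each detection by where it lives, so quarantined and backup-volume hits can be told apart from anything still live on C:. The sample report lines are constructed for the example (the paths are hypothetical, modelled on the posted log), and the classification rules are this example's own assumptions, not a feature of the scanner.

```python
"""Triage helper for Kaspersky Online Scanner 7.0 report lines.

Added example; not code from the thread or from any scanner. The line format
'<path> Infected: <threat name> <count>' is taken from the log posted above.
The sample lines below are constructed (hypothetical paths) and the
classification rules are assumptions of this example.
"""
import re
from collections import Counter

# Constructed sample report, in the same shape as the posted Kaspersky log.
SAMPLE_REPORT = """\
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\example.dll.vir Infected: Packed.Win32.Tdss.w 1
Z:\\Backup\\Symantec\\Norton AntiVirus\\Quarantine\\059C0ADF.exe Infected: not-a-virus:AdWare.Win32.Example.am 1
Z:\\Backup\\Program Files\\ExampleBar\\bar\\4.bin\\EXAMPLE.DLL Infected: not-a-virus:WebToolbar.Win32.Example 1
C:\\Program Files\\ExampleBar\\bar.dll Infected: not-a-virus:WebToolbar.Win32.Example 1
C:\\WINDOWS\\system32\\drivers\\example.sys Infected: Rootkit.Win32.Agent.mig 1
The selected area was scanned.
"""

# One detection per line: path, the literal 'Infected:', threat name, count.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_report(text):
    """Return a list of (path, threat, count) tuples, skipping non-detection lines."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return hits


def classify(path, threat):
    """Classify where a detection lives so inert hits can be separated from active ones.

    Categories (assumptions of this example, checked in this order):
      quarantine-combofix  ComboFix's Qoobox quarantine (files renamed .vir);
                           inert, and removed when ComboFix is uninstalled.
      quarantine-av        another AV product's quarantine folder; inert.
      backup-volume        file on a drive other than C:; not running on this
                           host, but worth cleaning so it is never restored.
      pua                  Kaspersky's 'not-a-virus:' prefix (adware, toolbars);
                           lower priority than trojans or rootkits.
      live                 anything else on the system drive; look at it first.
    """
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine-combofix"
    if "\\quarantine\\" in p:
        return "quarantine-av"
    if not p.startswith("c:\\"):
        return "backup-volume"
    if threat.startswith("not-a-virus:"):
        return "pua"
    return "live"


def triage(text):
    """Summarise a report as ({category: count}, [paths classified 'live'])."""
    hits = parse_report(text)
    summary = Counter(classify(path, threat) for path, threat, _ in hits)
    live = [path for path, threat, _ in hits if classify(path, threat) == "live"]
    return dict(summary), live


if __name__ == "__main__":
    counts, live_paths = triage(SAMPLE_REPORT)
    for category, n in sorted(counts.items()):
        print(f"{category:20s} {n}")
    for path in live_paths:
        print("needs attention:", path)
```

Feed it the saved Kaspersky report instead of `SAMPLE_REPORT` to get the same breakdown for a real scan; on the log posted above every hit would land in `quarantine-combofix` or `backup-volume`, which is the same conclusion the reply below reaches by eye.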



#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:42 PM

Posted 18 July 2009 - 05:46 PM

Hello RTMallon.

Those logs look clean. Unless there are any issues at the moment, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type the following into the runbox and click OK. Notice the space between the "x" and "/".
    ComboFix /u

Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Resets clock settings to standard format.
  • Hides file extensions and hidden/system files.
  • Clears System Restore cache and creates new restore point.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:42 PM

Posted 20 July 2009 - 12:06 PM

Hello.

PP is away as said in his signature so I will continue to help you here.

Please follow his instructions in his last reply to cleanup and remove Combofix.

Let me know how it goes in your next reply.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:42 PM

Posted 23 July 2009 - 08:33 AM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad we could help.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.



