
DDS logs after root infection deleted with combofix


This topic is locked
12 replies to this topic

#1 jtsx

Posted 11 July 2009 - 12:58 PM

Hello,
My teenage daughter's PC had a very bad rootkit infection.
It took over Norton Internet Security 2009 and caused many problems on her machine:
disabled cd/dvd writers and misdirected links on the internet.

After trying malwarebytes and superantispyware the computer was still infected.

I ran Combofix and it seems to be working now.

The Combofix, Malwarebytes, Superantispyware and DDS attach logs are attached.
Malwarebytes was run first. When that didn't work, Superantispyware was run in
Safe Mode. As a last resort, Combofix was run. Since one Norton file was not
removed by Combofix, I was wondering if I should uninstall Norton and reinstall
from the CD again. Thank you for your help.

I ran DDS as instructed and the log follows:


DDS (Ver_09-06-26.01) - NTFSx86
Run by holly at 13:22:32.87 on Sat 07/11/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.164 [GMT -4:00]


============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
F:\WINDOWS\system32\spoolsv.exe
svchost.exe
F:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\WINDOWS\System32\Drivers\WTSRV.EXE
F:\WINDOWS\system32\wwSecure.exe
F:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
F:\WINDOWS\system32\WTClient.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\system32\WISPTIS.EXE
F:\Program Files\QuickTime\QTTask.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Last.fm\LastFMHelper.exe
F:\Program Files\PrintKey2000\Printkey2000.exe
F:\Program Files\WinZip\WZQKPICK.EXE
F:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
F:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\explorer.exe
F:\Documents and Settings\holly\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - f:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - f:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: FlpLauncher Class: {4401fdc3-7996-4774-8d2b-c1ae9cd6cc25} - f:\program files\e-book systems\flipalbum 5 pro\FpLaunch.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - f:\program files\norton internet security\engine\16.0.0.125\coIEPlg.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - f:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - f:\program files\norton internet security\engine\16.0.0.125\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - f:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - f:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Ask Toolbar BHO: {f4d76f01-7896-458a-890f-e1f05c46069f} - f:\program files\askpbar\bar\1.bin\ASKPBAR.DLL
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - f:\program files\canon\easy-webprint\Toolband.dll
TB: Ask Toolbar: {f4d76f09-7896-458a-890f-e1f05c46069f} - f:\program files\askpbar\bar\1.bin\ASKPBAR.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - f:\program files\norton internet security\engine\16.0.0.125\coIEPlg.dll
TB: {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
mRun: [Adobe Version Cue CS2] "f:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
mRun: [Acrobat Assistant 7.0] "f:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
mRun: [WTClient] WTClient.exe
mRun: [NvCplDaemon] RUNDLL32.EXE f:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [StxTrayMenu] "f:\program files\seagate\systemtray\StxMenuMgr.exe"
mRun: [iTunesHelper] "f:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE f:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [UpdReg] f:\windows\UpdReg.EXE
mRun: [Jet Detection] "f:\program files\creative\sblive\program\ADGJDet.exe"
mRun: [QuickTime Task] "f:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - f:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - f:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\lastfm~1.lnk - f:\program files\last.fm\LastFMHelper.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - f:\program files\printkey2000\Printkey2000.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - f:\program files\ralink\common\RaUI.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - f:\program files\winzip\WZQKPICK.EXE
mPolicies-explorer: HonorAutoRunSetting = 0 (0x0)
mPolicies-explorer: <NO NAME> = 3
IE: Convert link target to Adobe PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - f:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - f:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - f:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - f:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: doginhispen.com
Trusted Zone: whataboutadog.com
Trusted Zone: whataboutarabit.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://go.microsoft.com/fwlink/?LinkId=82580
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: !SASWinLogon - f:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - f:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - f:\docume~1\holly\applic~1\mozilla\firefox\profiles\gyk88ysn.default\
FF - component: f:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: f:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: f:\documents and settings\holly\application data\mozilla\firefox\profiles\gyk88ysn.default\extensions\{0c7e3f01-99e9-4095-9bdc-f84724960b57}\plugins\NPCpnMgr.dll
FF - plugin: f:\program files\adobe\adobe acrobat 7.0\acrobat\browser\nppdf32.dll
FF - plugin: f:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: f:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;f:\windows\system32\drivers\nis\1000000.07d\SymEFA.sys [2009-6-12 309296]
R1 BHDrvx86;Symantec Heuristics Driver;f:\windows\system32\drivers\nis\1000000.07d\BHDrvx86.sys [2009-6-12 254512]
R1 ccHP;Symantec Hash Provider;f:\windows\system32\drivers\nis\1000000.07d\ccHPx86.sys [2009-6-12 362544]
R1 IDSxpx86;IDSxpx86;f:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090709.001\IDSXpx86.sys [2009-7-10 276344]
R1 SASDIFSV;SASDIFSV;f:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;f:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 Norton Internet Security;Norton Internet Security;f:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [2009-6-12 115560]
R2 Seagate Sync Service;Seagate Sync Service;f:\program files\seagate\sync\SeaSyncServices.exe [2007-1-18 24120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;f:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-12 101936]
R3 NAVENG;NAVENG;f:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090710.067\naveng.sys [2009-7-11 89104]
R3 NAVEX15;NAVEX15;f:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090710.067\navex15.sys [2009-7-11 876144]
R3 PTSimBus;PenTablet Bus Enumerator;f:\windows\system32\drivers\PTSimBus.sys [2007-6-7 18944]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;f:\windows\system32\drivers\PTSimHid.sys [2007-4-23 10752]
S3 SASENUM;SASENUM;f:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2009-07-11 09:15 <DIR> -cd----- f:\windows\system32\dllcache\cache
2009-07-11 08:25 <DIR> a-dshr-- F:\cmdcons
2009-07-10 21:43 161,792 a------- f:\windows\SWREG.exe
2009-07-10 21:43 98,816 a------- f:\windows\sed.exe
2009-07-10 13:46 <DIR> --d----- f:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-10 13:46 <DIR> --d----- f:\program files\SUPERAntiSpyware
2009-07-10 13:46 <DIR> --d----- f:\docume~1\holly\applic~1\SUPERAntiSpyware.com
2009-07-10 13:45 <DIR> --d----- f:\program files\common files\Wise Installation Wizard
2009-07-09 22:08 <DIR> --d----- f:\docume~1\holly\applic~1\Malwarebytes
2009-07-09 22:07 38,160 a------- f:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 22:07 19,096 a------- f:\windows\system32\drivers\mbam.sys
2009-07-09 22:07 <DIR> --d----- f:\program files\Malwarebytes' Anti-Malware
2009-07-09 22:07 <DIR> --d----- f:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-07 15:22 <DIR> --d--r-- f:\program files\Norton Support
2009-06-24 21:36 21,504 ac------ f:\windows\system32\dllcache\hidserv.dll
2009-06-24 21:36 21,504 a------- f:\windows\system32\hidserv.dll
2009-06-24 21:36 14,848 ac------ f:\windows\system32\dllcache\kbdhid.sys
2009-06-24 21:36 14,848 a------- f:\windows\system32\drivers\kbdhid.sys
2009-06-12 19:29 <DIR> --dsh--- f:\documents and settings\holly\PrivacIE
2009-06-12 19:25 <DIR> --dsh--- f:\documents and settings\holly\IETldCache
2009-06-12 18:56 <DIR> --d----- f:\windows\system32\XPSViewer
2009-06-12 18:54 597,504 -c------ f:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-12 18:54 575,488 -c------ f:\windows\system32\dllcache\xpsshhdr.dll
2009-06-12 18:54 89,088 -c------ f:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-12 18:54 575,488 -------- f:\windows\system32\xpsshhdr.dll
2009-06-12 18:54 117,760 -------- f:\windows\system32\prntvpt.dll
2009-06-12 18:54 1,676,288 -c------ f:\windows\system32\dllcache\xpssvcs.dll
2009-06-12 18:54 1,676,288 -------- f:\windows\system32\xpssvcs.dll
2009-06-12 18:45 <DIR> --d----- f:\program files\MSXML 6.0
2009-06-12 18:41 <DIR> --d----- f:\windows\ie8updates
2009-06-12 18:41 102,912 -c------ f:\windows\system32\dllcache\iecompat.dll
2009-06-12 18:37 <DIR> -cd-h--- f:\windows\ie8
2009-06-12 17:41 35,888 a----r-- f:\windows\system32\drivers\SymIM.sys
2009-06-12 17:41 124,464 a------- f:\windows\system32\drivers\SYMEVENT.SYS
2009-06-12 17:41 60,808 a------- f:\windows\system32\S32EVNT1.DLL
2009-06-12 17:41 10,635 a------- f:\windows\system32\drivers\SYMEVENT.CAT
2009-06-12 17:41 806 a------- f:\windows\system32\drivers\SYMEVENT.INF
2009-06-12 17:41 <DIR> --d----- f:\program files\Symantec
2009-06-12 17:40 <DIR> --d----- f:\windows\system32\drivers\NIS
2009-06-12 17:40 <DIR> --d----- f:\program files\Norton Internet Security
2009-06-12 17:40 <DIR> --d----- f:\docume~1\alluse~1\applic~1\Norton
2009-06-12 17:36 <DIR> --d----- f:\program files\NortonInstaller
2009-06-12 17:36 <DIR> --d----- f:\docume~1\alluse~1\applic~1\NortonInstaller

==================== Find3M ====================

2009-05-07 11:44 344,064 a------- f:\windows\system32\localspl.dll
2009-04-29 00:55 78,336 -------- f:\windows\system32\ieencode.dll
2009-04-17 05:58 1,846,656 a------- f:\windows\system32\win32k.sys
2009-04-15 11:11 584,192 a------- f:\windows\system32\rpcrt4.dll
2008-06-26 21:58 47,360 a------- f:\docume~1\holly\applic~1\pcouffin.sys
2007-11-04 15:24 33,810,889 a------- f:\program files\FretsOnFire-1.2.512-win32.exe
2007-10-01 21:50 9,024,472 a------- f:\program files\trillian-v3[1].1.7.0.exe

============= FINISH: 13:23:34.23 ===============


Edited by jtsx, 11 July 2009 - 01:30 PM.



#2 fireman4it

Posted 19 July 2009 - 08:48 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 jtsx

Posted 21 July 2009 - 04:10 PM

I had previously run the DDS.scr and the log is in my original post with the other logs of the scans I ran including
combofix. The computer seems to be working now. I just want to make sure there is nothing left in the logs I need
to remove. Thank you for your help.

Mary Ann

#4 m0le

Posted 23 July 2009 - 05:37 PM

Hi jtsx,

Fireman4it has requested new DDS logs because there is an eleven-day gap between the original post and the last one. This is a long enough time for things to change quite a lot on a computer - especially if there is still malware operating on it.

Combofix should not be run without supervision as it is an extremely powerful malware removal tool. Please post the Combofix log if you still have it so I can see what it has removed.

Please also post the new DDS logs.

Thanks
m0le is a proud member of UNITE
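The point above is that the first and second DDS runs have to be compared before anything is judged clean. As an added illustration (not part of this thread and not a BleepingComputer or DDS tool), the script below parses the "Pseudo HJT Report" section of two DDS logs, lists the entries that appeared or disappeared between runs, and flags entries that are still registered but point at "No File". The two sample logs inside it are constructed from lines in the format this thread's logs use; the section and entry patterns are assumptions drawn from those logs only.

```python
"""Compare the 'Pseudo HJT Report' sections of two DDS logs (illustrative example)."""
import re

# Section headers in a DDS log look like
# "============== Pseudo HJT Report ===============".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# Entry prefixes DDS prints in the Pseudo HJT Report that are worth diffing.
# Lines such as "uStart Page = ..." carry no "key:" prefix and are skipped.
ENTRY_RE = re.compile(
    r"^(BHO|TB|EB|uRun|mRun|uURLSearchHooks|StartupFolder|mPolicies-explorer|IE|"
    r"Trusted Zone|DPF|Handler|Notify|SSODL|SEH):\s*(.*)$"
)


def parse_sections(log_text):
    """Return {section name: [non-blank lines]} for one DDS log."""
    sections, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current and line:
            sections[current].append(line)
    return sections


def hjt_entries(log_text):
    """Set of (entry type, rest of line) tuples from the Pseudo HJT Report."""
    entries = set()
    for line in parse_sections(log_text).get("Pseudo HJT Report", []):
        m = ENTRY_RE.match(line)
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def orphaned(entries):
    """Entries whose CLSID is still registered but whose file is gone."""
    return {e for e in entries if e[1].endswith("- No File")}


def diff_logs(old_text, new_text):
    """Entries added, removed, or left dangling between two DDS runs."""
    old, new = hjt_entries(old_text), hjt_entries(new_text)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "orphaned": sorted(orphaned(new)),
    }


def report(diff):
    """Render the comparison as plain text suitable for posting with the logs."""
    lines = []
    for label in ("added", "removed", "orphaned"):
        lines.append(f"{label} ({len(diff[label])}):")
        lines.extend(f"  {kind}: {rest}" for kind, rest in diff[label])
    return "\n".join(lines)


# Constructed sample logs, modelled on the DDS output format in this thread
# (only the lines needed for the comparison are included).
OLD_LOG = r"""
DDS (Ver_09-06-26.01) - NTFSx86

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - f:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - No File
Trusted Zone: whataboutadog.com

================= FIREFOX ===================

FF - plugin: f:\program files\mozilla firefox\plugins\npCouponPrinter.dll
"""

NEW_LOG = r"""
DDS (Ver_09-06-26.01) - NTFSx86

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - No File
Trusted Zone: whataboutadog.com
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - f:\program files\norton internet security\engine\16.5.0.135\CoIEPlg.dll

================= FIREFOX ===================

FF - plugin: f:\program files\mozilla firefox\plugins\npCouponPrinter.dll
"""

if __name__ == "__main__":
    print(report(diff_logs(OLD_LOG, NEW_LOG)))
```

Run it against two saved DDS.txt files by reading them into the two strings; the "orphaned" list is where stale CLSIDs such as the "No File" BHO and toolbar in this thread show up.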

#5 jtsx

Posted 23 July 2009 - 10:29 PM

Hello,
Here are the new logs and the combofix. Thanks for the help.


DDS (Ver_09-06-26.01) - NTFSx86
Run by holly at 23:13:04.81 on Thu 07/23/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.193 [GMT -4:00]


============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
F:\WINDOWS\system32\spoolsv.exe
svchost.exe
F:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\WINDOWS\System32\Drivers\WTSRV.EXE
F:\WINDOWS\system32\wwSecure.exe
F:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
F:\WINDOWS\system32\WTClient.exe
F:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
F:\WINDOWS\system32\WISPTIS.EXE
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\system32\CTHELPER.EXE
F:\Program Files\QuickTime\QTTask.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Last.fm\LastFMHelper.exe
F:\Program Files\PrintKey2000\Printkey2000.exe
F:\Program Files\RALINK\Common\RaUI.exe
F:\Program Files\WinZip\WZQKPICK.EXE
F:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
F:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Documents and Settings\holly\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - f:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - f:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: FlpLauncher Class: {4401fdc3-7996-4774-8d2b-c1ae9cd6cc25} - f:\program files\e-book systems\flipalbum 5 pro\FpLaunch.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - f:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - f:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - f:\program files\norton internet security\engine\16.5.0.135\IPSBHO.DLL
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - f:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Ask Toolbar BHO: {f4d76f01-7896-458a-890f-e1f05c46069f} - f:\program files\askpbar\bar\1.bin\ASKPBAR.DLL
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - f:\program files\canon\easy-webprint\Toolband.dll
TB: Ask Toolbar: {f4d76f09-7896-458a-890f-e1f05c46069f} - f:\program files\askpbar\bar\1.bin\ASKPBAR.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - f:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
TB: {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
mRun: [Adobe Version Cue CS2] "f:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
mRun: [Acrobat Assistant 7.0] "f:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
mRun: [WTClient] WTClient.exe
mRun: [NvCplDaemon] RUNDLL32.EXE f:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [StxTrayMenu] "f:\program files\seagate\systemtray\StxMenuMgr.exe"
mRun: [iTunesHelper] "f:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE f:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [UpdReg] f:\windows\UpdReg.EXE
mRun: [Jet Detection] "f:\program files\creative\sblive\program\ADGJDet.exe"
mRun: [QuickTime Task] "f:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "f:\program files\java\jre6\bin\jusched.exe"
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - f:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - f:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\lastfm~1.lnk - f:\program files\last.fm\LastFMHelper.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - f:\program files\printkey2000\Printkey2000.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - f:\program files\ralink\common\RaUI.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - f:\program files\winzip\WZQKPICK.EXE
mPolicies-explorer: HonorAutoRunSetting = 0 (0x0)
mPolicies-explorer: <NO NAME> = 3
IE: Convert link target to Adobe PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - f:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - f:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - f:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - f:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: doginhispen.com
Trusted Zone: whataboutadog.com
Trusted Zone: whataboutarabit.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://go.microsoft.com/fwlink/?LinkId=82580
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - f:\program files\norton internet security\engine\16.5.0.135\CoIEPlg.dll
Notify: !SASWinLogon - f:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - f:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - f:\docume~1\holly\applic~1\mozilla\firefox\profiles\gyk88ysn.default\
FF - component: f:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: f:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: f:\documents and settings\holly\application data\mozilla\firefox\profiles\gyk88ysn.default\extensions\{0c7e3f01-99e9-4095-9bdc-f84724960b57}\plugins\NPCpnMgr.dll
FF - plugin: f:\program files\adobe\adobe acrobat 7.0\acrobat\browser\nppdf32.dll
FF - plugin: f:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: f:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;f:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-6-13 310320]
R1 BHDrvx86;Symantec Heuristics Driver;f:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-6-13 258608]
R1 ccHP;Symantec Hash Provider;f:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-6-13 482352]
R1 IDSxpx86;IDSxpx86;f:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090715.003\IDSXpx86.sys [2009-7-17 276344]
R1 SASDIFSV;SASDIFSV;f:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;f:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 Norton Internet Security;Norton Internet Security;f:\program files\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-6-13 115560]
R2 Seagate Sync Service;Seagate Sync Service;f:\program files\seagate\sync\SeaSyncServices.exe [2007-1-18 24120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;f:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-12 101936]
R3 NAVENG;NAVENG;f:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090723.056\NAVENG.SYS [2009-7-23 87888]
R3 NAVEX15;NAVEX15;f:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090723.056\NAVEX15.SYS [2009-7-23 875728]
R3 PTSimBus;PenTablet Bus Enumerator;f:\windows\system32\drivers\PTSimBus.sys [2007-6-7 18944]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;f:\windows\system32\drivers\PTSimHid.sys [2007-4-23 10752]
S3 SASENUM;SASENUM;f:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2009-07-16 20:19 36,400 a----r-- f:\windows\system32\drivers\SymIM.sys
2009-07-13 18:43 73,728 a------- f:\windows\system32\javacpl.cpl
2009-07-13 17:49 410,984 a------- f:\windows\system32\deploytk.dll
2009-07-12 14:08 <DIR> --d----- f:\documents and settings\holly\.SunDownloadManager
2009-07-11 09:15 <DIR> -cd----- f:\windows\system32\dllcache\cache
2009-07-11 08:25 <DIR> a-dshr-- F:\cmdcons
2009-07-10 21:43 161,792 a------- f:\windows\SWREG.exe
2009-07-10 21:43 98,816 a------- f:\windows\sed.exe
2009-07-10 13:46 <DIR> --d----- f:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-10 13:46 <DIR> --d----- f:\program files\SUPERAntiSpyware
2009-07-10 13:46 <DIR> --d----- f:\docume~1\holly\applic~1\SUPERAntiSpyware.com
2009-07-10 13:45 <DIR> --d----- f:\program files\common files\Wise Installation Wizard
2009-07-09 22:08 <DIR> --d----- f:\docume~1\holly\applic~1\Malwarebytes
2009-07-09 22:07 38,160 a------- f:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 22:07 19,096 a------- f:\windows\system32\drivers\mbam.sys
2009-07-09 22:07 <DIR> --d----- f:\program files\Malwarebytes' Anti-Malware
2009-07-09 22:07 <DIR> --d----- f:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-07 15:22 <DIR> --d--r-- f:\program files\Norton Support
2009-06-24 21:36 21,504 ac------ f:\windows\system32\dllcache\hidserv.dll
2009-06-24 21:36 21,504 a------- f:\windows\system32\hidserv.dll
2009-06-24 21:36 14,848 ac------ f:\windows\system32\dllcache\kbdhid.sys
2009-06-24 21:36 14,848 a------- f:\windows\system32\drivers\kbdhid.sys

==================== Find3M ====================

2009-07-11 15:00 124,464 a------- f:\windows\system32\drivers\SYMEVENT.SYS
2009-07-11 15:00 60,808 a------- f:\windows\system32\S32EVNT1.DLL
2009-07-11 15:00 7,386 a------- f:\windows\system32\drivers\SYMEVENT.CAT
2009-07-11 15:00 805 a------- f:\windows\system32\drivers\SYMEVENT.INF
2009-05-07 11:44 344,064 a------- f:\windows\system32\localspl.dll
2009-04-29 00:55 78,336 -------- f:\windows\system32\ieencode.dll
2008-06-26 21:58 47,360 a------- f:\docume~1\holly\applic~1\pcouffin.sys
2007-11-04 15:24 33,810,889 a------- f:\program files\FretsOnFire-1.2.512-win32.exe
2007-10-01 21:50 9,024,472 a------- f:\program files\trillian-v3[1].1.7.0.exe

============= FINISH: 23:14:00.59 ===============

ComboFix 09-07-09.08 - holly 07/11/2009 8:45.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.99 [GMT -4:00]
Running from: f:\documents and settings\holly\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\documents and settings\holly\Application Data\inst.exe
f:\recycler\NPROTECT\00121819.
f:\recycler\NPROTECT\00121821.
f:\recycler\NPROTECT\00127676.
f:\recycler\NPROTECT\00127677.
f:\recycler\NPROTECT\00127692.
f:\recycler\NPROTECT\00127693.
f:\recycler\NPROTECT\00129469.
f:\recycler\NPROTECT\00129497.
f:\recycler\NPROTECT\00129498.
f:\recycler\NPROTECT\00129532.
f:\recycler\NPROTECT\00129533.
f:\windows\COUPON~1.OCX
f:\windows\CouponPrinter.ocx
f:\windows\Downloaded Program Files\CpnMgr.dll
f:\windows\Downloaded Program Files\ODCTOOLS
f:\windows\system32\BSTIEPrintCtl1.dll
f:\windows\system32\drivers\hjgruixvdyiurr.sys
f:\windows\system32\hjgruifqjewsqo.dll
f:\windows\system32\hjgruiilrqaknm.dll
f:\windows\system32\hjgruiqoqooruy.dat
f:\windows\system32\hjgruixummbwfv.dat
f:\windows\system32\WgaLogon.dll
f:\recycler\NPROTECT . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruisipxmkmk


((((((((((((((((((((((((( Files Created from 2009-06-11 to 2009-07-11 )))))))))))))))))))))))))))))))
.

2009-07-11 13:02 . 2009-06-12 21:40 165240 ----a-r- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-07-11 12:15 . 2009-07-05 14:05 89104 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090710.067\naveng.sys
2009-07-11 12:15 . 2009-07-05 14:05 876144 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090710.067\navex15.sys
2009-07-11 12:15 . 2009-07-05 14:05 371248 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090710.067\eeCtrl.sys
2009-07-11 12:15 . 2009-07-05 14:05 259368 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090710.067\ecmsvr32.dll
2009-07-11 12:15 . 2009-07-05 14:05 2414128 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090710.067\cceraser.dll
2009-07-11 12:15 . 2009-07-05 14:05 177520 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090710.067\naveng32.dll
2009-07-11 12:15 . 2009-07-05 14:05 1181040 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090710.067\navex32a.dll
2009-07-11 12:15 . 2009-07-05 14:05 101936 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090710.067\eraser.sys
2009-07-11 01:21 . 2009-06-26 03:16 533880 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\Scxpx86.dll
2009-07-11 01:21 . 2009-06-26 03:16 447864 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\IDSxpx86.dll
2009-07-11 01:21 . 2009-06-26 03:16 292912 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\IDSvix86.sys
2009-07-11 01:21 . 2009-06-26 03:16 276344 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\IDSXpx86.sys
2009-07-11 01:21 . 2009-06-26 03:16 396848 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\IDSviA64.sys
2009-07-10 17:58 . 2009-07-10 17:58 117760 ----a-w- f:\documents and settings\Administrator.ANY-D9PXOIS4JVX\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-10 17:57 . 2009-07-10 17:57 -------- d-----w- f:\documents and settings\Administrator.ANY-D9PXOIS4JVX\Application Data\SUPERAntiSpyware.com
2009-07-10 17:47 . 2009-07-10 17:48 117760 ----a-w- f:\documents and settings\holly\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-10 17:46 . 2009-07-10 17:46 -------- d-----w- f:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-10 17:46 . 2009-07-10 17:46 -------- d-----w- f:\program files\SUPERAntiSpyware
2009-07-10 17:46 . 2009-07-10 17:46 -------- d-----w- f:\documents and settings\holly\Application Data\SUPERAntiSpyware.com
2009-07-10 17:45 . 2009-07-10 17:45 -------- d-----w- f:\program files\Common Files\Wise Installation Wizard
2009-07-10 17:13 . 2009-07-10 17:13 -------- d-sh--w- f:\documents and settings\Administrator.ANY-D9PXOIS4JVX\PrivacIE
2009-07-10 16:46 . 2009-07-10 16:46 -------- d-----w- f:\documents and settings\Administrator.ANY-D9PXOIS4JVX\Application Data\Malwarebytes
2009-07-10 16:46 . 2009-07-10 16:46 -------- d-sh--w- f:\documents and settings\Administrator.ANY-D9PXOIS4JVX\IETldCache
2009-07-10 07:00 . 2009-07-05 14:05 89104 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090709.049\naveng.sys
2009-07-10 07:00 . 2009-07-05 14:05 876144 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090709.049\navex15.sys
2009-07-10 07:00 . 2009-07-05 14:05 371248 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090709.049\eeCtrl.sys
2009-07-10 07:00 . 2009-07-05 14:05 259368 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090709.049\ecmsvr32.dll
2009-07-10 07:00 . 2009-07-05 14:05 2414128 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090709.049\cceraser.dll
2009-07-10 07:00 . 2009-07-05 14:05 177520 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090709.049\naveng32.dll
2009-07-10 07:00 . 2009-07-05 14:05 1181040 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090709.049\navex32a.dll
2009-07-10 07:00 . 2009-07-05 14:05 101936 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090709.049\eraser.sys
2009-07-10 02:08 . 2009-07-10 02:08 -------- d-----w- f:\documents and settings\holly\Application Data\Malwarebytes
2009-07-10 02:07 . 2009-06-17 15:27 38160 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2009-07-10 02:07 . 2009-07-10 02:08 -------- d-----w- f:\program files\Malwarebytes' Anti-Malware
2009-07-10 02:07 . 2009-07-10 02:07 -------- d-----w- f:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-10 02:07 . 2009-06-17 15:27 19096 ----a-w- f:\windows\system32\drivers\mbam.sys
2009-07-07 19:22 . 2009-07-07 19:22 -------- d-----r- f:\program files\Norton Support
2009-07-07 19:21 . 2009-07-07 19:21 -------- d-----w- f:\documents and settings\holly\Local Settings\Application Data\Symantec
2009-07-07 18:06 . 2009-07-07 18:06 -------- d-sh--w- f:\windows\system32\config\systemprofile\IETldCache
2009-07-07 17:29 . 2009-06-26 03:16 533880 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090707.001\Scxpx86.dll
2009-07-07 17:29 . 2009-06-26 03:16 447864 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090707.001\IDSxpx86.dll
2009-07-07 17:29 . 2009-06-26 03:16 396848 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090707.001\IDSviA64.sys
2009-07-07 17:29 . 2009-06-26 03:16 292912 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090707.001\IDSvix86.sys
2009-07-07 17:29 . 2009-06-26 03:16 276344 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090707.001\IDSXpx86.sys
2009-06-25 01:36 . 2004-08-04 04:56 21504 -c--a-w- f:\windows\system32\dllcache\hidserv.dll
2009-06-25 01:36 . 2004-08-04 04:56 21504 ----a-w- f:\windows\system32\hidserv.dll
2009-06-25 01:36 . 2004-08-04 02:58 14848 -c--a-w- f:\windows\system32\dllcache\kbdhid.sys
2009-06-25 01:36 . 2004-08-04 02:58 14848 ----a-w- f:\windows\system32\drivers\kbdhid.sys
2009-06-14 16:32 . 2009-06-14 16:32 -------- d-sh--w- f:\documents and settings\LocalService\IETldCache
2009-06-12 23:30 . 2009-06-12 23:30 -------- d-----w- f:\documents and settings\holly\Local Settings\Application Data\PCHealth
2009-06-12 23:29 . 2009-06-12 23:29 -------- d-sh--w- f:\documents and settings\holly\PrivacIE
2009-06-12 23:25 . 2009-06-12 23:25 -------- d-sh--w- f:\documents and settings\holly\IETldCache
2009-06-12 22:58 . 2009-06-12 22:58 209416 ----a-w- f:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-12 22:56 . 2009-06-12 22:56 -------- d-----w- f:\windows\system32\XPSViewer
2009-06-12 22:56 . 2009-06-12 22:56 -------- d-----w- f:\program files\MSBuild
2009-06-12 22:56 . 2009-06-12 22:56 -------- d-----w- f:\program files\Reference Assemblies
2009-06-12 22:54 . 2008-07-06 12:06 89088 -c----w- f:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-12 22:54 . 2008-07-06 12:06 575488 -c----w- f:\windows\system32\dllcache\xpsshhdr.dll
2009-06-12 22:54 . 2008-07-06 12:06 575488 ------w- f:\windows\system32\xpsshhdr.dll
2009-06-12 22:54 . 2008-07-06 12:06 117760 ------w- f:\windows\system32\prntvpt.dll
2009-06-12 22:54 . 2008-07-06 10:50 597504 -c----w- f:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-12 22:54 . 2008-07-06 12:06 1676288 -c----w- f:\windows\system32\dllcache\xpssvcs.dll
2009-06-12 22:54 . 2008-07-06 12:06 1676288 ------w- f:\windows\system32\xpssvcs.dll
2009-06-12 22:45 . 2009-06-12 22:45 -------- d-----w- f:\program files\MSXML 6.0
2009-06-12 22:41 . 2009-06-12 22:41 -------- d-----w- f:\windows\ie8updates
2009-06-12 22:41 . 2009-05-12 05:11 102912 -c----w- f:\windows\system32\dllcache\iecompat.dll
2009-06-12 22:37 . 2009-06-12 22:40 -------- dc-h--w- f:\windows\ie8
2009-06-12 21:42 . 2009-06-12 21:40 546160 ----a-r- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2009-06-12 21:41 . 2009-06-12 21:41 35888 ----a-r- f:\windows\system32\drivers\SymIM.sys
2009-06-12 21:41 . 2009-06-12 21:41 -------- d-----w- f:\program files\Symantec
2009-06-12 21:41 . 2009-06-12 21:41 60808 ----a-w- f:\windows\system32\S32EVNT1.DLL
2009-06-12 21:41 . 2009-06-12 21:41 124464 ----a-w- f:\windows\system32\drivers\SYMEVENT.SYS
2009-06-12 21:40 . 2009-06-12 21:40 1294680 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2009-06-12 21:40 . 2009-06-12 21:40 136840 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2009-06-12 21:40 . 2009-06-12 21:40 796016 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2009-06-12 21:40 . 2009-06-13 15:34 -------- d-----w- f:\windows\system32\drivers\NIS
2009-06-12 21:40 . 2009-06-12 21:40 -------- d-----w- f:\program files\Norton Internet Security
2009-06-12 21:40 . 2009-06-12 21:40 -------- d-----w- f:\program files\Windows Sidebar
2009-06-12 21:40 . 2009-06-12 21:40 -------- d-----w- f:\documents and settings\All Users\Application Data\Norton
2009-06-12 21:36 . 2009-06-12 21:37 -------- d-----w- f:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-12 21:36 . 2009-06-12 21:36 -------- d-----w- f:\program files\NortonInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-11 13:00 . 2009-05-23 14:46 24 ----a-w- f:\windows\system32\DVCStateBkp-{00000002-00000000-00000009-00001102-00000002-80221102}.dat
2009-07-11 13:00 . 2009-05-23 14:46 24 ----a-w- f:\windows\system32\DVCState-{00000002-00000000-00000009-00001102-00000002-80221102}.dat
2009-07-07 18:39 . 2007-07-19 03:08 -------- d-----w- f:\documents and settings\All Users\Application Data\DVD Shrink
2009-06-26 03:16 . 2009-03-16 20:03 533880 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-06-26 03:16 . 2009-01-29 21:50 276344 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-06-26 03:16 . 2009-01-29 21:50 292912 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-06-26 03:16 . 2009-01-29 21:50 447864 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-06-26 03:16 . 2009-01-29 21:50 396848 ----a-w- f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys
2009-06-12 23:38 . 2007-07-23 16:00 108936 ----a-w- f:\documents and settings\holly\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-12 22:12 . 2007-07-13 01:12 -------- d-----w- f:\documents and settings\All Users\Application Data\Symantec
2009-06-12 21:43 . 2007-07-13 01:12 -------- d-----w- f:\program files\Common Files\Symantec Shared
2009-06-12 21:41 . 2009-06-12 21:41 806 ----a-w- f:\windows\system32\drivers\SYMEVENT.INF
2009-06-12 21:41 . 2009-06-12 21:41 10635 ----a-w- f:\windows\system32\drivers\SYMEVENT.CAT
2009-06-06 22:36 . 2009-06-06 22:36 152576 ----a-w- f:\documents and settings\holly\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-06-04 16:44 . 2009-06-04 16:44 -------- d-----w- f:\program files\Davidson
2009-05-25 20:26 . 2007-07-28 20:41 -------- d-----w- f:\program files\QuickTime
2009-05-22 23:21 . 2009-05-22 20:48 -------- d-----w- f:\program files\iPod
2009-05-22 22:58 . 2009-05-22 22:09 -------- d-----w- f:\program files\Creative
2009-05-22 22:57 . 2007-07-13 03:15 -------- d--h--w- f:\program files\InstallShield Installation Information
2009-05-22 20:51 . 2007-07-28 01:34 -------- d-----w- f:\documents and settings\holly\Application Data\RipIt4Me
2009-05-22 20:51 . 2009-03-05 19:15 -------- d-----w- f:\documents and settings\holly\Application Data\ri4mupdater
2009-05-22 20:50 . 2008-06-27 01:58 -------- d-----w- f:\program files\DVDFab 5
2009-05-22 20:48 . 2009-05-22 20:48 -------- d-----w- f:\program files\Bonjour
2009-05-22 20:48 . 2009-04-18 17:40 -------- d-----w- f:\program files\Bonjour(2)
2009-05-22 20:48 . 2007-07-28 20:42 -------- d-----w- f:\program files\iTunes
2009-05-22 20:48 . 2009-05-22 20:48 -------- d-----w- f:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-05-22 20:48 . 2009-04-18 17:47 -------- d-----w- f:\program files\iPod(2)
2009-05-22 20:48 . 2007-07-28 20:39 -------- d-----w- f:\program files\Common Files\Apple
2009-05-07 15:44 . 2004-08-04 04:56 344064 ----a-w- f:\windows\system32\localspl.dll
2009-04-29 04:55 . 2009-04-29 04:55 78336 ------w- f:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2004-08-04 03:17 1846656 ----a-w- f:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-08-04 04:56 584192 ----a-w- f:\windows\system32\rpcrt4.dll
2007-11-04 19:24 . 2007-11-04 19:16 33810889 ----a-w- f:\program files\FretsOnFire-1.2.512-win32.exe
2007-10-02 01:50 . 2007-10-02 01:50 9024472 ----a-w- f:\program files\trillian-v3[1].1.7.0.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-12-14 06:12 . 2004-12-14 06:12 483328 f:\program files\Adobe\Adobe Acrobat 7.0\Distillr\bak\Acrotray.exe
2004-12-14 06:12 . 2004-12-14 06:12 483328 f:\program files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe

2005-04-04 22:58 . 2005-04-04 22:58 856064 f:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\bak\VersionCueCS2Tray.exe

2006-09-14 11:55 . 2006-09-14 11:55 61440 f:\program files\Adobe\Photoshop Elements 5.0\bak\apdproxy.exe

2007-07-26 01:35 . 2006-03-22 01:30 1191936 f:\program files\Canon\MyPrinter\bak\BJMyPrt.exe

2003-09-30 04:14 . 2003-09-30 04:14 155648 f:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe

2005-02-03 03:21 . 2005-02-03 03:21 58488 f:\program files\Common Files\Symantec Shared\bak\ccApp.exe

2007-07-14 02:06 . 2004-11-03 00:24 32768 f:\program files\CyberLink\PowerDVD\bak\PDVDServ.exe

2007-07-10 13:18 . 2007-07-10 13:18 270648 f:\program files\iTunes\bak\iTunesHelper.exe
2008-11-20 18:20 . 2008-11-20 18:20 290088 f:\program files\iTunes\iTunesHelper.exe

2007-08-05 15:00 . 2007-07-12 08:00 132496 f:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe

2007-06-29 10:24 . 2007-06-29 10:24 286720 f:\program files\QuickTime\bak\QTTask.exe
2009-01-05 20:18 . 2009-01-05 20:18 413696 f:\program files\QuickTime\QTTask.exe

2006-03-21 17:19 . 2006-03-21 17:19 69632 f:\program files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe

2007-07-15 02:55 . 2005-08-08 17:49 1110016 f:\program files\Webroot\Washer\bak\wwDisp.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-05-27 14:06 66912 ----a-w- f:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="f:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Version Cue CS2"="f:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [N/A]
"Acrobat Assistant 7.0"="f:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"StxTrayMenu"="f:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"iTunesHelper"="f:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"UpdReg"="f:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="f:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"QuickTime Task"="f:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"WTClient"="WTClient.exe" - f:\windows\system32\WTClient.exe [2007-04-11 40960]
"nwiz"="nwiz.exe" - f:\windows\system32\nwiz.exe [2003-10-06 741376]
"WINDVDPatch"="CTHELPER.EXE" - f:\windows\system32\CTHELPER.EXE [2002-07-02 24576]

f:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - f:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-7-13 25214]
Adobe Gamma.lnk - f:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Last.fm Helper.lnk - f:\program files\Last.fm\LastFMHelper.exe [2007-9-9 110592]
Printkey2000.lnk - f:\program files\PrintKey2000\Printkey2000.exe [2007-7-14 869376]
Ralink Wireless Utility.lnk - f:\program files\RALINK\Common\RaUI.exe [2008-12-19 1114112]
WinZip Quick Pick.lnk - f:\program files\WinZip\WZQKPICK.EXE [2007-7-13 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)
"<NO NAME>"= 3

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- f:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"f:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
"f:\\Program Files\\Last.fm\\LastFM.exe"=
"f:\\Program Files\\Trillian\\trillian.exe"=
"f:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"f:\\Program Files\\FrostWire\\FrostWire.exe"=
"f:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"f:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymEFA;Symantec Extended File Attributes;f:\windows\system32\drivers\NIS\1000000.07D\SymEFA.sys [6/12/2009 5:41 PM 309296]
R1 BHDrvx86;Symantec Heuristics Driver;f:\windows\system32\drivers\NIS\1000000.07D\BHDrvx86.sys [6/12/2009 5:41 PM 254512]
R1 ccHP;Symantec Hash Provider;f:\windows\system32\drivers\NIS\1000000.07D\ccHPx86.sys [6/12/2009 5:41 PM 362544]
R1 IDSxpx86;IDSxpx86;f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\IDSXpx86.sys [7/10/2009 9:21 PM 276344]
R1 SASDIFSV;SASDIFSV;f:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;f:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 Norton Internet Security;Norton Internet Security;f:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [6/12/2009 5:40 PM 115560]
R2 Seagate Sync Service;Seagate Sync Service;f:\program files\Seagate\Sync\SeaSyncServices.exe [1/18/2007 2:20 PM 24120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;f:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/12/2009 4:00 AM 101936]
R3 PTSimBus;PenTablet Bus Enumerator;f:\windows\system32\drivers\PTSimBus.sys [6/7/2007 1:16 PM 18944]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;f:\windows\system32\drivers\PTSimHid.sys [4/23/2007 11:28 AM 10752]
S3 SASENUM;SASENUM;f:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"f:\windows\system32\rundll32.exe" "f:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - f:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - f:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - f:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - f:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - f:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - f:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
Trusted Zone: doginhispen.com
Trusted Zone: whataboutadog.com
Trusted Zone: whataboutarabit.com
FF - ProfilePath - f:\documents and settings\holly\Application Data\Mozilla\Firefox\Profiles\gyk88ysn.default\
FF - component: f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: f:\documents and settings\holly\Application Data\Mozilla\Firefox\Profiles\gyk88ysn.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - plugin: f:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: f:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - f:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-11 09:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"f:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"f:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\b4fm.SxContextMenu1\Clsid]
@DACL=(02 0000)
@="{1C311AAA-D8B1-4A0A-BEE5-2387FEC583DA}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1C311AAA-D8B1-4A0A-BEE5-2387FEC583DA}\InprocServer32]
@DACL=(02 0000)
@="f:\\WINDOWS\\system32\\b4fm.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1C311AAA-D8B1-4A0A-BEE5-2387FEC583DA}\ProgID]
@DACL=(02 0000)
@="b4fm.SxContextMenu1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)
f:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3664)
f:\windows\system32\ieframe.dll
f:\windows\system32\webcheck.dll
f:\windows\system32\WPDShServiceObj.dll
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
f:\program files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
f:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
f:\program files\Bonjour\mDNSResponder.exe
f:\windows\system32\nvsvc32.exe
f:\windows\system32\drivers\WTSrv.exe
f:\windows\system32\wwSecure.exe
f:\windows\system32\rundll32.exe
f:\windows\system32\WISPTIS.EXE
f:\program files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
f:\windows\system32\wscntfy.exe
f:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-11 9:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-11 13:21

Pre-Run: 3,827,507,200 bytes free
Post-Run: 7,192,416,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
f:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="/fastdetect" /fastdetect

337 --- E O F --- 2009-05-22 21:11

Attached Files



#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:18 AM

Posted 24 July 2009 - 06:13 PM

Okay jtsx, Combofix has removed a rootkit so we really only need to do a couple of scans to check there's nothing left.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Then

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
If your PC is clean these two logs should be (and they probably will be :thumbup2: ) clear.
m0le is a proud member of UNITE

#7 jtsx

jtsx
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:18 PM

Posted 25 July 2009 - 10:37 AM

Hello,
Malwarebytes log shows no infection as well as my Norton Internet Security.
The BitDefender did find one Trojan that was deleted. I don't know why the other
two programs didn't find it. The logs follow:

Thanks again,
Mary Ann


Malwarebytes' Anti-Malware 1.39
Database version: 2496
Windows 5.1.2600 Service Pack 2

7/25/2009 8:19:37 AM
mbam-log-2009-07-25 (08-19-37).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 261363
Time elapsed: 3 hour(s), 29 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




BitDefender Online Scanner

Scan report generated at: Sat, Jul 25, 2009 - 10:46:14
Scan path: A:\;C:\;D:\;E:\;F:\;

Statistics
Time: 02:04:11
Files: 435340
Folders: 16650
Boot Sectors: 0
Archives: 3388
Packed Files: 24218

Results
Identified Viruses: 1
Infected Files: 5
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 5

Engines Info
Virus Definitions: 3849638
Engine build: AVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008 17:19:14)
Scan plugins: 17
Archive plugins: 45
Unpack plugins: 7
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status
F:\Documents and Settings\holly\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-43cf34ab
  Infected with: Trojan.CryptRedol.Gen.3
  Deleted
F:\Qoobox\Quarantine\F\WINDOWS\system32\drivers\hjgruixvdyiurr.sys.vir
  Infected with: Trojan.CryptRedol.Gen.3
  Deleted
F:\Qoobox\Quarantine\F\WINDOWS\system32\hjgruiilrqaknm.dll.vir
  Infected with: Trojan.CryptRedol.Gen.3
  Deleted
F:\System Volume Information\_restore{2E4BD30A-3878-4BD3-9018-F2C8FFEBD76A}\RP684\A0130174.sys
  Infected with: Trojan.CryptRedol.Gen.3
  Deleted
F:\System Volume Information\_restore{2E4BD30A-3878-4BD3-9018-F2C8FFEBD76A}\RP684\A0130175.dll
  Infected with: Trojan.CryptRedol.Gen.3
  Deleted

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:18 AM

Posted 25 July 2009 - 10:50 AM

jtsx wrote: "The BitDefender did find one Trojan that was deleted. I don't know why the other two programs didn't find it"


BitDefender searches different areas than the other two and has found infections in relatively safe places like the restore folder, the Java cache and Combofix's quarantine folder. The first and third will be dealt with in the final instructions, the second we will sort out below.

The good news is that, for all intents and purposes, that BitDefender log was clean really.

Let's do a quick clean up and see where we're at.


Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
Then

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go
to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

Then close Firefox and then reopen it.

Finally,

Please post new DDS logs.
m0le is a proud member of UNITE
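The point m0le makes above, that a hit in ComboFix's quarantine folder, a System Restore point or the Java deployment cache is not a running infection, is something a responder can apply mechanically when reading a scan report. The script below is an added example and is not code from BleepingComputer, BitDefender or ComboFix: it parses the flattened "Scanned File / Status" layout of the BitDefender report pasted earlier in this thread, labels each detection by where it was found, and lists only the hits outside those inert locations. SAMPLE_REPORT is constructed from the paths in that report plus one made-up path (example-live.dll) so the contrasting case is visible; the location rules are assumptions about path layout, not scanner output.

```python
"""Triage antivirus detections by the location they were found in.

Added example, not code from BleepingComputer, BitDefender or ComboFix.
The input layout mirrors the flattened "Scanned File / Status" section of
the BitDefender report pasted earlier in this thread; SAMPLE_REPORT is
constructed from the paths in that report plus one made-up path
(example-live.dll) to show the contrasting case.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: each path appears twice, first with the detection
# name and then with the action the scanner took.
SAMPLE_REPORT = r"""
F:\Documents and Settings\holly\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-43cf34ab
Infected with: Trojan.CryptRedol.Gen.3
F:\Documents and Settings\holly\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-43cf34ab
Deleted
F:\Qoobox\Quarantine\F\WINDOWS\system32\drivers\hjgruixvdyiurr.sys.vir
Infected with: Trojan.CryptRedol.Gen.3
F:\Qoobox\Quarantine\F\WINDOWS\system32\drivers\hjgruixvdyiurr.sys.vir
Deleted
F:\System Volume Information\_restore{2E4BD30A-3878-4BD3-9018-F2C8FFEBD76A}\RP684\A0130174.sys
Infected with: Trojan.CryptRedol.Gen.3
F:\System Volume Information\_restore{2E4BD30A-3878-4BD3-9018-F2C8FFEBD76A}\RP684\A0130174.sys
Deleted
F:\WINDOWS\system32\example-live.dll
Infected with: Trojan.CryptRedol.Gen.3
F:\WINDOWS\system32\example-live.dll
Deleted
"""

# Location rules (assumed path layouts), checked in order; the label says
# why a hit there is inert rather than a running infection.
LOCATION_RULES = [
    ("\\qoobox\\quarantine\\", "combofix-quarantine"),          # neutralised copy kept by ComboFix
    ("\\system volume information\\_restore", "restore-point"),  # only revived by a System Restore
    ("\\sun\\java\\deployment\\cache\\", "java-cache"),          # only runs if the applet is reloaded
]

PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Detection:
    path: str
    name: str
    action: str
    location: str


def classify_location(path: str) -> str:
    """Map a path to one of the inert locations above, else 'active-location'."""
    low = path.lower()
    for needle, label in LOCATION_RULES:
        if needle in low:
            return label
    return "active-location"


def parse_report(text: str) -> List[Detection]:
    """Pair each path line with the status line that follows it, then merge
    the detection name and the action for the same path into one record."""
    pairs = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            pending = line
        elif pending is not None:
            pairs.append((pending, line))
            pending = None
    merged: Dict[str, Dict[str, str]] = {}
    for path, status in pairs:
        rec = merged.setdefault(path, {"name": "", "action": ""})
        if status.startswith("Infected with:"):
            rec["name"] = status.split(":", 1)[1].strip()
        else:
            rec["action"] = status
    return [Detection(p, r["name"], r["action"], classify_location(p))
            for p, r in merged.items()]


def summarize(dets: List[Detection]) -> Dict[str, int]:
    """Count detections per location label."""
    counts: Dict[str, int] = {}
    for d in dets:
        counts[d.location] = counts.get(d.location, 0) + 1
    return counts


def active_hits(dets: List[Detection]) -> List[Detection]:
    """Detections outside quarantine, restore points and the Java cache:
    these point at live code and justify a further scan."""
    return [d for d in dets if d.location == "active-location"]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarize(found))
    for d in active_hits(found):
        print("review:", d.path, d.name, d.action)
```

Run against the report in this thread, every hit lands in one of the three inert labels and active_hits comes back empty, which is the reasoning behind "that BitDefender log was clean really". The quarantine and restore-point hits go away when ComboFix is uninstalled and restore points are purged; the Java cache hit is what the JavaRa step addresses.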

#9 jtsx

jtsx
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:18 PM

Posted 25 July 2009 - 12:48 PM

Hello,
Here is the new DDS log after JavaRa and ATF Cleaner:


DDS (Ver_09-06-26.01) - NTFSx86
Run by holly at 13:35:55.50 on Sat 07/25/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.100 [GMT -4:00]


============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
F:\WINDOWS\system32\spoolsv.exe
svchost.exe
F:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\WINDOWS\System32\Drivers\WTSRV.EXE
F:\WINDOWS\system32\wwSecure.exe
F:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
F:\WINDOWS\system32\WTClient.exe
F:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
F:\WINDOWS\system32\WISPTIS.EXE
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\system32\CTHELPER.EXE
F:\Program Files\QuickTime\QTTask.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Last.fm\LastFMHelper.exe
F:\Program Files\PrintKey2000\Printkey2000.exe
F:\Program Files\RALINK\Common\RaUI.exe
F:\Program Files\WinZip\WZQKPICK.EXE
F:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
F:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\System32\svchost.exe -k HTTPFilter
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Documents and Settings\holly\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - f:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - f:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: FlpLauncher Class: {4401fdc3-7996-4774-8d2b-c1ae9cd6cc25} - f:\program files\e-book systems\flipalbum 5 pro\FpLaunch.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - f:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - f:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - f:\program files\norton internet security\engine\16.5.0.135\IPSBHO.DLL
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - f:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Ask Toolbar BHO: {f4d76f01-7896-458a-890f-e1f05c46069f} - f:\program files\askpbar\bar\1.bin\ASKPBAR.DLL
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - f:\program files\canon\easy-webprint\Toolband.dll
TB: Ask Toolbar: {f4d76f09-7896-458a-890f-e1f05c46069f} - f:\program files\askpbar\bar\1.bin\ASKPBAR.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - f:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
TB: {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
mRun: [Adobe Version Cue CS2] "f:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
mRun: [Acrobat Assistant 7.0] "f:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
mRun: [WTClient] WTClient.exe
mRun: [NvCplDaemon] RUNDLL32.EXE f:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [StxTrayMenu] "f:\program files\seagate\systemtray\StxMenuMgr.exe"
mRun: [iTunesHelper] "f:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE f:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [UpdReg] f:\windows\UpdReg.EXE
mRun: [Jet Detection] "f:\program files\creative\sblive\program\ADGJDet.exe"
mRun: [QuickTime Task] "f:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "f:\program files\java\jre6\bin\jusched.exe"
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - f:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - f:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\lastfm~1.lnk - f:\program files\last.fm\LastFMHelper.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - f:\program files\printkey2000\Printkey2000.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - f:\program files\ralink\common\RaUI.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - f:\program files\winzip\WZQKPICK.EXE
mPolicies-explorer: HonorAutoRunSetting = 0 (0x0)
mPolicies-explorer: <NO NAME> = 3
IE: Convert link target to Adobe PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - f:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - f:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - f:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - f:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - f:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: doginhispen.com
Trusted Zone: whataboutadog.com
Trusted Zone: whataboutarabit.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://go.microsoft.com/fwlink/?LinkId=82580
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - f:\program files\norton internet security\engine\16.5.0.135\CoIEPlg.dll
Notify: !SASWinLogon - f:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - f:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - f:\docume~1\holly\applic~1\mozilla\firefox\profiles\gyk88ysn.default\
FF - component: f:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: f:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: f:\documents and settings\holly\application data\mozilla\firefox\profiles\gyk88ysn.default\extensions\{0c7e3f01-99e9-4095-9bdc-f84724960b57}\plugins\NPCpnMgr.dll
FF - plugin: f:\program files\adobe\adobe acrobat 7.0\acrobat\browser\nppdf32.dll
FF - plugin: f:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: f:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;f:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-6-13 310320]
R1 BHDrvx86;Symantec Heuristics Driver;f:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-6-13 258608]
R1 ccHP;Symantec Hash Provider;f:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-6-13 482352]
R1 IDSxpx86;IDSxpx86;f:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090715.003\IDSXpx86.sys [2009-7-17 276344]
R1 SASDIFSV;SASDIFSV;f:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;f:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 Norton Internet Security;Norton Internet Security;f:\program files\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-6-13 115560]
R2 Seagate Sync Service;Seagate Sync Service;f:\program files\seagate\sync\SeaSyncServices.exe [2007-1-18 24120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;f:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-12 101936]
R3 NAVENG;NAVENG;f:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090725.003\NAVENG.SYS [2009-7-25 87888]
R3 NAVEX15;NAVEX15;f:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090725.003\NAVEX15.SYS [2009-7-25 875728]
R3 PTSimBus;PenTablet Bus Enumerator;f:\windows\system32\drivers\PTSimBus.sys [2007-6-7 18944]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;f:\windows\system32\drivers\PTSimHid.sys [2007-4-23 10752]
S3 SASENUM;SASENUM;f:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2009-07-16 20:19 36,400 a----r-- f:\windows\system32\drivers\SymIM.sys
2009-07-13 18:43 73,728 a------- f:\windows\system32\javacpl.cpl
2009-07-13 17:49 410,984 a------- f:\windows\system32\deploytk.dll
2009-07-12 14:08 <DIR> --d----- f:\documents and settings\holly\.SunDownloadManager
2009-07-11 09:15 <DIR> -cd----- f:\windows\system32\dllcache\cache
2009-07-11 08:25 <DIR> a-dshr-- F:\cmdcons
2009-07-10 21:43 161,792 a------- f:\windows\SWREG.exe
2009-07-10 21:43 98,816 a------- f:\windows\sed.exe
2009-07-10 13:46 <DIR> --d----- f:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-10 13:46 <DIR> --d----- f:\program files\SUPERAntiSpyware
2009-07-10 13:46 <DIR> --d----- f:\docume~1\holly\applic~1\SUPERAntiSpyware.com
2009-07-10 13:45 <DIR> --d----- f:\program files\common files\Wise Installation Wizard
2009-07-09 22:08 <DIR> --d----- f:\docume~1\holly\applic~1\Malwarebytes
2009-07-09 22:07 38,160 a------- f:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 22:07 19,096 a------- f:\windows\system32\drivers\mbam.sys
2009-07-09 22:07 <DIR> --d----- f:\program files\Malwarebytes' Anti-Malware
2009-07-09 22:07 <DIR> --d----- f:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-07 15:22 <DIR> --d--r-- f:\program files\Norton Support

==================== Find3M ====================

2009-07-11 15:00 124,464 a------- f:\windows\system32\drivers\SYMEVENT.SYS
2009-07-11 15:00 60,808 a------- f:\windows\system32\S32EVNT1.DLL
2009-07-11 15:00 7,386 a------- f:\windows\system32\drivers\SYMEVENT.CAT
2009-07-11 15:00 805 a------- f:\windows\system32\drivers\SYMEVENT.INF
2009-05-07 11:44 344,064 a------- f:\windows\system32\localspl.dll
2009-04-29 00:55 78,336 -------- f:\windows\system32\ieencode.dll
2008-06-26 21:58 47,360 a------- f:\docume~1\holly\applic~1\pcouffin.sys
2007-11-04 15:24 33,810,889 a------- f:\program files\FretsOnFire-1.2.512-win32.exe
2007-10-01 21:50 9,024,472 a------- f:\program files\trillian-v3[1].1.7.0.exe

============= FINISH: 13:37:40.77 ===============

Attached Files



#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:18 AM

Posted 25 July 2009 - 01:20 PM

That's looking very nice, jtsx. :thumbup2:

One more thing, the Ask toolbar is not recommended. This toolbar enhances internet browsing and provides a direct link to the "ask.com" search engine. This program is not known to be bundled with spyware; the company strongly denies that the toolbar is malware.

Please read why here.

If you choose to remove it then follow the instructions below.

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click (or right-click, if you are using Vista) the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

askpbar

Additional instructions can be found here if needed.

But the logs are now clean!!

Good stuff! :)

Let's do some housekeeping

Delete ComboFix and Clean Up
Click Start > Run and type combofix /u click OK (Note the space between combofix and /u)
Please advise if this step is missed for any reason as it performs some important actions.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double-click the OTC icon to start the program. If you are using Vista, please right-click and choose Run as administrator
  • Then click the big button in the OTC window.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
I recommend that you download HostsMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Start menu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select at least one of the three (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click the update button to retrieve updates.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Here's some advice on how you can keep your PC clean

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


That's it jtsx, happy surfing!

Cheers,


m0le
m0le is a proud member of UNITE
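The HostsMan advice above relies on one property of a managed hosts file: blocklist entries map unwanted names to 0.0.0.0 or 127.0.0.1 so they never resolve, while any entry that maps a name to some other address silently redirects it (either a deliberate custom entry, which the note says you must re-add yourself, or something to look into). The script below is an added example, not HostsMan's or BleepingComputer's code: it parses a hosts file, sorts entries into localhost, sinkhole, redirect and invalid, and reports which names are redirected rather than blocked. SAMPLE_HOSTS and every name and address in it are constructed for the example.

```python
"""Review a Windows hosts file: which entries block, which redirect.

Added example, not HostsMan's or BleepingComputer's code.  SAMPLE_HOSTS
is constructed for this example; the sinkhole address set is an
assumption about how managed blocklists are written.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Addresses a blocklist uses to make a name resolve to nothing useful.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}

SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# blocklist lines as a managed hosts file would add them (constructed)
0.0.0.0 ads.example-tracker.test
0.0.0.0 malware-host.example.test   # trailing comment
127.0.0.1 banner.example.test
# custom entry for a machine on the LAN (constructed)
192.168.1.20    buildbox.lan
# entry that silently sends a public name elsewhere (constructed)
10.9.8.7        www.example-update-site.test
not-an-address  broken.example
"""


@dataclass
class HostsEntry:
    address: str
    names: List[str]
    kind: str  # "localhost", "sinkhole", "redirect" or "invalid"


def classify(address: str, names: List[str]) -> str:
    """Label one hosts line by what its address does to the names."""
    try:
        ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    if address in SINKHOLE_ADDRS:
        if all(n.lower() == "localhost" for n in names):
            return "localhost"
        return "sinkhole"
    return "redirect"


def parse_hosts(text: str) -> List[HostsEntry]:
    """One entry per non-comment line: first token is the address, the rest
    are host names; anything after '#' is a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        if not names:
            continue  # an address with no names maps nothing; skip it
        entries.append(HostsEntry(address, names, classify(address, names)))
    return entries


def review(entries: List[HostsEntry]) -> Dict[str, object]:
    """Counts per kind plus the names that are redirected rather than blocked."""
    counts: Dict[str, int] = {}
    redirected: List[str] = []
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
        if e.kind == "redirect":
            redirected.extend(e.names)
    return {"counts": counts, "redirected": redirected}


def lookup(entries: List[HostsEntry], name: str) -> Optional[str]:
    """Address the hosts file would hand back for a name (first match wins,
    case-insensitively, as the resolver does), or None if absent."""
    wanted = name.lower()
    for e in entries:
        if wanted in (n.lower() for n in e.names):
            return e.address
    return None


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    result = review(parsed)
    print(result["counts"])
    for name in result["redirected"]:
        print("redirected, check this entry:", name, "->", lookup(parsed, name))
```

To check a real machine, feed parse_hosts the contents of %SystemRoot%\system32\drivers\etc\hosts; a healthy managed file shows only localhost and sinkhole entries plus the custom ones you added yourself, so anything listed under "redirected" that you did not put there deserves a look.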

#11 jtsx

jtsx
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:18 PM

Posted 25 July 2009 - 07:16 PM

Thank you so much!!! I followed all your instructions to clean up the computer and
it seems to be running great. Thanks again for everything!

Mary Ann :thumbup2:

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:18 AM

Posted 26 July 2009 - 03:59 AM

You're welcome, jtsx. :thumbup2:
m0le is a proud member of UNITE

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:18 AM

Posted 30 July 2009 - 04:56 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



