pop ups/cant install antivirus or malware removers


16 replies to this topic

#1 thejayman
  • Members
  • 9 posts

Posted 01 August 2009 - 02:43 PM

Thank you for your time. I had Norton 360 3.0 on my computer that detected a virus called packed generic 200 that it could not remove. It was recommended by a friend to use Avast to remove it. Which it did, or at least it said it did, and the problems stopped for a few weeks. However my Norton 360 would not work properly and Norton advised remove and reinstall. The removal worked but I cannot reinstall; I can download but not open. I have tried to use Malwarebytes removal, but it will not run though it appears to have installed. I have pop-ups while surfing that do not open to a site; one is listed as (url.urtlk.com). But my biggest problem is that I cannot open many sites that I normally use and Internet Explorer is slow/freezes. I also have very questionable search responses. Any help would be much appreciated. Thank you, thejayman.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Jason F at 14:19:40.34 on Sat 08/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.702 [GMT -5:00]

AV: avast! antivirus 4.8.1335 [VPS 090801-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Jason F\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/bin/search?p={searchTerms}
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant =
uCustomizeSearch =
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CTStartup] "c:\program files\creative\splash screen\CTEaxSpl.EXE" /run
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [POINTER] c:\program files\microsoft hardware\mouse\point32.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [CamMonitor] c:\program files\hewlett-packard\digital imaging\\unload\hpqcmon.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\jasonf~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: <NO NAME> =
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZKxdm011YYUS
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
Trusted Zone: chase.com
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} - file://d:\components\hidinputmonitorx.ocx
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} - file://d:\components\A9.ocx
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: a0b6e283382 - c:\windows\system32\__c00C20B7.dat
Notify: a0b6e283648 - c:\windows\system32\CTMEDENG32.dll
Notify: __c007F8BE - c:\windows\system32\__c007F8BE.dat
Notify: __c00C3726 - c:\windows\system32\__c00C3726.dat
AppInit_DLLs: c:\windows\system32\CTMEDENG32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [2004-8-19 23035]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2004-8-19 89610]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-19 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-19 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-6-19 138680]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2004-8-23 12160]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-6-19 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-6-19 352920]
S3 oflpydin;oflpydin;\??\c:\docume~1\jasonf~1\locals~1\temp\oflpydin.sys --> c:\docume~1\jasonf~1\locals~1\temp\oflpydin.sys [?]
S4 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]

=============== Created Last 30 ================

2009-08-01 14:06 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-01 14:06 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-01 14:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-01 14:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-01 13:35 <DIR> --dsh--- c:\windows\system32\SystemX86
2009-08-01 04:13 0 a------- c:\windows\system32\6B.tmp
2009-07-30 06:13 0 a------- c:\windows\system32\AD.tmp
2009-07-25 16:19 0 a------- c:\windows\system32\42.tmp
2009-07-21 22:03 0 a------- c:\windows\system32\2.tmp
2009-07-18 15:29 615 a------- c:\windows\system32\Gyg4ezb.vbs
2009-07-18 15:29 615 a------- c:\windows\system32\ykBfodSj8OHHX.vbs
2009-07-18 15:28 550 a--sh--- c:\windows\system32\GroupPolicy000.dat
2009-07-18 15:28 0 a------- c:\windows\system32\39.tmp
2009-07-18 15:28 121,344 a------- c:\windows\system32\CTMEDENG32.dll
2009-07-18 15:28 615 a------- c:\windows\system32\bIsEqv8nocnXn.vbs

==================== Find3M ====================

2009-06-29 11:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 11:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 11:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-19 09:25 6,250 a------- c:\windows\system32\uacinit.dll
2009-06-17 12:43 94,208 a------- c:\windows\DUMP8e74.tmp
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-02-14 22:07 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2008-03-19 16:10 21,872 a------- c:\docume~1\jasonf~1\applic~1\GDIPFONTCACHEV1.DAT
2004-11-24 01:54 23,040 a------- c:\program files\01001226.dot
2009-03-12 05:51 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009031220090313\index.dat

============= FINISH: 14:21:17.56 ===============

#2 Elise (Bleepin' Blonde)
  • Malware Study Hall Admin
  • 61,257 posts
  • Gender:Female
  • Location:Romania

Posted 10 August 2009 - 12:49 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 thejayman (Topic Starter)
  • Members
  • 9 posts

Posted 11 August 2009 - 05:46 PM

Thank you for taking the time to help me. I have attached the info as requested. I hope this is correct. Thanks again, Jason
DDS (Ver_09-07-30.01) - NTFSx86
Run by Jason F at 17:40:18.53 on Tue 08/11/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.622 [GMT -5:00]

AV: avast! antivirus 4.8.1335 [VPS 090811-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jason F\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/bin/search?p={searchTerms}
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant =
uCustomizeSearch =
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [CTStartup] "c:\program files\creative\splash screen\CTEaxSpl.EXE" /play
mRun: [CTStartup] "c:\program files\creative\splash screen\CTEaxSpl.EXE" /run
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [POINTER] c:\program files\microsoft hardware\mouse\point32.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [CamMonitor] c:\program files\hewlett-packard\digital imaging\\unload\hpqcmon.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\jasonf~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: <NO NAME> =
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZKxdm011YYUS
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
Trusted Zone: chase.com
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} - file://d:\components\hidinputmonitorx.ocx
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} - file://d:\components\A9.ocx
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: a0b6e283382 - c:\windows\system32\__c00C20B7.dat
Notify: a0b6e283648 - c:\windows\system32\CTMEDENG32.dll
Notify: __c007F8BE - c:\windows\system32\__c007F8BE.dat
Notify: __c00C3726 - c:\windows\system32\__c00C3726.dat
AppInit_DLLs: c:\windows\system32\CTMEDENG32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [2004-8-19 23035]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2004-8-19 89610]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-19 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-19 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-6-19 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-6-19 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-6-19 352920]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2004-8-23 12160]
S3 oflpydin;oflpydin;\??\c:\docume~1\jasonf~1\locals~1\temp\oflpydin.sys --> c:\docume~1\jasonf~1\locals~1\temp\oflpydin.sys [?]
S4 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]

=============== Created Last 30 ================

2009-08-11 17:12 <DIR> --dsh--- c:\windows\system32\SystemX86
2009-08-11 04:28 0 a------- c:\windows\system32\95.tmp
2009-08-08 12:52 0 a------- c:\windows\system32\111.tmp
2009-08-07 12:56 0 a------- c:\windows\system32\BF.tmp
2009-08-06 07:45 0 a------- c:\windows\system32\3.tmp
2009-08-04 02:02 0 a------- c:\windows\system32\EC.tmp
2009-08-01 14:06 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-01 14:06 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-01 14:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-01 14:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-01 04:13 0 a------- c:\windows\system32\6B.tmp
2009-07-30 06:13 0 a------- c:\windows\system32\AD.tmp
2009-07-25 16:19 0 a------- c:\windows\system32\42.tmp
2009-07-21 22:03 0 a------- c:\windows\system32\2.tmp
2009-07-18 15:29 615 a------- c:\windows\system32\Gyg4ezb.vbs
2009-07-18 15:29 615 a------- c:\windows\system32\ykBfodSj8OHHX.vbs
2009-07-18 15:28 589 a--sh--- c:\windows\system32\GroupPolicy000.dat
2009-07-18 15:28 0 a------- c:\windows\system32\39.tmp
2009-07-18 15:28 121,344 a------- c:\windows\system32\CTMEDENG32.dll
2009-07-18 15:28 615 a------- c:\windows\system32\bIsEqv8nocnXn.vbs

==================== Find3M ====================

2009-06-29 11:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 11:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 11:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-19 09:25 6,250 a------- c:\windows\system32\uacinit.dll
2009-06-17 12:43 94,208 a------- c:\windows\DUMP8e74.tmp
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-02-14 22:07 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2008-03-19 16:10 21,872 a------- c:\docume~1\jasonf~1\applic~1\GDIPFONTCACHEV1.DAT
2004-11-24 01:54 23,040 a------- c:\program files\01001226.dot
2009-03-12 05:51 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009031220090313\index.dat

============= FINISH: 17:42:10.59 ===============
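The DDS logs Jason posted are the kind of thing helpers on this board read by eye: Winlogon Notify entries, the AppInit_DLLs value, a driver registered from a temp folder, and the .vbs and hidden files that turned up in system32 within the last 30 days. The script below is an added example, not part of this thread and not how DDS or ComboFix work; it parses the DDS sections and applies a handful of first-look heuristics I chose myself (a hit is a reason to look closer, not a verdict). The sample lines are copied from the second DDS log above.

```python
"""Quick triage of a DDS log, the kind posted in this thread.

Added example: not part of the thread, and not DDS, ComboFix or
BleepingComputer code. The heuristics are my own first-look rules.
"""
import re
from dataclasses import dataclass

# Sample lines copied from the second DDS log posted in this thread.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
Notify: a0b6e283382 - c:\windows\system32\__c00C20B7.dat
Notify: a0b6e283648 - c:\windows\system32\CTMEDENG32.dll
AppInit_DLLs: c:\windows\system32\CTMEDENG32.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-19 114768]
S3 oflpydin;oflpydin;\??\c:\docume~1\jasonf~1\locals~1\temp\oflpydin.sys --> c:\docume~1\jasonf~1\locals~1\temp\oflpydin.sys [?]

=============== Created Last 30 ================

2009-08-01 14:06 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-18 15:29 615 a------- c:\windows\system32\Gyg4ezb.vbs
2009-07-18 15:28 550 a--sh--- c:\windows\system32\GroupPolicy000.dat
2009-07-18 15:28 121,344 a------- c:\windows\system32\CTMEDENG32.dll

============= FINISH: 17:42:10.59 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# "date time" size attributes path
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{8})\s+(.+)$")
SYSTEM32 = "c:\\windows\\system32\\"
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd")
AUTOSTART_KINDS = ("uRun", "mRun", "uRunOnce", "mRunOnce", "Notify", "AppInit_DLLs")


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: str


def parse_sections(text):
    """Split a DDS log into {section name: [non-blank lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def autostart_entries(hjt_lines):
    """Yield (kind, path, line) for the autostart lines of the Pseudo HJT Report."""
    for line in hjt_lines:
        kind, sep, rest = line.partition(":")
        if not sep or kind not in AUTOSTART_KINDS:
            continue
        rest = rest.strip()
        if kind == "Notify":
            rest = rest.partition(" - ")[2]                # drop the registry value name
        elif kind.endswith("Run") or kind.endswith("RunOnce"):
            rest = re.sub(r"^\[[^\]]*\]\s*", "", rest)     # drop the [value name] tag
        yield kind, rest.strip(), line


def triage(text):
    """Return Findings for autostart, driver and new-file lines worth a second look."""
    sections = parse_sections(text)
    findings = []
    autostart_paths = set()

    for kind, path, line in autostart_entries(sections.get("Pseudo HJT Report", [])):
        autostart_paths.add(path.lower())
        # Winlogon Notify packages are DLLs loaded by winlogon; a .dat here is odd.
        if kind == "Notify" and not path.lower().endswith(".dll"):
            findings.append(Finding("notify_not_dll", path, line))
        # AppInit_DLLs is loaded into every process that loads user32; rarely set legitimately.
        if kind == "AppInit_DLLs" and path:
            findings.append(Finding("appinit_dlls_set", path, line))

    for line in sections.get("SERVICES / DRIVERS", []):
        # Vendors do not register kernel drivers out of a user's temp folder.
        if re.search(r"\\temp\\", line, re.IGNORECASE):
            parts = line.split(";")
            image = parts[2].split(" --> ")[0] if len(parts) > 2 else line
            findings.append(Finding("driver_from_temp", image, line))

    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        size, attrs, path = m.group(2), m.group(3), m.group(4)
        lp = path.lower()
        directly_in_system32 = lp.startswith(SYSTEM32) and "\\" not in lp[len(SYSTEM32):]
        if directly_in_system32 and lp.endswith(SCRIPT_EXTS):
            findings.append(Finding("script_in_system32", path, line))
        # 's' and 'h' in the attribute column: hidden + system, a common way to hide data files.
        if size != "<DIR>" and "s" in attrs and "h" in attrs:
            findings.append(Finding("hidden_system_file", path, line))
        # A file created in the last 30 days that is already wired into an autostart point.
        if lp in autostart_paths:
            findings.append(Finding("new_file_in_autostart", path, line))
    return findings


def summarize(findings):
    """Group flagged paths by rule for a quick read-out."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.rule, []).append(f.path)
    return {rule: sorted(paths) for rule, paths in grouped.items()}


if __name__ == "__main__":
    for rule, paths in summarize(triage(SAMPLE_DDS)).items():
        print(rule)
        for p in paths:
            print("   ", p)
```

Run against the sample it flags exactly the items a helper would ask about first (the two .dat/.vbs files, the AppInit DLL that also shows up as newly created, the temp-folder driver) and stays quiet on the avast! and Malwarebytes drivers. To use it on a real log, read the saved DDS.txt into `triage()` instead of `SAMPLE_DDS`.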

#4 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 14 August 2009 - 08:51 AM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

That looks like a nasty infection.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 thejayman (Topic Starter)
  • Members
  • 9 posts

Posted 17 August 2009 - 07:46 PM

Thank you for your time, I really do appreciate it. I have followed your instructions and ran ComboFix and attached the log. I tried to run GMER as instructed about ten times, and a few minutes in the computer crashes every time. I was able to run Malwarebytes Anti-Malware, which I could not do before I ran ComboFix. I have attached that log also. Another good thing is that I was able to reinstall Norton 360 again and it appears to function with the exception of the full system scan; every time I run the full scan, about 5-10 minutes in the computer crashes. Again, I could not reinstall 360 before I ran ComboFix.
On a good note the computer is running better, even the search results are better. However the pop-ups continue. And every time I run Malwarebytes it removes infected items. So is my computer doomed? Again I thank you for your time, Jason

Attached Files



#6 thejayman (Topic Starter)
  • Members
  • 9 posts

Posted 17 August 2009 - 07:49 PM

ComboFix 09-08-10.06 - Jason F 08/14/2009 17:19.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.658 [GMT -5:00]
Running from: c:\documents and settings\Jason F\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090814-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator.THEJAYMAN.006\Application Data\02000000c82dd165648C.manifest
c:\documents and settings\Administrator.THEJAYMAN.006\Application Data\02000000c82dd165648O.manifest
c:\documents and settings\Administrator.THEJAYMAN.006\Application Data\02000000c82dd165648P.manifest
c:\documents and settings\Administrator.THEJAYMAN.006\Application Data\02000000c82dd165648S.manifest
c:\documents and settings\Jason F\Application Data\02000000c82dd165648C.manifest
c:\documents and settings\Jason F\Application Data\02000000c82dd165648O.manifest
c:\documents and settings\Jason F\Application Data\02000000c82dd165648P.manifest
c:\documents and settings\Jason F\Application Data\02000000c82dd165648S.manifest
c:\documents and settings\Jason F\Application Data\02000000c82dd165C.manifest
c:\documents and settings\Jason F\Application Data\02000000c82dd165O.manifest
c:\documents and settings\Jason F\Application Data\02000000c82dd165P.manifest
c:\documents and settings\Jason F\Application Data\02000000c82dd165R.manifest
c:\documents and settings\Jason F\Application Data\02000000c82dd165S.manifest
c:\documents and settings\Jason F\Application Data\FunWebProducts
c:\documents and settings\Jason F\Application Data\FunWebProducts\Data\Jason F\wffavs.dat
c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\03A6C2F3.urr
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\recycler\NPROTECT\00212056.
c:\recycler\NPROTECT\00212099.com
c:\recycler\NPROTECT\00212103.
c:\recycler\NPROTECT\00212110.
c:\recycler\NPROTECT\00212130.
c:\recycler\NPROTECT\00212133.
c:\recycler\NPROTECT\00212172.
c:\recycler\NPROTECT\00212185.
c:\recycler\NPROTECT\00212200.
c:\recycler\NPROTECT\00212205.
c:\recycler\NPROTECT\00212206.
c:\windows\Installer\28edc.msi
c:\windows\Installer\b1ef7.msi
c:\windows\system32\bIsEqv8nocnXn.vbs
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\Gyg4ezb.vbs
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\UACelwmsixdqwbutfq.dat
c:\windows\system32\UACimxmmufcumlrwpp.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACsrfwbwucewuycdb.log
c:\windows\system32\ykBfodSj8OHHX.vbs
C:\xcrashdump.dat
c:\recycler\NPROTECT . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UACD.SYS
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-14 to 2009-08-14 )))))))))))))))))))))))))))))))
.

2009-08-14 22:09 . 2009-08-14 22:09 -------- d-sh--w- c:\windows\system32\SystemX86
2009-08-12 13:31 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-01 19:06 . 2009-07-13 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-01 19:06 . 2009-08-01 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-01 19:06 . 2009-08-01 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-01 19:06 . 2009-07-13 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-18 20:28 . 2009-07-18 20:28 121344 ----a-w- c:\windows\system32\CTMEDENG32.dll
2009-07-17 19:01 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 22:30 . 2009-08-14 22:30 0 ----a-w- c:\windows\system32\4.tmp
2009-08-14 22:27 . 2004-08-23 21:52 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000003-00000000-00000001-00001102-00000004-10021102}.dat
2009-08-14 22:27 . 2004-08-23 21:52 288 ----a-w- c:\windows\system32\DVCState-{00000003-00000000-00000001-00001102-00000004-10021102}.dat
2009-08-11 09:28 . 2009-08-11 09:28 0 ----a-w- c:\windows\system32\95.tmp
2009-08-08 17:52 . 2009-08-08 17:52 0 ----a-w- c:\windows\system32\111.tmp
2009-08-07 17:56 . 2009-08-07 17:56 0 ----a-w- c:\windows\system32\BF.tmp
2009-08-06 12:45 . 2009-08-06 12:45 0 ----a-w- c:\windows\system32\3.tmp
2009-08-05 09:01 . 2003-03-31 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 07:02 . 2009-08-04 07:02 0 ----a-w- c:\windows\system32\EC.tmp
2009-08-01 09:13 . 2009-08-01 09:13 0 ----a-w- c:\windows\system32\6B.tmp
2009-07-30 11:13 . 2009-07-30 11:13 0 ----a-w- c:\windows\system32\AD.tmp
2009-07-29 04:55 . 2004-08-23 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-26 15:53 . 2004-08-23 22:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-26 15:53 . 2004-08-23 22:24 -------- d-----w- c:\documents and settings\Jason F\Application Data\Symantec
2009-07-25 21:19 . 2009-07-25 21:19 0 ----a-w- c:\windows\system32\42.tmp
2009-07-22 03:03 . 2009-07-22 03:03 0 ----a-w- c:\windows\system32\2.tmp
2009-07-18 20:28 . 2009-07-18 20:28 0 ----a-w- c:\windows\system32\39.tmp
2009-07-18 16:25 . 2007-09-29 00:58 -------- d-----w- c:\program files\FrostWire
2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-24 02:11 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 12:58 . 2009-07-10 12:58 1915520 ----a-w- c:\documents and settings\Jason F\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-29 16:12 . 2004-02-07 00:05 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-19 20:22 . 2009-06-19 20:22 -------- d-----w- c:\program files\Alwil Software
2009-06-17 17:43 . 2004-08-19 12:54 94208 ----a-w- c:\windows\DUMP8e74.tmp
2009-06-16 14:36 . 2003-03-31 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2003-03-31 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2003-03-31 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2004-08-19 18:05 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2003-03-31 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2003-03-31 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 20:50 . 2009-06-03 20:50 583896 ----a-w- c:\documents and settings\All Users\SPL24.tmp
2009-06-03 19:09 . 2003-05-13 15:28 1291264 ----a-w- c:\windows\system32\quartz.dll
2004-11-24 06:54 . 2005-04-29 01:38 23040 ----a-w- c:\program files\01001226.dot
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2002-09-13 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"POINTER"="c:\program files\Microsoft Hardware\Mouse\point32.exe" [2002-04-11 176128]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-07-15 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-15 4112384]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 90112]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-07-15 843776]

c:\documents and settings\Jason F\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2004-8-25 45056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-4-24 113664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\a0b6e283648]
2009-07-18 20:28 121344 ----a-w- c:\windows\system32\CTMEDENG32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"lxdc_device"=2 (0x2)
"GEARSecurity"=2 (0x2)
"IDriverT"=3 (0x3)
"IAANTMon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Joint Operations Typhoon Rising\\Jointops.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\WINDOWS\\system32\\lxdccoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe"=

R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [8/19/2004 1:27 PM 23035]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/19/2004 1:24 PM 89610]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/19/2009 3:23 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/19/2009 3:23 PM 20560]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [8/23/2004 4:48 PM 12160]
S3 oflpydin;oflpydin;\??\c:\docume~1\JASONF~1\LOCALS~1\Temp\oflpydin.sys --> c:\docume~1\JASONF~1\LOCALS~1\Temp\oflpydin.sys [?]
S4 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
.
- - - - ORPHANS REMOVED - - - -

Notify-a0b6e283382 - c:\windows\system32\__c00C20B7.dat
Notify-__c007F8BE - c:\windows\system32\__c007F8BE.dat
Notify-__c00C3726 - c:\windows\system32\__c00C3726.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/bin/search?p={searchTerms}
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZKxdm011YYUS
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: chase.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-14 17:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = "c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" /run?Z?A~d???*?A~?????????w??????h?@?x?????B~D??????sx??s&:??????y??w????@@@????|D@@?????>??w????@93?H??????|???|???????|L(?s@93??????/?s????????D???????????????????,????????????+?s@@@?D???`|?w??????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\System32\CTMEDENG32.dll

- - - - - - - > 'explorer.exe'(3512)
c:\windows\system32\WININET.dll
c:\windows\System32\CTMEDENG32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\LexBceS.exe
c:\windows\system32\Lexpps.exe
c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe
c:\progra~1\Webshots\webshots.scr
c:\windows\system32\MsPMSPSv.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-08-14 17:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-14 22:35

Pre-Run: 4,534,972,416 bytes free
Post-Run: 4,760,690,688 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

231 --- E O F --- 2009-08-12 14:15
Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

8/14/2009 10:48:43 PM
mbam-log-2009-08-14 (22-48-43).txt

Scan type: Full Scan (C:\|)
Objects scanned: 227445
Time elapsed: 31 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a072ec12-a40b-41dd-9a1a-cdb848b70f3c} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bd4f7a6d-0107-4bdf-b72b-021b717b06ce} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\SystemX86 (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\systemx86\6.tmp (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\7.tmp (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\8.tmp (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\9.tmp (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

#7 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:09:43 AM

Posted 18 August 2009 - 08:20 AM

Hello.

Let's see what we can do.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    KILLALL::
    
    File::
    c:\program files\01001226.dot
    c:\windows\system32\CTMEDENG32.dll
    c:\windows\DUMP8e74.tmp
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\a0b6e283648]
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    
    Driver::
    oflpydin
    lxdc_device
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [image]
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Do the popups still occur?

Please post the contents of this file:
C:\Qoobox\Add-Remove Programs.txt

With Regards,
The Panda
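
The CFScript above encodes a judgement the log itself does not spell out: why the a0b6e283648 subkey under Winlogon\Notify, CTMEDENG32.dll, the oflpydin driver and the AntiVirusOverride value were singled out while the rest of the log was left alone. The Python below is an added example for this thread, not ComboFix's code and not the helper's own method. It parses ComboFix-style log lines for those indicators (a non-default Winlogon\Notify subkey and the DLL it loads, a service whose binary sits under a Temp directory or is reported missing with [?], Security Center override values set to 1, and the firewall standard profile switched off, which the follow-up log in this thread also shows) and renders the hits in the CFScript layout used here. The sample lines are copied from the logs in this thread; the detection rules, the Findings layout and the function names are assumptions. The output is a starting point for a human to read, not something to feed to ComboFix unreviewed: lxdc_device, for instance, is flagged only because its binary is missing, and a helper weighs that against what the program is before deleting it.

```python
"""Triage a ComboFix-style log for the indicators the CFScript above acts on.
Added example for this thread, not ComboFix's code; the rules are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Security Center values that, when set to 1, silence the "no AV / no firewall" warning.
OVERRIDES = {"antivirusoverride", "firewalloverride", "antivirusdisablenotify",
             "firewalldisablenotify", "updatesdisablenotify"}
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.*)$')
# 2009-07-18 20:28 121344 ----a-w- c:\windows\system32\CTMEDENG32.dll
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>[A-Za-z]:\\.+)$")
# R1 name;display;path [date size]   or   path --> path [?] when the binary is missing
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<rest>.*)$")
REST_RE = re.compile(r"^(?P<path>.*?)(?: --> .*?)?\s+\[(?P<info>[^\]]*)\]\s*$")

# Lines copied from the ComboFix output posted in this thread (excerpt, not a full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\a0b6e283648]
2009-07-18 20:28 121344 ----a-w- c:\windows\system32\CTMEDENG32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/19/2009 3:23 PM 114768]
S3 oflpydin;oflpydin;\??\c:\docume~1\JASONF~1\LOCALS~1\Temp\oflpydin.sys --> c:\docume~1\JASONF~1\LOCALS~1\Temp\oflpydin.sys [?]
S4 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
"""


@dataclass
class Findings:
    notes: list = field(default_factory=list)          # human-readable reasons
    files: list = field(default_factory=list)          # File:: entries
    delete_keys: list = field(default_factory=list)    # Registry:: [-key]
    delete_values: dict = field(default_factory=dict)  # Registry:: key -> names to set "=-"
    drivers: list = field(default_factory=list)        # Driver:: entries


def _dword(val: str) -> Optional[int]:
    """Parse 'dword:00000001' or '0 (0x0)' as ComboFix prints them."""
    m = re.match(r"^(?:dword:(?P<hex>[0-9a-fA-F]+)|(?P<dec>\d+))", val.strip())
    if not m:
        return None
    return int(m["hex"], 16) if m["hex"] is not None else int(m["dec"])


def triage(log_text: str) -> Findings:
    f, key, in_notify = Findings(), None, False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m["key"]
            # ComboFix hides default Notify entries, so any listed subkey is a
            # DLL injected into winlogon.exe at logon.
            in_notify = "\\winlogon\\notify\\" in key.lower()
            if in_notify:
                sub = key.rsplit("\\", 1)[-1]
                f.notes.append(f"Winlogon Notify subkey {sub} is non-default")
                f.delete_keys.append(key)
        elif in_notify and (m := FILE_RE.match(line)):
            f.files.append(m["path"])                   # the DLL the Notify key loads
        elif key and (m := VALUE_RE.match(line)):
            name, val, k = m["name"], m["val"], key.lower()
            if k.endswith("\\security center") and name.lower() in OVERRIDES and _dword(val) == 1:
                f.notes.append(f"Security Center {name}=1 hides the missing-protection warning")
                f.delete_values.setdefault(key, []).append(name)
            elif k.endswith("firewallpolicy\\standardprofile") and name.lower() == "enablefirewall" and _dword(val) == 0:
                f.notes.append("Windows Firewall standard profile is disabled (EnableFirewall=0)")
        elif m := SERVICE_RE.match(line):
            rest = REST_RE.match(m["rest"])
            path = rest["path"] if rest else m["rest"]
            missing = bool(rest) and rest["info"] == "?"   # ComboFix marks absent binaries [?]
            in_temp = re.search(r"\\temp\\", path, re.I) is not None
            if in_temp:
                f.notes.append(f"Service {m['name']} loads from a Temp directory: {path}")
            if missing:
                f.notes.append(f"Service {m['name']} points at a file that is not on disk")
            if in_temp or missing:
                f.drivers.append(m["name"])
    return f


def to_cfscript(f: Findings) -> str:
    """Render findings in the CFScript layout used in this thread; review before use."""
    out = ["KILLALL::", ""]
    if f.files:
        out += ["File::", *f.files, ""]
    if f.delete_keys or f.delete_values:
        out += ["Registry::", *(f"[-{k}]" for k in f.delete_keys)]
        for k, names in f.delete_values.items():
            out += ["", f"[{k}]", *(f'"{n}"=-' for n in names)]
        out.append("")
    if f.drivers:
        out += ["Driver::", *f.drivers]
    return "\n".join(out).rstrip() + "\n"
```

Feeding a saved C:\ComboFix.txt to triage() and printing the notes gives the reasons; to_cfscript() on the same Findings reproduces the File::, Registry:: and Driver:: sections of the script above from the sample, with FirewallOverride added because the excerpt includes that value. The benign avast! driver line is parsed and left alone, which is the point of checking the binary's location and presence rather than the service name.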

#8 thejayman
  • Topic Starter
  • Members
  • 9 posts
  • Local time:08:43 AM

Posted 22 August 2009 - 03:35 PM

Well, it looks like things might be getting better. I hope I'm not jinxing myself. At this moment the pop-ups have stopped and I don't have any questionable internet searches occurring. I ran ComboFix as directed and pasted the log. After that I ran Malwarebytes and only had one infection, and it said it removed it. (C:\WINDOWS\system32\SystemX86 (Worm.Archive) -> Quarantined and deleted successfully.)
However, I tried to run a full system scan with Norton 360 and again the computer shut off after 15 minutes or so. Finally, I have pasted the Add/Remove Programs log as requested. Again, thank you for your time, Jason


ComboFix 09-08-21.02 - Jason F 08/22/2009 14:15.10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.604 [GMT -5:00]
Running from: c:\documents and settings\Jason F\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jason F\Desktop\CFScript.txt

FILE ::
"c:\program files\01001226.dot"
"c:\windows\DUMP8e74.tmp"
"c:\windows\system32\CTMEDENG32.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator.THEJAYMAN.006\Application Data\02000000c82dd165648C.manifest
c:\documents and settings\Administrator.THEJAYMAN.006\Application Data\02000000c82dd165648O.manifest
c:\documents and settings\Administrator.THEJAYMAN.006\Application Data\02000000c82dd165648P.manifest
c:\documents and settings\Administrator.THEJAYMAN.006\Application Data\02000000c82dd165648S.manifest
c:\documents and settings\Jason F\Application Data\02000000c82dd165648C.manifest
c:\documents and settings\Jason F\Application Data\02000000c82dd165648O.manifest
c:\documents and settings\Jason F\Application Data\02000000c82dd165648P.manifest
c:\documents and settings\Jason F\Application Data\02000000c82dd165648S.manifest
c:\program files\01001226.dot
c:\recycler\NPROTECT\00212099.com
c:\windows\_000021_.tmp.dll
c:\windows\DUMP8e74.tmp
c:\windows\GnuHashes.ini
c:\windows\system32\CTMEDENG32.dll
c:\recycler\NPROTECT . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LXDC_DEVICE
-------\Legacy_OFLPYDIN
-------\Service_lxdc_device
-------\Service_oflpydin


((((((((((((((((((((((((( Files Created from 2009-07-22 to 2009-08-22 )))))))))))))))))))))))))))))))
.

2009-08-22 14:23 . 2009-08-22 14:23 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-22 14:22 . 2009-08-22 14:22 -------- d-sh--w- c:\windows\system32\SystemX86
2009-08-22 08:23 . 2009-08-22 08:23 87888 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090822.004\naveng.sys
2009-08-22 08:23 . 2009-08-22 08:23 875728 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090822.004\navex15.sys
2009-08-22 08:23 . 2009-08-22 08:23 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090822.004\eeCtrl.sys
2009-08-22 08:23 . 2009-08-22 08:23 259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090822.004\ecmsvr32.dll
2009-08-22 08:23 . 2009-08-22 08:23 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090822.004\cceraser.dll
2009-08-22 08:23 . 2009-08-22 08:23 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090822.004\naveng32.dll
2009-08-22 08:23 . 2009-08-22 08:23 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090822.004\navex32a.dll
2009-08-22 08:23 . 2009-08-22 08:23 101936 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090822.004\eraser.sys
2009-08-18 17:38 . 2009-08-15 18:07 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090818.003\EECTRL.SYS
2009-08-18 17:38 . 2009-08-15 18:07 101936 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090818.003\ERASER.SYS
2009-08-18 17:38 . 2009-08-15 18:07 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090818.003\NAVENG32.DLL
2009-08-18 17:38 . 2009-08-15 18:07 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090818.003\NAVEX32A.DLL
2009-08-18 17:38 . 2009-08-15 18:07 259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090818.003\ECMSVR32.DLL
2009-08-18 17:38 . 2009-08-15 18:07 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090818.003\CCERASER.DLL
2009-08-18 17:38 . 2009-08-15 08:00 87888 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090818.003\NAVENG.SYS
2009-08-18 17:38 . 2009-08-15 08:00 875728 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090818.003\NAVEX15.SYS
2009-08-15 19:59 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSXpx86.sys
2009-08-15 19:59 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSvix86.sys
2009-08-15 19:59 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\Scxpx86.dll
2009-08-15 19:59 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSxpx86.dll
2009-08-15 19:59 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSviA64.sys
2009-08-15 18:08 . 2009-01-15 17:19 23848 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-15 18:08 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-08-15 18:08 . 2009-08-15 18:07 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-08-15 18:07 . 2009-08-15 18:07 -------- d-----w- c:\program files\Symantec
2009-08-15 18:07 . 2009-08-15 18:07 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-15 18:07 . 2009-08-15 18:07 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-15 18:07 . 2009-08-15 18:07 1290592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2009-08-15 18:07 . 2009-08-15 18:07 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2009-08-15 18:07 . 2009-08-15 18:07 796016 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2009-08-15 18:06 . 2009-08-15 18:06 -------- d-----w- c:\windows\system32\drivers\N360
2009-08-15 18:06 . 2009-08-15 18:07 -------- d-----w- c:\program files\Norton 360
2009-08-15 18:06 . 2009-08-15 18:06 -------- d-----w- c:\program files\Windows Sidebar
2009-08-15 18:02 . 2009-08-15 18:02 -------- d-----w- c:\program files\NortonInstaller
2009-08-15 13:49 . 2009-08-15 13:49 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-15 03:15 . 2009-08-15 03:15 -------- d-----w- c:\documents and settings\Jason F\Application Data\Malwarebytes
2009-08-12 13:31 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-01 19:06 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-01 19:06 . 2009-08-15 13:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-01 19:06 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-01 19:06 . 2009-08-01 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 19:23 . 2004-08-23 21:52 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000003-00000000-00000001-00001102-00000004-10021102}.dat
2009-08-22 19:23 . 2004-08-23 21:52 288 ----a-w- c:\windows\system32\DVCState-{00000003-00000000-00000001-00001102-00000004-10021102}.dat
2009-08-15 20:05 . 2004-08-23 22:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-15 18:08 . 2009-03-11 01:34 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-08-15 18:07 . 2009-08-15 18:07 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-15 18:07 . 2009-08-15 18:07 7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-15 18:06 . 2009-03-11 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-11 09:28 . 2009-08-11 09:28 0 ----a-w- c:\windows\system32\95.tmp
2009-08-08 17:52 . 2009-08-08 17:52 0 ----a-w- c:\windows\system32\111.tmp
2009-08-07 17:56 . 2009-08-07 17:56 0 ----a-w- c:\windows\system32\BF.tmp
2009-08-05 09:01 . 2003-03-31 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 07:02 . 2009-08-04 07:02 0 ----a-w- c:\windows\system32\EC.tmp
2009-08-01 09:13 . 2009-08-01 09:13 0 ----a-w- c:\windows\system32\6B.tmp
2009-07-30 11:13 . 2009-07-30 11:13 0 ----a-w- c:\windows\system32\AD.tmp
2009-07-29 04:55 . 2004-08-23 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-26 15:53 . 2004-08-23 22:24 -------- d-----w- c:\documents and settings\Jason F\Application Data\Symantec
2009-07-25 21:19 . 2009-07-25 21:19 0 ----a-w- c:\windows\system32\42.tmp
2009-07-18 20:28 . 2009-07-18 20:28 0 ----a-w- c:\windows\system32\39.tmp
2009-07-18 16:25 . 2007-09-29 00:58 -------- d-----w- c:\program files\FrostWire
2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-24 02:11 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 19:34 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-07-11 19:34 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-07-11 19:34 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-07-11 19:34 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-07-11 19:34 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys
2009-07-10 12:58 . 2009-07-10 12:58 1915520 ----a-w- c:\documents and settings\Jason F\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-29 16:12 . 2004-02-07 00:05 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2003-03-31 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2003-03-31 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2003-03-31 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2004-08-19 18:05 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2003-03-31 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2003-03-31 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 20:50 . 2009-06-03 20:50 583896 ----a-w- c:\documents and settings\All Users\SPL24.tmp
2009-06-03 19:09 . 2003-05-13 15:28 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-14_22.30.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-22 19:26 . 2009-08-22 19:26 16384 c:\windows\Temp\Perflib_Perfdata_374.dat
+ 2003-03-31 12:00 . 2008-04-14 00:12 49152 c:\windows\system32\wdigest(3).dll
+ 2003-03-31 12:00 . 2009-02-03 19:59 56832 c:\windows\system32\secur32(3).dll
+ 2009-08-15 18:08 . 2009-01-15 17:19 23848 c:\windows\system32\DRVSTORE\GEARAspiWD_4F4AA3475F1B13A1E8212B6D40B351211BC358CE\x86\GEARAspiWDM.sys
+ 2009-08-15 18:07 . 2009-08-15 18:07 39984 c:\windows\system32\drivers\N360\0300000.087\symndisv.sys
+ 2009-08-15 18:07 . 2009-08-15 18:07 37296 c:\windows\system32\drivers\N360\0300000.087\symndis.sys
+ 2009-08-15 18:07 . 2009-08-15 18:07 34736 c:\windows\system32\drivers\N360\0300000.087\symids.sys
+ 2009-08-15 18:07 . 2009-08-15 18:07 89776 c:\windows\system32\drivers\N360\0300000.087\symfw.sys
+ 2009-08-15 18:07 . 2009-08-15 18:07 43696 c:\windows\system32\drivers\N360\0300000.087\srtspx.sys
+ 2003-03-31 12:00 . 2008-04-14 00:11 299520 c:\windows\system32\kerberos(3).dll
+ 2009-08-15 18:08 . 2008-04-17 17:12 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_4F4AA3475F1B13A1E8212B6D40B351211BC358CE\x86\GEARAspi.dll
+ 2009-08-15 18:07 . 2009-08-15 18:07 217392 c:\windows\system32\drivers\N360\0300000.087\symtdi.sys
+ 2009-08-15 18:07 . 2009-08-15 18:07 310320 c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys
+ 2009-08-15 18:07 . 2009-08-15 18:07 307760 c:\windows\system32\drivers\N360\0300000.087\srtsp.sys
+ 2009-08-15 18:07 . 2009-08-15 18:07 482352 c:\windows\system32\drivers\N360\0300000.087\cchpx86.sys
+ 2009-08-15 18:07 . 2009-08-15 18:07 258608 c:\windows\system32\drivers\N360\0300000.087\BHDrvx86.sys
+ 2009-08-15 18:08 . 2009-08-15 18:08 621056 c:\windows\Installer\2ba90.msi
+ 2009-08-22 14:03 . 2009-08-22 14:23 1262248 c:\windows\system32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2002-09-13 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"POINTER"="c:\program files\Microsoft Hardware\Mouse\point32.exe" [2002-04-11 176128]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-07-15 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-15 4112384]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-07-15 843776]

c:\documents and settings\Jason F\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2004-8-25 45056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-4-24 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"lxdc_device"=2 (0x2)
"GEARSecurity"=2 (0x2)
"IDriverT"=3 (0x3)
"IAANTMon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Joint Operations Typhoon Rising\\Jointops.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\WINDOWS\\system32\\lxdccoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe"=

R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [8/19/2004 1:27 PM 23035]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/19/2004 1:24 PM 89610]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys [8/15/2009 1:07 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.087\BHDrvx86.sys [8/15/2009 1:07 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.087\cchpx86.sys [8/15/2009 1:07 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSXpx86.sys [8/15/2009 2:59 PM 276344]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [8/15/2009 1:07 PM 115560]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [8/23/2004 4:48 PM 12160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/15/2009 2:55 PM 101936]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/bin/search?p={searchTerms}
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: chase.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-22 14:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = "c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" /run?Z?A~d???*?A~????????V???????h?@?x?????B~D??????sx??s????????y??w????@@@????|D@@?????>??w????@93?H??????|???|???????|L(?s@93??????/?s????????D???????????????????,????????????+?s@@@?D???`|?w??????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.135\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2832)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LexBceS.exe
c:\windows\system32\Lexpps.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe
c:\progra~1\Webshots\webshots.scr
.
**************************************************************************
.
Completion time: 2009-08-22 14:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-22 19:31
ComboFix2.txt 2009-08-18 22:05
ComboFix3.txt 2009-08-18 01:18
ComboFix4.txt 2009-08-16 00:05
ComboFix5.txt 2009-08-22 19:14

Pre-Run: 4,387,426,304 bytes free
Post-Run: 4,339,658,752 bytes free

253 --- E O F --- 2009-08-12 14:15

Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Critical Update for Windows Media Player 11 (KB959772)
DVD Decrypter (Remove Only)
Enable S3 for USB Device
FrostWire 4.13.3
GEAR driver installer for x86 and x64
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
InCD EasyWrite Reader
Intel Application Accelerator RAID Edition
Intel® PRO Network Adapters and Drivers
Intel® PROSet
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 13
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Lexmark 1300 Series
Logitech Harmony Remote Software 7
Malwarebytes' Anti-Malware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft IntelliPoint 4.1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Nero OEM
NeroMediaPlayer
NeroVision Express 3
Norton 360
NVIDIA Drivers
NVIDIA Windows 2000/XP Display Drivers
OLYMPUS Master 2
PowerCDR Express
PowerDVD
QuickTime
Realtek AC'97 Audio
Remote Control USB Driver
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Sound Blaster Audigy 2
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3

#9 PropagandaPanda

  • Malware Response Team

Posted 23 August 2009 - 07:53 AM

Hello.

However I tried to run a full system scan with Norton 360 and again the computer shut off after 15 minutes or so

Let's try reinstalling Norton.

First, remove it, referring to this topic.

Then reinstall, run an update, and tell me if you are able to run a scan after.

With Regards,
The Panda

#10 thejayman

  • Topic Starter

Posted 23 August 2009 - 06:24 PM

First I want to thank you for your help. BleepingComputer and you are life savers. It's nice to know that there are people trying to fight bad hackers and the companies that profit from their viruses.
I did as you asked in this last step and it appears that everything is working now. The 360 scan completed 100% with no infections, and so did Anti-Malware. Thank you. One last thing, if you don't mind: is there any anti-virus, malware, trojan, etc. program that you suggest to help protect me in the future? Well, again I want to thank you, Jason.

#11 PropagandaPanda

  • Malware Response Team

Posted 24 August 2009 - 07:55 AM

Hello.

Is there any anti-virus, malware, trojan, etc. program that you suggest to help protect me in the future?

No single program is perfect.

Some free AVs that I recommend are:

If you are looking for a paid version, I suggest Kaspersky or ESET.

Let's run an online scan to check for anything left before we wrap up.

Update Java to Version 6 Update 16
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer here. Choose "Windows".

Delete the installer after use.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select Critical Areas.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

Please also take a new DDS.txt log after for a final check.

With Regards,
The Panda

#12 thejayman

  • Topic Starter

Posted 25 August 2009 - 04:54 PM

OK, I have completed the final tasks as instructed. I have attached the DDS log. I also ran the Kaspersky scanner as told; however my chick cleared it before I could save the log. She did make note that all categories were at zero. Please let me know if you want me to do it again, sorry. Thank you, Jason


DDS (Ver_09-07-30.01) - NTFSx86
Run by Jason F at 16:44:43.37 on Tue 08/25/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.572 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Jason F\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/bin/search?p={searchTerms}
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.0.0.135\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
c:\docume~1\jasonf~1\locals~1\temp\rarsfx0\temp00
c:\docume~1\jasonf~1\locals~1\temp\rarsfx0\temp00
mRun: [CTStartup] "c:\program files\creative\splash screen\CTEaxSpl.EXE" /run
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [POINTER] c:\program files\microsoft hardware\mouse\point32.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [CamMonitor] c:\program files\hewlett-packard\digital imaging\\unload\hpqcmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\jasonf~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
mPolicies-explorer: <NO NAME> =
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
Trusted Zone: chase.com
DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} - file://d:\components\hidinputmonitorx.ocx
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} - file://d:\components\A9.ocx
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.0.0.135\CoIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [2004-8-19 23035]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2004-8-19 89610]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0300000.087\SymEFA.sys [2009-8-15 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0300000.087\BHDrvx86.sys [2009-8-15 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0300000.087\cchpx86.sys [2009-8-15 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090810.001\IDSXpx86.sys [2009-8-15 276344]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.0.0.135\ccSvcHst.exe [2009-8-15 115560]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2004-8-23 12160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-15 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090825.004\NAVENG.SYS [2009-8-25 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090825.004\NAVEX15.SYS [2009-8-25 1323568]

=============== Created Last 30 ================

2009-08-24 15:17 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-22 09:23 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-08-15 13:08 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-08-15 13:08 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-15 13:08 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-08-15 13:07 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-15 13:07 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-08-15 13:07 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-15 13:07 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-15 13:07 <DIR> --d----- c:\program files\Symantec
2009-08-15 13:06 <DIR> --d----- c:\windows\system32\drivers\N360
2009-08-15 13:06 <DIR> --d----- c:\program files\Norton 360
2009-08-15 13:02 <DIR> --d----- c:\program files\NortonInstaller
2009-08-14 22:15 <DIR> --d----- c:\docume~1\jasonf~1\applic~1\Malwarebytes
2009-08-14 17:33 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-14 17:19 <DIR> a-dshr-- C:\cmdcons
2009-08-14 17:16 228,864 a------- c:\windows\PEV.exe
2009-08-14 17:16 161,792 a------- c:\windows\SWREG.exe
2009-08-14 17:16 98,816 a------- c:\windows\sed.exe
2009-08-12 08:31 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 08:31 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-11 04:28 0 a------- c:\windows\system32\95.tmp
2009-08-08 12:52 0 a------- c:\windows\system32\111.tmp
2009-08-07 12:56 0 a------- c:\windows\system32\BF.tmp
2009-08-05 04:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 02:02 0 a------- c:\windows\system32\EC.tmp
2009-08-01 14:06 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-01 14:06 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-01 14:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-01 14:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-01 04:13 0 a------- c:\windows\system32\6B.tmp
2009-07-30 06:13 0 a------- c:\windows\system32\AD.tmp

==================== Find3M ====================

2009-08-24 15:16 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 11:12 827,392 -------- c:\windows\system32\wininet.dll
2009-06-29 11:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 11:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 07:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 07:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 01:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-02-14 22:07 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2008-03-19 16:10 21,872 a------- c:\docume~1\jasonf~1\applic~1\GDIPFONTCACHEV1.DAT
2009-03-12 05:51 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009031220090313\index.dat

============= FINISH: 16:45:29.04 ===============
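
The logs posted in this thread (the ComboFix "Reg Loading Points" block, the DDS "Pseudo HJT Report", and the installed-programs list) are read by hand by the Malware Response Team. The script below is an added example, not a BleepingComputer, ComboFix or DDS tool: it parses a handful of lines copied from those logs and flags the items a helper checks first, namely the Windows Firewall being disabled while Security Center's firewall alert is overridden, orphaned "No File" BHO/toolbar entries, hosts added to IE's Trusted Zone, and every installed Java runtime older than the Java 6 Update 16 recommended earlier in the thread. The embedded sample text is constructed from excerpts of the thread's logs; the regexes, constants and function names are the example's own.

```python
"""Triage helper for ComboFix / DDS logs like the ones posted in this thread.
Added example, not a BleepingComputer, ComboFix or DDS tool: it parses the
REGEDIT-style "Reg Loading Points" block and the DDS "Pseudo HJT" lines and
flags what a malware-removal helper checks first."""
import re

# Constructed sample: lines copied from the logs in this thread, not a full log.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"FirewallOverride"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\\program files\\norton 360\\engine\\3.0.0.135\\coIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Trusted Zone: aol.com\\free
Trusted Zone: chase.com
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
Java(TM) 6 Update 13
Java(TM) 6 Update 2
Java(TM) 6 Update 7
"""

REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"(\w+)"\s*=\s*(dword:)?([0-9A-Fa-f]+)')
ORPHAN_RE = re.compile(r"^(?:BHO|TB|EB|SSODL|Handler): .*- No File$")
TRUSTED_RE = re.compile(r"^Trusted Zone: (\S+)$")
JAVA_RE = re.compile(r"^(?:J2SE Runtime Environment|Java(?:\(TM\)|\u2122)?) "
                     r"(\d+(?:\.\d+)?) Update (\d+)$")
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
FIREWALL_PROFILE = (r"hklm\~\services\sharedaccess\parameters\firewallpolicy"
                    r"\standardprofile")


def parse_reg_values(lines):
    """Map lower-cased key path -> {value name: int} from REGEDIT-style lines.
    REGEDIT4 prints DWORDs as dword:00000001 (hex); ComboFix's firewall block
    prints them as '0 (0x0)' (decimal first). Both forms are handled."""
    values, current = {}, None
    for line in lines:
        line = line.strip()
        key = REG_KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            values.setdefault(current, {})
            continue
        val = REG_VALUE_RE.match(line)
        if val and current is not None:
            name, is_hex, raw = val.groups()
            values[current][name] = int(raw, 16) if is_hex else int(raw, 10)
    return values


def firewall_findings(reg):
    """Flag the state seen in this thread: Windows Firewall off while
    FirewallOverride=1 suppresses Security Center's no-firewall alert."""
    sc = reg.get(SECURITY_CENTER, {})
    fw = reg.get(FIREWALL_PROFILE, {})
    findings = []
    if fw.get("EnableFirewall") == 0:
        if sc.get("FirewallOverride") == 1:
            findings.append("Windows Firewall disabled and Security Center firewall "
                            "alert overridden: confirm a third-party firewall is active")
        else:
            findings.append("Windows Firewall disabled with no override recorded")
    return findings


def orphaned_ie_entries(lines):
    """BHO/toolbar/explorer-bar CLSIDs whose DLL is gone: leftovers to clean up."""
    return [l.strip() for l in lines if ORPHAN_RE.match(l.strip())]


def trusted_zone_hosts(lines):
    """Hosts in IE's Trusted sites zone; each runs with relaxed security settings."""
    hosts = []
    for l in lines:
        m = TRUSTED_RE.match(l.strip())
        if m:
            hosts.append(m.group(1))
    return hosts


def outdated_java(lines, current=(6.0, 16)):
    """Installed JRE entries older than `current` (major, update). Old JREs stay
    installed side by side, so every entry returned is an uninstall candidate."""
    stale = []
    for l in lines:
        m = JAVA_RE.match(l.strip())
        if m and (float(m.group(1)), int(m.group(2))) < current:
            stale.append(l.strip())
    return stale


def triage(log_text):
    """Run all checks over one log and return them keyed by finding type."""
    lines = log_text.splitlines()
    return {
        "firewall": firewall_findings(parse_reg_values(lines)),
        "orphaned_ie_entries": orphaned_ie_entries(lines),
        "trusted_zone": trusted_zone_hosts(lines),
        "outdated_java": outdated_java(lines),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(f"== {section} ==")
        for item in items:
            print("  ", item)
```

On the sample the script reports the firewall override, the four orphaned IE entries, the two Trusted Zone hosts and all five Java entries, which matches what the helper asked for by hand: remove every J2SE/Java entry before installing the current one. Feed it a full ComboFix or DDS log and the same functions apply unchanged; the firewall check only fires when both the profile key and the Security Center key are present in the text.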

#13 PropagandaPanda

  • Malware Response Team

Posted 25 August 2009 - 06:11 PM

That looks good.

Could you run DDS again though? There are some strange lines in the log that weren't there last time. Perhaps it's only a bug.

With Regards,
The Panda

#14 thejayman

  • Topic Starter

Posted 26 August 2009 - 08:21 PM

Thank you for your time. I have attached the log as requested. My computer is working great with one exception: every once in a while the computer just shuts down. It has happened once while running a movie and several other times when the computer is not even being used. However I am so happy with how the computer is working now, I can deal with that. Thanks again, Jason

DDS (Ver_09-07-30.01) - NTFSx86
Run by Jason F at 20:06:47.45 on Wed 08/26/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.634 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jason F\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/bin/search?p={searchTerms}
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.0.0.135\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CTStartup] "c:\program files\creative\splash screen\CTEaxSpl.EXE" /run
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [POINTER] c:\program files\microsoft hardware\mouse\point32.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [CamMonitor] c:\program files\hewlett-packard\digital imaging\\unload\hpqcmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\jasonf~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
mPolicies-explorer: <NO NAME> =
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
Trusted Zone: chase.com
DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} - file://d:\components\hidinputmonitorx.ocx
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} - file://d:\components\A9.ocx
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.0.0.135\CoIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [2004-8-19 23035]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2004-8-19 89610]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0300000.087\SymEFA.sys [2009-8-15 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0300000.087\BHDrvx86.sys [2009-8-15 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0300000.087\cchpx86.sys [2009-8-15 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090810.001\IDSXpx86.sys [2009-8-15 276344]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.0.0.135\ccSvcHst.exe [2009-8-15 115560]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2004-8-23 12160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-26 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090826.034\NAVENG.SYS [2009-8-26 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090826.034\NAVEX15.SYS [2009-8-26 1323568]

=============== Created Last 30 ================

2009-08-24 15:17 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-22 09:23 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-08-15 13:08 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-08-15 13:08 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-15 13:08 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-08-15 13:07 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-15 13:07 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-08-15 13:07 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-15 13:07 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-15 13:07 <DIR> --d----- c:\program files\Symantec
2009-08-15 13:06 <DIR> --d----- c:\windows\system32\drivers\N360
2009-08-15 13:06 <DIR> --d----- c:\program files\Norton 360
2009-08-15 13:02 <DIR> --d----- c:\program files\NortonInstaller
2009-08-14 22:15 <DIR> --d----- c:\docume~1\jasonf~1\applic~1\Malwarebytes
2009-08-14 17:33 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-14 17:19 <DIR> a-dshr-- C:\cmdcons
2009-08-14 17:16 228,864 a------- c:\windows\PEV.exe
2009-08-14 17:16 161,792 a------- c:\windows\SWREG.exe
2009-08-14 17:16 98,816 a------- c:\windows\sed.exe
2009-08-12 08:31 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 08:31 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-11 04:28 0 a------- c:\windows\system32\95.tmp
2009-08-08 12:52 0 a------- c:\windows\system32\111.tmp
2009-08-07 12:56 0 a------- c:\windows\system32\BF.tmp
2009-08-05 04:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 02:02 0 a------- c:\windows\system32\EC.tmp
2009-08-01 14:06 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-01 14:06 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-01 14:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-01 14:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-01 04:13 0 a------- c:\windows\system32\6B.tmp
2009-07-30 06:13 0 a------- c:\windows\system32\AD.tmp

==================== Find3M ====================

2009-08-24 15:16 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 11:12 827,392 -------- c:\windows\system32\wininet.dll
2009-06-29 11:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 11:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 07:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 07:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 01:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-02-14 22:07 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2008-03-19 16:10 21,872 a------- c:\docume~1\jasonf~1\applic~1\GDIPFONTCACHEV1.DAT
2009-03-12 05:51 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009031220090313\index.dat

============= FINISH: 20:07:36.29 ===============

#15 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:43 AM

Posted 27 August 2009 - 08:31 AM

The weird lines are gone from the DDS log.

Does the computer just power off? Or do you get an error first?

You might want to post about that in the Windows XP Forum.

In any case, you are good to go.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type the following into the runbox and click OK. Notice the space between the "x" and "/".
    ComboFix /u
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Reset clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear the System Restore cache and create a new restore point.
Please re-enable any antimalware programs that were disabled during the fix.

Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections. For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda
