
HJT Log Posted


  • This topic is locked
16 replies to this topic

#1 phydeaux99

  • Members
  • 8 posts

Posted 30 August 2009 - 10:16 PM

After recent incident and help from Norton Support (using Norton 360 V3.0) I continue to have repeated problems with programs (IE6, Outlook Express particularly) not responding or running so slow that they are unusable. Have cleared browser cache regularly. Problems began after 13 yr old began messing around on MySpace, adding browser toolbars, changing default search engine, DL wallpapers Etc. Uninstalled what I could but had issue with one pesky adware that required assistance from Norton as it had rendered N360 unusable. I see a program called ZwangiSearch listed and suspect it as a problem but need to know if there are others lurking as well as the proper method of removing them... The last one got worse when I tried to uninstall it. That one was "MyFreeze.com" or "Freeze.com" and appears to be gone... I hope.

Posting below are the HJT log, DDS and RootRepeal texts. Thank you:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:46 AM, on 8/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS.0\system32\CTHELPER.EXE
C:\WINDOWS.0\system32\CTXFIHLP.EXE
C:\WINDOWS.0\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS.0\SM1BG.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Doug.A-BIT-KV7\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\Norton 360\AddOns\Norton AddOn Pack\Engine\3.7.0.19\ccProxy.exe
C:\WINDOWS.0\system32\CTsvcCDA.exe
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\3.5.2.10\ccSvcHst.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\ZwangiSearch\zwangi123.exe
C:\Program Files\ZwangiSearch\zwangi.exe
C:\Program Files\Norton 360\Engine\3.5.2.10\ccSvcHst.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.5.2.10\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.5.2.10\IPSBHO.DLL
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.10\coIEPlg.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS.0\UpdReg.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS.0\SM1BG.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus Photo RX680 Series] C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_FATICJA.EXE /FU "C:\WINDOWS.0\TEMP\E_S506.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Doug.A-BIT-KV7\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Beyond TV.lnk = C:\Program Files\SnapStream Media\Beyond TV\BTVAgent2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187399381328
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199497434198
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.5.2.10\coIEPlg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.0\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS.0\system32\ati2sgag.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Norton 360\AddOns\Norton AddOn Pack\Engine\3.7.0.19\ccProxy.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS.0\system32\CTsvcCDA.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users.WINDOWS.0\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.10\ccSvcHst.exe
O23 - Service: ZwangiSearch Service - Unknown owner - C:\Documents and Settings\All Users.WINDOWS.0\Application Data\ZwangiSearch\zwangi123.exe

--
End of file - 9605 bytes



DDS (Ver_09-07-30.01) - NTFSx86
Run by Doug at 9:33:14.65 on Sun 08/30/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1431 [GMT -4:00]

AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS.0\System32\svchost.exe -k netsvcs
C:\WINDOWS.0\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS.0\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS.0\system32\CTHELPER.EXE
C:\WINDOWS.0\system32\CTXFIHLP.EXE
C:\WINDOWS.0\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS.0\SM1BG.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Doug.A-BIT-KV7\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS.0\system32\ctfmon.exe
svchost.exe
C:\Program Files\Norton 360\AddOns\Norton AddOn Pack\Engine\3.7.0.19\ccProxy.exe
C:\WINDOWS.0\system32\CTsvcCDA.exe
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\3.5.2.10\ccSvcHst.exe
C:\WINDOWS.0\system32\svchost.exe -k imgsvc
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\ZwangiSearch\zwangi123.exe
C:\Program Files\ZwangiSearch\zwangi.exe
C:\Program Files\Norton 360\Engine\3.5.2.10\ccSvcHst.exe
C:\WINDOWS.0\System32\svchost.exe -k HTTPFilter
C:\WINDOWS.0\system32\wuauclt.exe
C:\WINDOWS.0\system32\NOTEPAD.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS.0\system32\wscntfy.exe
C:\Documents and Settings\Doug.A-BIT-KV7\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page =
uSearch Bar =
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Page_URL = hxxp://www.yahoo.com
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.5.2.10\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.5.2.10\IPSBHO.DLL
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.5.2.10\coIEPlg.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [EPSON Stylus Photo RX680 Series] c:\windows.0\system32\spool\drivers\w32x86\3\e_faticja.exe /fu "c:\windows.0\temp\E_S506.tmp" /EF "HKCU"
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [SansaDispatch] c:\documents and settings\doug.a-bit-kv7\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [ctfmon.exe] c:\windows.0\system32\ctfmon.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [EPSON Stylus Photo R300 Series] c:\windows.0\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [UpdReg] c:\windows.0\UpdReg.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [EPSON Stylus Photo R320 Series] c:\windows.0\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
mRun: [SM1BG] c:\windows.0\SM1BG.EXE
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 7\drag to disc\DrgToDsc.exe"
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
StartupFolder: c:\docume~1\alluse~1.0\startm~1\programs\startup\at&tse~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1.0\startm~1\programs\startup\beyond~1.lnk - c:\program files\snapstream media\beyond tv\BTVAgent2.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows.0\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187399381328
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199497434198
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.5.2.10\CoIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows.0\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\doug~1.a-b\applic~1\mozilla\firefox\profiles\jwfpbmoo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.google.mozilla.com/firefox&client=firefox-a&rls=com.google:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=18&tid={85671624-D596-A556-8F97-4B74C4D7717A}&q=
FF - component: c:\documents and settings\all users.windows.0\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users.windows.0\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows.0\system32\drivers\n360\0305020.00a\SymEFA.sys [2009-8-22 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows.0\system32\drivers\n360\0305020.00a\BHDrvx86.sys [2009-8-22 259632]
R1 ccHP;Symantec Hash Provider;c:\windows.0\system32\drivers\n360\0305020.00a\cchpx86.sys [2009-8-22 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users.windows.0\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090810.001\IDSXpx86.sys [2009-8-22 276344]
R2 ccProxy;Symantec Network Proxy;c:\program files\norton 360\addons\norton addon pack\engine\3.7.0.19\ccProxy.exe [2009-8-22 186744]
R2 Esdpdx01;Esdpdx01;c:\windows.0\system32\drivers\ESDPDX01.SYS [2003-1-19 95449]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.5.2.10\ccSvcHst.exe [2009-8-22 117640]
R2 ZwangiSearch Service;ZwangiSearch Service;c:\documents and settings\all users.windows.0\application data\zwangisearch\zwangi123.exe [2009-8-26 54760]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-29 102448]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows.0\system32\drivers\libusb0.sys [2009-3-6 28672]
R3 NAVENG;NAVENG;c:\documents and settings\all users.windows.0\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090829.019\NAVENG.SYS [2009-8-29 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users.windows.0\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090829.019\NAVEX15.SYS [2009-8-29 1323568]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\doug~1.a-b\locals~1\temp\dmskssrh.sys --> c:\docume~1\doug~1.a-b\locals~1\temp\DMSKSSRh.sys [?]
S3 imhidusb;Immersion's HID USB Driver;c:\windows.0\system32\drivers\imhidusb.sys [2007-8-18 30920]
S3 mam4410c;mam4410c;c:\windows.0\system32\drivers\mam4410c.sys [2007-8-29 24784]
S3 mam4410m;mam4410m;c:\windows.0\system32\drivers\mam4410m.sys [2007-8-29 25044]
S3 mam4410u;mam4410u;c:\windows.0\system32\drivers\mam4410u.sys [2007-8-29 52565]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows.0\system32\drivers\silabenm.sys [2009-1-4 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows.0\system32\drivers\silabser.sys [2009-1-4 61440]

=============== Created Last 30 ================

2009-08-30 07:28 <DIR> --d----- c:\program files\Trend Micro
2009-08-22 00:37 <DIR> --d--r-- c:\program files\Norton Support
2009-08-22 00:25 107,368 a----r-- c:\windows.0\system32\GEARAspi.dll
2009-08-22 00:24 36,400 a----r-- c:\windows.0\system32\drivers\SymIM.sys
2009-08-22 00:24 124,976 a------- c:\windows.0\system32\drivers\SYMEVENT.SYS
2009-08-22 00:24 60,808 a------- c:\windows.0\system32\S32EVNT1.DLL
2009-08-22 00:24 7,456 a------- c:\windows.0\system32\drivers\SYMEVENT.CAT
2009-08-22 00:24 806 a------- c:\windows.0\system32\drivers\SYMEVENT.INF
2009-08-22 00:24 <DIR> --d----- c:\program files\Symantec
2009-08-22 00:24 <DIR> --d----- c:\windows.0\system32\drivers\N360
2009-08-22 00:23 <DIR> --d----- c:\program files\Norton 360
2009-08-22 00:23 <DIR> --d----- c:\program files\NortonInstaller
2009-08-21 19:36 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-08-21 19:36 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-08-21 19:36 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-08-21 19:36 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-08-21 19:24 <DIR> --d----- c:\windows.0\system32\wbem\Repository
2009-08-21 17:41 <DIR> --d----- c:\windows.0\system32\XPSViewer
2009-08-21 17:37 <DIR> --d----- c:\windows.0\SxsCaPendDel
2009-08-20 21:42 <DIR> --d----- c:\program files\ZwangiSearch
2009-08-20 21:42 <DIR> --d----- c:\docume~1\alluse~1.0\applic~1\ZwangiSearch
2009-08-20 21:40 <DIR> --d----- c:\docume~1\doug~1.a-b\applic~1\WeatherBug
2009-08-10 15:55 <DIR> -cd-h--- c:\docume~1\alluse~1.0\applic~1\{B686CEE6-EB31-4C09-8037-6D50DC49A8D3}
2009-08-05 10:54 <DIR> --d----- C:\users

==================== Find3M ====================

2009-08-24 12:57 40,982 a------- c:\docume~1\doug~1.a-b\applic~1\wklnhst.dat
2009-08-22 00:24 26,600 a----r-- c:\windows.0\system32\drivers\GEARAspiWDM.sys
2009-04-23 22:54 87,608 a------- c:\docume~1\doug~1.a-b\applic~1\inst.exe
2009-04-23 22:54 47,360 a------- c:\docume~1\doug~1.a-b\applic~1\pcouffin.sys
2008-07-02 15:13 676 a------- c:\docume~1\doug~1.a-b\applic~1\waver_2.95.dat
2003-08-27 14:19 36,963 a----r-- c:\program files\common files\SM1updtr.dll

============= FINISH: 9:33:39.93 ===============



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/30 09:46
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS.0\system32\drivers\rootrepeal.sys
Address: 0xA1AF4000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xBA68A000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\doug.a-bit-kv7\local settings\temp\etilqs_tduccwxf9ffx0hf3e6gh
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\ZINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090829.019\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8a24a860

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8a210c70

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8802a378

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8a510128

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8a464d68

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS.0\system32\Drivers\SYMEVENT.SYS" at address 0xa5333130

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x87fe0e00

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x88085b78

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8a525950

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x8a4e8128

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS.0\system32\Drivers\SYMEVENT.SYS" at address 0xa53333b0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS.0\system32\Drivers\SYMEVENT.SYS" at address 0xa5333910

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x8802a650

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x88029a70

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8a2306c8

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8a161128

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x88250060

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x88029918

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x8a51b128

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS.0\system32\Drivers\SYMEVENT.SYS" at address 0xa53336c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x8802a970

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x87f64658

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x8a242c70

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x8802a7e0

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x88086838

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8a31ba58

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8a19e0c0

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x88029640

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x8a222128

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS.0\system32\Drivers\SYMEVENT.SYS" at address 0xa5333b60

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8a21d128

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8a208128

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x87f74340

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x88007b78

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x87fbab78

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x88029e80

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x8a271388

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x8a2ceb38

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x8a270008

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x8a2cecb0

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x8a30ac28

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x8a2f2208

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x8a2fc2e0

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x8a295678

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x8800d4b0

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x8a628210

==EOF==
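The HijackThis log above is the kind of listing a helper reads by hand, looking first at O23 services with no vendor string and at anything that starts from a profile directory that every user can write to (both true of the ZwangiSearch entries). The following is an added example, not code from the thread or from HijackThis: a small parser for O4 and O23 lines with first-pass triage heuristics. The sample lines are a constructed subset copied from the log above; the heuristics (the "Unknown owner" check, the list of user-writable directory markers, and the bare-file-name check) are this example's own assumptions and produce candidates for review, not verdicts.

```python
"""First-pass triage for HijackThis-style O4/O23 log lines.

Added example, not part of the forum post or of HijackThis. The
heuristics below are assumptions for illustration, not HijackThis rules.
"""
import re
from dataclasses import dataclass, field

# Sample input: a constructed subset of lines copied from the HJT log in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Doug.A-BIT-KV7\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.0\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS.0\system32\ati2sgag.exe
O23 - Service: ZwangiSearch Service - Unknown owner - C:\Documents and Settings\All Users.WINDOWS.0\Application Data\ZwangiSearch\zwangi123.exe
"""

# O4: autostart entries  -> "O4 - <location>: [<name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<location>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23: services          -> "O23 - Service: <name> - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Directory markers that, on XP, put a file somewhere a normal user can write.
# Assumption for this example: substring matching is enough for a first pass.
USER_WRITABLE = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\temp\\",
    "\\temp\\",
)


@dataclass
class Finding:
    kind: str                      # "O4" or "O23"
    name: str                      # autostart value name or service display name
    path: str                      # executable the entry points at
    reasons: list = field(default_factory=list)


def extract_exe(cmd: str) -> str:
    """Return the executable part of an O4 command line, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly with spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)   # unquoted: cut after first .exe
    return m.group(1) if m else cmd.split(" ", 1)[0]


def path_reasons(path: str) -> list:
    """Heuristics on the executable path alone."""
    low = path.lower()
    reasons = []
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable profile directory")
    if "\\" not in path:
        reasons.append("bare file name, resolved through the search path at start-up")
    return reasons


def triage(log_text: str) -> list:
    """Parse O4/O23 lines and return only the entries that trip a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := O4_RE.match(line)):
            exe = extract_exe(m["cmd"])
            f = Finding("O4", m["name"], exe, path_reasons(exe))
        elif (m := O23_RE.match(line)):
            f = Finding("O23", m["name"], m["path"], path_reasons(m["path"]))
            if m["owner"].strip().lower() == "unknown owner":
                f.reasons.append("service has no vendor string")
        else:
            continue                              # other HJT sections are ignored here
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} {f.name}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, the ZwangiSearch service is the only entry that trips two heuristics at once; the legitimate SanDisk updater and the bare RTHDCPL.EXE entry also surface, which is the point of a first pass: it narrows the list, and the reviewer still checks each hit against the vendor and the file on disk.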


#2 phydeaux99
  • Topic Starter

  • Members
  • 8 posts

Posted 07 September 2009 - 10:10 PM

While I suspect that there may be other malicious services running please note that my Windows task manager shows "zwangi.exe" and "zwangi125.exe" running. A Google search of "zwangi" turns up several sites indicating that this is a "trojan" or "cloaked malware" and naturally offering to sell software to remove it... :(

A search of my HD turns up the following folder:
C:\program files\ZwangiSearch\

and files:
C:\program files\ZwangiSearch\zwangi.dll
C:\program files\ZwangiSearch\zwangi.exe
and the following in my Windows prefetch folder...
ZWANGI.EXE-07F1218C.pf
ZWANGI.EXE-1F31E71D.pf
ZWANGI125.EXE-11B1EF78.pf

I continue to encounter problems with Outlook Express which will lock up while receiving mail and require a reboot as well as needing to re-open OE a second time after reboot because it was shut down improperly at reboot.

Additionally, last evening I had to re-install Roxio Media Creator which failed to open for no known reason.

#3 Shannon2012 (Security Colleague, North Carolina, USA)

Posted 15 September 2009 - 09:48 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Shannon

#4 phydeaux99 (Topic Starter)

Posted 16 September 2009 - 09:12 PM

Thank you for your reply. I am attaching a new "attach.txt" file and posting the DDS.txt file below.

Let me update you first. In the interim since my original post I have been running with 2 processes terminated via Windows Task Manager. These are the 2 suspect files "zwangi.exe" and "zwangi125.exe". I can't tell if I have any other issues, but with these 2 disabled I seem to be running much better. Programs such as Outlook Express and IE that would lock up have not had any issues.

Naturally, since I have re-booted, these 2 services are back, and I will leave things as they are for the time being awaiting further instructions.

Again per instructions one file posted and the other attached. And thank you again for your time.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Doug at 21:51:19.96 on Wed 09/16/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1362 [GMT -4:00]

AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS.0\System32\svchost.exe -k netsvcs
C:\WINDOWS.0\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS.0\system32\CTHELPER.EXE
C:\WINDOWS.0\system32\CTXFIHLP.EXE
C:\WINDOWS.0\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS.0\SM1BG.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Doug.A-BIT-KV7\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVAgent2.exe
svchost.exe
C:\Program Files\Norton 360\AddOns\Norton AddOn Pack\Engine\3.7.0.19\ccProxy.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVSettingsService.exe
C:\WINDOWS.0\system32\CTsvcCDA.exe
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS.0\system32\svchost.exe -k imgsvc
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\ZwangiSearch\zwangi125.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVTaskManagerService.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVLibraryService.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVSchedulerService.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVNetworkService.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVRecordingEngine.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVRecordingEngine.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVRecordingEngine.exe
C:\Program Files\ZwangiSearch\zwangi.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\WINDOWS.0\System32\svchost.exe -k HTTPFilter
C:\WINDOWS.0\system32\wscntfy.exe
C:\Documents and Settings\Doug.A-BIT-KV7\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page =
uSearch Bar =
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Page_URL = hxxp://www.yahoo.com
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.5.2.11\IPSBHO.DLL
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [EPSON Stylus Photo RX680 Series] c:\windows.0\system32\spool\drivers\w32x86\3\e_faticja.exe /fu "c:\windows.0\temp\E_S506.tmp" /EF "HKCU"
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [SansaDispatch] c:\documents and settings\doug.a-bit-kv7\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [ctfmon.exe] c:\windows.0\system32\ctfmon.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [EPSON Stylus Photo R300 Series] c:\windows.0\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [UpdReg] c:\windows.0\UpdReg.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [EPSON Stylus Photo R320 Series] c:\windows.0\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
mRun: [SM1BG] c:\windows.0\SM1BG.EXE
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 7\drag to disc\DrgToDsc.exe"
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
StartupFolder: c:\docume~1\alluse~1.0\startm~1\programs\startup\beyond~1.lnk - c:\program files\snapstream media\beyond tv\BTVAgent2.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\patttbc.att
DPF: Microsoft XML Parser for Java - file://c:\windows.0\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187399381328
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199497434198
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.5.2.11\CoIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows.0\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\doug~1.a-b\applic~1\mozilla\firefox\profiles\jwfpbmoo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.google.mozilla.com/firefox&client=firefox-a&rls=com.google:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=18&tid={85671624-D596-A556-8F97-4B74C4D7717A}&q=
FF - component: c:\documents and settings\all users.windows.0\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users.windows.0\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows.0\system32\drivers\n360\0305020.00b\SymEFA.sys [2009-8-31 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows.0\system32\drivers\n360\0305020.00b\BHDrvx86.sys [2009-8-31 259632]
R1 ccHP;Symantec Hash Provider;c:\windows.0\system32\drivers\n360\0305020.00b\cchpx86.sys [2009-8-31 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users.windows.0\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090916.003\IDSXpx86.sys [2009-9-16 329080]
R2 ccProxy;Symantec Network Proxy;c:\program files\norton 360\addons\norton addon pack\engine\3.7.0.19\ccProxy.exe [2009-8-22 186744]
R2 Esdpdx01;Esdpdx01;c:\windows.0\system32\drivers\ESDPDX01.SYS [2003-1-19 95449]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.5.2.11\ccSvcHst.exe [2009-8-31 117640]
R2 ZwangiSearch Service;ZwangiSearch Service;c:\documents and settings\all users.windows.0\application data\zwangisearch\zwangi125.exe [2009-9-3 54760]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-29 102448]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows.0\system32\drivers\libusb0.sys [2009-3-6 28672]
R3 NAVENG;NAVENG;c:\documents and settings\all users.windows.0\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090916.003\NAVENG.SYS [2009-9-16 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users.windows.0\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090916.003\NAVEX15.SYS [2009-9-16 1323568]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\doug~1.a-b\locals~1\temp\dmskssrh.sys --> c:\docume~1\doug~1.a-b\locals~1\temp\DMSKSSRh.sys [?]
S3 imhidusb;Immersion's HID USB Driver;c:\windows.0\system32\drivers\imhidusb.sys [2007-8-18 30920]
S3 mam4410c;mam4410c;c:\windows.0\system32\drivers\mam4410c.sys [2007-8-29 24784]
S3 mam4410m;mam4410m;c:\windows.0\system32\drivers\mam4410m.sys [2007-8-29 25044]
S3 mam4410u;mam4410u;c:\windows.0\system32\drivers\mam4410u.sys [2007-8-29 52565]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows.0\system32\drivers\silabenm.sys [2009-1-4 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows.0\system32\drivers\silabser.sys [2009-1-4 61440]

=============== Created Last 30 ================

2009-09-03 15:54 <DIR> --d----- c:\program files\ATT-SST
2009-08-30 07:28 <DIR> --d----- c:\program files\Trend Micro
2009-08-22 00:37 <DIR> --d--r-- c:\program files\Norton Support
2009-08-22 00:25 107,368 a----r-- c:\windows.0\system32\GEARAspi.dll
2009-08-22 00:24 36,400 a----r-- c:\windows.0\system32\drivers\SymIM.sys
2009-08-22 00:24 124,976 a------- c:\windows.0\system32\drivers\SYMEVENT.SYS
2009-08-22 00:24 60,808 a------- c:\windows.0\system32\S32EVNT1.DLL
2009-08-22 00:24 7,456 a------- c:\windows.0\system32\drivers\SYMEVENT.CAT
2009-08-22 00:24 806 a------- c:\windows.0\system32\drivers\SYMEVENT.INF
2009-08-22 00:24 <DIR> --d----- c:\program files\Symantec
2009-08-22 00:24 <DIR> --d----- c:\windows.0\system32\drivers\N360
2009-08-22 00:23 <DIR> --d----- c:\program files\Norton 360
2009-08-22 00:23 <DIR> --d----- c:\program files\NortonInstaller
2009-08-21 19:36 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-08-21 19:36 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-08-21 19:36 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-08-21 19:36 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-08-21 19:24 <DIR> --d----- c:\windows.0\system32\wbem\Repository
2009-08-21 17:41 <DIR> --d----- c:\windows.0\system32\XPSViewer
2009-08-21 17:37 <DIR> --d----- c:\windows.0\SxsCaPendDel
2009-08-20 21:42 <DIR> --d----- c:\program files\ZwangiSearch
2009-08-20 21:42 <DIR> --d----- c:\docume~1\alluse~1.0\applic~1\ZwangiSearch
2009-08-20 21:40 <DIR> --d----- c:\docume~1\doug~1.a-b\applic~1\WeatherBug

==================== Find3M ====================

2009-09-15 21:42 41,110 a------- c:\docume~1\doug~1.a-b\applic~1\wklnhst.dat
2009-08-22 00:24 26,600 a----r-- c:\windows.0\system32\drivers\GEARAspiWDM.sys
2009-04-23 22:54 87,608 a------- c:\docume~1\doug~1.a-b\applic~1\inst.exe
2009-04-23 22:54 47,360 a------- c:\docume~1\doug~1.a-b\applic~1\pcouffin.sys
2008-07-02 15:13 676 a------- c:\docume~1\doug~1.a-b\applic~1\waver_2.95.dat
2003-08-27 14:19 36,963 a----r-- c:\program files\common files\SM1updtr.dll

============= FINISH: 21:52:00.76 ===============
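The SERVICES / DRIVERS and Run sections of the DDS log above are where a reviewer looks first. As an added example (not part of the thread and not DDS's own code), the script below applies a few path-based triage rules to lines copied from that log: binaries launched from user-writable locations, bare file names that Windows resolves through the search path, and drivers whose file DDS could not find. The rules and the list of user-writable path fragments are this example's own assumptions.

```python
"""Triage the autorun and service/driver lines of a DDS log.

Added example: not part of the original thread and not DDS's own code. It
reads the uRun/mRun/dRunOnce lines and the R0..S3 service lines DDS
prints, extracts the binary each one launches, and reports entries that
deserve a second look. The rules are this example's own heuristics; a hit
means "check the file's publisher and signature", not "malicious". The
sample lines are copied from the posted log.
"""
import re

SAMPLE = r"""
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users.windows.0\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090916.003\IDSXpx86.sys [2009-9-16 329080]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.5.2.11\ccSvcHst.exe [2009-8-31 117640]
R2 ZwangiSearch Service;ZwangiSearch Service;c:\documents and settings\all users.windows.0\application data\zwangisearch\zwangi125.exe [2009-9-3 54760]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\doug~1.a-b\locals~1\temp\dmskssrh.sys --> c:\docume~1\doug~1.a-b\locals~1\temp\DMSKSSRh.sys [?]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows.0\system32\drivers\silabser.sys [2009-1-4 61440]
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SansaDispatch] c:\documents and settings\doug.a-bit-kv7\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SM1BG] c:\windows.0\SM1BG.EXE
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
"""

SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
RUN_RE = re.compile(r"^(?P<hive>[umd])Run(?:Once)?:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")
BINARY_RE = re.compile(r"(.+?\.(?:exe|sys|dll|scr|com))(?:\s|$)", re.I)

# Path fragments an ordinary user can write to (8.3 spellings included).
# Example's own list; extend it for the profile layout of the machine.
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\application data\\",
                 "\\applic~1\\", "\\temp\\", "\\desktop\\")

def binary_of(command):
    """The program a Run command launches: the quoted path, or the text up
    to the first executable extension (DDS shows many unquoted paths with spaces)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = BINARY_RE.match(command)
    return m.group(1) if m else command.split()[0]

def service_binary(rest):
    """Path from an R/S line. DDS appends '[date size]', or '[?]' when the
    file is missing, and writes 'a --> b' when it resolved the registry path."""
    missing = rest.rstrip().endswith("[?]")
    path = re.sub(r"\s*\[[^\]]*\]\s*$", "", rest)
    if "-->" in path:
        path = path.split("-->")[-1].strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path, missing

def reasons_for(path, missing=False):
    p = path.lower()
    reasons = []
    if missing:
        reasons.append("file not found at scan time")
    if "\\" not in p:
        reasons.append("bare file name, resolved via search path")
    elif any(marker in p for marker in USER_WRITABLE):
        reasons.append("binary in user-writable location")
    return reasons

def triage(text):
    """One record per recognised line: kind, name, path, reasons (may be empty)."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            path, missing = service_binary(m.group("rest"))
            entries.append({"kind": "service " + m.group("state"), "name": m.group("name"),
                            "path": path, "reasons": reasons_for(path, missing)})
            continue
        m = RUN_RE.match(line)
        if m:
            path = binary_of(m.group("cmd"))
            entries.append({"kind": m.group("hive") + "Run", "name": m.group("name"),
                            "path": path, "reasons": reasons_for(path)})
    return entries

def flagged(entries):
    return [e for e in entries if e["reasons"]]

if __name__ == "__main__":
    for e in flagged(triage(SAMPLE)):
        print(f"{e['kind']:<11} {e['name']:<22} {e['path']}\n    -> {'; '.join(e['reasons'])}")
```

Two results show the limits of a path rule. Norton's own IDSxpx86 definition driver trips it because Symantec keeps definitions under All Users\Application Data, so a hit is a prompt to check the publisher, not a verdict. Conversely WeatherBug's Weather.exe lives in Program Files and passes, which is why the helper later removes it by name rather than by location. The entries worth immediate attention here are the ZwangiSearch service running from Application Data and the DMSKSSRh driver registered from a Temp folder whose file no longer exists.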


#5 Farbar (Security Developer, The Netherlands)

Posted 18 September 2009 - 03:36 AM

Hi phydeaux99,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Please go to Add/Remove Programs on the Control Panel and uninstall:

    Zwangi 1.0

    Also delete the following folders:

    C:\Documents and Settings\All Users.WINDOWS.0\Application Data\ZwangiSearch
    C:\Program Files\ZwangiSearch

  • Open Notepad (Start > Run and type in Notepad) and make sure Word Wrap under the Format menu is not selected.
    Copy and paste the text in the code box into it.

    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
    "ShellNext"=-
    
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
    "ShellNext"="http://windowsupdate.microsoft.com/"
    "Completed"=hex:01,00,00,00
    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop and double-click on it and confirm.
    • A window pops up asking if you are sure to add the file to the registry. Click Yes.
    • You get another window popup saying that regfix.reg successfully added to the registry.
    Note: You have to turn off any registry protector software you have in order for the changes to take effect.

  • I see also WeatherBug is/was installed on the computer. There is no entry on the program list and it might already be uninstalled.
    Go to Start => All Programs and see if there is an entry related to AWS or WeatherBug and whether there is an uninstaller there. If not, see if there is an uninstaller in the following folder:

    C:\Program Files\AWS\WeatherBug

    If you find the uninstaller, uninstall the program. If no uninstaller is found, delete the folder.

  • Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  • Please run Hijackthis. Click Do a system scan and save a logfile then copy and paste the content of the log to your reply.
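What the regfix.reg in the post above does when it is double-clicked, as an added example (not part of the original post, and not Windows code): a small parser for the Registry Editor 5.00 format replayed against an in-memory model of the key. The starting value "iexplore" mirrors the ShellNext line in the DDS log; the first section's "ShellNext"=- removes the value whatever type it currently has, the second re-creates it as REG_SZ and writes Completed as a 4-byte REG_BINARY. Support for dword: values and [-Key] deletions goes beyond the fragment in the post.

```python
"""Apply a Registry Editor 5.00 (.reg) fragment to an in-memory model.

Added example: not part of the original post and not a Windows API. It
parses the regfix.reg from the post and replays it, so the delete-then-set
sequence and the resulting value types are visible without touching a
real registry. The starting state mirrors the DDS line ShellNext = iexplore.
"""
import re

REGFIX = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
"ShellNext"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
"ShellNext"="http://windowsupdate.microsoft.com/"
"Completed"=hex:01,00,00,00
'''

ICW_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard"
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|@)=(?P<data>.*)$')

def decode_data(data):
    """Map the textual data of a value line to (registry type, Python value)."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return ("REG_SZ", data[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[len("dword:"):], 16))
    if data.startswith("hex:"):
        return ("REG_BINARY", bytes(int(b, 16) for b in data[4:].split(",") if b))
    raise ValueError(f"unsupported value data: {data!r}")

def parse_reg(text):
    """Return the operations in file order as (op, key, name, typed) tuples."""
    if not text.lstrip().startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a REGEDIT5 file")
    ops, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):          # [-Key] deletes the whole key
                ops.append(("delete_key", key[1:], None, None))
                key = None
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError(f"unparsable line: {raw!r}")
        name, data = m.group("name") or "", m.group("data")   # @ is the default value
        if data == "-":                      # "Name"=- deletes the value
            ops.append(("delete_value", key, name, None))
        else:
            ops.append(("set", key, name, decode_data(data)))
    return ops

def apply_ops(registry, ops):
    """Replay ops, in order, on a {key: {value_name: (type, data)}} model."""
    for op, key, name, typed in ops:
        if op == "delete_key":
            registry.pop(key, None)
        elif op == "delete_value":
            registry.get(key, {}).pop(name, None)
        else:
            registry.setdefault(key, {})[name] = typed
    return registry

def initial_state():
    """Pre-fix state as the DDS log showed it (ShellNext = iexplore)."""
    return {ICW_KEY: {"ShellNext": ("REG_SZ", "iexplore")}}

if __name__ == "__main__":
    after = apply_ops(initial_state(), parse_reg(REGFIX))
    for name, (kind, data) in after[ICW_KEY].items():
        print(f"{name} = {kind} {data!r}")
```

The point of the explicit delete before the set is that "Name"=- works regardless of the value's current type, so the rewrite lands as REG_SZ even if something had stored ShellNext with another type; a plain assignment would only overwrite the data.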


#6 phydeaux99 (Topic Starter)

Posted 19 September 2009 - 10:50 AM

Good morning farbar,

Thank you for helping with these issues. I have followed the instructions; however, I did not find the AWS or WeatherBug stuff you referenced. I do recall removing WeatherBug via "add/remove programs" a couple of weeks prior to posting for the current problems. I also know who in the family was responsible for that one....currently not allowed to use the computer :(

Here are 2 log files, the malwarebytes log and the HJT log:

Malwarebytes' Anti-Malware 1.41
Database version: 2824
Windows 5.1.2600 Service Pack 2

9/19/2009 11:21:13 AM
mbam-log-2009-09-19 (11-21-13).txt

Scan type: Quick Scan
Objects scanned: 159484
Time elapsed: 6 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\SelectRebates (Adware.SelectRebates) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\SelectRebates\SelectRebatesDownload.exe (Adware.SelectRebates) -> Quarantined and deleted successfully.
C:\WINDOWS.0\msagent\chars\reaper.acs (Backdoor.PcClient) -> Quarantined and deleted successfully.


Now HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:01 AM, on 9/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\Norton 360\AddOns\Norton AddOn Pack\Engine\3.7.0.19\ccProxy.exe
C:\WINDOWS.0\system32\CTsvcCDA.exe
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS.0\system32\CTHELPER.EXE
C:\WINDOWS.0\system32\CTXFIHLP.EXE
C:\WINDOWS.0\SM1BG.EXE
C:\WINDOWS.0\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Doug.A-BIT-KV7\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVAgent2.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVSettingsService.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVTaskManagerService.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVLibraryService.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVSchedulerService.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVNetworkService.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVRecordingEngine.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVRecordingEngine.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVRecordingEngine.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\SnapStream Media\Beyond TV\BTVRecordingEngine.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.5.2.11\IPSBHO.DLL
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS.0\UpdReg.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS.0\SM1BG.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus Photo RX680 Series] C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_FATICJA.EXE /FU "C:\WINDOWS.0\TEMP\E_S506.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Doug.A-BIT-KV7\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Global Startup: Beyond TV.lnk = C:\Program Files\SnapStream Media\Beyond TV\BTVAgent2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187399381328
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199497434198
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.0\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS.0\system32\ati2sgag.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Norton 360\AddOns\Norton AddOn Pack\Engine\3.7.0.19\ccProxy.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS.0\system32\CTsvcCDA.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users.WINDOWS.0\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe

--
End of file - 10023 bytes


Thank you again

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:13 AM

Posted 19 September 2009 - 01:29 PM

I also know who in the family was responsible for that one....currently not allowed to use the computer


Good thinking.

Since MBAM caught one backdoor I would like to do a thorough check-up.
  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

Edited by farbar, 19 September 2009 - 01:32 PM.


#8 phydeaux99

phydeaux99
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:13 PM

Posted 20 September 2009 - 05:29 PM

Farbar....Since yesterday was apparently National Talk Like A Pirate Day....."Ear's thee log yars askin' fer"

ComboFix 09-09-18.02 - Doug 09/20/2009 18:12.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1293 [GMT -4:00]
Running from: c:\documents and settings\Doug.A-BIT-KV7\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Doug.A-BIT-KV7\Application Data\inst.exe
c:\recycler\S-1-5-21-854245398-583907252-725345543-1003
c:\recycler\S-1-5-21-854245398-583907252-725345543-500
c:\windows.0\Alcmtr.exe
c:\windows.0\jestertb.dll

.
((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))
.

2009-09-19 15:13 . 2009-09-10 18:54 38224 ----a-w- c:\windows.0\system32\drivers\mbamswissarmy.sys
2009-09-19 15:12 . 2009-09-19 15:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 15:12 . 2009-09-10 18:53 19160 ----a-w- c:\windows.0\system32\drivers\mbam.sys
2009-09-03 19:54 . 2009-09-03 19:56 -------- d-----w- c:\program files\ATT-SST
2009-08-30 11:28 . 2009-08-30 11:28 -------- d-----w- c:\program files\Trend Micro
2009-08-30 03:19 . 2009-08-30 03:19 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Mozilla
2009-08-22 04:37 . 2009-08-22 04:37 -------- d-----r- c:\program files\Norton Support
2009-08-22 04:25 . 2009-08-22 04:24 107368 ----a-r- c:\windows.0\system32\GEARAspi.dll
2009-08-22 04:24 . 2009-08-22 04:24 36400 ----a-r- c:\windows.0\system32\drivers\SymIM.sys
2009-08-22 04:24 . 2009-08-22 04:24 60808 ----a-w- c:\windows.0\system32\S32EVNT1.DLL
2009-08-22 04:24 . 2009-08-22 04:24 124976 ----a-w- c:\windows.0\system32\drivers\SYMEVENT.SYS
2009-08-22 04:24 . 2009-08-22 04:24 -------- d-----w- c:\program files\Symantec
2009-08-22 04:24 . 2009-09-02 20:17 -------- d-----w- c:\windows.0\system32\drivers\N360
2009-08-22 04:23 . 2009-08-22 04:58 -------- d-----w- c:\program files\Norton 360
2009-08-22 04:23 . 2009-08-22 04:23 -------- d-----w- c:\program files\Windows Sidebar
2009-08-22 04:23 . 2009-08-22 04:23 -------- d-----w- c:\program files\NortonInstaller
2009-08-22 03:10 . 2009-08-22 03:10 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\ICS
2009-08-22 03:10 . 2009-08-22 03:10 -------- d-----w- c:\documents and settings\Doug.A-BIT-KV7\Local Settings\Application Data\ICS
2009-08-22 00:27 . 2009-08-22 00:27 -------- d-----w- c:\documents and settings\Doug.A-BIT-KV7\Local Settings\Application Data\Symantec
2009-08-21 23:36 . 2009-08-21 23:36 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-08-21 23:36 . 2009-08-21 23:36 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-08-21 23:36 . 2009-08-21 23:36 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-08-21 23:36 . 2009-08-21 23:36 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-08-21 23:24 . 2009-08-21 23:24 -------- d-----w- c:\windows.0\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 21:48 . 2007-08-22 15:31 41110 ----a-w- c:\documents and settings\Doug.A-BIT-KV7\Application Data\wklnhst.dat
2009-09-15 02:56 . 2007-09-14 13:10 -------- d-----w- c:\documents and settings\Doug.A-BIT-KV7\Application Data\Audacity
2009-09-06 11:13 . 2008-04-26 06:21 -------- d-----w- c:\program files\Common Files\Motive
2009-09-06 11:05 . 2005-01-09 03:34 -------- d-----w- c:\program files\Common Files\Real
2009-09-04 20:02 . 2008-04-26 06:39 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Motive
2009-09-03 19:57 . 2008-04-26 06:43 -------- d-----w- c:\documents and settings\Doug.A-BIT-KV7\Application Data\Motive
2009-09-03 19:55 . 2008-04-26 06:39 -------- d-----w- c:\program files\SBC Self Support Tool
2009-09-03 19:55 . 2005-07-26 22:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-03 19:55 . 2007-08-18 00:30 -------- d-----w- c:\program files\Realtek
2009-09-03 19:55 . 2006-05-27 04:39 -------- d-----w- c:\program files\OfficeUpdate11
2009-09-03 19:55 . 2006-01-10 09:29 -------- d-----w- c:\program files\RegCleaner
2009-09-03 19:55 . 2005-01-09 03:34 -------- d-----w- c:\program files\Real
2009-09-03 19:55 . 2007-07-05 02:20 -------- d-----w- c:\program files\Mobile Action
2009-09-03 19:55 . 2006-01-18 06:02 -------- d-----w- c:\program files\Google
2009-09-03 19:55 . 2004-04-20 04:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-03 19:55 . 2005-12-28 04:46 -------- d-----w- c:\program files\Driver Cleaner Pro
2009-09-03 19:55 . 2007-02-05 18:12 -------- d-----w- c:\program files\3DGroove
2009-08-22 04:58 . 2009-05-03 23:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\NortonInstaller
2009-08-22 04:47 . 2004-04-22 02:32 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-22 04:24 . 2009-08-22 04:24 806 ----a-w- c:\windows.0\system32\drivers\SYMEVENT.INF
2009-08-22 04:24 . 2009-08-22 04:24 7456 ----a-w- c:\windows.0\system32\drivers\SYMEVENT.CAT
2009-08-22 04:24 . 2008-01-29 16:01 26600 ----a-r- c:\windows.0\system32\drivers\GEARAspiWDM.sys
2009-08-22 04:23 . 2009-05-03 23:41 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Norton
2009-08-22 04:04 . 2006-02-17 06:33 -------- d-----w- c:\program files\SpywareBlaster
2009-08-22 04:01 . 2008-04-29 23:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Spybot - Search & Destroy
2009-08-21 22:01 . 2007-08-18 01:08 125784 ----a-w- c:\documents and settings\Doug.A-BIT-KV7\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-21 21:41 . 2009-08-21 21:41 -------- d-----w- c:\program files\MSBuild
2009-08-21 01:41 . 2009-08-21 01:40 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Yahoo! Companion
2009-08-21 01:40 . 2009-08-21 01:40 -------- d-----w- c:\documents and settings\Doug.A-BIT-KV7\Application Data\WeatherBug
2009-08-21 01:40 . 2007-01-30 02:26 -------- d-----w- c:\program files\Yahoo!
2009-08-18 23:36 . 2009-05-03 23:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-08-12 20:01 . 2004-12-10 19:15 -------- d-----w- c:\program files\EPSON Print CD
2009-08-10 19:55 . 2009-08-10 19:55 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{B686CEE6-EB31-4C09-8037-6D50DC49A8D3}
2009-08-10 19:55 . 2009-01-04 23:00 -------- d-----w- c:\program files\SE322
2009-07-27 01:58 . 2007-08-25 04:59 -------- d-----w- c:\documents and settings\Doug.A-BIT-KV7\Application Data\Publish Providers
2009-07-27 01:35 . 2008-06-15 00:20 -------- d-----w- c:\program files\CCleaner
2009-07-27 01:35 . 2009-07-27 01:35 -------- d-----w- c:\documents and settings\Doug.A-BIT-KV7\Application Data\Yahoo!
2003-08-27 18:19 . 2004-04-21 20:13 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2009-04-01 02:47 . 2008-04-01 01:12 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

------- Sigcheck -------

[-] 2007-08-17 . 9EE87A04C5F7F64472A514DB91FBD83B . 1580544 . . [5.1.2600.2180] . . c:\windows.0\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SansaDispatch"="c:\documents and settings\Doug.A-BIT-KV7\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-03-29 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"EPSON Stylus Photo R300 Series"="c:\windows.0\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UpdReg"="c:\windows.0\UpdReg.EXE" [2000-05-11 90112]
"EPSON Stylus Photo R320 Series"="c:\windows.0\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" [2004-04-26 98304]
"SM1BG"="c:\windows.0\SM1BG.EXE" [2003-08-27 94208]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-11-17 1691648]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows.0\RTHDCPL.exe [2007-04-10 16126464]
"CTHelper"="CTHELPER.EXE" - c:\windows.0\system32\CtHelper.exe [2006-12-12 19456]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows.0\system32\CTXFIHLP.EXE [2006-05-24 18944]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" - c:\windows.0\MIDIDEF.EXE [2006-05-24 25600]

c:\documents and settings\All Users.WINDOWS.0\Start Menu\Programs\Startup\
Beyond TV.lnk - c:\program files\SnapStream Media\Beyond TV\BTVAgent2.exe [2007-4-2 258048]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\I:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS.0\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVRegistrationService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVLibraryService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVNetworkService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVRecordingEngine.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVGuideDataLoader.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVSettingsService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVTaskManagerService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVD3DShell.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\SetupWizard.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows.0\system32\drivers\N360\0305020.00B\SymEFA.sys [8/31/2009 6:53 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows.0\system32\drivers\N360\0305020.00B\BHDrvx86.sys [8/31/2009 6:53 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows.0\system32\drivers\N360\0305020.00B\cchpx86.sys [8/31/2009 6:53 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users.WINDOWS.0\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090916.003\IDSXpx86.sys [9/16/2009 6:14 PM 329080]
R2 Esdpdx01;Esdpdx01;c:\windows.0\system32\drivers\ESDPDX01.SYS [1/19/2003 1:00 AM 95449]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe [8/31/2009 6:52 PM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/29/2009 7:32 PM 102448]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows.0\system32\drivers\libusb0.sys [3/6/2009 12:38 PM 28672]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\DOUG~1.A-B\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\DOUG~1.A-B\LOCALS~1\Temp\DMSKSSRh.sys [?]
S3 imhidusb;Immersion's HID USB Driver;c:\windows.0\system32\drivers\imhidusb.sys [8/18/2007 3:43 AM 30920]
S3 mam4410c;mam4410c;c:\windows.0\system32\drivers\mam4410c.sys [8/29/2007 11:44 PM 24784]
S3 mam4410m;mam4410m;c:\windows.0\system32\drivers\mam4410m.sys [8/29/2007 11:43 PM 25044]
S3 mam4410u;mam4410u;c:\windows.0\system32\drivers\mam4410u.sys [8/29/2007 11:43 PM 52565]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows.0\system32\drivers\silabenm.sys [1/4/2009 4:51 PM 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows.0\system32\drivers\silabser.sys [1/4/2009 4:51 PM 61440]
.
Contents of the 'Scheduled Tasks' folder

2009-09-19 c:\windows.0\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-03-04 11:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\patttbc.att
DPF: Microsoft XML Parser for Java - file://c:\windows.0\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Doug.A-BIT-KV7\Application Data\Mozilla\Firefox\Profiles\jwfpbmoo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.google.mozilla.com/firefox&client=firefox-a&rls=com.google:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=18&tid={85671624-D596-A556-8F97-4B74C4D7717A}&q=
FF - component: c:\documents and settings\All Users.WINDOWS.0\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users.WINDOWS.0\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
HKCU-Run-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe
AddRemove-SBC Self Support Tool - c:\docume~1\DOUG~1.A-B\LOCALS~1\Temp\SST\CustomUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-20 18:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Doug.A-BIT-KV7\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?aterInstall&platform=&is-debug=&rom-version=&part-number=&product-name=&content-class=common_conte

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.5.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1064)
c:\windows.0\system32\Ati2evxx.dll
.
Completion time: 2009-09-20 18:19
ComboFix-quarantined-files.txt 2009-09-20 22:19
ComboFix2.txt 2007-06-02 03:31

Pre-Run: 15,891,222,528 bytes free
Post-Run: 15,978,524,672 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0="Microsoft Windows XP Professional" /pae /fastdetect /usepmtimer /NoExecute=OptOut
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect=OptIn /usepmtimer

238 --- E O F --- 2009-08-21 21:54

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:13 AM

Posted 20 September 2009 - 06:13 PM

Farbar....Since yesterday was apparently National Talk Like A Pirate Day....."Ear's thee log yars askin' fer"

:(

Click on this link--> virustotal

Click the browse button. Copy and paste the line in bold in the open box, then click Send File.

c:\windows.0\system32\sfcfiles.dll

If the file has been analysed before, click the Reanalyse File Now button.
Please copy and paste the results of the scan in your next post.

#10 phydeaux99

phydeaux99
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:13 PM

Posted 20 September 2009 - 09:39 PM

Like this?


File sfcfiles.dll received on 2009.09.21 02:32:05 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.21 -
AhnLab-V3 5.0.0.2 2009.09.19 -
AntiVir 7.9.1.19 2009.09.18 -
Antiy-AVL 2.0.3.7 2009.09.18 -
Authentium 5.1.2.4 2009.09.20 -
Avast 4.8.1351.0 2009.09.20 -
AVG 8.5.0.412 2009.09.20 -
BitDefender 7.2 2009.09.21 -
CAT-QuickHeal 10.00 2009.09.19 -
ClamAV 0.94.1 2009.09.21 -
Comodo 2386 2009.09.21 -
DrWeb 5.0.0.12182 2009.09.21 -
eSafe 7.0.17.0 2009.09.17 -
eTrust-Vet 31.6.6746 2009.09.18 -
F-Prot 4.5.1.85 2009.09.20 -
F-Secure 8.0.14470.0 2009.09.21 -
Fortinet 3.120.0.0 2009.09.19 -
GData 19 2009.09.21 -
Ikarus T3.1.1.72.0 2009.09.21 -
Jiangmin 11.0.800 2009.09.20 -
K7AntiVirus 7.10.849 2009.09.19 -
Kaspersky 7.0.0.125 2009.09.21 -
McAfee 5747 2009.09.20 -
McAfee+Artemis 5747 2009.09.20 -
McAfee-GW-Edition 6.8.5 2009.09.20 -
Microsoft 1.5005 2009.09.21 -
NOD32 4441 2009.09.19 -
Norman 6.01.09 2009.09.18 -
nProtect 2009.1.8.0 2009.09.20 -
Panda 10.0.2.2 2009.09.20 -
PCTools 4.4.2.0 2009.09.20 -
Prevx 3.0 2009.09.21 -
Rising 21.47.62.00 2009.09.20 -
Sophos 4.45.0 2009.09.21 -
Sunbelt 3.2.1858.2 2009.09.20 -
Symantec 1.4.4.12 2009.09.21 -
TheHacker 6.5.0.2.012 2009.09.18 -
TrendMicro 8.950.0.1094 2009.09.20 -
VBA32 3.12.10.10 2009.09.20 -
ViRobot 2009.9.21.1944 2009.09.21 -
VirusBuster 4.6.5.0 2009.09.20 -
Additional information
File size: 1580544 bytes
MD5...: 9ee87a04c5f7f64472a514db91fbd83b
SHA1..: 6b7fb968dab465ff3e051cb2872ea8f22b2b93e2
SHA256: 23a29326f4396667c086acb50a3dd03a7d919c1eaa4bf8c43bed4218feaa2006
ssdeep: 3072:nb9Go/7HtFUipn9tVtjRsSLKKWPY+/eReYw4a75pGgdR0TmVG3cxmFD9VRMNujWw:n1/7NFU8t9m575wgggG3emFrRMNu
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x120d
timedatestamp.....: 0x41107c20 (Wed Aug 04 06:03:12 2004)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xcbf 0xe00 5.88 26f3f85ddf7d183e3679894901dc54b3
.data 0x2000 0x1765b8 0x176600 3.27 a62f39db0cb3df62f777c535a73029ab
.rsrc 0x179000 0x418 0x600 2.54 3602e2d32d16564d93b70db769379042
.reloc 0x17a000 0x9e56 0xa000 5.76 d5f4de8f8bae56e26c617081b34c746a

( 1 imports )
> ntdll.dll: LdrDisableThreadCalloutsForDll, NtClose, NtQueryValueKey, NtOpenKey, RtlInitUnicodeString, RtlGetVersion, NtTerminateProcess, RtlUnhandledExceptionFilter, RtlUnwind, NtQueryVirtualMemory

( 1 exports )
SfcGetFiles
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows 2000 System File Checker
original name: sfcfiles.dll
internal name: sfcfiles.dll
file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:13 AM

Posted 21 September 2009 - 02:59 AM

Though the file is not flagged, it is better to replace it, as it does not look legit. Do you have a Windows installation CD?

#12 phydeaux99

phydeaux99
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:13 PM

Posted 24 September 2009 - 03:35 PM

I have my OEM XP-sp1 disc.

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:13 AM

Posted 24 September 2009 - 04:42 PM

Since you have Windows XP SP1, replacing the file would replace a Service Pack 2 file with an older version. A better option is to update Windows to SP3. Service Pack 3 is much safer than SP2, and sooner or later you have to update Windows. What do you think?
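
The checks behind posts #9, #11 and #13, as an added example (not code from ComboFix, VirusTotal or the forum): it parses the ComboFix Sigcheck line and the VirusTotal fields pasted in this thread, reports the detection count without treating it as proof of a clean file, and checks whether install media at a given service pack level can restore the file without downgrading it. The sample inputs are copied from the logs above; the XP build-to-service-pack mapping (5.1.2600.1106 = SP1, .2180 = SP2, .5512 = SP3) is general Windows knowledge, not taken from the thread.

```python
"""Added triage helper for the sfcfiles.dll finding in this thread; not code
from ComboFix, VirusTotal or the forum. It parses the ComboFix 'Sigcheck'
line and the VirusTotal fields quoted above and applies the reasoning of
posts #9, #11 and #13: zero detections do not clear a file, a Microsoft
system file that fails signature checks gets replaced, and the replacement
media must not be an older service pack. Inputs are copied from the logs."""
import re

# Constructed sample inputs, copied from the values quoted in the thread.
COMBOFIX_SIGCHECK = (
    r"[-] 2007-08-17 . 9EE87A04C5F7F64472A514DB91FBD83B . 1580544 . . "
    r"[5.1.2600.2180] . . c:\windows.0\system32\sfcfiles.dll"
)
VT_ENGINE_TABLE = """\
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.21 -
Microsoft 1.5005 2009.09.21 -
Symantec 1.4.4.12 2009.09.21 -
"""  # excerpt of the 41-engine table; every result in the thread was '-'
VT_DETAILS = (
    "MD5...: 9ee87a04c5f7f64472a514db91fbd83b<br>"
    "sigcheck:<br>publisher....: Microsoft Corporation<br>"
    "file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)<br>"
    "verified.....: Unsigned<br>"
)

# ComboFix Sigcheck layout: [flag] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[-+])\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[\d.]+)\]\s+\.\s+\.\s+(?P<path>\S.*)$"
)

def parse_sigcheck_line(line):
    """Split one ComboFix Sigcheck line into its fields."""
    m = SIGCHECK_RE.match(line.strip())
    if not m:
        raise ValueError("not a ComboFix Sigcheck line: %r" % line)
    d = m.groupdict()
    d["size"] = int(d["size"])
    d["md5"] = d["md5"].lower()
    return d

def parse_vt_fields(block):
    """Collect 'key....: value' pairs from a <br>-separated VirusTotal block."""
    fields = {}
    for raw in block.replace("<br>", "\n").splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z0-9 ]*?)\.*\s*:\s*(.*)$", raw.strip())
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields

def count_detections(engine_table):
    """Return (flagged, total) over engine rows; a '-' result means not flagged."""
    flagged = total = 0
    for raw in engine_table.splitlines():
        parts = raw.split()
        if len(parts) < 4 or not re.search(r"\d{4}\.\d{2}\.\d{2}", raw):
            continue  # header or blank line
        total += 1
        if parts[-1] != "-":
            flagged += 1
    return flagged, total

def xp_build(version):
    """Build number N of a Windows XP 5.1.2600.N version (1106=SP1, 2180=SP2,
    5512=SP3), or None for anything that is not an XP version string."""
    parts = version.split(".")
    if len(parts) != 4 or parts[:3] != ["5", "1", "2600"] or not parts[3].isdigit():
        return None
    return int(parts[3])

def replacement_source_ok(file_version, media_version):
    """True when the install media is at or above the file's service pack,
    so restoring from it does not downgrade the file (post #13's concern)."""
    f, m = xp_build(file_version), xp_build(media_version)
    return f is not None and m is not None and m >= f

def assess(sigcheck_line, vt_details, engine_table):
    """Return ('replace' or 'keep', reasons). The detection count is reported
    but never used as evidence that the file is clean."""
    sig = parse_sigcheck_line(sigcheck_line)
    vt = parse_vt_fields(vt_details)
    flagged, total = count_detections(engine_table)
    reasons = []
    if sig["flag"] == "-":
        reasons.append("ComboFix Sigcheck marked %s with [-]" % sig["path"])
    if "microsoft" in vt.get("publisher", "").lower() and vt.get("verified", "").lower() != "signed":
        reasons.append("publisher says Microsoft but signature is %s" % vt.get("verified", "unknown"))
    if vt.get("md5") and vt["md5"].lower() != sig["md5"]:
        reasons.append("VirusTotal analysed a different file than the one ComboFix hashed")
    verdict = "replace" if reasons else "keep"
    reasons.append("%d/%d engines flagged it; that count alone proves nothing" % (flagged, total))
    return verdict, reasons

if __name__ == "__main__":
    print(assess(COMBOFIX_SIGCHECK, VT_DETAILS, VT_ENGINE_TABLE))
    print("restore from SP1 media ok:", replacement_source_ok("5.1.2600.2180", "5.1.2600.1106"))
```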

#14 phydeaux99

phydeaux99
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:13 PM

Posted 26 September 2009 - 07:58 AM

K

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:13 AM

Posted 26 September 2009 - 08:02 AM

If you decide to install SP3, close all the open windows and disable your antivirus and any other applications monitoring registry changes.
